Re: Recurrent question
- From: Ric <me@xxxxxxxxxxx>
- Date: Sat, 17 Dec 2005 00:43:08 +0000
On 16 Dec 2005 10:04:12 +0100, Volker Birk <bumens@xxxxxxxxxxx> wrote:
>Ric <me@xxxxxxxxxxx> wrote:
>> >An Anti-Virus program DOES NOT PROTECT FROM EVERY VIRUS infection. But it
>> >does help to filter out the annoying trials of so much malware which is
>> >in the wild.
>> PFW, anti-virus, spam filter. They all seem similar in this respect.
>> Each one can only be partially effective.
>
>The difference is:
>
>If an Anti-Virus program knows how to detect a specific virus, this virus
>loses.
>
>It does not matter that virus programmers know how Anti-Virus products
>work. It does not matter what the virus code looks like. If an Anti-Virus
>program scans all incoming data _before_ code out of this data can be
>executed, the Anti-Virus program wins. It makes your computer secure
>against well-known viruses. There is no way viruses could circumvent
>this, if the Anti-Virus software is well designed.
>
>The opposite is true for "Personal Firewalls" and their attempt to
>control malware, which already is running.
Obviously once bad code has executed it's too late, but even then
PFWs can still prevent some (dumb/old?) code from calling out. It may
not prevent changes to the OS but it's better than nothing, and can
keep the problem local. Some people have installed a PFW which has
then alerted them to trojans already running and connecting out.
>If the malware is not written too dumbly, the malware wins. The "Personal
>Firewall" has no chance to win that battle, and it does not matter if
>the malware programmer knows how exactly a "Personal Firewall" looks
>(as I proved with http://www.dingens.org/breakout-en.c). There is
>no way to implement this securely, because of the design of Microsoft
>Windows. No "Personal Firewall" provider can change this fact. It can
>only be changed by Microsoft by dropping the core Windows concepts.
I had a look at breakout-en.c. At a guess it locates the IE window,
sends the url to it and whacks the return key for you. Is this roughly
correct?
While downloading http://www.dingens.org/breakout-en.exe AVG said:
Virus detected while opening file: C:\Documents and
Settings\#\Desktop\breakout-en.exe Trojan horse Clicker.XH
Ah. First it's a virus then it's a trojan :) The AVG database said:
Clicker - The exact description is not available. 1st catch to AVG.
I tried to run it in a sandbox and got an "access is denied" error as
expected. I had to disable the resident scanner and quit AVG to get
access to the file. 2nd catch to AVG. Then I ran it without explorer
running and got your message, then checked the sandbox to see that no
files were in it. I ran it sandboxed again with IE open but it
couldn't find IE, so I ran it unsandboxed with IE running and received
"The page cannot be displayed." I checked Ethereal and no packets had
gone out. As I use Firefox or Opera on this computer I have denied IE
all access using Outpost Pro (which I've been trying for a couple of
weeks now). 3rd catch to Outpost. So the IE rule was deleted. I ran it
again and Outpost asked if IE could access the internet. 4th catch to
Outpost. Then a rule was created to allow IE to access the internet
and breakout accessed your website through IE.
So AVG caught it twice and Outpost caught it twice. If IE had been my
default browser only AVG would have stopped it. I don't know how long
AVG has been able to detect it but when breakout was written it
probably went undetected by anti-virus programs. So this seems to me
like a browser vulnerability that exploits the fact that a browser is
allowed through the firewall, rather than an actual firewall exploit.
More than that it is a user exploit because I forgot to use my brain
and ran untrusted code. So once I ran it I was toast anyway, it could
have wreaked havoc on my HD and left me with no firewall or OS.
Breakout can do me no harm from the outside, I have to download it and
run it. Therefore it can't negate the fact that some PFWs are useful
for external protection. It also needs to latch on to a program which
is allowed through the firewall. Therefore if I had no PFW installed
Breakout should be able to latch on to any program I have installed
and have full remote access with programs I have currently blocked
access to. With a PFW installed it can only call out through programs
that already have access through the firewall.
On the subject of the XP firewall, as that blocks no outbound it is
inferior in that respect to firewalls that can block some outbound and
therefore not as useful. Breakout would automatically get past the XP
firewall.
>These are the reasons why I'm saying, that Anti-Virus programs can help
>with security, if they're well designed and are used to scan any incoming
>data before code out of this data can be executed, while "Personal Firewalls"
>and "controlling outbound traffic" is a useless attempt.
Outpost contained Breakout and IE until I removed all references to IE
from the rules.
>> So you agree in the right situation, and in the right hands, a PFW can
>> prevent _some_ malware, and therefore be useful?
>
>No. A security system cannot be designed for "can control everything
>which lets itself be controlled". This has nothing to do with security.
>
>A security system has to control _especially_ those, who do not want
>to be controlled.
>
>> I thought PFW's stopped most trojans connecting out.
>
>You're wrong. Only very dumbly designed or old malware can be controlled,
>because it lets itself be controlled.
I'd say that more than half is old and dumb. If we stop protecting
against the old stuff people can go back to using it against us.
>> >Teaching users by alerting "The process svchost.exe tries to open port 53,
>> >do you want to allow this?" - IBTD.
>> >Even an IT professional cannot answer this question correctly, and
>> >%USERNAME% cannot understand what's going on here at all.
>> I can answer it for my situation. Deny it.
>
>Yes, I do. Hint: I just offered the worst example a "Personal Firewall"
>can alert on. Nobody can get useful information from this particular alert,
>because there is nothing like that in it ;-)
What, svchost.exe? ZoneAlarm calls it "Generic Host Process for Win32
Services", which it got from the file description. Get
http://www.sysinternals.com/utilities/processexplorer.html
run it and look for svchost.exe. I have two instances running, the
others I had previously closed. The first says:
C:\WINDOWS\system32\svchost -k rpcss
I don't want RPC accessing the internet.
The second says:
C:\WINDOWS\System32\svchost.exe -k netsvcs
If I right click it and select properties then click the services tab
it says:
Services registered in this process:
AudioSrv Windows Audio
CryptSvc Cryptographic Services
dmserver Logical Disk Manager
Netman Network Connections
Themes Themes
winmgmt Windows Management Instrumentation
If I click Netman it tells me it "Manages objects in the Network and
Dial-up Connections folder, in which you can view both local area
network and remote connections."
None of these has any need to access the internet so I can safely deny
all access to svchost.exe without losing any functionality.
It's a doddle :)
>I believe you that with better and more useful alerts you can deal with it ;-)
>
>> I don't use any Microsoft
>> network protocols (except TCP/IP)
>
>TCP/IP is not a network protocol. It's a family of many network protocols.
I did say protocols. :)
>And it's not from Microsoft. Not even Windows' implementation of the TCP/IP
>network protocol stack originally is from Microsoft - it's a modified BSD
>stack.
I know. But it's theirs now.
Ric
>> The alerts could be a lot more helpful instead of spreading FUD. It
>> doesn't help when they say you have just been attacked by 3 echo
>> request packets or some UDP packets to port 1026. They always seem to
>> think messenger spam is a port scan.
>
>Yes. For an experienced user, who knows about network protocols. Or, to
>say this another way: for a very small group of users.
>
>Yours,
>VB.
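The svchost.exe question above comes down to mapping a PID to the services the Service Control Manager loaded into it. Process Explorer shows this on its Services tab; on a stock Windows XP or later box `tasklist /svc` prints the same PID-to-services mapping. What follows is an added example, not code from this thread or from either of its authors: a Python script that parses `tasklist /svc` table output and joins it to a firewall alert's image name and PID, so the "svchost.exe tries to open port 53" alert can be answered from the service list instead of the image name. The embedded transcript is constructed in the real table layout (including the wrapped continuation line tasklist emits for long service lists); the service names for PID 1012 are the ones listed above for the "-k netsvcs" instance, the other rows are made up. Function names (`parse_tasklist_svc`, `explain_alert`, `snapshot_from_tasklist`) are this example's own.

```python
"""Resolve a Personal Firewall alert about svchost.exe to the services it hosts.

A PFW alert names an image (svchost.exe) and a PID. On its own that is not
answerable, because one svchost.exe instance hosts a whole group of services.
`tasklist /svc` (Windows XP and later) lists, per PID, the services loaded
into that process; this script parses that output and joins it to the alert.
SAMPLE_TASKLIST_SVC is a constructed transcript in the real `tasklist /svc`
layout, not captured from a machine.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample. Service names for PID 1012 are the ones the post lists
# for its "-k netsvcs" instance; every other row is made up for illustration.
SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    912 RpcSs
svchost.exe                   1012 AudioSrv, CryptSvc, dmserver, Netman, Themes,
                                   winmgmt
svchost.exe                   1100 Dnscache
explorer.exe                  1560 N/A
"""

# A data row: image name (may contain spaces), whitespace, PID, whitespace,
# comma-separated services or "N/A". Header and "====" separator rows do not
# match because they carry no PID column.
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def _split_services(field: str) -> List[str]:
    """'AudioSrv, CryptSvc,' -> ['AudioSrv', 'CryptSvc']; 'N/A' -> []."""
    field = field.strip()
    if not field or field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text: str) -> Dict[int, dict]:
    """Parse `tasklist /svc` table output into {pid: {"image", "services"}}.

    tasklist wraps long service lists onto continuation lines that start
    with whitespace; those are appended to the most recent PID's list.
    The parser never looks at header text, so localized headers are fine.
    """
    table: Dict[int, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():  # continuation of the previous row's services
            if current is not None:
                current["services"].extend(_split_services(line))
            continue
        m = _ROW.match(line)
        if m is None:  # header and separator rows
            current = None
            continue
        current = {
            "image": m.group("image").strip(),
            "services": _split_services(m.group("services")),
        }
        table[int(m.group("pid"))] = current
    return table


def explain_alert(table: Dict[int, dict], image: str, pid: int) -> Optional[dict]:
    """Join a PFW alert (image name + PID) to the hosted-service list.

    Returns None when the PID is not in the snapshot (the process exited, or
    the snapshot is from another boot). image_matches is False when the PID
    has since been reused by a different image, so the service list would
    describe the wrong process.
    """
    entry = table.get(pid)
    if entry is None:
        return None
    return {
        "pid": pid,
        "image": entry["image"],
        "image_matches": entry["image"].lower() == image.lower(),
        "services": list(entry["services"]),
    }


def snapshot_from_tasklist() -> Dict[int, dict]:
    """Take a live snapshot on Windows; not used by the sample path below."""
    out = subprocess.run(["tasklist", "/svc"], capture_output=True,
                         text=True, check=True).stdout
    return parse_tasklist_svc(out)


if __name__ == "__main__":
    table = parse_tasklist_svc(SAMPLE_TASKLIST_SVC)
    for pid in (912, 1012, 1100):
        r = explain_alert(table, "svchost.exe", pid)
        print(f"svchost.exe PID {pid} hosts: {', '.join(r['services'])}")
```

The `-k` group name (rpcss, netsvcs) lives on the command line, which tasklist does not print; Process Explorer shows it, as does `wmic process where "name='svchost.exe'" get processid,commandline`. In the constructed sample the instance hosting Dnscache, the DNS Client service, is the one a port 53 alert would most plausibly point at, which is exactly the information the alert itself does not carry. Two caveats: a PID can be reused before you look it up, which is why the join checks the image name; and since Windows 10 version 1703, on machines with more than 3.5 GB of RAM, most services run in their own svchost.exe instance, so the groups are far smaller than the XP-era ones listed above.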