Re: Windowx 200x/XP virus proof document released
From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 05/31/04
- Next message: kt.: "trojan. deleted but has it damaged my pc??"
- Previous message: Lance: "Re: Only One Interface Hijacked (Wireless)?"
- Next in thread: Wellington Terumi Uemura: "Re: Windowx 200x/XP virus proof document released"
- Reply: Wellington Terumi Uemura: "Re: Windowx 200x/XP virus proof document released"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 31 May 2004 13:40:15 -0400
Wow - my brain hurts. Yes, antivirus is no cure-all - nor is a firewall -
nor is anything. A combination of these, plus common sense & suspicion &
'safe hex' is really the answer.
Wellington Terumi Uemura wrote:
> Hello!
>
> Some time ago, I was asking people to send me viruses and worms for my
> personal research:
>
> http://www.derkeiler.com/Newsgroups/microsoft.public.security.virus/2004-03/1673.html
>
> And I did receive many jokes about it, people telling me that "if it was
> that good, other "specialists" would have released the information
> before" or that this kind of "stuff" is IMPOSSIBLE. E-mail from
> everywhere, including some people from Microsoft Brasil telling me to
> show them what this "magic" was all about.
>
> The good part is that, after sending this document to a person in
> Microsoft Brasil, they never replied or made any comments about it, and
> other "specialists" that got the document somehow told me that
> "I knew that, nothing new about it"!
>
> It is strange that security magazines and sites, in their focus on worm
> and virus issues, say "firewall and antivirus", or don't open unknown
> files that come into your e-mail box, don't do this, don't do that. I
> know that users don't care about it, thinking that an antivirus will
> prevent infection; many of us were using antivirus when Mblaster came
> out, and many others to date.
>
> It's well known that an antivirus can protect you after infection, not
> before; Mblaster, Mydoom, Netsky, Sasser, etc., are very good examples
> of that. Who never downloaded the latest removal tool for the latest
> worm or virus before they could have time to create a "cure" for it?
>
> I am not against antivirus software, not at all, but they have some
> limitations; some are not smart enough to identify whether a change
> that you are making in your system is beneficial or not, some will
> prevent system modifications, others won't.
>
> As I have said before, I came from a Linux environment and in most
> cases a non-root user can't do any damage to the system; this is also
> true with the latest Windows systems that use an NTFS partition.
>
> After nights of research, I've found out that the only way to get
> infected on Windows 200x/XP with an NTFS partition is that I must have
> administrative permission to make system changes. My tests show that
> a worm or virus would not add itself to the system partition without
> permission or make changes in the registry, in particular the key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> Following the Linux security basics, I've made some changes to the
> system.
>
> 1 - Create a restricted user for daily use (read e-mail, access
> pages, work).
> 2 - Remove the group EVERYONE and set the permission for the group
> USERS to READ AND EXECUTE ONLY.
> 3 - Keep FULL CONTROL only for SYSTEM, ADMINISTRATORS and CREATOR OWNER.
>
> The Windows 2000 Adv Server that I have here to test (demo) has the
> C:\ partition as EVERYONE FULL CONTROL.
>
> To administrators that would try to implement these modifications, a
> warning: you will get some problems if you don't know what you are
> doing; that's why this solution is for corporate environments.
>
> Some users may have problems writing to %WINDIR%\temp
> (C:\Windows\Temp or C:\WINNT\Temp), so your system administrator
> must set the appropriate permission on this folder or any other that
> your company uses.
>
> Users will not be able to install applications on this system or make
> any changes to the registry; to do so, they need to use "Run as..."
> to install applications or whatever else will make changes to the
> system (drivers, for example).
>
> After installation, users will use their applications normally; maybe
> some applications need a special permission to run with all users, but
> this is up to the administrator to set these permissions, which can be
> done easily with programs like regmon and filemon.
>
> At the Microsoft Brasil events that I could participate in, they never
> talked about this before; maybe after the document spreads for a while
> someone will take credit for it (nothing new about that) or you
> will find a new security paper telling you why to use a restricted
> user on a daily basis.
>
> This is what the document was all about, restrictions and user
> permissions; I've done the tests myself, as have some companies that
> don't want their names involved, and it proved to be true.
>
> It took some time to make many tests, and since December 2003, neither
> my computer nor the companies involved got infected by ANY virus or
> worm. This procedure also worked out fine to prevent modifications
> to your IE browser by browser hijack techniques.
>
> The original document (PDF) in Portuguese is here:
> http://members.fortunecity.com/wellingtonuemura/protec/
>
> I hope people make good use of it, and let me know if someone has any
> comment about it.
>
> Wellington Terumi Uemura
> wellingtonuemura (at) hotmail.com
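The permission model Wellington describes (drop EVERYONE, give USERS read and execute only, keep FULL CONTROL for SYSTEM, ADMINISTRATORS and CREATOR OWNER) can be audited and applied with the ACL cmdlets that ship with modern PowerShell. The script below is an added example written for this archive; it is not part of the original post, of Wellington's PDF, or of any Microsoft documentation. It assumes an elevated PowerShell 5+ session, and the default target folder C:\PermTest is a constructed test path, not the system drive. It audits the folder, the C:\ root (which the post found set to EVERYONE FULL CONTROL on a demo server) and the HKLM Run key named in the post for Allow entries granting write-class rights to Everyone or Users, and only rebuilds the folder's ACL when -Apply is given.

```powershell
# Added example: not part of the original post nor of Wellington's PDF.
# Audits a folder, the C:\ root and the HKLM Run key for Allow entries that
# give Everyone or Users write-class rights, and with -Apply rebuilds the
# folder's ACL to the model in the post: Everyone removed, Users = Read &
# Execute, Full Control only for SYSTEM, Administrators and CREATOR OWNER.
# Assumptions: run from an elevated PowerShell 5+ session; $Path is a
# constructed test folder, not C:\ or %WINDIR%.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Path = 'C:\PermTest',   # constructed test folder (assumption)
    [switch]$Apply                   # audit only unless -Apply is given
)

# Well-known SIDs, so the script does not depend on English group names
$Everyone       = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$Users          = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$Administrators = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$System         = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
$CreatorOwner   = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'

# Rights that let a principal change content or the ACL itself; files and
# registry keys use different enums, so the test is done on the raw mask.
$FileWriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$RegWriteMask  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$GenericMask   = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE

function Get-WriteAce {
    # Emits one object per Allow ACE on $Target that grants Everyone or Users
    # a write-class right. Registry targets use provider paths (HKLM:\...).
    param([Parameter(Mandatory = $true)][string]$Target)
    $isRegistry = $Target -like 'HK*:*'
    $mask = $GenericMask -bor $(if ($isRegistry) { $RegWriteMask } else { $FileWriteMask })
    foreach ($ace in (Get-Acl -Path $Target).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -notin @($Everyone.Value, $Users.Value)) { continue }
        $rights = if ($isRegistry) { $ace.RegistryRights } else { $ace.FileSystemRights }
        if (([int]$rights -band $mask) -ne 0) {
            [pscustomobject]@{
                Target    = $Target
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-RestrictedAcl {
    # Rebuilds the folder ACL as the post describes. Inheritance from the
    # parent is cut off, so an Everyone ACE on the drive root cannot flow
    # back in; CREATOR OWNER is inherit-only, as in a default NTFS layout.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Folder)
    $FC     = [System.Security.AccessControl.FileSystemRights]::FullControl
    $RX     = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $CI_OI  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $None   = [System.Security.AccessControl.PropagationFlags]::None
    $IOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $Allow  = [System.Security.AccessControl.AccessControlType]::Allow

    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }   # drop explicit ACEs too
    $rules = @(
        @($System,         $FC, $None),
        @($Administrators, $FC, $None),
        @($CreatorOwner,   $FC, $IOnly),
        @($Users,          $RX, $None)
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r[0], $r[1], $CI_OI, $r[2], $Allow))
    }
    if ($PSCmdlet.ShouldProcess($Folder, 'Replace ACL with restricted model')) {
        Set-Acl -Path $Folder -AclObject $acl
    }
}

if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# Audit: the folder to change, the drive root the post found wide open, and the Run key it names
foreach ($t in @($Path, 'C:\', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')) {
    Get-WriteAce -Target $t
}
if ($Apply) { Set-RestrictedAcl -Folder $Path }   # run the script with -WhatIf to preview
```

Run it without switches first and read the audit output; an entry for Everyone or Users with FullControl or Write on C:\ is exactly the condition the post warns about. When applying the model to a real tree, keep the post's caveat in mind: Users still need write access to %WINDIR%\Temp, their own profile folders and whatever application directories regmon and filemon show being written, so lock down one folder at a time and re-run the audit after each change.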