Everything posted by Synja
With all due respect you didn't specify anything, you vaguely cited ACL's, temp folders, alternate credentials, sensitive areas of the system, services that do not actually require NT Authority\Local System or other unusual priveleges and GPO's. I do like the approach , but it would be interesting if you could provide some examples, lists of the services, etc. jaclaz Touche I did a rather involved writeup of the general concept a few years ago, I'll see if I can dig up a copy tonight. If I can't, I'll post it when I get back home tomorrow morning-ish. I listed out the various autorun locations, permission examples, and some general guidelines for this. Unfortunately, this approach can sometimes require tailoring to specific environments; the concepts remain the same though.
trying a new way of blocking virus's
Synja replied to net_user's topic in Malware Prevention and SecurityUntil something comes in over SSL, Flash, Java, or any of the more common methods?
Rather than relying on common and ineffective security theory, why not actually create an effective layered system? Use ACLs to deny execute permission on temp folders for the standard users, configure your browser(s) to run under alternate credentials without read/write access to sensitive areas of the system, and the same alternate credentials technique can be used to run services that do not actually require NT Authority\Local System or other unusual priveleges.You can also use GPO to limit application access to other areas of the system and/or user accounts. The ACLs I specified to deny execute permission on temp folders can be applied to autorun/load locations in the registry. This I why I specify separate accounts; if by some miracle a malicious application exploits something, even with administrative priveleges write access to locations can be limited to specified accounts instead of groups. Also remember that every realtime security application you add to a system increases the complexity and attack surface of the system.
Is a boot scan better ?
Synja replied to mike13's topic in Malware Prevention and SecurityThere is a tradeoff in detection capability. Most active AV evasion techniques can be defeated with a boot time scan, but anything with a custom cryptor (or at least one without a signature) will not be detected. Heuristic detection is almost entirely useless at boot time, not that most AV offerings even have useful heuristic capabilities. Removal is easier, detection is not in most cases. It's really academic at this point, with a boot time scan not being prevention or security of any sort, it's just another cleanup method.