• Anti-Ransomware Software Overview Update


    #117906

    Martin Brinkmann has updated the ghacks.net Security overview, to 23 May 2017. “There are two types of Anti-Ransomware software programs: those that p
    [See the full post at: Anti-Ransomware Software Overview Update]

    6 users thanked author for this post.
    • #117918

      Something I’d like to see evaluated is how much computer time / resources are used to run typical ransomware protection.

      I personally evaluated MalwareBytes not long ago and was surprised at how much it slowed down an otherwise very powerful computer, doing my normal software engineering tasks. Essentially it made the computer run, for normal, typical activities, like one that costs thousands of dollars less and is a generation older. Not insignificant!

      Most folks feel, without thinking too hard about it, that “security is good, and more security is better”, right? Trouble is, that the electronic vigilance comes at a price. Computers aren’t infinitely fast, and there are getting to be VERY large numbers of maleficent things to check for.

      Assuming you have things you need/want your computer to do besides checking for Ransomware, remember to consider the ongoing cost.

      -Noel

      5 users thanked author for this post.
    • #117948

      Something I’d like to see evaluated is how much computer time / resources are used to run typical ransomware protection. I personally evaluated MalwareBytes not long ago and was surprised at how much it slowed down an otherwise very powerful computer, doing my normal software engineering tasks. Essentially it made the computer run, for normal, typical activities, like one that costs thousands of dollars less and is a generation older. Not insignificant! Most folks feel, without thinking too hard about it, that “security is good, and more security is better”, right? Trouble is, that the electronic vigilance comes at a price. Computers aren’t infinitely fast, and there are getting to be a VERY large number of maleficent things to check for. Assuming you have things you need/want your computer to do besides checking for Ransomware, remember to consider the ongoing cost. -Noel

      Can’t comment about Malwarebytes, but I have HitmanPro.Alert resident on my Windows 7 PC and Task Manager says it’s using 19,412KB of RAM in the “Working Set,” while CPU usage registers at “00”.


      1 user thanked author for this post.
      • #117951

        Cybertooth, try this for a practical measurement:

        Time how long it takes you to do things for which you wait for the computer. For me it was building software, searching for data, comparing big sets of files, doing backups, etc.

        Time it with and without the anti-malware software in question installed. Don’t just disable it, but do without it entirely.

        When I did this I was surprised to see some things, actually most of the things I mentioned above, take quite a bit longer when anti-malware software was examining every file access. It can’t be helped IF you assume the proper approach is to assume malware has gotten into your computer and has to be stopped by detecting it going bonkers on your files.

        -Noel
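        Added example (editor’s note, not code from Noel or anyone else in this thread): a small Python harness for the with/without comparison described above. It builds a scratch set of files, reads and hashes every one of them (the per-file access an on-access scanner hooks), repeats the run and reports the median so a single noisy run does not mislead you. Run it once with the product installed and once with it uninstalled, then feed the two medians to overhead_percent(). The file count, file size and repeat count are assumptions you can tune to your own workload.

```python
"""Time a file-heavy workload with and without anti-malware installed.
Run the same script in both states and compare the medians; do not
compare one run against one run, the noise is larger than you think."""
import hashlib
import os
import statistics
import tempfile
import time


def make_corpus(root, n_files=200, size=16 * 1024):
    """Create n_files of random bytes under root (assumed sizes); return paths."""
    paths = []
    for i in range(n_files):
        p = os.path.join(root, f"f{i:05d}.bin")
        with open(p, "wb") as fh:
            fh.write(os.urandom(size))
        paths.append(p)
    return paths


def workload(paths):
    """Read and hash every file, the kind of access a scanner intercepts.
    Returns the number of bytes processed."""
    total = 0
    for p in paths:
        h = hashlib.sha256()
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
                total += len(chunk)
    return total


def time_workload(paths, repeats=5):
    """Run workload() repeats times; return (median_seconds, all_samples)."""
    samples = []
    for _ in range(repeats):
        t0 = time.perf_counter()
        workload(paths)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples), samples


def overhead_percent(baseline_s, measured_s):
    """Slowdown of measured relative to baseline, in percent."""
    if baseline_s <= 0:
        raise ValueError("baseline must be positive")
    return (measured_s - baseline_s) / baseline_s * 100.0


def run_benchmark(n_files=200, size=16 * 1024, repeats=5):
    """Build a scratch corpus in a temp dir, time it, clean up; return a result dict."""
    with tempfile.TemporaryDirectory() as root:
        paths = make_corpus(root, n_files, size)
        median_s, samples = time_workload(paths, repeats)
        nbytes = workload(paths)
    return {"files": n_files, "bytes": nbytes, "median_s": median_s, "samples": samples}


if __name__ == "__main__":
    r = run_benchmark()
    print(f"{r['files']} files, {r['bytes']} bytes: "
          f"median {r['median_s'] * 1000:.1f} ms over {len(r['samples'])} runs")
    # Paste the two medians in: overhead_percent(1.0, 1.5) -> 50.0 (percent slower)
    print(overhead_percent(1.0, 1.5))
```

        Keep the corpus on the same drive and of the same size in both runs, and leave the machine otherwise idle; a scanner’s cost shows up mostly on the first read of each file, which is exactly what this measures.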

    • #117946

      Noel, noted. This is on my to-do list for the next update.

      I agree that resource usage can be a factor. The new Malwarebytes 3 jumped in memory use quite a bit for instance when compared to older versions (even if you add Anti-Malware, Anti-Exploit, and Anti-Ransomware processes).

      Thanks for the link Woody 😉

      9 users thanked author for this post.
    • #117952

      Noel, I am not going to get out a stop watch, well actually the only stop watch I have is on the computer as part of a small utility I use, but, in terms of memory, I’ve seen Cybereason RansomFree (CRF) as low as 5,000 KB and as high as 15,000 KB (so far), a fraction of what Firefox or Thunderbird uses.  That said, it seems to hover, much of the time, in the 5,000-8,000 KB region.  This puts it, most of the time, just on either side of the memory used by Norton Internet Security.  The mere act of opening a new tab in Firefox does not, necessarily, increase CRF’s memory usage.  While my understanding of computers is somewhat limited, compared with peeps like you, it seems the nature of CRF might lend itself to being less of a constant resource hog than many of the programs on Martin Brinkmann’s list.  But, I imagine, Martin would have a better sense of this than I.

      • #117999

        I DID get out a stopwatch. I keep one right by my computer (I use it for helping to optimize my own software). But it’s not necessary – often the difference in operations we often wait for – like web pages to display – can literally be seconds. Just watch a clock and estimate start and end times. For example, I can easily estimate that the main AskWoody.com page takes my system about 1 second to show after I click the “Home” link.

        I doubt RAM usage is much of a limiting factor in most computer systems any more. With SSDs on tap swapping to disk isn’t as troublesome as it once was.

        However… Cutting into CPU performance, slowing down I/O operations because AV / anti-malware / anti-ransomware software has to look the data over in detail for infections isn’t insignificant. What most folks don’t realize is thousands of new threatening malware packages are being developed every day so their computers are having to struggle through ever more checks – all the while continuing to protect from the old threats. I have read that some (many?) AV companies retire old malware signatures so their protection focuses more on modern threats, but it’s still apparent that anti-malware activities are taking more and more compute power away from real work. Obviously there are limits – a system that does nothing but protect from malware in every conceivable way might be very secure – and ultimately of no use to most folks. On the other hand, a system that is kept disconnected from the outside world and never gets any new software might be able to dedicate a full 100% of its capacity to computing – and be of no use to most folks.

        It’s all about finding a happy medium.

        For a long time I’ve been trying to “think outside the box” and develop low-overhead techniques for improving the odds that malware is kept well away from the computer system in the first place. Practically speaking, conscientious usage coupled with multiple initiatives to keep malware out in the first place can serve to reduce the odds of getting bit – a lot, to where almost all the computer power can be re-dedicated to just doing its work. “Build a moat and guard the doors heavily” actually can work – opposed to “invite the bad guys in and pay bouncers to roam the halls watching for bad behavior”.

        Computing with an online-connected device is all about what level of risk you can be comfortable with, given your knowledge level and expenditure on security. Bear in mind that NO protection is 100% secure at any cost. If there were such perfect solutions available no more malware would exist going forward, yet we know that’s not happening.

        -Noel

        • #118057

          Modern security software is relying increasingly on behavior (for example, when malware starts trying to phone home or to encrypt files) rather than on definition files. The result is that “anti-exploit” programs such as HitmanPro Alert and (I think) EMET are much lighter on computing resources than are the old-style AV resource hogs.

          • #118102

            A problem with that can come in if you happen to do activities that mimic the behavior of some recent exploit, your behavior-based anti-malware subsystem could start to get in the way. Then you’re faced with lowering its protection level or removing it entirely.

            I recall using Avast for a while, then finding that they were moving the product philosophically toward the less technical user and I was getting all too many false positives – with less and less control over exceptions at the same time. Avast’s response: If we allowed people to make exceptions they’d just allow the malware to run. Uh, no.

            -Noel

    • #118006

      Why the “or” and not an “and”??

      “As far as prevention is concerned, there is more that users can do, for instance making sure they run up to date security software, do back ups of important data and keep the backups detached from the system, or use common sense.”

      Replace with “and”, and you should be covered…

      Running Win7 with the light-footed MS Security Essentials… and nothing else. Never been a fan of AV or anti-malware programs….

      Once lost some important data back in ’84 and have ever since been prepared for anything. The most I can lose is important text such as this being typed… otherwise a clean system with all data can be restored in about 10 minutes….


      3 users thanked author for this post.
      • #118042

        Why the “or” and not an “and”?

        That may possibly be down to English not being the first language of the author?

    • #118008

      FYI…

      https://isc.sans.edu/forums/diary/Jaff+ransomware+gets+a+makeover/22446/
      2017-05-24 – “Since 2017-05-11, a new ransomware named ‘Jaff’ has been distributed through malicious spam (malspam) from the ‘Necurs botnet’… This malspam uses PDF -attachments- with ’embedded Word documents’ containing -malicious- macros. Victims must open the PDF attachment, -agree- to open the embedded Word document, then -enable- macros on the embedded Word document to -infect- their Windows computers…”
      (More detail at the isc URL)

      The machine has no brain.
      …      Use your own.

      1 user thanked author for this post.
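      Added example (editor’s note, not from the ISC diary or from any poster here): a Python triage script for the lure shape the diary describes, a PDF carrying an embedded Office document that in turn carries a VBA project. It does byte-level checks only, no rendering, so it is safe to run against a file pulled from quarantine. The sample PDF and .docm it builds are constructed for the demonstration and are not a real Jaff sample; the marker list and the handling of only unfiltered or Flate-compressed streams are the assumptions to be aware of.

```python
"""Static triage: does this PDF carry an Office attachment with macros?
Byte-level only; handles unfiltered and /FlateDecode streams."""
import io
import re
import zipfile
import zlib

PDF_MARKERS = {
    b"/EmbeddedFile": "embedded file attachment",
    b"/JavaScript": "JavaScript action",
    b"/OpenAction": "action run when the document opens",
    b"/Launch": "launch action",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docm/.xlsm) is a zip
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def _maybe_inflate(blob):
    """Undo /FlateDecode if present; other filters are left untouched."""
    try:
        return zlib.decompress(blob)
    except zlib.error:
        return blob


def classify_payload(blob):
    """Return (kind, has_macros) for one extracted stream body."""
    blob = _maybe_inflate(blob)
    if blob.startswith(OLE_MAGIC):
        # Binary Office files keep VBA under a 'Macros' storage; directory
        # names are UTF-16LE, so scan for that encoding. Crude but workable.
        has_vba = b"M\x00a\x00c\x00r\x00o\x00s\x00" in blob or b"V\x00B\x00A\x00" in blob
        return "ole-office", has_vba
    if blob.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(blob)).namelist()
        except zipfile.BadZipFile:
            return "zip-unreadable", False
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        is_office = any(n.startswith(("word/", "xl/", "ppt/")) for n in names)
        return ("ooxml-office" if is_office else "zip"), has_vba
    return "other", False


def triage_pdf(pdf_bytes):
    """Collect suspicious PDF markers and classify every stream body."""
    findings = {"markers": [], "attachments": []}
    for marker, description in PDF_MARKERS.items():
        if marker in pdf_bytes:
            findings["markers"].append(description)
    for m in STREAM_RE.finditer(pdf_bytes):
        kind, has_macros = classify_payload(m.group(1))
        if kind != "other":
            findings["attachments"].append({"kind": kind, "has_macros": has_macros})
    findings["matches_lure_pattern"] = any(
        a["kind"].endswith("office") and a["has_macros"] for a in findings["attachments"]
    )
    return findings


# --- constructed sample input (not a real malicious document) -------------
def build_sample_docm():
    """Minimal .docm-shaped zip with a fake VBA project entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00not a real VBA project\x00")
    return buf.getvalue()


def build_sample_pdf(attachment, name=b"invoice.docm"):
    """Hand-rolled PDF with one /EmbeddedFile stream (no xref; enough for triage)."""
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles ",
        b"<< /Names [(", name, b") 3 0 R] >> >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /Type /Filespec /F (", name, b") /EF << /F 4 0 R >> >> endobj\n",
        b"4 0 obj << /Type /EmbeddedFile /Length ", str(len(attachment)).encode(), b" >>\n",
        b"stream\n", attachment, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf(build_sample_docm())))
```

      A hit on matches_lure_pattern is a reason to not open the file, not proof of malice; a clean result says nothing about attachments behind filters this script does not decode.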
    • #118034

      I’m a great believer in ‘prevention is better than cure’ with these Anti-Ransomware utilities and will wait until in-depth reviews are done.

      As it stands, I’m on the ‘cure’ side of the fence for now due to my indecision..

      Windows - commercial by definition and now function...
    • #118036

      Tnx for the link to Martin’s article. He is especially good at research and analysis. It is nice that you guys link to each other’s work. Kudos.

      I have been using CryptoPrevent for several years. It is very light on the system and works nicely with other security software. It would be good for a novice as it sets itself up at install. Just use the default setting and click on check for updates to keep the def file current.

      I have had MBAM Premium for several years (for AV/PUP detection). MBAM 3 is on my test systems and it is a pig. Having lost EMET on my W7/8 systems, MBAM 3 will be my go-to product. It has a pretty good anti-exploit product and I have found that the ransomware hunter does not interfere with CryptoPrevent (and vice versa).

      • #118100

        I appreciate the sharing of observations.

        MalwareBytes as a scanner has gotten a good bit better about getting its job done quickly in version 3, though. On my 2 TB C: drive with a little over 1 TB of files it gets a Threat Scan done in about 5 minutes, listing some 150,000 files as having been checked.

        Only problem with just using it for disk file scanning at the moment is they’ve got some kind of gremlin in their “Root Kit Scan” in version 3.1 that causes their service to get stuck. They say they’re working on it.

        -Noel

        2 users thanked author for this post.
    • #118044

      It can’t be helped IF you assume the proper approach is to assume malware has gotten into your computer and has to be stopped by detecting it going bonkers on your files.

      Maybe not “the” proper approach, but certainly it could be part of a layered approach.  Nothing is without its costs, of course.  I’ve always thought (and I still do) that the main security feature is in the user being aware of malware vectors and how to recognize risks, but sometimes it’s still good to have a plan ‘b’.

      The only malware I’ve ever had in any version of Windows was a drive-by download in Windows XP.  I was perusing web sites about guitar strings, and had followed one Google link to a site that had apparently been compromised, and it redirected me to a URL that had some reference to pot in it (not the kind of place I would usually be visiting).

      No actual site showed; the page was blank, but immediately, Outpost Security Suite alerted to an unknown file trying to run.  I’d been running Outpost for years in maximum security mode; I’d created tons of rules and answered hundreds, if not thousands of dialogs over the years.  In a moment that chagrins me to this day, I saw myself aiming the mouse cursor for the “allow” button, even as my conscious self seemed to be screaming to stop, that this is the thing we’ve been putting up with those alerts for all these years.  The force of habit was too strong, and I accepted it… but I still had a leg up compared to having no Outpost: I knew something was up.

      As soon as I got done allowing it, I quickly used the tray icon to block all, then I went behind the PC and unplugged the ethernet cable.  When I got back to the keyboard,  Outpost had popped up another dialog… an unknown program was trying to set a registry entry.  I hit “block and terminate,” and it appeared to do just that.

      I looked through the list of running processes, and I saw none that didn’t belong there.  Upon looking at the Outpost log, I saw that it had allowed the execution of a .exe with a random jumble of uppercase letters, located in the \Documents and Settings\xxx directory.  I went there in File Explorer, and there it was.  I had Outpost’s built-in antimalware scan it (Outpost was a full software firewall, HIPS, and antimalware; in terms of the granularity and ease of creating extremely tight rules, still the best I have ever seen.  Big issues with slowdowns, though).

      The Outpost scanner did not alert on my file.  I tried a few other on-demand malware scanners (not sure which ones I used then; probably Malwarebytes, but I am not certain), and none alerted.

      I zipped up the malware with a password and sent it to a few of the white-hat guys.  One of them responded a day or so later and told me it was a new malware and they had added it to their signature database.

      Even though I was reasonably certain the malware had not gotten very far, I restored the full system image I had for that PC (taking care to save the zipped malware to a USB drive first, lest it be overwritten).  Why worry I missed something when I don’t have to?

      The vector of attack was the Java runtime (I can’t remember exactly what the clue was, but it was pretty obvious; I think it may have been something like the Java icon in the system tray right when all of this happened, or something like that, something that is not usually there). I remember checking to see if my Java plugin was up to date; it was, though a day or two later there was another update.  I put it on “never activate” after that, and for the rest of my time using XP, then 7, I never came across any further use for the Java plugin.

      Now the Java plugin is blocked on all of the modern browsers, and is known by everyone to be an obsolete malware magnet, but that was a different time.  If it was common knowledge at that time that it was bad news to have the plugin enabled, it escaped me somehow, and that’s not the kind of thing that usually does that.  It’s possible, though… no one is perfect.  I know that the average user is always going to see security popups as “you have to click this button marked ‘allow’ so you can get back to whatever you were doing,” without ever thinking what it means or why it’s there.  I’m not that way, though; I am the one who set up Outpost in the first place, and yet the force of habit got me to okay an obvious malware.

      I am glad I had Outpost running, though.  I have no idea what the malware would have done had it gone unnoticed, but it’s not hard to see how it might have.  You can try to reduce the attack surface as much as possible (by disabling Flash and Java, for one), but if the attacker knows of an unpatched zero-day, it’s possible for bad stuff to happen even when you are being reasonably careful.

      In this case, I had been running XP in admin mode, which is a risk for sure, but that was the default, and nearly everything expected it (and that is part of the reason I insisted on having Outpost in maximum-paranoia mode).  My 12-year-old XP laptop now runs in limited mode (though it is also not connected to the internet), and it’s really frustrating to use.

      Still, I hadn’t run an Office macro or .scr file sent to me by some random person in the mail.  I didn’t plug in some thumb drive I found somewhere, I hadn’t been tricked to run something I shouldn’t, and I hadn’t gone intentionally to ‘dodgy’ web sites.  I was running an up-to-date browser with an up-to-date plugin on an up-to-date OS, and it broke my perfect no-malware record (still the one and only incident).  I marvel at how many people seem to think that finding malware on a PC is a semi-normal thing.

      For now, I am using Microsoft Defender… a poor performer against malware according to the tests, but light on resources.  I had Bitdefender Free, but that thing was so buggy that when I was having some other issue, I uninstalled it for testing purposes and never bothered to reinstall it.  The thing kept quarantining files that I’ve told it over and over to skip, and it wouldn’t restore them or skip them next time.  It was flagging harmless batch files that I’d written as harmful, among others.  No actual malware, though.

      I’ve also got Malwarebytes Anti-Exploit free edition installed. I don’t know how well it works or IF it works, but it doesn’t seem to slow things down much.  I’d love to find a quick, light HIPS (quick and light being relative), but one thing I will not do is subscribe to software… and everything in security (even more so than the rest of the software world) seems to be going that way.

      If I was doing a lot of work where the slowdown of security software seriously cramped my productivity, I might devote a machine to that kind of work and use another for browsing that had the heavyweight stuff on it (or a Linux box).  Hopefully any errant malware that got into the network would be stopped at the source (assuming that PC was the source) before it got a chance to access the LAN.  There’s no free lunch– these security programs can really slow things down, and if you need that performance for something other than running security software (and it does not have to be something serious-sounding like software development or video transcoding… gaming is another thing that can be heavily impacted by the security stuff), something has to give.

      Outpost was quite effective in security, but in no way did it live up to its billing as “Stops everything, slows nothing.”  With Outpost installed, online gaming microstuttered and hung for a short time (half a second) frequently… very annoying.  In office software, it may pass unnoticed, but in gaming, it was terrible.  Even exiting the program didn’t help; it had to be removed to get the speed back.

      On my laptop, Outpost slowed the wireless throughput by half.  That’s just not an acceptable level of performance loss.  I started to look for a replacement for Outpost when I finally recognized just how much the thing was slowing my PC.  Timing was perfect, as Outpost’s maker Agnitum announced that Outpost was being cancelled as the company had been sold to Yandex.  Yet another lifetime license that isn’t… but with it being as slow as it had gotten, it wasn’t going to work for me anyway.

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
      Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

      5 users thanked author for this post.
    • #118051

      Windows 10 Pro 22H2

      1 user thanked author for this post.
    • #118123

      One who wants to maintain performance while reducing risk in a reasonable way might want to consider using the browser in a sandbox if performance is not critical there, then not run any antivirus, if the person is the type of person who doesn’t install much software and/or less obvious software, and doesn’t download media files from random places. I would not game on this machine either, but you would get great performance for work. A typical scenario could be someone who does Photoshop/video editing/CAD/office software and some browsing.

      So, the plan would be :

      1) patch, patch, patch everything, so you remove vulnerabilities, maybe with a little delay to prevent patch issues. You can also use some free software to check that everything is patched. This can be nice if you use lots of software where auto updates are not working very well.

      2) run the browser in a sandbox like Sandboxie, ideally without any plugin like Reader, Flash and Java. Only Flash seems to be sometimes necessary for some people, and it should be set to activate on demand only (an option you can set in the add-on section of Firefox), and then you exercise caution when asked to activate. If you can use the 64-bit version of the browser, it is better if you want to benefit from protections such as Address Space Layout Randomization provided by EMET, although I am not sure you would run EMET in conjunction with the sandbox. I run Firefox 64-bit with EMET, Flash on demand, and I use Firefox to show PDFs on the web, which I think reduces the risk of issues with tainted PDFs compared to showing them directly using Adobe Reader.

      When I need to see a PDF offline and it isn’t properly handled by Firefox, I will use Sumatra PDF with the following options gathered from someone here, I think: Settings, Advanced Options, change ChmUI’s “UseFixedPageUI” from false to true (which avoids the use of IE’s engine for .chm files, which results in avoiding embedded scripts in .chm files). Also, for convenience (better user interface), you can set EbookUI’s “UseFixedPageUI” from false to true.

      3) have a frequent backup routine that makes sense for you, maybe a combination of online backups and offline ones. It is important to not leave your backup media plugged in at all times, to avoid a ransomware encrypting the backup media too, or a surge breaking everything at once. I would advise rotating two backup disks and retiring one once a year to cover the case of “I deleted this file by mistake on my computer and replaced my old backups with newer and now I can’t find it”. Noel has a great post about how he does backups using vssadmin. I like to use 2 HDs configured with ReFS on Storage Spaces (free on Windows 8 and up) to store data, as it provides redundancy in mirror configuration and data protection against bit rot. Although it is great for hardware breakage protection, it does nothing for security, so that is optional.

      4) I always run with UAC to the max. I would also recommend running a standard user account and leaving another account with admin rights and a password just to approve installs and OS level modifications.

      5) Exercise common sense with the rest.

      I am like Ascaris, my main vulnerability would be to a drive-by download because I would have clicked on an apparently legitimate link, and I would be vulnerable if the antimalware didn’t catch the new threat. There is nothing to protect you from that, however careful you are, because you don’t have the information to make an enlightened decision every time, so you need to cover that scenario. There is also nothing preventing you from going to a legitimate web site infected by drive-by malware in an ad, except maybe by using blacklists like Noel, but this is still a reactive approach and not a simple one for many, so theoretically not as fool proof as an ideal scenario, although maybe excellent in practice in many cases and good enough for someone like Noel. I think using the sandbox can help regarding this drive-by download danger, because it is not reasonable to ask people to guess in advance which web sites can’t be navigated to with enough accuracy in the long run. You might not have bad luck for many years, but one day, there is a good chance you will click on a legitimate old link that has been replaced by something bad.

      I don’t use a sandbox to browse, but I use Avast. It is a pain to configure to my liking, but I don’t mind the performance hit too much. Among this configuration, I set it to prevent any unrecognized executable from running unless I authorize it, which I find nice because if you see some executable from the temp folder asking to run when browsing the web, it might be a good indication something is wrong. I consider any computer infected dead meat that needs to be reinstalled, as you can’t ever be sure you cleaned everything, so I strongly believe prevention is the best defense.

      One last thing: once in a while, patch your router firmware and make sure it is still supported by the company who made it. If you use your ISP’s router, well, hope they patch it, but don’t hold your breath. You could install a firewall behind it for added protection.

      Commercial anti-exploit kits can have a good place in your security arsenal depending on the kind of user you are. For me, I feel the free lightweight EMET and the combination of the things I mentioned is enough.


      7 users thanked author for this post.
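      Added example (editor’s note, not code from Alex, Noel or anyone else in this thread): a Python audit of the UAC settings behind point 4 above. The Control Panel slider writes three DWORDs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop); reading them directly tells you what a box is really set to, and whether the shell you are in already holds an elevated token, which is the thing a standard-user-plus-separate-admin-account setup is meant to avoid. Registry and token calls only work on Windows; the mapping from values to slider position is a pure function so it can be checked anywhere. The level names are mine; the value semantics are Microsoft’s.

```python
"""Audit the UAC policy values behind the Control Panel slider.
Registry access is Windows-only; interpret_uac() is a pure function."""
import sys

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Windows' own defaults when a value is absent from the key.
UAC_DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def interpret_uac(enable_lua, consent_admin, secure_desktop):
    """Map the three DWORDs to a slider position plus caveats. Returns (level, notes)."""
    if enable_lua == 0:
        # Admin Approval Mode off: every process of an admin runs fully
        # elevated, and Store/UWP apps refuse to start in this state.
        return "uac_disabled", ["every admin process runs elevated",
                                "Store apps will not launch"]
    if consent_admin == 2 and secure_desktop == 1:
        return "always_notify", []
    if consent_admin == 5 and secure_desktop == 1:
        return "notify_app_changes_default", []
    if consent_admin == 5 and secure_desktop == 0:
        return "notify_no_dim", ["prompt is drawn on the normal desktop, "
                                 "where other software can interact with it"]
    if consent_admin == 0:
        return "never_notify", ["admins elevate silently; UAC stays on only "
                                "so Store apps keep working"]
    return (f"custom(ConsentPromptBehaviorAdmin={consent_admin},"
            f" PromptOnSecureDesktop={secure_desktop})", [])


def read_uac_from_registry():
    """Return (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) from HKLM."""
    if not sys.platform.startswith("win"):
        raise OSError("UAC policy lives in the Windows registry")
    import winreg  # Windows-only module, imported lazily
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name, default in UAC_DEFAULTS.items():
            try:
                value, _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                value = default  # absent value means the Windows default applies
            values.append(int(value))
    return tuple(values)


def running_elevated():
    """True if this process already holds an elevated admin token (Windows only)."""
    if not sys.platform.startswith("win"):
        return None
    import ctypes
    return bool(ctypes.windll.shell32.IsUserAnAdmin())


if __name__ == "__main__":
    level, notes = interpret_uac(*read_uac_from_registry())
    print("UAC level:", level)
    for n in notes:
        print("  note:", n)
    print("this shell is elevated:", running_elevated())
```

      If running_elevated() prints True for the account you browse and read mail from, that account is not the standard user point 4 recommends, whatever the slider says.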
      • #118242

        Nice summary, Alex.

        The only thing I can’t agree with – as I am a power user and think VERY little of UAC – is this:

        always run with UAC to the max

        Essentially UAC assumes several things not in evidence:

        • The user is untrustworthy, and the system needs to protect itself from him/her.
        • The user WILL try to run malware, and it needs to be stopped at the last possible moment from installing things into the system.

        If you don’t choose to adopt that philosophy, it actually is possible to have a system that’s powerful and does your bidding without question. I sense that you are likely a conscientious enough user to achieve that ideal.

        To me it seems kind of like the difference between a person who avoids guns because “they’re dangerous” and suggests that everyone should be blocked from owning a gun, vs. someone who seeks training, develops good habits, chooses to use only high quality firearms, and uses their head – then enjoys shooting sports safely for a lifetime.

        I’m here to tell you that I have used Windows all day, every day, for many decades. I’m living proof that it’s NOT a given that malware MUST get in and has to be protected-against at the last moment by a UAC prompt. Instead, with appropriate application of protection “at the borders”, a conscientious user can enjoy powerful computing unhindered.

        Don’t you find it frustrating when you want to drop a file somewhere and the system pops up a prompt – or worse, responds with “I’m sorry Dave, I’m afraid I can’t do that”? I don’t know about you, but I choose to be the master; the technology is here to do my bidding.

        I try to work at the limits of my abilities, because that’s the level I’ve learned to work at to make money. Even one extra distracting/frustrating thing can cause me to lose my train of thought and forget an important detail.

        UAC is simply a poor implementation of a bad idea, and I’m willing to debate that seriously.

        -Noel

        2 users thanked author for this post.
        • #118250

          From 94% of critical Microsoft vulnerabilities mitigated by removing admin rights:

          “In total, 530 Microsoft vulnerabilities were reported in 2016, with 36% (189) given a critical severity rating. Of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year.”

          • #118253

            From the same report

            Despite being Microsoft’s newest and ‘most secure’ operating system to date, Windows 10 was found to have the highest proportion of vulnerabilities

          • #118296

            “In total, 530 Microsoft vulnerabilities were reported in 2016, with 36% (189) given a critical severity rating. Of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year.”

            And yet, somehow I’ve not managed to get one infection – ever. No daily MalwareBytes scan has turned up anything yet. And I don’t even run an active AV package.

            It doesn’t really matter what malware would do if it got in if it’s just not getting in. And even if it did get in, I’ve got backups, because even if I do everything I can to avert disaster I still plan for it.

            I probably sound a bit like a broken record and of course we’re not talking about “mindless protection for the masses” here. I consider it more like “risk assessment and workable practices for the thinking man”.

            Microsoft made UAC configurable in 7, but configurable ONLY through registry manipulation in 8 and 10, which, as it turns out, comes with a very nice “can’t use Apps without it” feature. More than fine by me, I have yet to see an App that does something interesting.

            The more Microsoft tries to push me to their insecure practices, the more it strengthens my resolve to do things my way instead.

            -Noel

            2 users thanked author for this post.
            • #118324

              Restoring a backup can’t undo previous transfers of data to the bad guys.

            • #118330

              I’ll wager my systems are far less likely to transfer data to bad guys than most.

              Did I mention the use of a deny-by-default firewall? Not to mention blacklists that disallow resolution of bad site names.

              -Noel
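              Added example (editor’s note, not Noel’s own tooling, which he does not describe): a Python checker for the kind of name blacklist referred to above, assuming the hosts-file format most published lists use (“0.0.0.0 bad.example”). It parses the list, ignoring comments and the ordinary localhost mappings, counts only sinkhole addresses as blocks, and then matches a hostname or any of its parent domains, the way a DNS-level filter would (stricter than the OS hosts file, which matches exact names only). The sample list is constructed for the demonstration.

```python
"""Offline check of hostnames against a hosts-file style blocklist."""
import ipaddress

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts_blocklist(text):
    """Return the set of blocked hostnames from hosts-file lines.
    Only lines that map a name to a sinkhole address (0.0.0.0, ::, or
    loopback) are blocks; a line mapping a name to a real address is an
    ordinary hosts entry and is ignored."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            sink = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not an address: junk line
        if not (sink.is_unspecified or sink.is_loopback):
            continue
        for host in parts[1:]:
            host = host.lower().rstrip(".")
            if host not in LOCAL_NAMES:
                blocked.add(host)
    return blocked


def is_blocked(hostname, blocked):
    """True if hostname or any parent domain is on the list."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


# Constructed sample list, not a real published blacklist.
SAMPLE_LIST = """
# sample hosts-style blocklist
127.0.0.1 localhost
::1 ip6-localhost
0.0.0.0 tracker.example
0.0.0.0 evil.example   # trailing comment is ignored
93.184.216.34 normal.example
this line is junk
"""

if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_LIST)
    for name in ("cdn.evil.example", "normal.example", "notevil.example"):
        print(name, "->", "BLOCK" if is_blocked(name, blocked) else "allow")
```

              The suffix match is the interesting part: a hosts file would let cdn.evil.example through even with evil.example listed, which is one reason DNS-level filtering (a resolver that applies the list) catches more than dropping the same list into C:\Windows\System32\drivers\etc\hosts.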

          • #118327

            How did Avecto tally this? I would guess by looking for the presence of text such as “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user” in Microsoft’s vulnerability descriptions (example).

        • #118272

          I almost wrote this one isn’t for Noel because I knew you would chime in on it! We had this discussion before. We have a difference in opinion and it is ok, but I don’t think your way is the way people in general should think, they are not Noel. I think Ascaris, who seems like a great power user too, highlighted the issue very well here. Almost nobody is impermeable to clicking the wrong link by mistake or because we are not omniscient about what hides behind each link on the Internet. However careful I am, I simply don’t think that, even if it is quite unlikely, I will not one day click on what seems a legitimate link that will bring me to a drive-by download. Accessing a compromised web page is enough to cause issues, you don’t need to download a file or open a tainted document. Sometimes, you will go to a hobbyist page about something that interests you. The person used a standard framework to do the web site, because he is not an IT expert, something happens on the web server or the ad servers his page uses and it starts to serve malware just by visiting the page. There is no amount of carefulness that can with absolute certainty prevent this scenario. This scenario doesn’t happen often, but it is the same as when people thought you could cry wolf about vulnerabilities like the one we just had with SMBv1. Not common, but the theoretical risk is there.

          Yes, you mitigate a lot more of the risk than others using your DNS filtering technique, but it is still a reactive approach in the sense that the list needs to be populated by people who noticed issues in the first place. Granted, your risk might be very low. Most people here don’t have this protection in place. I feel, even as a power user, more comfortable reducing my risk by reducing my power when not needed, but maybe I just like this idea from the Unix world (wink). I am not really annoyed by UAC, as most of my work doesn’t involve responding to UAC prompts. I think it is good advice for the general user to leave UAC at the max. For you and your evaluation of risk/benefits, I understand you choose not to use it and I respect that. I disable it on a test machine. But for production, I use it.

          About routers, we also discussed this and I don’t officially agree with everything, but I do the same thing as you at home because I have a similar evaluation of risk/benefit about it, since the newer stuff is clearly not made with security in mind in the consumer space and the added complexity of the bloat they add might make those bad devices even worse. At work, I run commercial firewalls that are proactively maintained and kept up to date. How can a firewall be compromised? Just look at any patch list of vulnerabilities from a commercial vendor and you will see how many vulnerabilities get patched all the time that can be exploited in a similar way to the SMBv1 problem, with a bad packet sent to random IP addresses to fish for treasures.

          I knew you would disagree on this one too but there is no truth here, those are opinions and your arguments are good in practice. One has to decide for himself when to stick more with theory and when it doesn’t work too well in practice. I can’t advise folks at home to buy a commercial firewall and configure it themselves + patch it constantly.

          1 user thanked author for this post.
          • #118295

            I’ll just add:

            Virtually anyone can configure their browser not to run software automatically by clicking on links or visiting web sites.

            But you’re right; horses for courses.

            Regarding my blacklists being “reactive”… Name something that isn’t. My lists update themselves every day (almost 400 changes just today). And beyond them, I have configured my systems to not automatically run things from unknown places. Lo and behold I can still browse; I can still get what I want online.

            New malware protection software comes out all the time with new ways to “watch for malicious activity”. How do you think they thought up those features? They are reacting to exploits seen in the wild by some unlucky soul somewhere and reported to them. AV software didn’t lead with “Anti-Ransomware” marketing before there was “Ransomware”.

            -Noel

            1 user thanked author for this post.
            • #118297

              I am not sure about being able to configure your browser so it doesn’t execute a drive-by download. MrBrian gave you a good example below about how having UAC in place can mitigate issues. Suppose we are in 2014. NSA’s secret list of vulnerabilities has been in the hands of bad guys already but nobody knows it yet, so no patch for it. You have a vulnerable library used to decode JPEGs in Windows and IE relies on it. You go to a web page, you see the corrupted image automatically loaded by your browser, because a browser is an executable that loads tons of potentially corrupted documents in the form of images or media files when it loads and displays a web page; so you get a buffer overflow, bang, your IE becomes something different: it runs the malware code embedded in it as itself, with all the privileges you granted it. FrankenIE is now in control of your computer. If you use full admin without UAC, IE as malware is much more powerful than the UAC-limited IE. Some people even go much more extreme with rights and create a limited user that can’t write to most places except a very specific set of folders, can’t run executables from temp folders, etc., and they use that account for browsing. I think you might be able to do that with SRP or AppLocker, but I am not familiar with them. In any case, the idea is to limit privileges as much as possible for browsing, which is a similar idea to UAC, or to not running as root on Unix, or even to using a VM or sandbox to browse, to some extent. It is an application of the principle of least privilege. I like this idea and always found Windows lacking in this respect. You never know how much access an MS program needs so as not to cripple your functionality if you try to restrict too much. You love having control over your computer. I understand that. I would add that I love the idea of having control over what each app can access.

              Do I want my browser to have the same privileges as me on my local file system, or would I prefer it having to ask me? I would prefer the latter.

              Yes, anti-exploits are reactive in a way too, but a mitigation can apply to a lot of new malware because it mitigates the problem and does not try to find all the places the problem, or a variation on it, is exploited on the Internet. UAC is proactive in the sense that it prevents a lot of issues by the fact that it reduces the power of a lot of malware that exists or doesn’t exist yet. Of course, there might be ways to bypass it, just like some EMET mitigations, but I like the idea that it prevents a whole class of problems from affecting you, if you don’t mindlessly click Yes each time you see the prompt, plus it is not a drag on resources. For people I help, I set a password so when they get the occasional UAC prompt, they can’t click it away. They have to stop a minute and think. I tell them: when it asks for a password, ask yourself, did I initiate an install that justifies that? Was I just browsing the web? If you are not sure, ask for help. I find this can help people be more careful and pay attention to the circumstances around the prompt.

              I think the main point where we don’t seem to see the same thing is that I strongly believe an executable like a browser can be turned into anything, due to the nature of a buffer overflow or similar code injection technique exploiting an unknown/unpatched vulnerability. Starting from there, the question is: would you then automatically grant full access to this modified code and let it run as admin, or would you prefer to limit the capacities of this on-the-fly-modified MS app?

              3 users thanked author for this post.
            • #118318

              You make a fair point that a browser could have heretofore unknown latent attack vectors, but I have some faith in the security subsystems already in Internet Explorer (even without UAC on task).

              I’ll playfully counter your hypothetical argument by conjecturing that there are likely ways around the UAC prompt for folks smart and well-funded enough to repurpose a browser through a corrupted JPEG. And there is of course the possibility of a mindless click-through, especially by someone who doesn’t like to be questioned by a computer. 😉

              I do keep up with updates on the systems on which I browse, if a few weeks after they’re released.

              Somehow I’ve clearly reduced my practical risk to be quite low. Lower than most, I’ll wager. I do no small amount of web browsing every day, and the hypothetical situation you describe just hasn’t happened. Frankly I’m a bit amazed at how well multi-sourced blacklists actually work. Quickly leveraging the knowledge of the rest of the world is a very powerful thing. It’s akin to active AV systems downloading new signature lists.

              I’ve noticed, by the way, that my lists have been growing lately owing to the good works at permmalwaredomains.com and others… Today I see 66,000+ specific sites and 28,000+ wildcarded names in my compiled lists. Oh, and regarding it being reactive, the wildcarded list does go a bit beyond that. That most web designers name their servers with human-readable, sensible names is no small detail.

              The thing at the core of our differences I think is a difference in philosophy: “Minimizing the risk of malware getting in” vs. “limit the damage if it does”. In my opinion the irritation of my computer system second-guessing my every move and blocking my progress is for me the more real thing, since UAC simply cannot be made unobtrusive. It’s the “devil I know”.

              -Noel

              2 users thanked author for this post.
            • #118597

              My philosophy is also to try to minimize the risk of malware getting in first, and I think patching and using EMET or some anti-exploit kit is a proactive action, in that it prevents the exploitation of some vulnerabilities used by the malware to get in, so it often effectively prevents malware from getting in, just like locking your front door.

              I also think a layered approach is best, and although I understand your inconvenience about using UAC even if I don’t suffer the same, I really don’t see any reason, except the hassle of setting it up initially, not to run the browser with low integrity instead of using UAC, as MrBrian does successfully with Firefox. It is not like it is going to bug you and slow you down once set up, or prevent you from doing anything special you need to do with the browser, unless there is something about your browsing needs I don’t understand. I personally think it is a very nice security addition and would like instructions on how to do it. For me, I would like a browser to have minimal access to my system at all times: just a download folder and a temp folder that is prevented from executing any file. That’s me being in control of my computer and its apps, not the computer being in control. I think maybe it is a compromise you would accept as a better alternative to UAC, in fact both theoretically and in practice, although it might not work that well with IE. I am not saying you should do it, because you don’t feel you need it and you can certainly think that, but I don’t see any reason to think there is any downside to it besides taking the time to learn how to do it and set it up. Security is always a trade-off of risk/benefits and resource investment. When it is easy to add another layer with not much downside, why not?

              You also add more steps than me in the minimization of malware getting in first because of your blacklists. I admit it is something I admire and that I would like to try if it were dead simple, required no time to research and set up, came with instructions, and didn’t require another machine. However, by itself, although it reduces risk, I don’t see it as a theoretical proof that it is working well enough to forgo other security measures, just as you were not convinced by the study MrBrian brought. It is very hard to know what is enough in practice. I don’t run blacklists, but I think my approach is not too bad and might be sufficient in most cases. I still would add the blacklist layer if the conditions highlighted above were met.

              You offer anecdotal evidence and inductive thinking based on your experience as a great power user with lots of different things working together to protect you, which is considered a logic flaw in theory but sometimes can be very convincing depending on context. I am glad to hear that you have had such success with this approach, and maybe the combination of things you do is really good in practice. I am truly impressed by the results you obtain from the way you configure your environment; I am just a bit surprised that someone as powerful and knowledgeable as you doesn’t go the step further when it is not an inconvenience (granting that UAC can be inconvenient). So, I would expect someone like you who likes control to be even more strict about what each app is entitled to do, and to enjoy having the browser in a restricted area, not leaving Windows a free-for-all where anything controls everything, just like when so many add-ons were automatically installed without warning by third-party software in Firefox. I would expect someone like you to maybe keep all power as admin so as not to be bothered, but at least use something to drop the rights of other apps to the minimum needed, and maybe not use third-party Windows add-ons too liberally. I just find that a bit out of character, in a way, no offense and with all respect. There is something paradoxical I don’t understand. It adds to the mystery of the character!

              1 user thanked author for this post.
            • #118729

              @AlexEiffel: To run Firefox.exe as a low integrity program:

              Here is a slightly modified version of the batch file that I run with admin privileges immediately after firefox.exe is updated: https://pastebin.com/4KZLvYMQ. See also https://www.wilderssecurity.com/threads/running-firefox-in-protected-mode-i-e-with-low-integrity-level-in-vista-or-later.357417/.

              1 user thanked author for this post.
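
The batch file linked above does the labelling with icacls. As an added example that is not the poster's script, here is a small Python wrapper that applies a Low integrity label to firefox.exe, to its profile folder (a low-integrity process cannot write to a Medium-labelled profile, so the profile needs the label too) and to a dedicated download folder, and then reads the label back from icacls to confirm it took. It is Windows only and must run from an elevated prompt; the three paths and the user name "alice" are assumptions, and the icacls output strings in the comments are constructed in the shape icacls prints.

```python
"""Added example (not the poster's batch file): label firefox.exe, its profile
folder and a download folder Low integrity with icacls, then verify the label.
Windows only; all three paths below are assumptions."""
import re
import subprocess
import sys
from pathlib import Path

FIREFOX_EXE = Path(r"C:\Program Files\Mozilla Firefox\firefox.exe")     # assumed path
PROFILE_DIR = Path(r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox")   # assumed path
LOW_DOWNLOADS = Path(r"C:\Users\alice\LowDownloads")                    # assumed path

# icacls prints a line such as "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"
# for a labelled folder and "Mandatory Label\Low Mandatory Level:(NW)" for a
# file; an object with no explicit label (Medium by default) prints no such line.
LABEL_RE = re.compile(
    r"Mandatory Label\\(?P<level>Low|Medium|High) Mandatory Level:"
    r"(?P<flags>(?:\([A-Z]+\))+)"
)


def icacls_set_args(target, level="low", inherit=False):
    """Command line for 'icacls <target> /setintegritylevel [(OI)(CI)]<level>'.
    (OI)(CI) makes a folder's label inherit to new files and subfolders."""
    spec = ("(OI)(CI)" if inherit else "") + level
    return ["icacls", str(target), "/setintegritylevel", spec]


def parse_integrity_label(icacls_output):
    """(level, flags) from 'icacls <target>' output, or None if unlabelled."""
    m = LABEL_RE.search(icacls_output)
    return None if m is None else (m.group("level"), m.group("flags"))


def is_low(icacls_output, need_inheritance=False):
    """True when the object carries a Low label (and, for folders, inherits it)."""
    label = parse_integrity_label(icacls_output)
    if label is None or label[0] != "Low":
        return False
    return not need_inheritance or ("(OI)" in label[1] and "(CI)" in label[1])


def apply_low_integrity(exe=FIREFOX_EXE, profile=PROFILE_DIR, downloads=LOW_DOWNLOADS):
    downloads.mkdir(parents=True, exist_ok=True)
    targets = [(exe, False), (profile, True), (downloads, True)]
    for target, inherit in targets:
        subprocess.run(icacls_set_args(target, "low", inherit), check=True)
    # Read the labels back: a silent failure here means Firefox still runs at Medium.
    for target, inherit in targets:
        out = subprocess.run(["icacls", str(target)], capture_output=True,
                             text=True, check=True).stdout
        if not is_low(out, need_inheritance=inherit):
            raise RuntimeError(f"{target}: Low integrity label not confirmed:\n{out}")


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Windows only: icacls integrity labels")
    apply_low_integrity()   # run from an elevated prompt
```

Because a Firefox update replaces firefox.exe, the label on the executable is lost at every update, which is why the poster re-runs the batch file afterwards; the same applies to this script.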
            • #119548

              From Reading Your Way Around UAC (Part 3):

              “On the mitigation side it’s simple:

              DON’T USE SPLIT-TOKEN ADMINISTRATOR ACCOUNTS FOR ANYTHING YOU CARE ABOUT.

              Or just don’t get malware on your machine in the first place 😉 About the safest way of using Windows is to run as a normal user and use Fast User Switching to login to a new session with a separate administrator account. The price of Fast User Switching is the friction of hitting CTRL+ALT-DEL, then selecting Switch User, then typing in a password. Perhaps though that friction has additional benefits.

              What about Over-The-Shoulder elevation, where you need to supply a username and password of a different user, does that suffer from the same problem? Due to the design of UAC those “Other User” processes also have the same Logon Session SID access rights so a normal, non-admin user can access the elevated token in the same way. Admittedly just having the token isn’t necessarily exploitable, but attacks only get better, would you be willing to take the bet that it’s not exploitable?”

              A discussion of this is at https://www.wilderssecurity.com/threads/reading-your-way-around-uac-3-part-blog.394300/.

              1 user thanked author for this post.
            • #119564

              Thanks for the research.

              The whole discussion is a bit too high level for me to grasp quickly and unfortunately I don’t have the time right now to try to understand all the subtleties of it.

              It seems to point out in the direction of the conclusions I reached a long time ago, that UAC can’t be considered secure and that OTS elevation is technically a mistake. However, it was maybe a smart tool to help people transition to a model where you don’t run admin by default. How many times have I seen badly written software needing admin rights for no reason and being unable to run as standard user on XP? Even years after the introduction of UAC, you would see some stupid things like Foxit software always needing admin rights each time it starts, just to check for potential updates, instead of having a separate process for that like Firefox, with the idiotic consequence that it would make you run your pdf reader, a prime vector of potential infection, as admin all the time. I think that despite examples like this, UAC in general helped software developers be more aware that maybe they should run compatible with standard user accounts and not be lazy. Everybody gains with that as all software designed to run in standard user accounts helps reduce risks anyway.

              I also still think that despite its flaws, it is better to run with UAC than fully admin, and that is why MS is still trying to make it work a bit, in response to the question the guy asks at the end of the article. The risk is probably smaller despite the flaws. I activate the requirement to press CTRL-ALT-DEL for each admin prompt in order to defeat a bit of the possible impersonation of the prompt. The question that is still not clear to me, and that maybe those links you posted answer, is: can a malware process running in a standard user account easily run undetected, listen to and intercept UAC prompts from other programs, and end up taking over easily this way? If so, then it is true that it is a very big flaw in theory, but I will pull a Noel here of pragmatism and will say that if it is so, there are already so many easier ways to infect a computer that work on users, many of them disabling UAC, that it might not be worth the effort of the bad guys to try harder to circumvent the security of more sophisticated users than to get easy targets. A bit like those million-dollar scams written on purpose with many English mistakes so they filter out from the start people who would likely not go far enough in the scam… Still, if it is too easy to not incorporate it at large in malware, it is worthless. However, in practice, I never heard of any malware exploiting this in the wild at large. I don’t go out of my way to find examples, though, and I know it doesn’t mean it won’t happen. I’m just curious what your thoughts are about that and if you have heard of examples. Still, I think UAC is better than nothing, if you know the person won’t run a single user account and switch (most normal users would find that too complicated, although it is as fast as responding to a UAC prompt with a password, maybe). For home folks like that, I create 2 accounts and activate UAC to the second account on the standard one they use for day to day.
              Having to respond with a password makes them think, and UAC prompts don’t appear very often for these users. They mostly use their computer through apps like Office and the browser.

              1 user thanked author for this post.
            • #118329

              I have configured Firefox to run as a low integrity program for years. The only places that Firefox is allowed to write are file system and registry locations that are marked low integrity.

            • #118326

              UAC isn’t considered a security boundary by Microsoft. That’s why I use a standard account, which is considered a security boundary by Microsoft.

              1 user thanked author for this post.
            • #118332

              To each his own. I use virtual machines for things that could be risky, like running software I haven’t run before, and my productivity using the things I trust is consistently better because Microsoft doesn’t regularly block me from doing things I need or want to do on my desktop, and I don’t have the system second-guessing everything I choose to do.

              No, I can’t guarantee that I will never be devastated by something that shouldn’t have run. But unfortunately, you can’t either. And we both have decades of experience to back up our thinking.

              Look at the world – in reality UAC and the practices that Microsoft promotes have done precious little to stem the tide of malware. Imagine that it’s actually possible to think about things beyond Microsoft’s mindset.

              The best we can hope to do is leverage our experience and knowledge to minimize the possibility of problems while at the same time maximizing productivity. It’s good that there are multiple ways to do that.

              -Noel

            • #118591

              Yes, and technically, OTS (over the shoulder) elevation is bad practice and should not be used in a professional setting, since it could be anything asking for elevation and impersonating a legitimate process. I do find however, that using UAC prompts with the requirement of a password instead of mindless clicking for some home users helps them pay more attention to what is going on and can help them be more secure.

            • #118594

              Part of what I’m doing this weekend is starting over from scratch with a Win 10 Creator’s installation.

              At first I left UAC on for a while.

              Ugh.

              Every stinkin’ time I start a CMD window elevated I need to answer a prompt? Applications like Autoruns restart themselves privileged. I can’t actually drag and drop files into some folders (e.g., a Program Files subfolder) – they go into a secret user-specific area but LOOK like they go into the folder specified.

              Uh, no thanks. The productivity hindrance is huge for someone who’s not a basic user, especially when trying to set up a new system!

              It’s off again, and a real breath of fresh air to be able to just do what I need to do.

              -Noel

            • #118598

              I activate UAC at the end of install, because yes, when you set up the computer, it is a much bigger pain than when using it.

            • #118331

              Internet Explorer can’t be configured to be invulnerable to unwanted code execution. Microsoft regularly fixes such issues. Recent example: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0222.

            • #118333

              You should consider avoiding using such terms as “invulnerable”. It’s a fantasy that anything could be invulnerable. It’s about risk. Minimizing risk is the best we can hope for.

              I would argue my browser has a significantly lower chance of visiting that “specially crafted web site”, or one that tries to exploit an unpatched vulnerability.

              What I DON’T allow to run is ads, or ActiveX, or things in iFrames. I see the desired content with greatly reduced risk.

              Let us not forget that Microsoft has delivered their browsers with gaping, wide-open security settings configured, even though they could be made much more secure. Think, and you’ll realize that they’re not particularly technically smart about security. Marketers are involved.

              -Noel

            • #118342

              From Paint It Black: Evaluating the Effectiveness of Malware Blacklists (2014):

              “Blacklists are commonly used to protect computer systems against the tremendous number of malware threats. These lists include abusive hosts such as malware sites or botnet Command & Control and dropzone servers to raise alerts if suspicious hosts are contacted. Up to now, though, little is known about the effectiveness of malware blacklists.

              In this paper, we empirically analyze 15 public malware blacklists and 4 blacklists operated by antivirus (AV) vendors. We aim to categorize the blacklist content to understand the nature of the listed domains and IP addresses. First, we propose a mechanism to identify parked domains in blacklists, which we find to constitute a substantial number of blacklist entries. Second, we develop a graph-based approach to identify sinkholes in the blacklists, i.e., servers that host malicious domains which are controlled by security organizations. In a thorough evaluation of blacklist effectiveness, we show to what extent real-world malware domains are actually covered by blacklists. We find that the union of all 15 public blacklists includes less than 20% of the malicious domains for a majority of prevalent malware families and most AV vendor blacklists fail to protect against malware that utilizes Domain Generation Algorithms.”

              1 user thanked author for this post.
            • #118349

              Thanks for the link, though I’m not particularly inclined to buy a paper that refutes my experience just for the purposes of seeing the flaws in how they checked their data (though I admit I’d like to know the list sources they used; there are no doubt some I don’t know about).

              And, Springer is not a particularly respectable publisher IMO, and I’m not inclined to pay them. The money might never get back to the author(s). That’s not just an idle statement; I’ve published through them myself.

              In my experience most internet badware comes in through ads and ActiveX / Add-ons. Not having the browser retrieve them in the first place, and of course not allowing things to run in iFrames (via alternate browser configuration) is actually very effective, regardless of the doom and gloom the above paper might suggest.

              On another front, “data leakage” goes out through tracking. Are you blocking the tracking done by many web sites (including this one)?

              [27-May-17 13:36:39] Client 192.168.2.32, ws-na.amazon-adsystem.com A not found (1) --- blacklisted by DNS proxy ---
              [27-May-17 13:36:39] Client 192.168.2.32, www.googletagservices.com A not found (1) --- blacklisted by DNS proxy ---
              [27-May-17 13:36:39] Client 192.168.2.32, z-na.amazon-adsystem.com A not found (1) --- blacklisted by DNS proxy ---
              [27-May-17 13:36:39] Client 192.168.2.32, ir-na.amazon-adsystem.com A not found (1) --- blacklisted by DNS proxy ---
              

              You are always welcome to try what I’m doing for yourself, in addition to whatever protections you have in place. You might find those other protections no longer being tested.

              -Noel

              1 user thanked author for this post.
            • #118364

              That paper is available for free on Google Scholar if you are interested.

              ‘On another front, “data leakage” goes out through tracking. Are you blocking the tracking done by many web sites (including this one)?’

              For Firefox, I use Ghostery, Adblock Plus, NoScript, and some others. I think some privacy conscious folks reading this who have never looked into what happens when browsing the web would be amazed, and perhaps not in a good way.

            • #118557

              That paper is available for free on Google Scholar if you are interested.

              Or, you can download the paper directly from

              https://www.ais.rub.de/media/emma/veroeffentlichungen/2014/07/08/TR-HGI-2014-002.pdf

              (VirusTotal shows a detection ratio of 0/51 for the downloaded PDF.)

              2 users thanked author for this post.
            • #118599

              Thank you. I do have a bit of enlightenment in having seen the paper… The lists they analyzed don’t include those I actually use!

              These are my sources, which I find to provide a VERY good set of site and domain names to blacklist in combination with one another:

              In total, I have 66,245 blacklisted servers and 28,238 wildcarded entries (mostly domains of the form of *.baddomain.com, but also things like ads.*, tracking.*, etc.). My own lists (including a fair number of wildcarded entries) I have gathered by watching network traffic over time. It’s likely skewed to protect the kinds of surfing we do here because of that, but hey, it’s here I’m trying to protect. 🙂

              I like the ideas in the paper, and knowing them I believe I will strive to give my list compilation process some additional complexities. Some ideas I am considering:

              • Elimination of sinkholed or parked domains using the mechanisms the paper outlines.
              • Creating logic that identifies dynamically generated domain names and blocks them.
              • I may follow their lead and analyze the sources I do use to try to determine effectiveness.

              Thank you for sharing that link, windows7forever!

              -Noel
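
As an added example, not Noel's actual DNS proxy or list-compilation scripts, here is Python that does three of the things discussed in this post and in the DNS proxy log excerpt further up: it compiles a list of exact host names plus the two wildcard shapes mentioned (*.baddomain.com and ads.*), checks the names queried in proxy-style log lines against it, and applies a crude entropy heuristic to flag the dynamically generated names the post wants to block. The list entries, the client addresses, baddomain.example, publisher.example and the generated-looking name are constructed placeholders, and the log lines are constructed in the shape of the excerpt.

```python
"""Added example: compile a DNS blacklist with exact and wildcarded entries,
check resolver-log queries against it, and flag DGA-looking names.
Not Noel's tooling; every entry, address and log line here is constructed."""
import math
import re
from collections import Counter

# Constructed entries. Two wildcard shapes are supported, the ones named in the
# thread: "*.domain" (any host under domain, apex included) and "label.*" (any
# host whose leftmost label is, e.g., "ads"). baddomain.example is a placeholder.
EXACT_ENTRIES = ["ws-na.amazon-adsystem.com", "www.googletagservices.com"]
WILDCARD_ENTRIES = ["*.baddomain.example", "ads.*", "tracking.*"]

# Constructed log lines in the same shape as the DNS proxy excerpt in the thread.
SAMPLE_LOG = """\
[27-May-17 13:36:39] Client 192.168.2.32, ws-na.amazon-adsystem.com A not found (1) --- blacklisted by DNS proxy ---
[27-May-17 13:36:40] Client 192.168.2.32, www.askwoody.com A 198.51.100.10
[27-May-17 13:36:41] Client 192.168.2.40, ads.publisher.example A not found (1) --- blacklisted by DNS proxy ---
[27-May-17 13:36:42] Client 192.168.2.40, xk3j9qz8plw2vt.com A 203.0.113.9
"""

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client (?P<client>[^,\s]+), (?P<name>\S+) (?P<rtype>\S+) (?P<rest>.*)$"
)


class Blacklist:
    def __init__(self, exact, wildcard):
        self.exact = {e.lower().rstrip(".") for e in exact}
        self.suffixes, self.prefixes = set(), set()
        for w in wildcard:
            w = w.lower().rstrip(".")
            if w.startswith("*."):
                self.suffixes.add(w[2:])
            elif w.endswith(".*"):
                self.prefixes.add(w[:-2])
            else:
                raise ValueError(f"unsupported wildcard form: {w}")

    def match(self, name):
        """Describe the entry that blocks name, or None if it is allowed."""
        name = name.lower().rstrip(".")
        if name in self.exact:
            return "exact"
        labels = name.split(".")
        for i in range(len(labels)):            # apex and every subdomain
            suffix = ".".join(labels[i:])
            if suffix in self.suffixes:
                return f"suffix:*.{suffix}"
        for i in range(1, len(labels)):         # leading label(s); a tail must remain
            prefix = ".".join(labels[:i])
            if prefix in self.prefixes:
                return f"prefix:{prefix}.*"
        return None


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["blacklisted"] = "blacklisted by DNS proxy" in rec["rest"]
    return rec


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(name):
    """Crude DGA heuristic on the label left of the TLD: long and high-entropy,
    or long with almost no vowels. Assumes a single-label public suffix; names
    under co.uk-style suffixes would need a public suffix list."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    return (len(label) >= 12 and shannon_entropy(label) >= 3.5) or \
           (len(label) >= 10 and vowel_ratio < 0.15)


def audit_log(text, blacklist):
    """Per client: query count, names the proxy or the list blocked, and names
    that resolved but look machine-generated (candidates for the list)."""
    report = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        r = report.setdefault(rec["client"], {"queries": 0, "blocked": [], "suspicious": []})
        r["queries"] += 1
        if rec["blacklisted"] or blacklist.match(rec["name"]):
            r["blocked"].append(rec["name"])
        elif looks_generated(rec["name"]):
            r["suspicious"].append(rec["name"])
    return report


if __name__ == "__main__":
    for client, summary in audit_log(SAMPLE_LOG, Blacklist(EXACT_ENTRIES, WILDCARD_ENTRIES)).items():
        print(client, summary)
```

The entropy rule is deliberately coarse: it separates a label of 14 distinct characters from ordinary vendor names, but a hand-tuned threshold like this will mislabel some long legitimate names, so treat its hits as list candidates to review rather than as automatic blocks.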

            • #118899

              Several of those blacklists are included in the built-in 3rd-party filter lists of uBlock Origin.

              That is the first plugin that I install in every browser used, even if it is in a VM.  🙂

              Windows 10 Pro 22H2

              1 user thanked author for this post.
        • #118280

          Example of UAC benefit: From WannaCry Ransomware Outburst:

          “If you have been hit by WannaCry – during the infection

          In some cases (depending on the privileges acquired by the malware during its execution), if your system is running one of the following Microsoft Windows versions:

          Windows 7, Windows 8, Windows 8.1, Windows 10 with UAC (User Account Control) and shadow copies enabled prior to infection, it is possible to prevent the deletion of the backups of the system even if the rest of the files have been encrypted by WannaCry. In order to manage this

          Pay attention and DO NOT click YES on the UAC prompt window appearing during the infection

          Since the operation for deleting the shadow copies of the system requires local administrator rights the User Account Control will prompt the user for allowing elevated privileges in order to execute the operation.

          If the user follows the aforementioned recommendation, the existing shadow copies will not be deleted by the ransomware. Therefore, the user can disinfect the machine and then proceed in restoring all of the files using their shadow copies, which are intact, by following this guide.”

          • #118319

            Pay attention and DO NOT click YES on the UAC prompt

            Therein lies the rub. People focus on what they want to do, not on what they have to do to make their computer comply with their wishes.

            Mindless click through is one of the biggest problems with UAC in general.

            YOU wouldn’t, and I probably wouldn’t (if I ever saw such a prompt), but…

            -Noel
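
The shadow-copy deletion the quoted advisory describes needs local administrator rights, which is exactly why the UAC prompt appears during the infection. As an added example, not taken from the advisory, from WannaCry itself or from any vendor's rule set, here is Python detection logic that flags the commands used to destroy local recovery options (shadow copies, boot recovery, the backup catalog; MITRE ATT&CK T1490, Inhibit System Recovery) in process-creation records that carry the command line and the integrity level, as Sysmon Event ID 1 does. The records, the dropper path and the chained command line are constructed.

```python
"""Added example: flag the commands ransomware runs to destroy local recovery
options, all of which need administrator rights and so sit behind the UAC
prompt the advisory describes. Constructed records; not WannaCry's code and
not a vendor rule set."""
import re

# Patterns run against a lower-cased, whitespace-collapsed command line.
RULES = [
    ("shadow_copy_delete",    r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    ("shadow_copy_delete",    r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("shadow_copy_delete",    r"\bwin32_shadowcopy\b.*\.delete\("),
    ("shadow_storage_resize", r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b"),
    ("recovery_disabled",     r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("recovery_disabled",     r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("backup_catalog_delete", r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b"),
]
COMPILED = [(tag, re.compile(rx)) for tag, rx in RULES]
DESTRUCTIVE = {"shadow_copy_delete", "recovery_disabled", "backup_catalog_delete"}
ELEVATED = {"high", "system"}   # integrity levels that mean admin rights were obtained


def normalise(cmdline):
    return " ".join(cmdline.lower().split())


def classify(cmdline):
    """Sorted list of tags matched by one command line (a chained
    'a & b & c' line yields the union)."""
    text = normalise(cmdline)
    return sorted({tag for tag, rx in COMPILED if rx.search(text)})


def scan_events(events):
    """Alerts for records that match. A destructive command from an elevated
    process is 'high'; the same command from a Medium/Low process is 'medium':
    it fails with access denied on a default install, but something on the box
    is trying, and the UAC prompt from the advisory may be next."""
    alerts = []
    for ev in events:
        tags = classify(ev["cmdline"])
        if not tags:
            continue
        elevated = ev["integrity"].lower() in ELEVATED
        if DESTRUCTIVE & set(tags):
            severity = "high" if elevated else "medium"
        else:
            severity = "low"               # shadow storage resize: admin hygiene or abuse
        alerts.append({"time": ev["time"], "user": ev["user"], "parent": ev["parent"],
                       "integrity": ev["integrity"], "tags": tags, "severity": severity})
    return alerts


# Constructed records (hypothetical host, user, dropper path and times).
SAMPLE_EVENTS = [
    {"time": "2017-05-12T10:01:03", "user": "HOME\\alice", "integrity": "High",
     "parent": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "cmdline": ("cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
                 " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                 " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet")},
    {"time": "2017-05-12T10:01:09", "user": "HOME\\alice", "integrity": "Medium",
     "parent": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"time": "2017-05-12T10:05:00", "user": "HOME\\alice", "integrity": "High",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin list shadows"},
    {"time": "2017-05-12T23:00:00", "user": "HOME\\alice", "integrity": "High",
     "parent": r"C:\Program Files\BackupTool\agent.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%"},
    {"time": "2017-05-12T23:00:05", "user": "NT AUTHORITY\\SYSTEM", "integrity": "System",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["time"], alert["parent"], alert["tags"])
```

The second record is the one the advisory's advice is about: if the user declines the prompt, the elevated copy never starts and the only trace is the Medium-integrity attempt, so alert on that attempt rather than waiting for a High-integrity one.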

      • #118252
        3 users thanked author for this post.
        • #118271

          All credits to you. I remembered it was good advice taken from here!

          1 user thanked author for this post.
    • #118186

      One last thing: once in a while, patch your router firmware and make sure it is still supported by the company who made it.

      This is becoming more and more important as the miscreants are realizing that non-PC devices are soft targets (and this is only set to get worse as “IoT” becomes an unfortunate reality).

      My router (WNDR3700, v1) was abandoned by Netgear long ago, but fortunately, it’s a popular model that has DD-WRT available, so it’s updated very often.

      If you use your ISP’s router, well, hope they patch it, but don’t hold your breath. You could install a firewall behind for added protection.

      I just upgraded my internet service about a month ago, but even now, the modem/router’s wireless AP is inferior to my ~7 year old Netgear.   The ISP’s offering is BGN, 2.4 GHz only.  I doubt its routing performance is any better.

      I can pick up about 30 SSIDs from my house at any given time, including all of three on the 5 GHz band (one is mine), with no overlap using 40 MHz bonded channels.  The rest of the wireless users are fighting over 3 non-overlapping channels (and if they’re using the channel bonding N feature, NO non-overlapping 40 MHz channels).

      For this reason, I use my trusty old router (which, btw, is still in production, in version 7 or something like that now… mine’s version 1, and any firmware support for v.1 was pretty much forgotten when v.2 arrived).  Netgear used cr**py capacitors that were bulged when I opened the unit to check them, so I did have to replace those, but it’s up and running like new with the better-than-new caps.  The ISP unit gets set to transparent bridging mode (after I have turned off the wireless radio), and my router does the work.

      For me, I feel the free lightweight EMET and the combination of the things I mentioned is enough.

      So, naturally, with EMET being useful, MS has decided to kill it, supposedly because Windows 10 doesn’t need it, and only Windows 10 matters.  I don’t buy that Windows 10 itself is so good that it eliminates the need for EMET for a moment, personally.

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
      Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

      3 users thanked author for this post.
      • #118240

        And I call BS on that one. I really don’t think it is true that EMET is not needed on Windows 10. There is no way all the protections EMET contains are offered for third-party apps on Windows 10 and are all turned on by default, or else there would be tons of users complaining some of their old software doesn’t work, as some of it is not compatible with mandatory ASLR, to name one example, or until recently, Firefox suddenly slowed down when using EAF+ after the last EMET update if using the 32-bit version (strange, strange…).

        Since to my knowledge there is no customization of app mitigations in the protection level of Windows 10, I am pretty sure they only mean “EMET is not needed on Windows 10 for the browser if you use Edge as the browser, as the protections are built into it”. To me, this is really not sufficient to kill EMET. How will they test new mitigations and offer them ahead for power users if they kill EMET? How will they offer mitigations to third-party software if they kill EMET?

        So the future is to use only MS products or endure less security than on Windows 7 with EMET?

      • #118247

        Let’s discuss this…

        How might “miscreants” try to compromise a router that’s got its management interfaces and ports shut off to the outside world?

        The only ways I can think of, offhand, are:

        • Via packets involved with actual routing (e.g. RIP). Can a “miscreant” out in the big, wide world generate such a packet destined for your router? Or would they have to “jack in” to your local link? The chance of the latter seems small. If the router responds to essentially nothing “typical” (i.e., TCP connections or UDP packets) and doesn’t advertise its presence to the world, how could “miscreants” choose to target it?
        • Via wifi. One should, of course, set up the maximum level of security possible on your wifi, which includes using the highest level of wireless security the systems will support. Also invoking things like MAC filtering is a good idea, though not bullet-proof because of the possibility of spoofing. The “miscreant” would have to be just outside and be a determined adversary vs. a casual hacker, which seems to reduce the overall risk.
        • Via “infections” that have already managed somehow to get into the systems on the LAN, presuming the router’s management interfaces are still open to those systems. Managing local systems carefully against the acquisition of malware is therefore highly important.

        As one who can no longer keep my router “up to date” with the latest of the manufacturer’s “cloud-integrated” firmware, which has been dumbed-down to where features I require are no longer available, I need to think about these things. Sure, I could get another router, but this one still works very well in the ways that matter most to me.

        I’m under no misconception that “new” means “less vulnerable”. Programmers make mistakes today, just as they did a few years ago. Patches can surely open new vulnerabilities as well as closing old ones. And let’s not forget that the world is just as steeped in malware today as it ever has been. No, newer is not always better.

        It has even occurred to me that a non-current device that’s no longer mainstream might have fallen somewhat off the radar for some of the “miscreants” out there. They tend to pay attention to modern, common targets.

        -Noel

        3 users thanked author for this post.
    • #118199

      I saw that Malwarebytes 3 now includes Anti-Ransomware. 🙂

      I uninstalled my Malwarebytes Home (Premium) which had a lifetime license and then downloaded and installed Malwarebytes 3 and used my Key and License from previous Malwarebytes to register Malwarebytes 3 without a problem!!! 🙂 🙂 🙂

      Thought some of you might want to know this if you currently have the previous version of Malwarebytes installed.

      This is especially cool since my previous version was a LIFETIME license and they now use a subscription/yearly.

      The Lifetime license transferred.

      Mike In Texas

      2 users thanked author for this post.
    • #118211

      Mike,

      I’m using MBPro on two PCs with “forever” licenses. It sounds like you got a very good deal from MB. My few interactions with them (forums, etc.) seemed to deprecate my current model of their program.

      Any hitches in that get-along when you updated?

      Jim

      jimzdoats

      • #118224

        Jim,

        It really isn’t a “deal” since all I did was download the new Malwarebytes 3 and use my previous “forever” license. I didn’t have to talk or interact personally with any rep.

        Just thought it was worth trying.

        Since the move by many companies from “forever licenses” to yearly subscriptions (MS in the future?) it’s really cool when nearly all my licensed software is “forever”, such as my previous version of Acronis TrueImage Disk backup software.

        Why would I accept many of the cheap “upgrade” options to the newest versions (with yearly subscriptions) when the previous software does everything I need and was purchased with “forever” full license at the time? 🙂

        I always do two full image backups (2x a month) and prior to doing software upgrades in case I need to restore.

        I noticed one positive result of the new Malwarebytes 3 is that the customized scan of my C: drive (500GB SSD) with all options checked is a LOT faster now. 🙂

        The only slightly negative thing I noticed is that I used to just X (close) out of Firefox and everything was ok. Now it can still show as a process and I have to kill it in order to open it again. But if I exit out of Firefox it doesn’t leave its process in the task manager. I just need to change my habit and exit out.

        Other than that it seems to be faster and it found one “pup” that the previous version didn’t in stored old programs.

        Mike

        Mike In Texas

    • #118321

      And yet, somehow I’ve not managed to get one infection – ever. No daily MalwareBytes scan has turned up anything yet. And I don’t even run an active AV package.

      It doesn’t really matter what malware would do if it got in if it’s just not getting in. And even if it did get in, I’ve got backups, because even if I do everything I can to avert disaster I still plan for it. I probably sound a bit like a broken record and of course we’re not talking about “mindless protection for the masses” here. I consider it more like “risk assessment and workable practices for the thinking man“.

      Microsoft made UAC configurable in 7, but configurable ONLY through registry manipulation in 8 and 10, which comes with an as it turns out very nice “can’t use Apps without it” feature. More than fine by me, I have yet to see an App that does something interesting. The more Microsoft tries to push me to their insecure practices, the more it strengthens my resolve to do things my way instead. -Noel

      Great post as always. The more I read your posts, the more I see that if I had your levels of experience with these kinds of things, I’d be running my PC exactly like you with the micromanaging what connections come and go and all that stuff. It’s lots of fun to do things like that and I do what I can.

      I’ve had to mess around with UAC a bit due to TrustedInstaller getting in my way at times, but not much otherwise. I much prefer to prevent any malware from getting into my PC in the first place and I can’t remember the last time anything serious happened on that front, but it’s been a really long time.

      I have my browser configured to not download anything to any location without my explicit permission and instructions and as far as “drive-by” stuff, I have no issues with that between uBlock, ABP and a properly configured uMatrix, nothing has managed to get through that even before I discovered the brilliant uMatrix program. If I click on a site and I get a warning about the site being suspicious and potentially dangerous, I click the back button and either find another site to get the same information or just forget about it altogether. Even then, I rarely get warnings from them as it has become easier to pick out the bad sites from the good ones.

      On top of that, I do run MWB Pro, Avast and have added CryptoPrevent in the recent future on top of a firewall and have noticed no slowdowns of any kind even with real-time protection running on all of them. They don’t even warn me anymore because the measures I take in my browser catch anything before it even gets that far, but they would catch it too if I allowed it to and have in the past.

      CPU usage is zero and I can’t remember the last time an active scan turned up anything at all and I browse a lot and any issues I had in the distant past were completely my fault and have not happened again. Learning the hard way isn’t ideal for most people, but I find that it is certainly the most effective teacher. Keeping the bad stuff out is certainly possible and does require some things to be precisely configured, but it’s possible to avoid all of it. Discovering uMatrix really completed my web of protection, so I have many layers in place and none of them slow down my PC at all. If they did, I’d get rid of them and replace them.

      2 users thanked author for this post.
    • #119595

      I am not sure about being able to configure your browser so it doesn’t execute a drive-by download. MrBrian gave you a good example below about how having UAC in place can mitigate issues. Suppose we are in 2014. NSA’s secret list of vulnerabilities has been in the hands of bad guys already, but nobody knows it yet, so no patch for it. You have a vulnerable library used to decode jpgs in Windows and IE relies on it. You go to a web page, you see the corrupted image automatically loaded by your browser because a browser is an executable that loads tons of potentially corrupted documents in the form of images or media files when it loads and displays a web page, so you get a buffer overflow, bang, your IE becomes something different, it runs the malware code embedded as itself with all the privileges you granted it. FrankenIE is now in control of your computer. If you use full admin without UAC, the IE as a malware is much more powerful than the UAC-limited IE.

      Some people even go much more extreme with rights and create a limited user that can’t write to most places except a very specific set of folders, can’t run executables from temp folders, etc. and they use that account for browsing. I think you might be able to do that with SRP or Applocker, but I am not familiar with them. In any case, the idea is to limit privileges as much as possible for browsing, which is a similar idea to UAC or not running root on Unix or even using a VM or sandbox to browse, to some extent. It is an application of the principle of least privilege. I like this idea and always found Windows lacking in this respect. You never know how much access an MS program needs to not cripple your functionalities if you try to restrict too much.

      You love having control over your computer. I understand that. I would add I love the idea of having control over what each app can access. Do I want my browser to have the same privileges as me on my local file system or would I prefer it having to ask me? I would prefer the latter.

      Yes, anti-exploits are reactive in a way too, but a mitigation can apply to a lot of new malware because it mitigates the problem and does not try to find all the places the problem or a variation on it is exploited on the Internet. UAC is proactive in the sense that it prevents a lot of issues by the fact that it reduces the power of a lot of malware that exists or doesn’t exist yet. Of course, there might be ways to bypass it just like some EMET mitigations, but I like the idea that it prevents a whole class of problems from affecting you, if you don’t mindlessly click yes each time you see the prompt, plus it is not a drag on resources.

      For people I help, I set a password so when they get the occasional UAC prompt, they can’t click it away. They have to stop a minute and think. I tell them when it asks for a password, ask yourself: did I initiate an install that justifies that? Was I just browsing the web? If you are not sure, ask for help. I find this can help people be more careful and pay attention to the circumstances around the prompt.

      I think the main point where we don’t seem to see the same thing is I strongly believe that an executable like a browser can be turned into anything due to the nature of a buffer overflow or similar code injection technique exploiting an unknown/unpatched vulnerability. Starting from there, the question is would you then automatically grant full access to this modified code and let it run as admin, or would you prefer to limit the capacities of this modified-on-the-fly MS app?

      Well said.  That is why I chose HitmanPro.Alert as my anti-exploit defense.  They don’t have to identify all of the malware exploit variants out there.  They just have to plug the known avenues that ALL exploits need to choose from.  That is a finite number, and a good anti-exploit tool should be able to prevent an exploit from hijacking a privileged process, based on any of the known exploit methods, without needing any malware signatures.

      Windows 10 Pro 22H2

      1 user thanked author for this post.
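      The post above recommends making UAC prompts ask for a password rather than a one-click "Yes", so that an elevation request from a hijacked browser has to be consciously approved. The following PowerShell script is an added example for this thread, not code from any poster or product discussed here: it reads the policy values that control that behaviour from the standard UAC policy key and, optionally, sets them so that every elevation prompt demands credentials on the secure desktop. The function names `Get-UacPosture` and `Set-UacRequirePassword` are this example's own; the registry key and value names are the documented Windows ones.

```powershell
# Added example (not from the thread): audit and harden the UAC prompt policy.
# Run from an elevated PowerShell 3.0 or later. Only Get-UacPosture is called
# by default; uncomment the last line to apply the stricter setting.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# ConsentPromptBehaviorAdmin (accounts in the Administrators group):
#   0 = elevate silently
#   1 = prompt for credentials on the secure desktop
#   2 = prompt for consent on the secure desktop
#   3 = prompt for credentials
#   4 = prompt for consent
#   5 = prompt for consent for non-Windows binaries (Windows default)
# ConsentPromptBehaviorUser (standard users):
#   0 = automatically deny elevation requests
#   1 = prompt for credentials on the secure desktop
#   3 = prompt for credentials (Windows default)

function Get-UacPosture {
    $p = Get-ItemProperty -Path $UacKey

    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        # True when an admin-group user cannot simply click "Yes":
        # values 1 and 3 both require typing a password.
        AdminMustTypePassword      = ($p.ConsentPromptBehaviorAdmin -in 1, 3)
        # True when a standard user's request is never silently denied
        # and is answered with credentials rather than a bare consent click.
        StandardUserMustTypePassword = ($p.ConsentPromptBehaviorUser -in 1, 3)
        # The secure desktop keeps other processes from drawing over or
        # clicking the prompt, so it should stay enabled.
        UsesSecureDesktop          = ($p.PromptOnSecureDesktop -eq 1)
    }
}

function Set-UacRequirePassword {
    # Make every elevation, for admins and standard users alike, ask for a
    # password on the secure desktop. A change to EnableLUA needs a reboot.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorUser  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Get-UacPosture
}

Get-UacPosture | Format-List
# Set-UacRequirePassword | Format-List
```

      The "limited user for browsing" idea from the same post is the simplest way to get the standard-user behaviour: with the account outside the Administrators group, ConsentPromptBehaviorUser governs the prompt, and a value of 1 means the person has to know an administrator's password before anything elevates. A value of 0 goes further and refuses elevation outright, which is a reasonable choice for a browsing-only account.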