Tips on blocking 'difficult' services..

That is outbound *monitoring*, whereas Sebastian was talking about outbound *filtering*. It is undisputed that outbound monitoring can give you pointers in case of an infection, but that has nothing to do with the fact that outbound *filtering* is not reliable and should thus not be regarded as a security measure.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Could you *please* fix your quoting? It is common practice to prefix quoted text with ">" or "> " instead of putting it in quotes. Most newsreaders will display prefixed text in a different color, thus making it easier for the reader to distinguish between quoted text and your text.

There's a lot of things you can do, e.g.:

- Use a system (and filesystem) that does support privilege separation.

- Use a normal user account. Use the admin account only to accomplish admin tasks.

- Keep your system and all the software on it up-to-date, preferably through automated updates.

- Install a virus scanner and keep it up-to-date.

- Avoid IE and OE like the plague. Use some other web browser, mail client and newsreader instead.

- Disable autostarts for removable media.

- Configure your software correctly. Most so-called "phone homes" are misinterpreted valid, though probably unnecessary requests.

- Don't install software you don't trust.

- Don't open attachments from mail if you didn't request that attachment. ...

Yes. Well, sort of. It would have been even better if they had decided to run services only when they are needed, and to allow binding them only to the interfaces they're needed on. Mac OS X gives a good example of how this can be done.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Any experience with rootkits? Some tips on detection, software or technique?

Currently I'm using Sysinternals rootkit revealer, any other suggestion?

Reply to
alf

Yes: get serious, working software. Seriously, once I sufficiently securely configure a Windows box, Rootkit Revealer stops working due to multiple issues/defects.

There are various other tools that provide better analysis points. System Virginity Verifier, VICE, Rootkit Detector 2, Gmer, Ice Sword, DarkSpy, Flister, knlps and IAT Hooks Analyzer.

At any rate, these are only good for verifying an assumed compromise or for analyzing suspicious system behaviour. General detection is not a good idea (rather try to prevent it in the first place), and cleaning (as offered by some) is an even more stupid idea.

And, as well, you should know what you're doing. You should know what software hooks which functions (with what functionality) for which purpose. I don't wonder that the Toshiba ACPI Driver Utilities hook FlushCurrentTLBEntry (which is related to ACPI functionality) or that PolicyMaker AppSecurity hooks NtCreateProcess (obvious).

Reply to
Sebastian Gottschalk

I noticed that. I don't need it for my Windows box.

Thx on info.

I know, but I have to say to somebody why I'm formatting his/her disk, and the reason has to be "visible".

Reply to
alf

No, you don't. You have to give reasons why you would do it, being visible or not, and let them decide. If they don't want to follow your suggestion, then stop the procedure immediately, charge them the money for your service so far, and leave.

Reply to
Sebastian Gottschalk

And actually use the features! :-)

"To err is human. But to achieve maximum damage you have to run as an admin, at best without even knowing it."

And also provides good documentation on this topic. Ever seen Mandriva Linux? Paps X11, CUPS and SUN-RPC to the internet and doesn't even contain any hint on configuration.

Reply to
Sebastian Gottschalk

suggestion?

I've not come across any rootkits as yet. Not without the delivery system being caught by the AV, anyway.

Regular checks on the system include running InCtrl5 to look for basic system changes and an offline scan once a week for any alternate data streams and a full hash check of all system files.

Hopefully I should pretty much catch anything hiding there.

Bogwitch.

Reply to
Bogwitch
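An added example (not from the thread or any of its participants) of the weekly check Bogwitch describes: a SHA-256 baseline of system files compared on each run, plus a scan for NTFS alternate data streams. The paths in `$Root` and `$Baseline` are placeholder assumptions; it assumes an elevated PowerShell 5.1 or later session.

```powershell
# Added example, not from the thread: integrity baseline + ADS scan.
# Assumed placeholder paths; adjust to the directories you actually want covered.
param(
    [string]$Root     = "$env:SystemRoot\System32",
    [string]$Baseline = "$env:ProgramData\integrity-baseline.json",
    [switch]$Update   # rebuild the baseline instead of comparing against it
)

# SHA-256 of every file under $Path, keyed by full path.
function Get-HashTable([string]$Path) {
    $table = @{}
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h) { $table[$_.FullName] = $h.Hash }
    }
    return $table
}

# Files carrying a named stream besides the default ':$DATA'. 'Zone.Identifier'
# is the usual benign one (download marker); anything else deserves a closer look.
function Get-AlternateStreams([string]$Path) {
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

$current = Get-HashTable $Root
if ($Update -or -not (Test-Path $Baseline)) {
    $current | ConvertTo-Json | Set-Content -Path $Baseline
    Write-Host "Baseline written: $($current.Count) files -> $Baseline"
    return
}

# Load the stored baseline back into a hashtable.
$old = @{}
(Get-Content $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $old[$_.Name] = $_.Value }

# Report files added, modified or removed since the baseline was taken.
foreach ($k in $current.Keys) {
    if (-not $old.ContainsKey($k))     { Write-Host "ADDED    $k" }
    elseif ($old[$k] -ne $current[$k]) { Write-Host "MODIFIED $k" }
}
foreach ($k in $old.Keys) {
    if (-not $current.ContainsKey($k)) { Write-Host "REMOVED  $k" }
}
Get-AlternateStreams $Root |
    ForEach-Object { Write-Host "ADS      $($_.FileName):$($_.Stream) ($($_.Length) bytes)" }
```

As the later posts in the thread point out, a kernel-level rootkit can hide files from the very filesystem APIs this script relies on, so the comparison is only trustworthy when run offline from clean boot media, as Bogwitch describes.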

Sebastian Gottschalk wrote in news: snipped-for-privacy@mid.dfncis.de:

It's all semantics, I find the term layered security actually describes a process better than Defence in Depth, each to their own.

I tried to use Forte, quite some time ago, and I did not like it. I've not revisited since. I've not tried Thunderbird or 40tude Dialog, but if I get the time, I will check them out.

Accepted. Still, if your user was truly malicious, is there much you can really do?

Actually, the largest complaint was the inability to add workstation shared printers. Not one complaint about random screensavers, but we have a strong policy in place! :-)

Bogwitch

Reply to
Bogwitch

Sebastian Gottschalk wrote in news: snipped-for-privacy@mid.dfncis.de:

It's interesting to see what connection attempts are made after connection to a rogue website, often sites on dynamic DNS are most interesting.

You were talking about malware hijacking a browser session, once a session had been established. Using AtGuard I can point my browser at a web address I know (e.g. 1.1.1.1) and tell AtGuard to talk to that address. If the browser then requests a page from a different address, AtGuard will then ask me again, listing the DST address.

I have. My hardware is of a low enough spec to prevent a VM running.

Because, as I said, I like the UI. I know enough about OE and I have sufficient controls around it to make it safe for me to use.

I think I've explained why I run as admin, just to reiterate. I run as admin to allow malware to infect my system.

Unlikely, I'm on dynamicIP.

Depends how AtGuard is configured. I have it configured to alert me of any outbound connection attempts and to log them. It is also configured to silently log any inbound connection attempts.

Thanks for the info. I will investigate the tools. However, AtGuard gives me the alerting, logging and blocking functionality I require.

Why? I don't want the malware to perform its evil deeds.

OK, nothing directly from my machine. :-)

Bogwitch

Reply to
Bogwitch

As earlier stated 100% security is just a wish and has nothing to do with reality. That is no reason for doing nothing or stating that only incoming filtering is useful.

arja.

Reply to
arja

Treating him as such?

Reply to
Sebastian Gottschalk

If only I understood what's so interesting about that...

And the malware will silently insert an image load request into just about any legitimate website. Anyway, AtGuard won't ask you, since it can't know what you typed in the address bar, but just what was requested - which is already a different destination.

Looking at the current vulnerabilities, this is obviously a lie.

Just to reiterate: That's a totally broken concept.

Well, then why did you reboot?

And the vulnerabilities you require.

The malware will perform its evil deeds beside AtGuard or any other useless trial of blocking. Didn't you say that you run with admin rights? AtGuard won't even get to see any connection attempt from the malware.

Reply to
Sebastian Gottschalk

You don't need any reason to do nothing. Actually it's common sense that doing something dumb is way worse than not doing anything dumb by doing nothing.

Even that is hardly the case for a home computer. Now could you tell me where the need for packet filtering on home computers should come from? I mean technical arguments, not stupid users believing marketing bullshit.

Reply to
Sebastian Gottschalk

I wasn't talking about "100% security", but about reliability, which is not the same.

The lack of reliability *is* a reason.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

Sebastian Gottschalk wrote in news: snipped-for-privacy@mid.dfncis.de:

If I had a malicious user, I would sack him. Simple as that. The problem is, you do not know who your malicious user is/are. The best you can hope for is detection after the event.

I suspect the security concerns of my organisation and the security concerns of yours are wildly different.

Bogwitch.

Reply to
Bogwitch

Sebastian Gottschalk wrote in news: snipped-for-privacy@mid.dfncis.de:

The way I have AtGuard configured on this machine, it WILL ask me about EVERY connection attempt.

No it's not. Look, I'm surfing to all sorts of peculiar places, I pick up malware left right and centre. I have security controls to ensure I detect the malware and I do not cause any harm, discomfort or irritation to others. Never have, never will.

Works for me

Sorry, I thought a change of IP would be implied if I said 'reboot'.

Might I suggest you actually understand the software before you tell me what it can and what it can't do?

Bogwitch.

Reply to
Bogwitch

If the malware has admin rights, it can trivially bypass AtGuard. You WON'T get to see ANY connection attempt.

Well, it's just totally unrelated...

May I suggest you do the same?

Reply to
Sebastian Gottschalk

Sebastian Gottschalk wrote in news: snipped-for-privacy@mid.dfncis.de:

Bring it back to the _REAL_ world, Sebastian, please name ONE piece of malware that is AtGuard aware.

I *DO* understand the software. You don't, otherwise you would not be spouting the inaccuracies you have thus far.

Anyway, back to the subject. I can see real world uses for an outbound port blocking firewall, particularly a personal firewall.

Bogwitch.

Reply to
Bogwitch

Agobot. Nuff said.

BTW, security is about something called *reliability*.

But you don't understand Windows. AtGuard might do what it wants, but the Windows kernel remains the ultimate authority in the system, and if the malware runs with admin rights, it has full access to the kernel. This is a cat-and-mouse game, in which AtGuard is always the loser in the long run.

Reply to
Sebastian Gottschalk
