
Question on Scans, sandboxing, Cryptoprotect, etc.

63 replies to this topic

#1 Tiger-Heli


Posted 22 September 2015 - 06:11 AM

Lots to cover/ask …

 

My computer was recently infected with Ransomware - cleaned up thanks to this forum (so far, at least), but I had some follow-up questions.  Removal thread: http://www.bleepingcomputer.com/forums/t/586174/started-as-u-cash-now-bsod/page-5#entry3823952

 

http://www.bleepingcomputer.com/forums/t/524259/cryptoprevent-vs-cryptolocker-few-srp-questions/#entry3294801 was a good read, as was http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

 

The world is getting scary - That wasn't the answer I wanted. I was hoping for something simple - like "You are unlikely to run across anything like that and if you do, your normal anti-virus should take care of it."

Apparently, it's not that simple.

 

Between the Cryptoprevent and CryptoMonitor applications:

  • Cryptoprevent seems good - but the free version requires manual updates and (among other things), it looks like it requires an updated list of known host servers to block.  The free version is probably okay for me and the Premium version is 30 percent off for forum members, but it looks like they are coming out with a new version which will probably NOT have a lifetime free option.  Looks good in that it just sets some policy exceptions so it doesn't have to run continuously.
  • Cryptomonitor looks a bit more robust - i.e. the program somehow doesn't require updates, runs continuously and implies it protects against ransomware and tor lock as well as Cryptolocker.  Unknown: the pro version is currently free while they develop a new version, but it is not clear how much the new version will cost, or if the existing pro version will stop working once the new version is released.
  • Doesn't seem to be any harm in running both of them and I will probably try that.  Wouldn't mind your opinion on the pro's and con's of each.

Background.

 

I basically figured out what happened to my system - it was a zero-day drive-by flash player exploit.  (Not really zero-day as I probably hadn't updated Flash in a few weeks.)  The thing that bothers me though is it seems to have a delayed payload - i.e. I didn't use the Internet for about a week or more, and then when I plugged the network adapter in, the ransomware screen seemed to come up before I even opened the web browser - more questions on that below.

 

Some research

A few sites I ran across:

 

http://www.howtogeek.com/222275/how-to-uninstall-and-disable-flash-in-every-web-browser/

 

http://www.howtogeek.com/198300/oracle-cant-secure-the-java-plug-in-so-why-is-it-still-enabled-by-default/

 

http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/

 

https://addons.mozilla.org/en-US/firefox/addon/flashblock/

 

http://lifehacker.com/how-to-safely-test-software-without-messing-up-your-sys-1680608496

 

Questions -

 

Basically, my questions fall into five categories:

  • Java - Basically, can/should I disable the Java plug-in (javascript) and or can/should I disable the java console?  What are the consequences of doing either?  (I know anything that uses Javascript won't work, but what am I likely to notice on the PC - what common programs/apps/sites require Javascript?)  (I think the NoScript app basically disables Javascript as well, but ...)
  • Flash - Most of the programs mentioned are new to me.  From what I can tell:
    • NoScript - I typically run this, but I got lazy and got in the habit of clicking "Temporarily allow all on this page" - bad idea (and based on that, I probably DESERVED to get infected - not that it is right).  However, this seems like a fairly good option otherwise.
    • Flashblock - I have heard of the author from the Mozillazine forum - however, the software says it won't work with NoScript and I don't see that it adds a lot that NoScript would not do.
    • Click to Play - (setting "Ask to Activate" under Firefox plugins) - I can't tell for sure, it looks like this just blocks or allows flash for an entire page, not individual elements.
  • Internet Security Suites - I don't use any of these - I use Avast Free Antivirus, but it doesn't have Internet Security.  Are there any good free ones out there and are they worth running?
  • Sandbox - It isn't practical, but I used to think the best idea was to have a Chromebook or Netbook that ONLY accesses the web and then a main computer that only does everything else and when necessary, programs/files are transferred from the Netbook to the main computer.  The sandbox/virtualbox seems to do this and might be a good idea.  (You take a image of the virtual PC and if it gets infected, you just blow it away and re-install the image) I have lots of questions though:
    • Which of these applications are free, and which work well?
    • What are the advantages and disadvantages of one approach over the other?
    • Is this something that you would suggest?
  • Delayed implementation  - I'm curious what the best strategy to deal with this is?  As I said, the ransomware that hit me didn't show up until I connected the network adapter quite a while after the PC was compromised. So with any of the above solutions - if the virus is set to activate after the computer re-boots 10 times or only on 13 April, even the sandbox or netbook solution wouldn't work.  (i.e. you install the virus on the netbook or virtual PC, everything seems fine, you install it on the main PC and suddenly two weeks later BOTH PC's are infected …)

No real rush on replying to me, but I'm curious what the best solutions are!





#2 quietman7


Posted 22 September 2015 - 07:11 AM

You don't need Java.

Using Java is an unnecessary security risk...especially using older versions which have vulnerabilities that malicious sites can use to exploit and infect your system.

Although Java is commonly used in business environments and many VPN providers still use it, the average user does not need to install Java software.

I recommend just uninstalling Java if you don't use it.

 

If you must use Java, many security researchers and computer security organizations caution users to limit their usage and to disable Java Plug-ins or add-ons in your browsers.

If you need Java for a specific Web site, consider adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site(s) that require(s) it.
Krebs On Security: ...Java

To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.
US CERT: Disable Java in web browsers

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 quietman7


Posted 22 September 2015 - 07:16 AM

CryptoMonitor by EasySync is an anti-ransomware solution that was developed to protect a computer or server against all types of crypto-malware encrypting ransomware. CryptoMonitor relies on behavioral detection and several protection methods which allows it to detect encrypting ransomware before it has a chance to encrypt your data. CryptoMonitor will not only block existing ransomware variants but it will also block zero-day and future ransomware. This technology allows the program to detect and protect against new crypto-malware as they emerge. CryptoMonitor bypasses UAC on startup and will immediately start protecting your computer when first installed.

CryptoMonitor Protection methods:
1. Entrapment Protection which sends encrypted pattern signals back and forth between CryptoMonitor and themselves constantly. When a ransomware falls into one of these traps, the pattern is broken and CryptoMonitor immediately takes action...the computer is locked down, no file modifications are allowed and CryptoMonitor will send an alert (email) about the infection.

2. Count Protection provides a second layer of protection against crypto-malware. Count Protection will constantly scan running processes and use heuristics to categorize them into absolute trusted, unknown, and suspicious. When the process modifies over a certain number of personal files, under a certain time, then a flag is raised and CryptoMonitor will send an alert (email and text message) so you can take action. Since this method could lead to false positives, it includes the ability to whitelist executables that may exhibit such behavior.

3. CryptoApi Protection will detect what processes want to use crypto functions and then determine if they should be allowed to run.

4. Process Injection Check and LockDown Mode. Process Injection checks for injected code, and if injected code is found, it is then treated as a hostile process. LockDown Mode occurs when CryptoMonitor cannot kill or remove an infection right away. When LockDown Mode is enabled, it blocks the offending process's privileges to everything, making it easy for removal manually or by an Anti-Virus. Since only the bad process is locked down, you can run any application to help remove the infection when CryptoMonitor cannot.

5. Secure Vault is a protected directory created by CryptoMonitor. Nothing can access this directory except for CryptoMonitor, and any other processes that you allow to have access to it. Secure Vault can be used to safely store photos, documents, videos, music and backups.

You can ask the developer, Nathan (DecrypterFixer), a question, report an issue or suggestion in the CryptoMonitor Official Discussion & Support Topic.


CryptoPrevent is a security tool that writes 200+ group policy object rules into the registry in order to prevent executables in specific locations from running. CryptoPrevent can be used to lock down any Windows OS to prevent infection by crypto ransomware which encrypts personal files and then offers decryption for a paid ransom. CryptoPrevent artificially implants hundreds of group policy object rules into the registry in order to block executables (*.exe, *.com *.scr and *.pif) and fake file extension executables in certain locations (i.e. %AppData%, %LocalAppData%, %userprofile%, %programdata%, Recycle Bin, Startup Folder) from running. Due to the way that CryptoPrevent works, it protects against a wide variety of malware and ransomware. There are several levels of protection but most users only need to use the default setting - "Set it and forget it" protection. CryptoPrevent Premium offers automatic updates to the program and definitions, email alerts, and custom policy rules.

CryptoPrevent has a filter module (in the installer version) which allows you to apply (enable) or disable suspicious program filtering for .cpl, .scr and .pif files which are executable files. This option is found by opening CryptoPrevent and selecting Advanced > show Advanced Options at the top. The portable version does NOT include the Filter Module...you must get the installer version to use that feature.
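A rate-based detector in the spirit of the "Count Protection" layer described in the post above, written here as an added illustration rather than CryptoMonitor's own code. The event format, the set of "personal" file types, the whitelist and the threshold (20 distinct files within 10 seconds) are all assumptions chosen for the example.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Assumed set of "personal file" types worth counting; a real tool would use a longer list.
PERSONAL_EXTS = {".docx", ".xlsx", ".jpg", ".pdf", ".txt"}


@dataclass(frozen=True)
class FileEvent:
    ts: float    # seconds since an arbitrary epoch (constructed timeline)
    pid: int
    image: str   # process image name, e.g. "winword.exe"
    path: str    # file being written, or the source path of a rename
    op: str      # "write" or "rename"; anything else is ignored


class CountProtection:
    """Flag a process that touches >= threshold distinct personal files inside a sliding window."""

    def __init__(self, threshold: int = 20, window: float = 10.0, whitelist=()):
        self.threshold = threshold
        self.window = window
        self.whitelist = {w.lower() for w in whitelist}
        self._recent: Dict[int, Deque[Tuple[float, str]]] = defaultdict(deque)
        self._flagged: Dict[int, dict] = {}

    def observe(self, ev: FileEvent) -> Optional[dict]:
        # Whitelisted tools (backup software, archivers) legitimately do mass writes,
        # which is exactly the false-positive case the post mentions.
        if ev.image.lower() in self.whitelist or ev.op not in ("write", "rename"):
            return None
        if os.path.splitext(ev.path)[1].lower() not in PERSONAL_EXTS:
            return None
        if ev.pid in self._flagged:
            return None  # alert once per process; the response happens elsewhere
        q = self._recent[ev.pid]
        q.append((ev.ts, ev.path.lower()))
        # Evict events that fell out of the sliding window.
        while q and q[0][0] < ev.ts - self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold:
            alert = {"pid": ev.pid, "image": ev.image, "count": len(distinct),
                     "first_ts": q[0][0], "last_ts": ev.ts}
            self._flagged[ev.pid] = alert
            return alert
        return None


def constructed_events() -> List[FileEvent]:
    """Constructed sample timeline: one normal editor, one whitelisted backup, one mass renamer."""
    evs: List[FileEvent] = []
    for i in range(3):  # Word saving a few documents over half a minute: normal
        evs.append(FileEvent(10.0 * i, 1001, "winword.exe",
                             rf"C:\Users\me\Documents\report{i}.docx", "write"))
    for i in range(100):  # whitelisted backup tool touching many files quickly: ignored
        evs.append(FileEvent(100.0 + i * 0.01, 2002, "backup.exe",
                             rf"C:\Users\me\Pictures\img{i}.jpg", "write"))
    for i in range(25):  # unknown process renaming 25 documents in 5 seconds: ransomware-like
        evs.append(FileEvent(200.0 + i * 0.2, 4242, "updater.exe",
                             rf"C:\Users\me\Documents\file{i}.pdf", "rename"))
    return sorted(evs, key=lambda e: e.ts)


def run_sample() -> List[dict]:
    det = CountProtection(threshold=20, window=10.0, whitelist=["backup.exe"])
    return [a for a in (det.observe(e) for e in constructed_events()) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT pid={alert['pid']} image={alert['image']} "
              f"touched {alert['count']} files in {alert['last_ts'] - alert['first_ts']:.1f}s")
```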

#4 quietman7


Posted 22 September 2015 - 07:17 AM

All Internet Security products include antivirus and firewall protection plus various other features...that is why the package is called a suite.

Security suites

So called "security suites" were first offered for sale in 2003 (McAfee) and contain a suite of firewalls, anti-virus, anti-spyware and more. They may now offer theft protection, portable storage device safety check, private Internet browsing, cloud anti-spam, a file shredder or make security-related decisions (answering popup windows) and several were free of charge as of at least 2012.

I'm not an advocate of suites. All-in-one tools and suites are filled with extra features (including "bells & whistles") which typically use more system resources than separate programs that do the same task while other suites leave a much smaller footprint. Suites tend to have varying degrees of strengths and weaknesses accorded for each feature they incorporate. Most Internet Security Suites include a Firewall, which IMO is unnecessary since the Windows built-in firewall is adequate protection and many folks also use a router. In contrast, separate tools are designed, built and maintained with a greater focus in a specific area so they are generally of better quality and more effective at what they are designed to do. This means the program's performance for that particular feature is usually superior to their all-in-one counterpart. Further, all-in-one tools generally do not allow the user as much flexibility in tailoring default settings and usage.

If you are adamant about using a suite, then I would recommend one of the following:

#5 Tiger-Heli


Posted 22 September 2015 - 07:50 AM

Thank you - I need to read through all of the Java links, but I have a few remaining questions also:

 

Cryptomonitor seems a lot more robust than Cryptoprevent, but is it a good idea to install both, or is Cryptomonitor all I really need?

 

Flash - I was confused on this, but I think NoScript and AdBlock Plus are adequate - if, ahem, I utilize them properly.

 

Suites - I didn't really word that properly, I wasn't looking for a suite per se.  I use Avast Free Antivirus.  There is a paid version of Avast that adds Internet Security.  What I was mainly wondering was "Are there Internet Security programs that I can run on top of Avast that would be good protection (preferably free) and what advantages would they really offer me?"

 

Didn't get an answer on the sandbox options or delayed activity viruses ...



#6 Tiger-Heli


Posted 22 September 2015 - 08:40 AM

I'm assuming JavaRa will be the best way to completely remove Java.

 

Also - I confused Java and Javascript ...

 

I have both the Java Runtime environment and Java plugin installed on the PC and need to remove them.

 

Javascript is not related to Java, but is blocked by NoScript unless you enable it.



#7 quietman7


Posted 22 September 2015 - 02:42 PM

Javascript is a scripting programming language developed by Netscape that runs on web browsers to make web pages functional for specific purposes.

Many users confuse JavaScript with Java, a software package by Oracle installed separately from your browser. Although the name is similar, Java is not the same as JavaScript.


If JavaScript is disabled, the content or the functionality of the web page can be limited or unavailable.

If you disable JavaScript, many websites won’t work properly. This is particularly true for web apps like Gmail and Google Docs, but it’s also true for other websites. Disabling JavaScript may break the ability to log in, post comments, or dynamically request content...If you disable JavaScript, you may be unable to use certain features on a website, the website may break completely, or you may use a version of the website with reduced features for users on older browsers

What Happens if You Disable JavaScript

JavaScript is most commonly used as a client side scripting language. This means that JavaScript code is written into an HTML page. When a user requests an HTML page with JavaScript in it, the script is sent to the browser and it's up to the browser to do something with it.

Javascript General introduction

Some users install the NoScript Firefox extension for added protection since it allows JavaScript, Java and other executable content to run only from trusted domains of your choice. More information about NoScript can be found here.
 



#8 rp88


Posted 22 September 2015 - 02:47 PM

Quietman post #2:

You say "you don't need java", in most cases this is right but in some cases a person might run a desktop program which requires the use of java as an environment in which it must be run. Such users should instead use the options within java's control panel icon to disable all its browser functionality and make sure to keep it up to date, and make doubly sure it isn't any longer listed as a plugin in any browser. To know if you are such a person you will have to look up the installation requirements for each and every program you use, and see if any of them need it, if they don't then go ahead and remove java entirely. Or uninstall java and then see if any program stops functioning once it has gone.




Tiger-Heli post #1:
Note that java and javascript are NOT the same thing, they aren't even related.(Quietman, I know you've already said this but I was preparing this post while you were typing yours so I didn't see this until after this was posted).

Java's browser elements are a browser plugin, which used to be used for online simulations and games and such but is rarely if ever used for such things now.
Java itself is an environment for certain programs to run in.

Javascript, unrelated to java entirely, is a bit like html, it's a type of code used on websites, but unlike html it can do more and can let websites exert some "control" over the browser which they wouldn't have if they used just html, it also allows fancier graphics to be made than html can and it allows pages to be made which are interactive. Javascript is involved in most exploit attacks but they don't usually use it alone, the javascript loads a plugin or something, which is then exploited to deliver the infection. Blocking javascript with noscript is helpful, very helpful, but in all except a few zero day attacks against the browser itself javascript isn't the only part in an exploit attack. Noscript helps block javascript from any source you don't choose to allow, the best way to do things is to allow the main domain of a site first (if you need to allow any scripts on the page at all and if the site is a trustworthy one) then allow trustworthy other domains IF they are needed, don't allow utterly unknown domains, advertising domains or known nasty domains. And don't allow all the scripts on a page as that will allow any and every domain there, including any nasty ones that might be present.

What does flashblock do which noscript doesn't? Noscript certainly blocks flash except flash objects you choose to allow, and these flash objects don't even appear for you to choose to allow/deny until after you've allowed certain scripts on the page.

Click to play settings for plugins do indeed allow flash for an entire page or not allow it for that page, but noscript gives you control over individual elements, so put all plugins on click-to-play/ask-to-activate and use noscript as well, that way you have to first allow any plugin you want through noscript, and then you have to allow in firefox as well.

You can add to noscript's protection by using malwarebytes anti-exploit (there is a free version), noscript acts as a defensive layer "in front of" the browser, malwarebytes anti-exploit acts "behind" the browser, I run it myself and it works fine with noscript installed. This might have been able to catch the virus you got after it had slipped past flash blocking but before it could get onto the wider system and run its infection payload.

Edited by rp88, 22 September 2015 - 02:50 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#9 quietman7


Posted 22 September 2015 - 02:53 PM

Quietman post #2:
You say "you don't need java", in most cases this is right but in some cases a person might run a desktop program which requires the use of java as an environment in which it must be run.

That is correct and yes I understand there are still some users which need Java...that's why I explained (and provided links) security experts recommend to disable if you must use Java and limit usage.

#10 Tiger-Heli


Posted 22 September 2015 - 03:50 PM

Still have questions in Reply #5 on Sandboxing and whether CryptoPrevent and CryptoMonitor can both be run together.

What does flashblock do which noscript doesn't? Noscript certainly blocks flash except flash objects you choose to allow, and these flash objects don't even appear for you to choose to allow/deny until after you've allowed certain scripts on the page.

 

I think I can answer this - I use Noscript (but not effectively, obviously).  As I read it, flashblock only eliminates flash - so if you don't want to run NoScript and tell it to allow scripts on every page or most pages, flashblock is better for you.  I think I am just going to stay with NoScript and use it more carefully.

 

You can add to noscript's protection by using malwarebytes anti-exploit (there is a free version), noscript acts as a defensive layer "in front of" the browser, malwarebytes anti-exploit acts "behind" the browser, I run it myself and it works fine with noscript installed.

 

I wasn't aware of this, I will add it also - looks like a good idea.  I run scans with MBAM, but didn't know there was active exploit protection available with it.

 

Have another question - I discovered Web of Trust: https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/ - seems better than nothing, but there seems to be a potential flaw with it.  Let's say I google Test:

https://www.google.com/search?q=test&gws_rd=ssl - The second link is https://www.test.com and has a red circle (although it probably shouldn't) - if I click it, WOT says the page has a poor rating, but it still loads the page in the background, so if the page had any drive-by virus code, it would already be downloaded.

 

It has 80% of what I want - ideally, what I would like is something that when I click a link or a search result would tell me that a page was a known attack page and ask if I wanted to connect BEFORE it loads the page.  (And of course, this still wouldn't prevent pages with embedded ad viruses on other domains or new pages, etc ...)



#11 quietman7


Posted 22 September 2015 - 04:02 PM

Still have questions in Reply #5 on Sandboxing and whether CryptoPrevent and CryptoMonitor can both be run together.

I don't use sandboxes but I do use both CryptoPrevent and CryptoMonitor together without problem.

#12 quietman7


Posted 22 September 2015 - 04:02 PM

Many site rating vendors (i.e. McAfee SiteAdvisor, WOT, Google's Safe Browsing, Webutation, avast! WebRep, etc) use a system of volunteer testers that continually patrol the Internet to browse sites, download files, and submit information. All the results are documented and supplemented with feedback from users, Web site owners, and analysis from their own employees. The advising site vendor then summarizes the results typically into a color-coded red, yellow and green ratings scale to help inform Web users as to the safety of each tested site. While these tools are useful, they are not foolproof and sometimes may provide misleading ratings. Just because you visit a risky site, that does not automatically mean the site is bad or that your system has been infected by going there. In contrast, going to a safe site could even prompt a warning. There are legitimate programs which are falsely detected by various anti-virus programs from time to time. This sometimes results in an inaccurate site rating/warning of potentially dangerous software when that is not the case. Thus, the use of such rating sites does not always guarantee an accurate rating of the results they provide. Further, for the novice user, rating sites can provide a false sense of security.

#13 Tiger-Heli


Posted 23 September 2015 - 07:44 AM

WOT

 

I understand on WOT, SiteAdvisor, etc. - i.e. it might have a green circle on a site that was safe last week and hacked this week, or it might have a red circle on a site that is safe.

 

My problem is let's say a site is genuinely malicious and loads a drive-by payload as soon as the site is opened - WOT by default does nothing for you - it will give you a warning, but the virus is already downloaded to your system.

 

There is a good workaround - but it is cumbersome also - if you go to settings - there are two options:

 - Warning Pop-up only (Recommended)

 - Warning Pop-Up and blocking of sites with poor reputation.

 

For better security, I recommend the second option.  The problem I have is there is no button to say "I understand the risks, take me to this page." - So your only options if you want to go to a site that WOT says is red is to white-list the site inside WOT, or change the setting back and then change it again after you leave the site.

 

Also - I found out some more about sandbox/Virtualbox and delayed threats - but I am a novice, so I can't say all of this info will be true:

 

Virtualbox (VB)

 

Tutorial - https://web.archive.org/web/20150320114539/https://ryantrotz.com/2011/11/virtualbox-beginner-tutorial/ - This is fairly old and shows installing VB running Ubuntu on a Mac OS.  For our purposes, you would want VB running the same OS as the host computer so that the VB would pick up viruses that affect the host computer.

 

VB advantages:

  • Probably one of the safest ways to protect the main computer from viruses.

VB disadvantages:

  • Somewhat cumbersome to set up and use.
  • System hog - the website recommends allocating 8 GB to the VB computer and 1 GB of memory to the VB computer.  That is HD space that you will NEVER recover (unless you uninstall the VB) and memory and processor usage that you can't get back when you are running the program.
  • Limited protection against delayed payload threats - more below.

Delayed payload threats

 

There really is no guaranteed protection against this - other than completely isolating the VB from the main system and if you do that, you use the VB 100% of the time and it eventually gets infected and you haven't saved yourself anything.  Again, I am not 100% sure on this, but it really depends on how sophisticated the virus threat is.  Let me give some common scenarios:

  • Drive-By - This was what I got hit by - You visit a website and either a virus loads immediately or loads when you click something on the page and you have no knowledge that it was downloaded - but it might not affect your computer for a few weeks.  The VB works great here.  Since you don't know anything was downloaded, you don't transfer anything to the host machine.  In a few weeks, the VB might be crypto-locked and you laugh at it and delete its files and re-load its OS from an image and carry on.
  • Downloaded PDF - Depends how the item is coded - let's say you think you are downloading a file on car A/C repair named CAR_HVAC.pdf, but the file is really CAR_HVAC.pdf.exe.  A poorly coded file will just launch the virus.  You double-click on the file in the VB, nothing happens, you assume it was a bad file and move on.  A well written virus will have two phases - i.e. you double-click the file and it launches the virus AND extracts a PDF on car repair to a temp directory and opens it in Adobe reader.  You then might assume the file is safe and move it to your host computer and infect it the next time you open it.  There are three workarounds:
    • First - of course, disable the stupid windows setting for "hide extensions for known file types" so that you can tell if you are dealing with an .exe or a .pdf.
    • Second - instead of double-clicking the file, try to start Acrobat reader and open the file from there - if it is not a PDF file, it should give you a "Could not open" error and then you will logically delete the file.
    • Third - if you open the file in Acrobat and save it with a new name, it should remove the virus and you can then move the re-named file to the host computer - maybe ...
  • Downloaded program or executable - Probably the hardest to defend against.  Let's say you THOUGHT you were downloading CryptoMonitor, but you didn't download it from the approved site.  A poorly coded virus won't seem to do anything - so you assume it was a bad download and don't do anything on the host computer.  A well thought out virus will load the virus and load a (possibly hacked) version of CM - the virtual machines seems to be running fine and you install the program on the host computer and two weeks later both the VM and the host computer have the virus warning screen.  I don't know of a very good defense against this - you can hope that AV signatures will be updated in a month's time, so one strategy is to run full virus scans on the VM and if it is clean a month after you download the file, it is safe to install it on the host machine, but for files like CM, you might not want the host computer unprotected for a month, and by then there might be an update that you don't know if you can safely install.
  • Downloaded archive - the biggest risk is the self-extracting .zip file (.exe).  The best bet with this is to try to right-click on the file and select "Extract to".  I'm not sure there are other risks other than extra files that might be included in the achive that you didn't expect and should ignore or delete.
  • Downloaded images - I'm not sure if a virus can be imbeded in an image, so this might not be a risk.
  • Downloaded video - Also not sure of the risks here.  If you tend to download video and then play it back with flash player in Internet Explorer - there is a fairly large risk here.  I'm not sure if there are similar vulnerabilities in playing it back in VLC or some other video player software ...


#14 rp88

rp88

  • Members
  • 3,061 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:51 AM

Posted 24 September 2015 - 03:00 PM

Of those infection methods the most dangerous is the drive-by; all the rest require two deliberate actions, downloading a file and then opening it. Also, I suspect, these days drive-by is the most common. This is why having some sort of script-blocking/anti-exploit/both AS WELL as your antivirus is so important.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#15 Tiger-Heli

Tiger-Heli
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  • Local time:01:51 AM

Posted 02 October 2015 - 10:32 AM

I've learned a lot from these forums ...

Here are steps I plan to take on my PC and helpful info for others:

Disable "Hide extensions for known file types" and "Hide system and protected Operating System files" - these seemed like bad ideas when Microsoft first introduced them and even more so now.

Install Cryptomonitor and CryptoPrevent.

Install Malware Bytes Anti-Exploit.

Update Firefox and Flash Player (and have Flash Player update automatically).

Remove Java and Java Plugin using JavaRa.

Install NoScript, WOT, Ad-block Plus, Disconnect, and uBlock add-ons for Firefox.

Look into and play with Virtual Box virtual machine and sandbox options.

Some notes:

I'm surprised Cryptomonitor and CryptoPrevent are required - I would expect these attacks to be prevented by a basic antivirus. To me, it reminds me of when rootkits first became an issue and the major AV software was like "You wanted protection from those as well - they don't even affect the OS files?"

As I understand it, there are four types of prevention:

  • Front side - These apps either block actions from occurring in the web browser, or block access to certain sites.  Examples would be CryptoPrevent, NoScript, AdBlockPlus, Disconnect, uBlock.
  • Warning - These apps try to tell you if an action is safe or not, but don't prevent anything - WOT is an example.  Unfortunately, they tend to lead to either false negatives or false security errors.
  • Back side - These apps typically will let you download a virus or malware or visit a malicious site, but try to keep the malware from doing anything dangerous to the computer.  Examples would be traditional Antivirus, Cryptomonitor, and MalwareBytes Anti-Exploit.
  • Virtualization/Sandbox - For virtualization, this is a different way of looking at the idea of malware - essentially the virtual machine creates a completely separate operating system.  You can run this with no protection at all, b/c if malware attacks the virtual machine, you just wipe the virtual machine files and start over.

Of the Firefox add-ons - NoScript, ABP, Disconnect, and uBlock are similar, but they operate differently and perform slightly different functions:

  • NoScript basically keeps both javascript and flash from running on a website, but you can temporarily or permanently enable either individual items or the entire web site.
  • I really like uBlock - it will automatically block the items from the AdBlockPlus blacklist, along with Disconnect's privacy and malware blacklist and malwaredomainlist sites and others.  Also - you can add page elements to your custom filters - for example, some sites I visit have a pop-up to ask if I want to take a survey when I leave the page.  It isn't malware, but it is annoying.  With uBlock, I just right-click on the element and I never see it again.
  • AdBlockPlus is a bit older and I'm not sure it is really needed anymore - uBlock filters the same options.  ABP is supposed to add a small flag that makes it easy to block (especially flash) items on a page, but since uBlock seems to do that too and it is just as easy to right-click on a page, I'm not sure ABP is doing anything useful anymore.
  • Disconnect has some privacy protection blocking, but its main purpose seems to be to delete flash cookies on browser shutdown.

The drawback to these add-ons is they often block legitimate actions on sites and it isn't always obvious that they have done so.  For example, I went to www.cars.com and "view all pictures" was not working.  It turned out it was blocked by something in Disconnect, but without knowing that, the options were disabling all blocking on the site temporarily (dangerous if the site is not trusted), opening the site in an un-protected browser - same risk, or opening the site in an unprotected browser in a virtual environment or a sandbox.  (And this was for a site that I trusted and knew how it was supposed to operate - there would be a lot of sites that might have useful features that were blocked by the plug-ins and I would never know that they offered those options.)

I haven't tried it but it is worth clarifying that Virtual Box is a different way of looking at things compared to traditional anti-malware - i.e.:

  • With traditional antivirus - say NoScript, I go to a website and I have to white-list the page to tell it that the page is safe and doesn't need to be blocked.  There is probably less than a 1% chance of getting infected, but the stakes are high enough that you don't dare take the risk.
  • With Virtual Box - you don't have to do ANYTHING special.  Really you don't even need an antivirus installed on the Virtual Box - you just browse without worrying about anything and if the virtual box OS gets infected, you just delete it and reload it and start over.  Your main files are not affected.  (It is probably a good idea to at least keep an up-to-date Antivirus installed on the Virtual Box as some viruses will install in the background and not do anything obvious, so the Virtual Box could get infected without your knowledge and since you thought it was clean, you could install the same file on your main system and infect it.)

I have some additional questions about Virtual Box and sandbox, but I will start a new thread for those ...


Edited by Tiger-Heli, 02 October 2015 - 10:36 AM.
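An added PowerShell example (not posted by anyone in this thread) tying together the "Hide extensions for known file types" step above and the CAR_HVAC.pdf.exe case from #13: it reads Explorer's extension-hiding settings from the registry and lists files whose displayed name hides an executable extension. The registry path and value names are the standard Explorer ones; the Downloads folder default and the two extension lists are my own assumptions.

```powershell
# Added example: audit Explorer's extension-hiding settings and flag files such as
# CAR_HVAC.pdf.exe that show up as "CAR_HVAC.pdf" when extensions are hidden.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads"   # assumption: scan the Downloads folder
)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$settings = Get-ItemProperty -Path $advanced

# HideFileExt = 1 means "Hide extensions for known file types" is on;
# ShowSuperHidden = 0 means protected operating system files are hidden.
# The script only reports; the Set-ItemProperty lines are printed for the user to run.
if ($settings.HideFileExt -ne 0) {
    Write-Warning "Extensions for known file types are HIDDEN. To show them run:"
    Write-Warning "  Set-ItemProperty -Path '$advanced' -Name HideFileExt -Value 0"
}
if ($settings.ShowSuperHidden -ne 1) {
    Write-Warning "Protected operating system files are HIDDEN. To show them run:"
    Write-Warning "  Set-ItemProperty -Path '$advanced' -Name ShowSuperHidden -Value 1"
}

# Extensions Windows will run when double-clicked (assumed list, extend as needed).
$executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.jse',
                '.vbs', '.vbe', '.wsf', '.msi', '.hta')
# Extensions a disguised file commonly pretends to be (assumed list).
$decoy = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.png', '.txt', '.zip', '.mp4')

Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $real = $_.Extension.ToLower()               # the extension Windows actually acts on
    if ($executable -notcontains $real) { return }   # 'return' here skips to the next file

    # Strip the real extension; whatever "extension" remains is what Explorer displays
    # when HideFileExt is on (CAR_HVAC.pdf.exe -> CAR_HVAC.pdf -> .pdf).
    $stem  = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
    $shown = [System.IO.Path]::GetExtension($stem).ToLower()

    if ($decoy -contains $shown) {
        [pscustomobject]@{
            File       = $_.FullName
            AppearsAs  = $shown      # what the user thinks they have
            ActuallyIs = $real       # what double-clicking would execute
            SizeKB     = [math]::Round($_.Length / 1KB, 1)
        }
    }
}
```

Run it as `.\Check-HiddenExtensions.ps1 -Folder C:\SomeFolder` to scan a different directory; a flagged file is worth opening only through the intended application (the "Second" workaround in #13) rather than by double-clicking.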




