by Dr. Nikolai Bezroukov.
Copyright: Dr. Nikolai Bezroukov 1994-2013.
Unpublished notes. Version 0.80. October 2013
Chapter 3: Architectural Methods of Malware Defense
Architectural methods of increasing Windows malware protection level
Among the architectural steps that help to increase Windows security are (in
order of increasing complexity and return on investment):
- Predominant use of a non-privileged account for Web browsing and mail.
Windows does not have a standard component like su and sudo in Unix for an
"on the fly" change of privilege, but you can log in via VNC as administrator
in a separate screen. Windows provides much better protection for ordinary user
accounts than for accounts with admin privileges. Unfortunately the dominant
culture of Windows usage is to use the all-powerful admin account for everything.
Only some large enterprises limit their users to proper "less powerful" accounts,
as they can afford to administer PCs with separate dedicated staff and are more
interested in unification and the security of corporate data than in the
productivity of their users.
- Using a separate "user data" partition: dual partition Windows configuration.
Splitting the "system" hard drive into a smaller C partition (say 100-120GB) and
a larger Data partition is very simple in Windows 7 (which can shrink the system
partition on the fly) and is a logical step that makes restoration of your OS
from backup much easier (as user data will be on a separate partition) and your
personal data more secure and more easily recoverable. On desktops, instead of
shrinking the system partition and creating a new one for data, it is easy to
install a second hard drive. This approach is also possible on laptops with a
replaceable media bay, for example Dell Latitude laptops: you can simply replace
the DVD drive with a second hard drive and use a USB DVD drive when needed.
Not only does this simple step make both backup and reinstallation of Windows
much simpler, it also permits using the
Softpanorama Spyware removal
strategy. The key idea behind this strategy is that a good disk imaging program
is worth a dozen anti-spyware and anti-virus tools. That does not mean they are
useless. Microsoft Security Essentials is a good free AV tool that is well
integrated with Windows and well tested for compatibility, so ignoring it is
unwise. The same applies to Windows Defender, which is also adequate, as most
modern malware are worms, not viruses, if we use a strict definition of what a
computer virus is. But even for a company with huge resources like Microsoft,
it is very difficult to cleanly uninstall sophisticated malware that was designed
with one or several mechanisms for recreating itself if some part is preserved
after the cleanup. By restoring an image, however, you can defeat even the most
sophisticated spyware. The only precaution is that you should have multiple
(for example daily) backups, as the point of infection can be quite remote in
time from the point of detection. It also makes sense to perform a full backup
of drive C before installing any new program. Windows 7 64-bit occupies around
60GB on the system partition (without user data); the Windows XP system partition
footprint is typically 50GB or less (if user data are stored on a different
partition). Backing up such a partition takes less than an hour, which is a
minuscule amount of time in comparison with the time usually spent restoring a
Windows system after an infection (two or three days are common). You can do it
daily or weekly, but in any case this way you always have several previous
versions that might not be infected. The existence of a full C-partition backup
also provides a baseline that gives you an opportunity to understand what changes
an installation performed on your system. Add to this a registry snapshot (less
than 200MB) and you are well equipped to resist even the most sophisticated
malware. Unlike AV programs, which depend on the recency and quality of their
databases, this approach works without needing to understand what the malware
is about. It just returns you to the "status quo".
- Dual browser arrangement and periodic cleaning of cookies. Using two browsers
instead of one can dramatically increase your security against Web exploits. For
example, you can use IE in high security mode, which allows no scripts to be
executed, and Firefox for trusted sites. You can also set IE to delete its temp
cache when you close the browser (it does this in "InPrivate" browsing mode, and
this mode should be used as the most secure way to access "grey" sites). It makes
it more challenging for malware authors to infect IE8 or IE9 in this mode:
malware authors typically target a "typical setup" and are keen to exploit some
third-party application full of security holes (the standard Trojan horses of
all PCs: Adobe Acrobat and the Flash plug-in ;-). Also, using IE in high security
mode partially cuts off "snoopers" like Facebook (no cookies are allowed).
- Eliminating the most odious snoopers from your software. The line beyond which
software that performs snooping can be classified as malware is very fuzzy.
In addition to Facebook, which is an information collection site masquerading
as a social site, many legitimate sites and programs now have snooping components
and connect to the "mothership" periodically to transmit some information from
your computer. So the line between spyware and legitimate programs gradually
becomes more and more fuzzy. For example, programs developed by Google (Google
toolbar, Chrome, etc.) also have a huge appetite for collecting information
about your browsing activities, especially if you are logged in as a Google user
so that the activity can be associated with your account. It looks like with
Google+ Google's business model is not that different from Facebook's, and that's
why they promote Google+ as if there is no tomorrow. That means that as a
browser or email software developer Google is much less attractive than as the
author of a search engine.
Periodic cleaning of cookies also helps to preserve your privacy and should
be scheduled as a weekly activity. It is also possible to preserve just selected
cookies for the sites you trust, as cookies are often used to simplify
authentication to a site. At least this shows all those jerks who collect
information on you who is in control :-). This requires some discipline but can
be implemented by all Windows users. A stronger version of this defense uses the
browser of a second (possibly virtual) PC (see below).
- Running a "trusted computer" on one computer and the Web browser on a second
computer (virtual or "real") with a "disposable" image. The best way to create a
"disposable computer" on a real PC is to use Remote Desktop to the second
computer from your main machine. That can be a Linux machine (in this case you
can use VNC). When you enable Remote Desktop on a server, by default anyone who
belongs to the local Administrators group on the machine can log on to it
remotely using Remote Desktop Connection. If you are a power user, the other way
to achieve this is to run
Windows Disk Protection
on XP or emulate it on Windows 7. Windows 7 Professional and Ultimate allow
running a second Windows instance (so-called XP Mode) which can be used for this
purpose. This requires the qualification to set up the second computer as a
"disposable image computer" and to use Remote Desktop. See also
Managing Remote Desktop
and Windows
Disk Protection for more information.
- Periodic (say weekly) prophylactic reimaging of your computer from a trusted
image. This method is often used in university labs and has proved quite
efficient for malware protection, especially against RATs (remote access
Trojans), which convert your PC into a remotely controlled zombie. On most PCs
the set of installed applications nowadays is quite static, and this fact makes
creating a so-called "trusted image" much simpler. If you update your trusted
image in parallel with your main computer, then you can restore from it whenever
you are infected or need to perform some highly secure activity like filing your
annual tax return (it goes without saying that your tax return should be copied
from the hard drive to USB drives and a backup CD-ROM; do not leave highly
confidential data like your tax return on your primary computer). You can also
use a separate computer for highly confidential activities. Many households have
such computers collecting dust in the closet. Reimage it once a year (tax
preparation) or each time you need to do something that needs additional
security. Do not use it for Internet browsing.
You can use the "brute force" approach and restore the image using a Ghost-like
program (for example Acronis
True Image) or a Linux live CD and Partimage. If your laptop has an SSD this
method is pretty fast, with a restore taking less than 20 min. In this case the
"window of opportunity" for malware is the period between reimagings of the
computer. Moreover, as the image is static, you are better equipped for
dynamically scanning the registry, system and /Users folders for new executables
that entered the system.
This method is OK mainly for advanced Windows users and IT professionals.
- Using a Web proxy. This is a typical method used in enterprise environments
for protecting users. If you have a box with a Web proxy (either real or
virtual) you can point your Web browsers to it, and this does much more to
increase your security than is possible just by using two browsers in different
security modes. For a home office and small firms Squid can be used. For larger
firms appliances like Blue Coat are typically used. This method can protect you
from many threats as well as from the excessive attention of Facebook and other
information collecting monsters. It also moves the definition of "trusted sites"
to the proxy level. In a corporate environment it can also serve as an
anonymizer, as all requests come from a single IP address. This method requires
some Linux qualification and the desire to learn Squid or another Web proxy's
configuration.
- Tandem computing for users, with one disposable computer possibly firewalled
from the trusted computer. Use two computers with a common Samba partition:
one disposable, recreated from an image on each reboot and used for insecure
services like Web browsing, and one "trusted" that does not have a Web browser
installed. The disposable computer can be either Linux or Windows (Linux means
that you will be limited to Firefox as your primary and only browser). All Web
browsing is done only via the disposable computer, to which you connect either
via Windows Remote Desktop or VNC. This arrangement can be enhanced using a
firewall. The disposable computer can be either a physical computer or a virtual
instance. Windows 7 Professional and higher allow running Windows XP, which can
be your "disposable system"; this permits using this configuration on laptops.
This method requires a good understanding of networking and the ability to
configure Samba, Remote Desktop or VNC.
- Introduction of "on the fly" integrity checking and/or baseline checking of
the registry and critical directories. With current laptops with SSD drives
and 3 GHz dual core CPUs, scanning the hard drive does not consume many
resources, and if it is artificially slowed down it is not even noticeable. The
simplest way is to compare critical directories and critical parts of the
registry with a baseline. This is the only method that detects critical changes
of configuration as soon as they occur, "in real time". But this method requires
quite a bit of discipline in maintaining the baseline and in installing/upgrading
applications and the OS on your computer. Typically installation of applications
and upgrades of the OS should be done on a reference computer on which there is
no user activity. An individual user can create such a reference computer by
buying a second hard drive identical to the one installed in the desktop/laptop
for the system image, and swapping it in each time one needs to install software.
Without maintaining a reference image it is difficult to spot the infection of
your primary computer. In addition, the existence of a reference image simplifies
verification that nobody ran anything in addition to what is installed on the
computer. This is the way images are created in corporate environments. Usually
this method requires the existence of support personnel who are at least part
time responsible for the maintenance of the reference image. It is difficult to
implement for an individual user. But this is the only method that allows you to
protect yourself from a compromise introduced by an insider who has physical
access to the computer, for example a corporate spy who tried to install some
programs on your computer. Note that on modern PCs you can set a boot password,
making booting your computer without credentials much more difficult. Some
laptops also have the capability to use smart cards for boot authentication
(Dell Latitude is one example).
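The baseline comparison described in this item (and the scan of the system and /Users folders for new executables mentioned under periodic reimaging above), as an added Python example that is not part of these notes: it hashes executables under a set of labelled directories, stores the result as a JSON baseline, and reports files that were added, removed or modified on the next run. The directory labels, the extension filter and the sample tree built in demo() are constructed assumptions; a registry export saved to a file can be included in the same way.

```python
# Baseline integrity check for critical directories (added example, not the notes' code).
import hashlib
import json
import os
import tempfile

# Assumed filter: what counts as an executable; a .reg export of registry keys fits too.
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".bat", ".cmd", ".ps1", ".reg")

def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(roots):
    """Map "label/relative/path" -> [sha256, size] for executables under each root.
    roots is {label: directory}; labels keep the keys stable if a drive letter changes."""
    snap = {}
    for label, root in roots.items():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(EXECUTABLE_EXT):
                    continue
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                snap[f"{label}/{rel}"] = [hash_file(full), os.path.getsize(full)]
    return snap

def compare(baseline, current):
    """Report paths that appeared, disappeared or changed content since the baseline."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "modified": sorted(p for p in old & new if baseline[p][0] != current[p][0])}

def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline, then a dropped binary and a patched DLL appear."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = {"System32": os.path.join(tmp, "sys"), "Users": os.path.join(tmp, "users")}
        for d in roots.values():
            os.makedirs(d)
        write(os.path.join(roots["System32"], "kernel.dll"), b"MZ original")
        write(os.path.join(roots["Users"], "notes.txt"), b"plain document, skipped by the filter")
        baseline_path = os.path.join(tmp, "baseline.json")  # the stored baseline
        with open(baseline_path, "w") as fh:
            json.dump(snapshot(roots), fh, sort_keys=True)
        # What a dropper might do between two scans (simulated with plain files).
        write(os.path.join(roots["Users"], "update.exe"), b"MZ dropped")
        write(os.path.join(roots["System32"], "kernel.dll"), b"MZ patched")
        with open(baseline_path) as fh:
            return compare(json.load(fh), snapshot(roots))
```

On a real machine the baseline is taken from the reference image and the comparison is run on a schedule against the production disk.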
- Firewalling your network, controlling traffic to the Internet via a Web proxy
and address translation. This allows logging all rejections and as such provides
"on the fly" information about components of the PC which are trying to
communicate with the outside world without your permission and outside your
control. Typically this setup requires a high level of qualification and is
support intensive, so it is limited to large corporate environments, although I
have seen it in some computer enthusiasts' home networks.
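Reviewing the rejection log that such a firewall produces, as an added Python example that is not part of these notes: it parses netfilter-style drop lines, groups direct Internet attempts per internal host and classifies each as a DNS bypass, a proxy bypass or something else worth a look. The EGRESS-DROP/EGRESS-ACCEPT log prefixes, the addresses and the sample lines are constructed assumptions.

```python
# Review of firewall egress rejections per internal host (added example, not the notes' code).
import re
from collections import defaultdict

# Constructed syslog lines in netfilter/iptables style. "EGRESS-DROP" is an assumed
# log prefix for the rule that rejects direct Internet access; "EGRESS-ACCEPT" marks
# traffic to the Web proxy (192.0.2.10:3128), which is the only permitted path.
SAMPLE_LOG = """\
Oct 14 09:12:01 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=6667
Oct 14 09:12:04 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49153 DPT=6667
Oct 14 09:12:09 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 PROTO=UDP SPT=53012 DPT=53
Oct 14 09:13:30 gw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.77 PROTO=TCP SPT=49160 DPT=443
Oct 14 09:14:02 gw kernel: EGRESS-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=3128
"""

LINE_RE = re.compile(r"(?P<prefix>EGRESS-\w+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)")

def classify(proto, dpt):
    """Why a rejected direct connection is interesting in the proxy-plus-own-DNS design."""
    if dpt == 53:
        return "dns-bypass"    # resolving names outside the internal DNS servers
    if proto == "TCP" and dpt in (80, 443):
        return "proxy-bypass"  # Web traffic not going through the Web proxy
    return "other"             # neither Web nor DNS: some component calling home

def parse(log_text):
    """Yield one dict per line that matches the egress log format; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dpt"] = int(rec["dpt"])
            yield rec

def summarize_rejects(log_text):
    """Per internal host: number of drops and the sorted (dst, proto, port, kind) targets."""
    per_host = defaultdict(lambda: {"drops": 0, "targets": set()})
    for rec in parse(log_text):
        if rec["prefix"] != "EGRESS-DROP":
            continue
        entry = per_host[rec["src"]]
        entry["drops"] += 1
        entry["targets"].add((rec["dst"], rec["proto"], rec["dpt"], classify(rec["proto"], rec["dpt"])))
    return {h: {"drops": v["drops"], "targets": sorted(v["targets"])} for h, v in per_host.items()}

def suspicious_hosts(log_text, min_drops=2):
    """Hosts that repeatedly tried direct Internet access the architecture does not permit."""
    return sorted(h for h, v in summarize_rejects(log_text).items() if v["drops"] >= min_drops)
```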
- Usage of your own DNS root servers. Running your own DNS root server stops
many attacks cold, as after infection they will not be able to figure out how to
communicate back to the "mothership". Still, they can do damage like deleting or
modifying information on the computer. Several major corporations use this
approach for protecting internal networks (not just the DMZ but the whole
internal network). This is a major undertaking and requires good knowledge of
DNS and analysis of typical activity on the computer.
Copyright © 1996-2021 by Softpanorama Society.
Last modified:
March 12, 2019