BO protection and custom rules
thomas486
08-22-2007, 05:53 AM
1. How does ThreatFire protect against Buffer Overflows?
Does it detect Buffer Overflows, prevent them from taking place, or only prevent the malware installed through Buffer Overflows?
2. What exactly is a non-interactive process? (custom rules section)
3. Can anyone share your custom rules that protect against file infector viruses? :)
Thank you!
djames
08-22-2007, 03:52 PM
1. ThreatFire has hard coded rules to prevent the BO behavior, not just the malware.
2. A non-interactive process is any program that doesn’t create a window. Just about any simple malware would be non-interactive.
3. We do not have a feature to enable sharing of Custom rules ... yet.
thomas486
08-23-2007, 09:03 AM
Thank you for your reply djames,
3. We do not have a feature to enable sharing of Custom rules ... yet.
Actually you did not need to answer my question 3.
I just wanted to ask the members of this forum to share their custom rules against file infector viruses.
Shaheen saw this thread too:
http://www.pctools.com/forum/showthread.php?t=48576
2- TF should detect the following behaviours:
- Rapidly delete many files (malware behaviour)
- Rapidly overwrite many executables (malware behaviour)
- Making an exact copy of itself (worm behaviour)
Is it possible?
Thanks
thomas486
08-24-2007, 01:28 AM
Can you test ThreatFire as mentioned in the following document for BO protection? :)
http://www.ngsec.com/docs/whitepapers/NGSEC-Windows_overflow_protection_comparison.pdf
Thank you!
Kees1958
08-24-2007, 08:19 AM
http://www.pctools.com/forum/showpost.php?p=170667&postcount=7
See the custom rules short guide post for more (or Wilders Security forums)
thomas486
08-24-2007, 12:40 PM
http://www.pctools.com/forum/showpost.php?p=170667&postcount=7
See the custom rules short guide post for more (or Wilders Security forums)
Thank you Kees1958,
I suggest adding the following keys for custom registry protection in your guide http://www.wilderssecurity.com/showthread.php?t=183020:
For registry keys
HKLM\SOFTWARE\Classes\txtfile\shell\open\command\
HKLM\SOFTWARE\Classes\regfile\shell\open\command\
HKLM\SOFTWARE\Classes\scrfile\shell\open\command\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver\parameters\
For registry values
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2
HKLM\Software\Microsoft\SecurityCenter\UpdatesDisableNotify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUOptions
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WIndowsUpdate\AutoUpdate\AUOptions
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall
HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Start
HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start
HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Start
HKLM\SYSTEM\ControlSet001\Services\TlntSvr\Start
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\1001
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\1001
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\1004
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\1004
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\1200
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\1200
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\1809
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zones\1809
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCloseKey
HKCU\software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoFileOpen
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
May contain errors (please edit). I just found these registry values on antivirus companies' websites that describe the security-lowering behaviour of some worms or IRC bots.
thomas486
08-24-2007, 03:37 PM
My rule against viruses
When any non-interactive process
tries to write|TriggerAccessFlags 20|TriggerCount files
within 2|TriggerSeconds seconds
named *.asp or *.bat or *.com or *.dll or *.doc or *.exe or *.gif or *.htm or *.jpg or *.jsp or *.mp3 or *.php or *.ppt or *.scr or *.sys or *.txt or *.vbs or *.wma or *.xls|TriggerFiles
except when the source process is in the system process list
or the source process is in the trusted process list
My rule against virus that delete files
When any non-interactive process
tries to delete|TriggerAccessFlags 20|TriggerCount files
within 2|TriggerSeconds seconds
named *.bat or *.com or *.dll or *.doc or *.exe or *.gif or *.jpg or *.mp3 or *.php or *.ppt or *.scr or *.sys or *.txt or *.vbs or *.wma or *.xls|TriggerFiles
except when the source process is in the system process list
or the source process is in the trusted process list
These rules were written based on the behaviours of some viruses and target the behaviour of mass overwriting/deleting of files in a short time.
These rules have not generated any false positives so far, without the need to add any exception manually (used default exceptions).
These rules cannot protect against some viruses.
Examples:
a. overwrite 5 files, stop for 5 seconds, then infect other files.
b. overwrite files alternately:
overwrite File A, then ignore File B, then overwrite File C.
So if anyone thinks of any rules that can combat the mentioned ways of infection (with a low rate of false positives :) ), please tell me.
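To make the trade-off in the rule above concrete, here is an added example (not ThreatFire's code, not from the thread): a small model of a "N writes to watched files within T seconds by a non-interactive, untrusted process" trigger, run against a constructed fast burst and against evasion (a), the 5-files-then-pause pattern. The process names, paths, timestamps and the trusted list are all made up for the demo.

```python
# Added example (not ThreatFire's code): a model of the rate trigger described
# above, so the burst-with-pause evasion can be tried against it offline.
# Process names, paths, timestamps and TRUSTED below are constructed for the demo.
from collections import defaultdict, deque
import fnmatch

WATCHED = ("*.bat", "*.com", "*.dll", "*.doc", "*.exe", "*.scr", "*.sys", "*.txt", "*.vbs")
TRUSTED = {"backup.exe", "explorer.exe"}   # stand-in for the system/trusted process lists

class RateTrigger:
    def __init__(self, count=20, seconds=2.0, actions=("write",), patterns=WATCHED):
        self.count, self.seconds = count, seconds
        self.actions, self.patterns = actions, patterns
        self.windows = defaultdict(deque)   # process -> timestamps of recent matching events
        self.alerts = []

    def matches(self, path):
        name = path.lower().rsplit("\\", 1)[-1]
        return any(fnmatch.fnmatch(name, p) for p in self.patterns)

    def feed(self, ts, process, interactive, action, path):
        if interactive or process.lower() in TRUSTED:   # the "except when ..." clauses
            return False
        if action not in self.actions or not self.matches(path):
            return False
        q = self.windows[process]
        q.append(ts)
        while ts - q[0] > self.seconds:                # slide the window forward
            q.popleft()
        if len(q) >= self.count:                       # N matching events within T seconds
            self.alerts.append((ts, process))
            q.clear()                                  # one alert per burst
            return True
        return False

def alerts_for(events, **rule):
    trig = RateTrigger(**rule)
    return sum(trig.feed(*e) for e in events)

def burst(start, n, gap, proc="dropper.exe"):        # n writes to distinct .exe files, gap s apart
    return [(start + i * gap, proc, False, "write", f"C:\\data\\f{i}.exe") for i in range(n)]

FAST = burst(0.0, 30, 1 / 30)                                 # 30 overwrites in one second
SLOW = [e for k in range(6) for e in burst(k * 5.5, 5, 0.1)]  # evasion (a): 5 files, 5 s pause

if __name__ == "__main__":
    print("fast burst, 20 in 2 s:", alerts_for(FAST))              # fires once
    print("slow burst, 20 in 2 s:", alerts_for(SLOW))              # never fires
    print("slow burst, 20 in 30 s:", alerts_for(SLOW, seconds=30)) # fires, at the cost of FP risk
```

Widening the window catches the paced infector but also makes ordinary installers and backup jobs more likely to trip the rule, which is why the trusted/system exceptions matter as much as the counts.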
Kees1958
08-24-2007, 04:13 PM
Thomas,
You seem to be able to capture the internally stored rules of ThreatFire. Where did you find them?
Regards Kees
Kees1958
08-24-2007, 04:17 PM
My rule against viruses
When any non-interactive process
tries to write|TriggerAccessFlags 20|TriggerCount files
within 2|TriggerSeconds seconds
named *.asp or *.bat or *.com or *.dll or *.doc or *.exe or *.gif or *.htm or *.jpg or *.jsp or *.mp3 or *.php or *.ppt or *.scr or *.sys or *.txt or *.vbs or *.wma or *.xls|TriggerFiles
except when the source process is in the system process list
or the source process is in the trusted process list
My rule against virus that delete files
When any non-interactive process
tries to delete|TriggerAccessFlags 20|TriggerCount files
within 2|TriggerSeconds seconds
named *.bat or *.com or *.dll or *.doc or *.exe or *.gif or *.jpg or *.mp3 or *.php or *.ppt or *.scr or *.sys or *.txt or *.vbs or *.wma or *.xls|TriggerFiles
except when the source process is in the system process list
or the source process is in the trusted process list
These rules were written based on the behaviours of some viruses and target the behaviour of mass overwriting/deleting of files in a short time.
These rules have not generated any false positives so far, without the need to add any exception manually (used default exceptions).
These rules cannot protect against some viruses.
Examples:
a. overwrite 5 files, stop for 5 seconds, then infect other files.
b. overwrite files alternately:
overwrite File A, then ignore File B, then overwrite File C.
So if anyone thinks of any rules that can combat the mentioned ways of infection (with a low rate of false positives :) ), please tell me.
Thomas,
We have CyberHawk Pro (now ThreatFire free) and GeSWall Pro. Because a lot of the data file extensions are treated by GeSWall Pro as untrusted apps, I do not need to put them in my ruleset.
Thanks for the tips, I will also check the registry suggestions you have submitted (there is some overlap, and I want to understand what I am monitoring).
Thanks
thomas486
08-25-2007, 01:59 AM
Kees1958 Thomas,
You seem to be able to capture the internally stored rules of ThreatFire. Where did you find them?
Regards Kees
The rules I posted were not internally stored at all.
I have just copied the description:
http://www.sjc.edu.hk/~thomas486/ThreatFire/infector.jpg
by pressing Ctrl-C.
Thank you for spending time checking my registry settings. :)
thomas486
08-30-2007, 01:47 AM
How good is ThreatFire's buffer overflow protection?
Can ThreatFire protect against the following exploits by detecting buffer overflow behaviour?
(Please post relevant screenshots if available)
Microsoft XML Core Services overflow,
WebViewFolderIcon overflow,
ANI overflow,
WinZip ActiveX overflow,
QuickTime overflow
Reference Information about the vulnerabilities:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9032338&pageNumber=1
:)