XhenEd Security Configuration

Windows Edition
Home
User Account Control
Notify me only when programs try to make changes to my computer
Real-time security
Binisoft Windows Firewall Control
VoodooShield Pro (Beta)
AppGuard 4.4.6.1
HitmanPro.Alert 3.x.x
Firewall security
Periodic malware scanners
Zemana AntiLogger
HitmanPro
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Google Chrome 64-bit: LastPass, Web Boost, uBlock Origin, Google Data Saver, IDM extension

Pale Moon 27 64-bit: LastPass, Decentraleyes (jetpack version), uBlock Origin

Vivaldi 64-bit: LastPass, uBlock Origin, Web Boost
Maintenance tools
CCleaner Free, Process Lasso Pro, Veracrypt, BatteryCare, Revo Uninstaller, O&O ShutUp10
System recovery
AOMEI Backupper Professional

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
Update!

Added: Virtualbox as my VM software


I'm planning on testing some AVs (or any software) within a VM against malware. What do you suggest I should do for precautions? From what I understood, VMs are pretty much secure. But according to my research, there might be vulnerabilities within the VM that might expose the host OS.

I'm not an expert on cyber-security, so what I'm just gonna do is scan the malware samples with AVs. If the samples aren't detected, then I will run them. Is this okay? I have snapshots in place. What I'm afraid of is that there might be malware that might infect the host OS. However, my host OS has a security configuration that I think is enough to stop any malware from running. So, what can you suggest?
Hi @XhenEd, some types of malware can also infect the host OS. Obviously this only happens with the more dangerous malware; in fact, even with a VM we aren't completely secure. Anyway, if you only use the VMs to scan malware and test antivirus products you can do it, but pay attention if you want to run them, because even if you are in a virtual machine the risk of a host OS infection can be high.
Especially if you want to test malware that can connect to malicious hosts or IPs, it could be very dangerous in some cases, because the malware can infect the host OS through the internet connection.
In addition, if you want to start malware analysis you can do it in a virtual machine, but it is better to do only static analysis, because dynamic analysis can infect the real system.
Anyway, good addition, thanks for sharing ;)
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708

Thanks! I'll take that into account.
I configured the firewall to "ask" about whatever incoming or outgoing connections are happening, for both unknown and trusted programs. I'm currently testing Emsisoft Internet Security 10.

My first test is from here: http://malwaretips.com/threads/30-mixed-malware-samples-2015-09-24.51306
There are files which were not detected. So, I ran one of them. And it ran without any detection from EIS, even from its BB. :(


I have EIS 10, AppGuard (Lockdown mode), HitmanPro.Alert and CryptoPrevent on my host machine. So, I think I'm covered. And besides, I have backups just in case the worst happens. :)
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
Very good ;)
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
Is there malware that can damage the host OS from the infected guest OS? What I mean is that even without dropping anything onto the host OS, the malware can damage it remotely. Is that possible? That would be scary, if possible.
It is an interesting question. Anyway, yes, the most dangerous malware can do this, but your host OS is very secure, so I think the risk for you is low, also because only some types of malware can do it.
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Okay. Thanks for the info and assurance!
 

LabZero

XhenEd

The quality of an antivirus is measured by running malware, not by performing a context scan, so you need to create a suitable environment to test live malware. As you know, I am assembling a PC for malware analysis: Klipsh's LabZero War PC Security Config (in progress...)
I implemented VBox, but for reliable tests malware should be started on a real system, because some sophisticated samples have anti-virtualization routines so they don't behave like malware in the VM (these are the best ones to analyze).
I advise you to use an old PC with XP absolutely dedicated to malware testing and empty of any data or personal information that might be stolen and shared on the internet by malware.
As you properly say, the VM is software and may have unknown vulnerabilities that are known to whoever creates malware, and you could risk infecting the host.
The VBox must be configured without shared folders, Guest Additions and extensions (drivers), and you have to be careful not to create links (network drives or otherwise) between the host system and the virtualized one (guest).
To avoid having to clean up, or at least not risk leaving traces of malware, you can create a snapshot of the virtual disk.
I suggest, for the first few times anyway, turning off the internet when you run your malware.
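As an added example (not part of LabZero's post or any MalwareTips member's code), the checks in the post above expressed as a script against VirtualBox's own VBoxManage command line. It parses the output of `VBoxManage showvminfo <vm> --machinereadable`, flags every setting that links guest and host (shared folders, clipboard, drag-and-drop, an attached network adapter, installed Guest Additions) and prints (or, with `--apply`, runs) the VBoxManage commands that remove them, ending with a clean-baseline snapshot to restore after each sample run. The VM name `malware-lab`, the embedded showvminfo output and the script name are constructed for illustration; the key names and the `--clipboard-mode` switch are those of VirtualBox 6.1 and later to the best of my knowledge and should be confirmed on your own version.

```python
"""Audit a VirtualBox VM for the host/guest isolation settings discussed above.

Parses `VBoxManage showvminfo <vm> --machinereadable`, flags every setting
that links guest and host, and emits the VBoxManage commands that undo them,
followed by a clean-baseline snapshot to restore after each sample run.
"""
import shlex
import subprocess
import sys

# Constructed sample of `showvminfo --machinereadable` output; not captured
# from a real VM. Key names are those emitted by VirtualBox 6.x/7.x as far as
# the author knows; confirm against your own version before relying on them.
SAMPLE_VMINFO = """\
name="malware-lab"
nic1="nat"
nic2="none"
clipboard="bidirectional"
draganddrop="disabled"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="C:\\Users\\me\\samples"
GuestAdditionsVersion="6.1.40 r154048"
"""

# Adapter modes that reach neither the host nor the internet. "hostonly" is
# deliberately excluded: it gives the guest a route to the host's adapter.
SAFE_NIC_MODES = {"none", "intnet"}


def parse_vminfo(text):
    """Turn key="value" lines into a dict (values unquoted)."""
    info = {}
    for line in text.splitlines():
        key, sep, raw = line.partition("=")
        if sep:
            info[key.strip()] = raw.strip().strip('"')
    return info


def audit(info, vm):
    """Return (setting, value, fix) triples; fix is a VBoxManage argv or None."""
    findings = []
    for key, val in sorted(info.items()):
        # nic1, nic2, ... but not nictype1 / nicspeed1
        if key.startswith("nic") and key[3:].isdigit() and val not in SAFE_NIC_MODES:
            findings.append((key, val, ["VBoxManage", "modifyvm", vm, f"--{key}", "none"]))
        elif key.startswith("SharedFolderName"):  # permanent and transient mappings
            findings.append((key, val, ["VBoxManage", "sharedfolder", "remove", vm, "--name", val]))
    if info.get("clipboard", "disabled") != "disabled":
        findings.append(("clipboard", info["clipboard"],
                         ["VBoxManage", "modifyvm", vm, "--clipboard-mode", "disabled"]))
    if info.get("draganddrop", "disabled") != "disabled":
        findings.append(("draganddrop", info["draganddrop"],
                         ["VBoxManage", "modifyvm", vm, "--draganddrop", "disabled"]))
    if "GuestAdditionsVersion" in info:
        # Additions live inside the guest; no host-side command removes them.
        findings.append(("GuestAdditionsVersion", info["GuestAdditionsVersion"], None))
    return findings


def snapshot_cmd(vm, name="clean-baseline"):
    """Snapshot to restore after every sample run so nothing persists."""
    return ["VBoxManage", "snapshot", vm, "take", name, "--description", "pre-infection state"]


def main(argv):
    """Usage: python vbox_audit.py [VM_NAME] [--apply]; no VM name audits the sample."""
    apply_fixes = "--apply" in argv
    names = [a for a in argv[1:] if not a.startswith("--")]
    if names:
        vm = names[0]
        text = subprocess.run(["VBoxManage", "showvminfo", vm, "--machinereadable"],
                              check=True, capture_output=True, text=True).stdout
    else:
        vm, text = "malware-lab", SAMPLE_VMINFO
    findings = audit(parse_vminfo(text), vm)
    for setting, value, fix in findings:
        print(f"[!] {setting}={value!r}")
        print("    fix: " + (shlex.join(fix) if fix else "uninstall Guest Additions inside the guest"))
        if apply_fixes and fix:
            subprocess.run(fix, check=True)
    if not findings:
        print("[+] no host<->guest links found")
    print("    then: " + shlex.join(snapshot_cmd(vm)))
    if apply_fixes:
        subprocess.run(snapshot_cmd(vm), check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to audit the embedded sample, `python vbox_audit.py "My VM"` to audit a real machine, and add `--apply` to execute the fixes and take the snapshot. Host-only networking is flagged on purpose, since it is exactly the kind of host link the post warns about; an internal network (guest-to-guest only) is accepted. Detaching the adapter with `--nic1 none` is the VBoxManage equivalent of "turn off the internet when you run your malware".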
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Thanks for this!
I have a spare laptop, but its monitor is broken. I need an external monitor for it. If I have that, then I can probably do live malware testing on a real machine. :D Sadly, the external monitor for that laptop is currently borrowed by my cousin.

For now, I'll just focus on the VM. I won't run live malware frequently, anyway. I'll just run it if I feel like testing. :D
I'm not really into serious malware testing. I just want to experience malware infecting the OS while an AV or other security software sits idle. It would also be interesting to see an AV or other security software stop the malware from even running.
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Update!

Removed: Emsisoft Internet Security 10
Added: Avast Internet Security 2015
Changed: Yes, I download Malware Samples

I was just trialing EIS 10. EIS 10 was good (in fact, very good). But I want to experience another AV, so that I'll know if the problems I encountered sometimes (e.g. slow download speed, slow boot, slow pc response) are caused by EIS.

I was caught up by Avast. So, in order to satisfy my curiosity, I decided to install Avast Free. After I installed Avast Free, I downloaded and installed Comodo Firewall. However, HMP.A couldn't work well (i.e. it couldn't open protected programs due to errors). So, I ditched CF. Fortunately, I saw a deal from Windowsdeal offering a 180-day trial of Avast Internet Security. I grabbed it. So, yeah, I have it now. :D

I also changed to "Yes, I download Malware Samples" because I sometimes test malware samples in my VM.
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I guess this problem is caused by comodo. Comodo has a feature that can prevent shell code injection. On some computers, it disables sbie. They solve this problem by excluding SBIE from shell code injection prevention. You can also try it.
Yep! It's caused by incompatibility with Comodo Firewall.
I uninstalled it and the problem is gone.
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Update!

Removed: Avast Internet Security 2015
Added: ESET Smart Security 8

I like the technologies in ESET. But as I have read through the tests by itman of Wilders, ESET is somewhat ineffective against non-network based exploits. Nevertheless, I have HMP.A for that. So, I should be covered. :)
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
Update!

Good update, friend. :) Yes you are covered enough, HMP.A for me is a good and reliable software. ;)
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Update!

Removed: ESET Smart Security 8
Added: Emsisoft Internet Security 10 and HitmanPro

This has been for awhile now. I just forgot to update. :)
A shout-out to @Malware1 for giving me a license for HitmanPro.Alert, which enabled me to also get HitmanPro as an on-demand scanner. :)
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Update!

Removed: Emsisoft Internet Security 10
Added: Kaspersky Internet Security 2016

I also tested Bitdefender Internet Security 2016 for one day before switching to KIS 2016. I switched back to Kaspersky because they already released Patch C which fixes some of its limitations with Windows 10.
Sadly, though, Kaspersky still has limitations with Windows 10. That is on top of its limitations with 64-bit systems. :(
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
Update!

Hi @XhenEd, it is a good changelog; Kaspersky is one of the best antiviruses for detection, real-time protection, etc.
Then I think that KIS will not have the same problems in the coming months or weeks; there will be plenty of updates, obviously to manage the problems with Windows 10. Thanks for sharing ;)
 

XhenEd

Level 28
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Update!

Added: Rollback RX 10.4
Removed: EaseUS Todo Backup Home, MyDefrag, BatteryCare

I added Rollback RX 10.4 (the version with Windows 10 compatibility) for backup, despite the perceived danger of using it. Obviously, in order for Rollback RX to work, I needed to uninstall EaseUS Todo Backup Home and MyDefrag. However, if AX64 Time Machine launches its new version, I might remove Rollback RX to try the safer AX64 Time Machine. :D

I removed BatteryCare since it drove my download connection crazy. I have no idea why it did that. :D
 
