artek

Level 4
I used to be uber-paranoid, hence the "how to set up a layered security strategy" guide I made here, which was quite popular; but in the end, I never got even a single threat requiring my security softs to kick in... lol.
In the end, I'm finally using what Windows 10 offers me, and eventually one security soft to toy with.
I haven't seen any piece of malware on my personal use machines in like 10+ years. And the only time in my life that I actually got infected with anything, the malware blew right past my HIPS program like it wasn't even there.
 

Umbra

Level 15
Verified
Online Armor. Though to its credit I did see all of the outbound connections it had been making for the past six hours after I ran the media file.
Yeah, Online Armor was my favorite at that time, but you had to tweak it to make it "almost" bulletproof. Unlike what most people think and all those alternative setup guides I saw, there is only one way to use a HIPS properly: use it at its tightest mode (Paranoid Mode or whatever they call it), because HIPS were made to alert about every change; whitelisting and cloud rep were added for convenience because people can't, or are too lazy to, set them properly via rules.
The worst for me was this cruel Comodo joke, to be honest: using a HIPS program without using the HIPS... come on... in that case just use a real sandbox LOL
 

Umbra

Level 15
Verified
Which is the problem with auto-sandboxes: if the users don't have the skills to differentiate legit from malicious processes, it becomes useless, and you are better off with an anti-exe. I don't even talk about sandbox-aware malware.
 

artek

Level 4
Yeah, Online Armor was my favorite at that time, but you had to tweak it to make it "almost" bulletproof. Unlike what most people think and all those alternative setup guides I saw, there is only one way to use a HIPS properly: use it at its tightest mode (Paranoid Mode or whatever they call it), because HIPS were made to alert about every change; whitelisting and cloud rep were added for convenience because people can't, or are too lazy to, set them properly via rules.
The worst for me was this cruel Comodo joke, to be honest: using a HIPS program without using the HIPS... come on... in that case just use a real sandbox LOL
I don't specifically remember how I had it set up, but I would usually lean towards the more paranoid settings back then. I did read about a Windows zero-day vulnerability with media files a few days after this happened, but I had wiped the system by that point. I remember as I ran the file I looked at the file size (it was a TV show and the size was only a few megabytes) and I immediately thought it could be malware, but what's the worry, my HIPS will notify me. It sketched me out for a while after, and I noticed it connecting out when I checked the outbound connections. I felt like the French with their Maginot Line.
 
Reactions: venustus and AtlBo

notabot

Level 15
I don't specifically remember how I had it set up, but I would usually lean towards the more paranoid settings back then. I did read about a Windows zero-day vulnerability with media files a few days after this happened, but I had wiped the system by that point. I remember as I ran the file I looked at the file size (it was a TV show and the size was only a few megabytes) and I immediately thought it could be malware, but what's the worry, my HIPS will notify me. It sketched me out for a while after, and I noticed it connecting out when I checked the outbound connections. I felt like the French with their Maginot Line.
From the sounds of it, you were the victim of an exploit hitting a legitimate app. There's no satisfactory solution to this imo, even today. I.e. if an mp4 triggers a buffer overflow in VLC player and VLC player is a trusted app, no whitelisting will stop this, and from my discussion in another thread with an AV developer it sounded like no BB would realistically catch this either.

If you want to cast the movie (I never watch anything on a laptop anymore), I'm not sure how well sandboxing solutions would work with Chromecast. If someone has tried and Chromecast did work for them, that would be an interesting approach: sandboxing the player only for "risky" movies/mp4s etc.

Another solution would be to enforce very strict policies even for legitimate apps, but this would be a nightmare to maintain with updates etc.

Probably the best solution to isolate this threat vector would be to run downloaded movies inside a container (a real container, one that uses kernel namespaces) on your media server which can access only LAN IPs, and use X Windows on your desktop machine to control the container. It would take something really advanced to take this down, e.g. a kernel exploit on the media server to cross the containerization gap.
For even more security, a VM on your media server instead of a container would also be viable (albeit the responsiveness of VT-x VMs is disappointing).
For less security, an AppContainerized player.
 
Reactions: venustus
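The container setup notabot describes, as an added example that is not from the thread or any project mentioned in it: a POSIX shell helper that launches a media player for an untrusted file inside a Docker container (kernel namespaces), with all capabilities dropped, a read-only root filesystem, the file mounted read-only, and the host X11 socket passed in so the desktop controls the player. It assumes a Docker CLI, a placeholder image name `media-player` containing a player binary (`vlc` assumed), and it uses `--network none` rather than LAN-only access, since the file is mounted directly and no streaming is needed.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread). Runs a media player on an
# untrusted file inside a namespaced container with a minimal attack surface:
# an exploit in the player lands in a throwaway, capability-less container
# with no network and no writable host filesystem.

IMAGE="${IMAGE:-media-player}"   # placeholder image; must contain $PLAYER
PLAYER="${PLAYER:-vlc}"          # assumed player binary inside the image

# launch_untrusted_media ABSOLUTE_PATH
#   Returns 2 for a non-absolute path, 1 if it is not a regular file.
#   With DRY_RUN=1 it prints the argument vector (one per line) instead of
#   running docker, which is what the checks below exercise.
launch_untrusted_media() {
  f="$1"
  case "$f" in
    /*) ;;
    *)  echo "absolute path required: $f" >&2; return 2 ;;
  esac
  [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }

  # Build the argv with set -- so paths with spaces survive without eval.
  set -- docker run --rm -it \
    --network none \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --read-only --tmpfs /tmp \
    --pids-limit 256 \
    --user 1000:1000 \
    -e "DISPLAY=${DISPLAY:-:0}" \
    -v /tmp/.X11-unix:/tmp/.X11-unix:ro \
    -v "$f:/media/input:ro" \
    "$IMAGE" "$PLAYER" /media/input
  # Caveat: sharing the X11 socket is the weak point, X has no client
  # isolation, so a compromised player can read other clients' input.
  # A nested server (Xephyr) or Xpra is the stricter option.

  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$@"
    return 0
  fi
  "$@"
}
```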

davisd

Level 2
Verified
So what's the strongest #2 after Kaspersky?
Stop with this. It's such a misleading question, from every security perspective, for new users. What difference does it make comparing antivirus suites? None is first and none is last; all are more or less equal default-allow. TAM, HIPS, etc., Application Control-like settings which make some suites stand out in particular have an advantage over competitors, but only when tweaked.
 

artek

Level 4
From the sounds of it, you were the victim of an exploit hitting a legitimate app. There's no satisfactory solution to this imo, even today. I.e. if an mp4 triggers a buffer overflow in VLC player and VLC player is a trusted app, no whitelisting will stop this, and from my discussion in another thread with an AV developer it sounded like no BB would realistically catch this either.

If you want to cast the movie (I never watch anything on a laptop anymore), I'm not sure how well sandboxing solutions would work with Chromecast. If someone has tried and Chromecast did work for them, that would be an interesting approach: sandboxing the player only for "risky" movies/mp4s etc.

Another solution would be to enforce very strict policies even for legitimate apps, but this would be a nightmare to maintain with updates etc.

Probably the best solution to isolate this threat vector would be to run downloaded movies inside a container (a real container, one that uses kernel namespaces) on your media server which can access only LAN IPs, and use X Windows on your desktop machine to control the container. It would take something really advanced to take this down, e.g. a kernel exploit on the media server to cross the containerization gap.
For even more security, a VM on your media server instead of a container would also be viable (albeit the responsiveness of VT-x VMs is disappointing).
For less security, an AppContainerized player.
Yes, you could do all of that, or just don't run suspiciously small video files. My point was that you can crawl up your own posterior trying to run some perfect security mechanism, but all of that goes out the window when the user does something stupid.
 

notabot

Level 15
Yes, you could do all of that, or just don't run suspiciously small video files. My point was that you can crawl up your own posterior trying to run some perfect security mechanism, but all of that goes out the window when the user does something stupid.
It doesn't need to be a small one; it could be a big one as well, it could be payload + movie. Containerisation is one of the most effective ways to isolate potentially dangerous processes, including exploited ones. Opening non-trusted files in a container is exactly avoiding doing something stupid.
 
Reactions: Gandalf_The_Grey