Slyguy

Level 42
Verified
We've got Panda in the lab this week and I am playing with settings and tweaks in my home lab.

So far they've fixed all of the bugs I reported to them months ago, such as:

1) Notifications not popping. (be sure to have Windows 10 notifications on)
2) Stalling on unknown processes accessing X folders.
3) Stalling on unknown processes modifying X files.
4) Broken firewall policy hierarchy under some conditions.
5) Port amount limitations on blacklisting.
6) GUI lag.

Also note, they appear to have made the product a good bit lighter, to the point it feels about as lightweight as anything I have tried lately. I will elaborate more later, but I'm calling these settings "PA w/SG", a blatant ripoff of CF w/CS. These settings utilize knowledge of firewalls and cascading policies, as well as exploiting the application control and data shield aspects of the product, to help harden the system. Upon setup make the following changes, which I will elaborate on later, including screenshots and maybe a video of some testing.

Here's what we did. (Please note, these tweaks aren't available on the free version of Panda)

1) Scroll the interface down to the firewall button, click it, set it to PUBLIC.
2) Click the gear in the upper right to access firewall settings.
3) Go to the RULES section, ADD new rule. Select "ALL Inbound and Outbound", BLOCK, then enter a large list of normal Trojan Ports then make this rule the TOP RULE in the policy list. (I will provide detailed instructions later)
4) Go to DATASHIELD, set 'BLOCK' for unknown applications accessing files. Then go up and enter a list of file extensions we created. Then set the directory to the ROOT 'C:\'
5) Go to APPLICATION CONTROL, set it to deny accessing data for all unknown processes.

So what this does is

1) Prevents all processes from ingress/egress on all commonly exploited ports (21, 22, 23, whatever), further strengthening the system via the firewall as the first policy in the cascade, preventing all malware-like port activity on the system.
2) Sets your Windows Drive (C:\) as a fully protected drive under DATASHIELD. Sets all generally used file types as protected file types. Then designates those files as off-limits for all unknown/unclassified processes. We've included DLL's, INI, Script Engines, Powershell, Batches and everything else in this list.
3) Automatically block unknown applications/processes from accessing all protected areas of the system. (Application Control)

So far the results are quite nice. In testing we created an executable designed to go around the system and modify some files (INI, BAT, DLL etc.). Then we attempted to launch this file and run the modification scripts, which were all denied. We set up a script to launch this file repeatedly, over and over, to flood Panda, and it successfully blocked it. We then set this file up to trigger on launch and modify random files on boot, which was successfully blocked without any system degradation or stuttering. We used a penetration test tool to attempt to exfiltrate data out from the system: SSH, Telnet, BO, etc. All of those were blocked by the Panda firewall because at the top of the policy list are blocks for all 'generally' used malware ports.

Next we will test ITW malware and see how effective these modifications are. Also, we're looking into setting the firewall up to block ALL PORTS except explicitly needed ones (53, 80, 8080, 443, 4443, whatever, whitelisted, then block everything else). This would be trickier to set up, as virtually every game/application/system has to be factored in to create a master whitelist, but it would provide impressive system protection once completed.
 

SHvFl

Level 35
Verified
Trusted
Content Creator
UAC blocks access to protected areas of the system, but anyway I can accept it sometimes gets bypassed, so I pass.
The datashield thingy will help with ransomware of all types.
The rest is yet to be seen when you test with something not covered by your settings.

Don't see how it's comparable with CS settings tbh, as your ransomware is not contained but only actions that change files and the OS are blocked, and they even have internet if I understand correctly.
 

Slyguy

Level 42
Verified
Not comparing it to CF/CS other than in name only. In that unique customizations are being applied. No assumptions other than name only, neither in protection level, or setting comparisons.

The interesting thing is, Datashield when configured in such a manner, should help against almost all operational malware because any modification of virtually any file on the system would be denied if the acting agent is an unknown and untrusted entity. In general, a lot of malware likes to modify this or that on a system, which this - in theory - should fully prevent.

That is, any 'unknown' program attempting to modify INI, Registry, CPL (and any module within CPL), DLL's, LNKs, or anything else should be fully prevented from doing this. My theory on this is - by doing this it would basically 'break' the functionality of unknown malware at the outset, rendering it inert. By Datashielding the entire drive, and all known extensions for unknown processes it should (in theory) prevent all sorts of modifications and tampering from unknown processes.
 

uninfected1

Level 10
Verified
Great job slyguy. Really appreciate you posting your findings, recommended settings etc. I won't ask you too much at the moment because my questions will probably be answered as you proceed, but just one for now. Is the safe browsing module working? Last time I tried it with a few phishtank samples and it didn't block any of them (Eset blocked the lot). Panda didn't even block the AMTSO phishing test page.
 

Slyguy

Level 42
Verified
Here are a couple of examples. Since the Panda Firewall works on a cascading policy-based system: policy-based firewalls are the most powerful, as they mirror enterprise-grade firewalls in policies being exercised from the top down. In this case, the first policy is a policy to block all of the 'common' Trojan/RAT/Botnet ports. Of course there could be thousands of different ports used, but it's often found that many of them use the same ports. So we're addressing those ports here:

[Attachment: Panda Ports.png]


Since this is the first policy it will SUPERSEDE all other policies so the first thing the firewall will do is block all general trojan/rat/botnet ports before any other application. So even if a RAT got on and started to work, as long as it used one of the generalized malware ports it wouldn't traverse. We'll continue to refine the port list here.

21,22,23,25,31,121,139,445,456,555,666,777,1000,1001,1011,1015,1033,1042,1170,1207,1234,1243,1245,1269,1349,1492,1509,1600,1807,1981,1999,2000,2001,2023,2115,2140,2283,2565,2583,2716,2801,3024,3129,3150,3700,3791,4092,4567,4590,5000,5001,5011,5031,5321,5400,5401,5402,5521,5550,5569,5742,6000,6400,6669,6670,6771,6883,6912,6939,6969,7000,7300,7301,7306,7307,7308,7597,7789,8787,9400,9872,9873,9874,9875,9989,10067,10167,10607,11000,11223,12223,12345,12346,12361,12362,16969,20001,20034,21544,22222,23456,26274,30100,30101,30102,31337,31338,31339,31666,33333,34324,40412,40421,40422,40423,40426,47262,50505,50766,53001,54321,61466

Second, we assign DATASHIELD to work on the entire root drive (C:\) so it can protect all manner of files on the system from modification/manipulation by unknown processes. This functions like a really nice, zero-weight system hardening system for the most part, since unqualified, unknown processes will quite readily be blocked from doing virtually anything on the system, including registry modifications.

[Attachment: Panda Data.png]


This will block unknown processes from modifying virtually everything on the system. We will continue to refine the blocklist since Panda doesn't allow Wildcards here. We've started with a grand list of the most commonly manipulated files by malware of various types. Be sure to set unknown processes to DENY in this section rather than ASK.

386,ACCDB,ADT,APPLICATION,ARJ,ASP,BAT,BIN,BOO,CAB,CBT,CHM,CLA,CLASS,CMD,COM,CPL,CSC,DLL,DOC,DOCM,DOCX,DOT,DOTM,DOTX,DRV,EML,EXE,GADGET,GZ,HLP,HTA,HTM,HTML,HTT,INI,INF,JAR,JPEG,JPG,JS,JSE,LNK,LZH,MDB,MPD,MPP,MPT,MSC,MSG,MSH,MSH1,MSH2,MSHXMP,MSH1XML,MSH2XML,MSI,MSO,MSP,NWS,OCX,OFT,OVL,PDF,PHP,PIF,PL,POT,POTM,POTX,PPAM,PPS,PPSM,PPSX,PPT,PPTM,PPTX,PRC,PS1,PS1XML,PS2,PS2XML,PSC1,PSC2,PST,PRF,RAR,REG,RTF,SCF,SCR,SHS,SYS,TAR,TMP,VB,VBE,VBS,VSD,VSS,VST,VXD,WML,WS,WSC,WSH,WSF,XLA,XLAM,XLS,XLSB,XLSM,XLSX,XLT,XLTM,XLTX,XML,Z,ZIP

Under testing, Panda utilizes the above methods, along with Application Control set to DENY, and throws off a whole lot of fun stuff on unknown, specifically coded test malware that scores 0% detection on VT and bypasses anything else we've tested it on.

[Attachment: Panda Block.png]
 

Deleted Member 3a5v73x

1) Scroll the interface down to the firewall button, click it, set it to PUBLIC.
In 18.06.00 rules don't change no matter which location is set, Home, Work, Pub.

Recommended rules by Panda lab sometimes duplicate and make double entries; no idea if it's a visual bug or they actually overlap, but a restart helps with that matter.

Panda can also be broken by using Shadow Defender under Application Control.

Also have noticed on rare occasions that Panda hides the WSC icon from the tray menu. It's not disabled nor altered by Panda in the registry, it permanently goes MIA. Uninstalling Panda resolves it.

There are also other annoying things, but none of my reported bugs have been resolved in 18.06.00 and the UI lag is still there for me. The good thing is the Panda devs are working, just not as fast as you would expect them to.
 

Slyguy

Level 42
Verified
Setting public enables the public Recommended rules by Panda Lab. That's why I mention toggling that.

I haven't noted any of the old bugs so far. Most importantly, the stupid system freezing/non-response when the Datashield would trip off is gone; that was a game breaker, as it broke my method of using Datashield to boost system security way up. I have no GUI lag anymore, so no idea what changed there. Maybe they offloaded some to the GPU now, and my test box has a 1070 GTX in it.

I don't use Shadow Defender, and I hide all Windows 10 system icons, so I didn't notice those issues. :unsure:

I've updated my firewall port rules. This time I added port ranges to clean it up, and this change eliminates about 95-98% of all botnets now, providing a little extra protection. Covering most RAT, Botnet and Trojan ports now, with some new ports being added shortly.

21-25,31,42,113,121,135,137,139,445,456,555,666,777,903,1000,1001,1011,1015,1025,1033,1042,1170,1207,1234,1243,1245,1269,1349,1433,1492,1509,1600,1807,1981,1999,2000,2001,2023,2115,2140,2283,2565,2583,2716,2745,2801,3024,3127,3129,3150,3306,3410,3700,3791,4092,4567,4590,5000,5001,5011,5031,5321,5400,5401,5402,5521,5550,5569,5742,6000,6129,6400,6660-6669,6670,6771,6883,6912,6939,6969,7000,7300,7301,7306,7307,7308,7597,7789,8787,9400,9872,9873,9874,9875,9989,10067,10167,10607,11000,11223,12223,12345,12346,12361,12362,16969,20001,20034,21544,22222,23456,26274,30100,30101,30102,31337,31338,31339,31666,33333,34324,40412,40421,40422,40423,40426,47262,50505,50766,53001,54321,61466
 
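The two firewall ideas in this thread, the malware-port block list sitting at the top of the cascade (so the first matching rule supersedes everything below it) and the follow-up "allow only explicitly needed ports, then block everything else" variant, as an added Python example that is not part of the thread and not Panda's code. It parses the thread's own port-list syntax (ranges like "21-25"), walks a policy top-down with first-match semantics, and includes a small ordering lint that flags rules an earlier rule fully shadows. The rule names, the process name `game.exe` and the connection attempts are constructed for illustration; the port list itself is the one posted above.

```python
"""Top-down, first-match firewall policy evaluator (added example).

Models the cascade behaviour described in the thread: rules are checked
from the top and the first one that matches decides.  Not Panda's code.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Port list copied from the updated rule posted in the thread.
TROJAN_PORTS = "21-25,31,42,113,121,135,137,139,445,456,555,666,777,903,1000,1001,1011,1015,1025,1033,1042,1170,1207,1234,1243,1245,1269,1349,1433,1492,1509,1600,1807,1981,1999,2000,2001,2023,2115,2140,2283,2565,2583,2716,2745,2801,3024,3127,3129,3150,3306,3410,3700,3791,4092,4567,4590,5000,5001,5011,5031,5321,5400,5401,5402,5521,5550,5569,5742,6000,6129,6400,6660-6669,6670,6771,6883,6912,6939,6969,7000,7300,7301,7306,7307,7308,7597,7789,8787,9400,9872,9873,9874,9875,9989,10067,10167,10607,11000,11223,12223,12345,12346,12361,12362,16969,20001,20034,21544,22222,23456,26274,30100,30101,30102,31337,31338,31339,31666,33333,34324,40412,40421,40422,40423,40426,47262,50505,50766,53001,54321,61466"


def parse_ports(spec: str) -> FrozenSet[int]:
    """Expand "21-25,31" into {21, 22, 23, 24, 25, 31}.

    A malformed or out-of-range token raises ValueError rather than
    silently shrinking the rule, which is the failure mode to avoid when
    a block list is the first policy in the cascade.
    """
    ports = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        lo, _, hi = token.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port token: {token!r}")
        ports.update(range(lo_i, hi_i + 1))
    return frozenset(ports)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "BLOCK" or "ALLOW"
    direction: str = "ANY"                   # "IN", "OUT" or "ANY"
    ports: Optional[FrozenSet[int]] = None   # None means any port
    process: Optional[str] = None            # None means any process

    def matches(self, direction: str, port: int, process: str) -> bool:
        if self.direction != "ANY" and self.direction != direction:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        if self.process is not None and self.process.lower() != process.lower():
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every connection `other` matches, this rule matches too."""
        dir_ok = self.direction in ("ANY", other.direction)
        port_ok = self.ports is None or (other.ports is not None and other.ports <= self.ports)
        proc_ok = self.process is None or self.process == other.process
        return dir_ok and port_ok and proc_ok


def evaluate(policy: List[Rule], direction: str, port: int, process: str,
             default: str = "ALLOW") -> Tuple[str, str]:
    """Walk the cascade top-down; return (action, name of deciding rule)."""
    for rule in policy:
        if rule.matches(direction, port, process):
            return rule.action, rule.name
    return default, "default"


def shadowed_rules(policy: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(policy)
            if any(earlier.covers(r) for earlier in policy[:i])]


# Policy A (the thread's setup): the malware-port block list is the first
# rule, so even a later per-application ALLOW cannot reopen those ports.
BLOCKLIST_POLICY = [
    Rule("trojan-ports", "BLOCK", "ANY", parse_ports(TROJAN_PORTS)),
    Rule("allow-game", "ALLOW", "OUT", parse_ports("27015,31337"), "game.exe"),  # hypothetical
]

# Policy B (the follow-up idea): allow the explicitly needed ports, deny the rest.
ALLOWLIST_POLICY = [
    Rule("needed-ports", "ALLOW", "OUT", parse_ports("53,80,443,4443,8080")),
    Rule("deny-all", "BLOCK"),
]

# The same two rules in the wrong order: deny-all now shadows the allow rule.
MISORDERED_POLICY = [ALLOWLIST_POLICY[1], ALLOWLIST_POLICY[0]]

if __name__ == "__main__":
    # Constructed connection attempts: (direction, port, process image name).
    attempts = [("OUT", 443, "browser.exe"), ("OUT", 31337, "game.exe"),
                ("OUT", 27015, "game.exe"), ("IN", 6665, "unknown.exe")]
    for label, policy in (("A", BLOCKLIST_POLICY), ("B", ALLOWLIST_POLICY),
                          ("B misordered", MISORDERED_POLICY)):
        print(f"policy {label}: shadowed rules = {shadowed_rules(policy)}")
        for direction, port, proc in attempts:
            print(f"  {direction:3} {port:5} {proc:12} -> {evaluate(policy, direction, port, proc)}")
```

The `shadowed_rules` check is the part worth keeping when hand-editing a cascade: a rule that sits below one that already covers it is dead, which is exactly what happens if the deny-all rule of the whitelist approach is placed above its allow rules.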

Deleted Member 3a5v73x

Is the safe browsing module working? Last time I tried it with a few phishtank samples and it didn't block any of them (Eset blocked the lot). Panda didn't even block the AMTSO phishing test page.
Yes, the safe browsing module works, but I wouldn't completely rely on it. The AMTSO phishing test page is supposed to be blocked by their business solutions. The safe module intercepts malicious https requests by connection reset, and http requests by Panda's warning.

[Attachments: 1.jpg, 2.PNG, 3.PNG]
 

Slyguy

Level 42
Verified
Connection reset because it doesn't inject into the browser or MiTM port 443. So it can 'appear' like it's not working, so nice find here.

Remember, filtration usually works like this:

DNS(router)-->Router(if you have UTM)-->Endpoint Protection-->Browser Itself. Often with pre-browser security, malware websites will not resolve and produce a connection reset screen rather than a landing page. That's actually better for your security than a landing page, but it also makes it harder to test because you aren't exactly sure if something is blocked or the domain isn't working.
 

Cortex

Level 11
I was over at my brother's yesterday, who uses Dome, and we applied the changes recommended by Slyguy and had no issues. As mentioned above, Shadow Defender does not sit well with Dome; has anyone found any sort of fix for that? He likes to run Shadow when the grandchildren etc. come round. Thanks Slyguy btw, appreciated. :)
 

harlan4096

Level 63
Verified
Staff member
Malware Hunter
I will try some packs in MWT Hub with those settings, since only enabling Application Control and Data Shield (both in Deny) is not enough to prevent the system infection, just see the last pack I tested this weekend in the Hub... PDP does not manage very well the malicious scripts...
 

Slyguy

Level 42
Verified
I will try some packs in MWT Hub with those settings, since only enabling Application Control and Data Shield (both in Deny) is not enough to prevent the system infection, just see the last pack I tested this weekend in the Hub... PDP does not manage very well the malicious scripts...
Great, did you get a chance with the latest pack?
 

Slyguy

Level 42
Verified
With the last I'm going tomorrow, finished testing KFA2019 and tomorrow in the morning will go with PDP...
That last pack is brutal, I see. Even 'good' products for scripts (Norton) are infected. Gdata, gasp, infected, and Gdata rarely fails. Be sure to follow my instructions above and I will be curious about the result. This should be a good test of whether Panda can be hardened enough against advanced activity like this.
 

harlan4096

Level 63
Verified
Staff member
Malware Hunter
That last pack is brutal I see. Even 'good' products for Script (Norton) are infected. Gdata, gasp, infected and Gdata rarely fails. Be sure to follow my instructions above and I will be curious of the result. This should be a good test of if Panda can be hardened enough against advanced activity like this.
Just finished testing the last pack #24 from @silversurfer with PDP 18.06 + your settings... :sick: It was hard! PDP only detected 5 samples on demand from the total of 24, so I had to test 19 samples dynamically!!! even about 14 hours after the pack was published here...

The results were interesting: the system was protected (no malware running) but was infected/"damaged" via many registry keys, and a couple of inactive exe files in \AppData\Local\Temp were blocked by "Application Control". My final status for this is "Protected - Not Clean". I will publish the results soon, be a bit patient, now I want my eyes to get a bit of rest :geek:
 