re: At Least This Snake Oil Is Free

Chris Quirke — Fri, 27 Jul 2007 12:15:21 GMT

Process monitoring (Task Manager, firewalls, etc.) has two other generic flaws.

The first is the "glove puppet" effect, when a generic wrapper such as SVCHost or RunDLL is the reported process, or a process is open to plugins and automation as is the case with web browsers.

The second is code within an ADS, which is typically reported as the base file. Because ADS code is not within the base file, an MD5 check of the base file will be meaningless. IMO, code should not be run from ADS and any resident OS service that processes ADS should strip all code when found.

re: At Least This Snake Oil Is Free

Karl Levinson — Fri, 27 Jul 2007 00:31:33 GMT

Definitions of snake oil usually mention the cure being worthless as part of the definition. As you point out near the end of the post, outbound host-based firewall filtering is NOT worthless. But the sentences mentioning snake oil leave the reader with the wrong impression that such filtering is worthless.

Such filtering is not 100% effective, but neither are antivirus or firewalls or most every other countermeasure. Such filtering 1) raises the bar that malware must surpass and 2) offers an opportunity for the OS to detect and alert when the firewall is modified or bypassed in certain ways, even if it cannot prevent it.

Also, host-based firewall settings can become somewhat more secure from tampering if it is run in a security context other than the current user or some form of user authentication, CAPTCHA, etc. is required to modify settings. If these don't apply to the way Windows Firewall implements outbound filtering, well, maybe they should?

The current Windows architecture lets even malware running as GUEST bind an executable to a listening TCP/IP port, something *nix can prevent. So, at this point I'll take pretty much any kind of user access control on TCP/IP that I can get out of MS Windows, whether it's robust or not.