Security -- Some basic Questions


  1. Posts : 199
    Win 7 Pro x32
       #1

    Security -- Some basic Questions


    Note: see: Security with Someone Else's ActiveX



    The following is a somewhat duplicate post of the above (with more questions).

    ------------------
    Background
    ------------------

    secpol.msc appears to be where Microsoft addresses system security.
    But we have other areas such as Services that are running.

    Also, like most people, I have some software written by someone else.
    That software uses various APIs in order to function. However, APIs are a two-edged sword.
    They can be used for both good and bad.
    So how does one determine what that software is in fact doing?
    "CALL HOME" is a simple example of this issue.

    ----------------
    Questions
    ----------------
    1) Is there any way to determine what affects what on the system?
    For example, if one checks certain boxes in secpol.msc, will this override a particular "service(s)",
    and if so, what "service(s)" are affected? Conversely, if one toggles a service, will that override
    settings in secpol.msc?

    2) Wireshark and other software can be used to monitor traffic. However, for calls made from within,
    such as "Call Home" -- that occur infrequently -- how does one identify that piece of software?


    Example/Clarification:
    DEP as I understand it is still dealing with an outsider (e.g. virus) getting in - or having got in -- and then accessing memory in a Process it is not supposed to have access to. What I'm trying to address is 3rd party software getting out and how to monitor it.
    For example, say I install program A -- or -- receive an ActiveX control (or library) to be used to link to someone else's server. I need the program or the ActiveX. However, the vendor will Not provide the source code for the software or the ActiveX. Hence, I really have no knowledge what is embedded in that code. Just like Call Home, when the software is installed who knows what went on behind the scenes. With the ActiveX I have a little more control, but since it is interfacing with someone else's server, embedded in that ActiveX can be API calls to do whatever. While DEP -- hopefully -- would limit access outside of the Process that is executing the ActiveX, the ActiveX still would have access to the code in which it is embedded and I'm NOT real sure what else (??? basis for question). So can one control any of this or is it back to the "TRUST" issue with No VERIFY?

    3) Is there a master list of where to go and what affects what in regard to system security?
    Last edited by dw85745; 15 Feb 2019 at 13:56.
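    For question 2 (which program made an infrequent outbound connection), here is an added example that is not from the thread: it uses the Windows Filtering Platform auditing built into Windows 7 (Security log, event ID 5156) to attribute every permitted outbound connection to the executable that opened it, then groups by application and destination so the rare "call home" rises to the top. The script name, the $Hours parameter and the loopback/multicast filter are assumptions of this example.

    ```powershell
    # Added example, not from the thread: list outbound connections per process from the
    # Windows Filtering Platform audit events (Security log, event ID 5156) that Windows 7 can record.
    # Assumes an elevated PowerShell 2.0+ prompt and that auditing was enabled once with:
    #   auditpol /set /subcategory:"Filter Platform Connection" /success:enable
    param([int]$Hours = 24)

    function Get-OutboundConnections {
        param([int]$LookbackHours)
        $since  = (Get-Date).AddHours(-$LookbackHours)
        $filter = @{ LogName = 'Security'; Id = 5156; StartTime = $since }
        foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            $p = $e.Properties
            # 5156 property order: ProcessID, Application, Direction, SourceAddress, SourcePort,
            # DestAddress, DestPort, Protocol, ...  Direction %%14593 = Outbound, %%14592 = Inbound
            if ($p[2].Value -ne '%%14593') { continue }
            New-Object PSObject -Property @{
                Time        = $e.TimeCreated
                ProcessId   = $p[0].Value
                Application = $p[1].Value   # NT device path, e.g. \device\harddiskvolume1\...\app.exe
                Destination = "$($p[5].Value):$($p[6].Value)"
                Protocol    = $(switch ($p[7].Value) { 6 { 'TCP' } 17 { 'UDP' } default { $_ } })
            }
        }
    }

    # One row per (application, destination); ascending count puts the rare "call home" first.
    # Loopback, link-local and multicast destinations are dropped to cut noise.
    Get-OutboundConnections -LookbackHours $Hours |
        Where-Object { $_.Destination -notmatch '^(127\.|::1|fe80:|ff0|224\.|239\.|255\.255\.255\.255)' } |
        Group-Object Application, Destination |
        Sort-Object Count |
        Select-Object Count, Name, @{ n = 'Last'; e = { ($_.Group | Sort-Object Time)[-1].Time } } |
        Format-Table -AutoSize -Wrap
    ```

    The audit subcategory records every permitted connection, so the Security log grows quickly; widen the log or lengthen the lookback if the caller you are hunting only connects every few days.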


  2. Posts : 0
    Windows 7 Ultimate x64
       #2

    First and foremost. ActiveX is very, very bad business and only Internet Explorer uses it. I in fact used to block it at the router level when I ran the third-party router firmware DD-WRT. Now I run ASUS Merlin since my new router is an ASUS-branded router and that firmware doesn't have ActiveX blocking. At least not that I'm aware of without SSHing into the router and doing some nerdy magic. So in a nutshell, I wouldn't use any ActiveX crap at all. There are alternatives.

    I'm not too sure how to monitor calls from processes, etc. But I'm aware of a few tools that may help. One is called Ring3 API Hook Scanner. And the other is called Whatchanged. With Ring3 it does as it says. IDs hooks within processes. Not sure how good it is at doing what it claims however. But I use it as part of my malware scanning regimen I periodically run. Which for me is mostly just a sanity check since I never get malware anyway. Whatchanged also does what it implies. What you do is run a baseline on the system. It will note all directories and registry values. Then when you run Whatchanged again it will list all of what changed both with directories and registry values. Now this doesn't really cover the idea of seeing what an API is doing, but it can help you know if some funny business just went down. The thing with Whatchanged is that it can create very large files on things that have changed. So it's best to do a before-and-after scan during your use of an untrusted API. That way you can sort of get a behind-the-scenes presentation.

    Something else that might be worthwhile is to use Process Hacker and watch a process. You right click a process, select properties and you can see its environment, modules and threads, etc.

    On the subject of malware prevention, I also use another tool called StreamArmor which is more or less another sanity check tool. If something creeps in bypassing your anti-virus, StreamArmor may find it. Though there may be false positives and I found getting rid of streams is a real pita. There are tools that supposedly do it, but I had no luck.


    Detect Inline, IAT and EAT hooks with Ring3 API Hook Scanner | NoVirusThanks

    Download What Changed - MajorGeeks

    Stream Armor : Free Tool to Scan & Clean Malicious Alternate Data Streams (ADS) | www.SecurityXploded.com

    I'd use Notepad ++ to read the WhatChanged log files. All you'd have to do is right click the logs and open in Notepad ++.


  3. Posts : 199
    Win 7 Pro x32
    Thread Starter
       #3

    F22 SimPilot: Thanks for taking the time to respond.


    ActiveX is very, very bad business and only Internet Explorer uses it.
    Sorry to burst your bubble, but ActiveX is implemented as part of M$ COM (Component Object Model) and consequently can be in any software if the developer decided to use ActiveX as part of that Application.



    Ring3 API Hook Scanner
    Thanks for mentioning it. As I recall the Kernel has 3 Rings with Ring3 being the least secure. So most likely the software is looking for Keyboard or Mouse Hooks. Here's a bit more info from Wiki if of interest: Protection ring - Wikipedia


    Whatchanged
    Used it once or twice myself but found it cumbersome. Sadly, most file / registry change tools want a complete disk copy to subsequently compare to. Personally I would prefer one -- haven't found one -- that will monitor and record (files / registry entries, etc.) the installation of a single Application -- like a master log file just for that specific Application, which one could refer to if needed.



    Process Hacker
    Had forgotten about this. Never used it but heard good things.


    StreamArmor
    Never heard of it but will check it out.
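    The baseline-then-diff routine described for Whatchanged in post #2, scoped to one application's install as post #3 asks for, as an added example that is not from the thread or from either tool. It snapshots file sizes and timestamps under a few directories plus the values under a few registry roots, waits while you install, snapshots again and writes only the differences to a log named after the application; the path list, registry roots, $Name parameter and log location are assumptions.

    ```powershell
    # Added example, not from the thread: baseline files and registry, install one application,
    # snapshot again and log only the differences. Assumes Windows 7+, PowerShell 2.0+, elevated.
    param(
        [string[]]$Paths    = @("$env:ProgramFiles", "$env:SystemRoot\System32", "$env:APPDATA"),
        [string[]]$RegRoots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services'),
        [string]$Name = 'AppUnderTest'   # label used in the change log file name
    )
    function Get-FileSnapshot {
        param([string[]]$Roots)
        $snap = @{}
        foreach ($root in $Roots) {
            # size + last-write ticks is enough to notice added, removed and rewritten files
            Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                ForEach-Object { $snap[$_.FullName] = "$($_.Length)|$($_.LastWriteTimeUtc.Ticks)" }
        }
        return $snap
    }
    function Get-RegistrySnapshot {
        param([string[]]$Roots)
        $snap = @{}
        foreach ($root in $Roots) {
            Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                $key = $_
                foreach ($v in $key.GetValueNames()) {
                    # -join flattens REG_BINARY / REG_MULTI_SZ values so they compare as text
                    $snap["$($key.Name)\$v"] = ($key.GetValue($v)) -join ','
                }
            }
        }
        return $snap
    }
    function Compare-Snapshot {
        param([hashtable]$Before, [hashtable]$After)
        foreach ($k in $After.Keys) {
            if (-not $Before.ContainsKey($k))   { "ADDED    $k" }
            elseif ($Before[$k] -ne $After[$k]) { "MODIFIED $k" }
        }
        foreach ($k in $Before.Keys) { if (-not $After.ContainsKey($k)) { "REMOVED  $k" } }
    }
    $before = @{ Files = Get-FileSnapshot $Paths; Reg = Get-RegistrySnapshot $RegRoots }
    Read-Host "Baseline taken. Install or run $Name now, then press Enter" | Out-Null
    $after  = @{ Files = Get-FileSnapshot $Paths; Reg = Get-RegistrySnapshot $RegRoots }
    $log = "$env:USERPROFILE\Desktop\$Name-changes.log"
    @('## Files') + @(Compare-Snapshot $before.Files $after.Files) +
        @('## Registry') + @(Compare-Snapshot $before.Reg $after.Reg) | Set-Content -Path $log
    Write-Host "Change log written to $log"
    ```

    Keeping the roots narrow is what keeps the log small; a first run over an idle system shows which paths churn on their own (prefetch, logs, temp) and should be left out of $Paths.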


  4. Posts : 0
    Windows 7 Ultimate x64
       #4

    Process Monitor: Process Monitor - Windows Sysinternals | Microsoft Docs

    RegScanner: RegScanner: Alternative to RegEdit find/search/scan of Windows

    And there's another one I'll have to check my other computer on.


    What I meant about ActiveX is that it's not used in many browsers other than IE. It is indeed bad business.

