Windows 7 Forums

Windows 7: Security -- Some basic Questions

11 Feb 2019   #1
dw85745
Win 7 Pro x32

Security -- Some basic Questions

Note: see: Security with Someone Elses ActiveX



The following is a somewhat duplicate post of the one above (with more questions).

------------------
Background
------------------

secpol.msc appears to be where Microsoft addresses system security.
But we have other areas, such as the Services that are running.

Also, like most people, I have some software written by someone else.
That software uses various APIs in order to function. However, APIs are a two-edged sword.
They can be used for good or bad.
So how does one determine what that software is in fact doing?
"CALL HOME" is a simple example of this issue.

------------------
Questions
------------------
1) Is there any way to determine what affects what on the system?
For example, if one checks certain boxes in secpol.msc, will this override a particular "service(s)",
and if so, what "service(s)" are affected? Conversely, if one toggles a service, will that override
settings in secpol.msc?

2) Wireshark and other software can be used to monitor traffic. However, for calls made from within,
such as "Call Home" -- that occur infrequently -- how does one identify that piece of software?


Example/Clarification:
DEP, as I understand it, is still dealing with an outsider (e.g. a virus) getting in -- or having got in -- and then accessing memory in a process it is not supposed to have access to. What I'm trying to address is 3rd-party software getting out, and how to monitor it.

For example, say I install program A -- or -- receive an ActiveX control (or library) to be used to link to someone else's server. I need the program or the ActiveX. However, the vendor will not provide the source code for the software or the ActiveX. Hence, I really have no knowledge of what is embedded in that code. Just like Call Home, when the software is installed, who knows what went on behind the scenes.

With the ActiveX I have a little more control, but since it is interfacing with someone else's server, embedded in that ActiveX can be API calls to do whatever. While DEP -- hopefully -- would limit access outside of the process that is executing the ActiveX, the ActiveX still would have access to the code in which it is embedded, and I'm NOT really sure what else (??? basis for question). So can one control any of this, or is it back to the "TRUST" issue with no VERIFY?

3) Is there a master list of where to go and what affects what in regard to system security?


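On question 2 (tying an infrequent "call home" back to the program that made it): Wireshark shows the packets but not the process. Windows itself can record the process. This is an added example, not from the thread or any of the tools mentioned in it. It assumes that Windows Filtering Platform connection auditing has been switched on once from an elevated prompt with `auditpol /set /subcategory:"Filter Platform Connection" /success:enable` (that subcategory is the same audit policy secpol.msc exposes under Advanced Audit Policy Configuration > Object Access). After that, every permitted connection is logged to the Security log as event 5156, and the event carries the path of the owning executable. The vendor path and the 203.0.113.x addresses in the sample events are constructed for the demonstration; PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Assumes Windows Filtering Platform
# connection auditing has been enabled once from an elevated prompt:
#   auditpol /set /subcategory:"Filter Platform Connection" /success:enable
# From then on every permitted connection is written to the Security log as
# event 5156, and the event carries the path of the process that opened it,
# so an infrequent "call home" is tied to its executable even if nobody was
# watching Wireshark at the time. Needs PowerShell 3.0 or later.

# Flatten the XML of one 5156 event (live or constructed) into an object.
function ConvertFrom-WfpConnectionXml {
    param([Parameter(Mandatory = $true)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $proto = switch ([int]$data['Protocol']) { 6 { 'TCP' } 17 { 'UDP' } default { "IP$_" } }
    [pscustomobject]@{
        Time        = [datetime]$doc.Event.System.TimeCreated.SystemTime
        ProcessId   = [int]$data['ProcessID']
        Application = $data['Application']                # \device\harddiskvolumeN\... form
        Outbound    = ($data['Direction'] -eq '%%14593')  # %%14592 would be inbound
        DestAddress = $data['DestAddress']
        DestPort    = [int]$data['DestPort']
        Protocol    = $proto
    }
}

# Loopback, RFC 1918, link-local, multicast and broadcast destinations are noise here.
function Test-PrivateAddress {
    param([string]$Address)
    return ($Address -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|22[4-9]\.|23\d\.|255\.|0\.|::1$|fe80:|ff)')
}

# Read recent 5156 events from the live Security log (run elevated).
function Get-WfpConnection {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $Since } -ErrorAction Stop |
        ForEach-Object { ConvertFrom-WfpConnectionXml $_.ToXml() }
}

# One row per (application, destination): a program that phoned home twice in
# a week stands out from a browser with thousands of entries.
function Get-OutboundByApplication {
    param([Parameter(Mandatory = $true)][object[]]$Connection)
    $Connection |
        Where-Object { $_.Outbound -and -not (Test-PrivateAddress $_.DestAddress) } |
        Group-Object Application, DestAddress, DestPort, Protocol |
        ForEach-Object {
            $first = $_.Group[0]
            $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
            [pscustomobject]@{
                Application = $first.Application
                Destination = '{0}:{1}/{2}' -f $first.DestAddress, $first.DestPort, $first.Protocol
                Count       = $_.Count
                FirstSeen   = $times[0]
                LastSeen    = $times[-1]
            }
        } | Sort-Object Count, Application
}

# Constructed sample events (hypothetical paths, TEST-NET-3 addresses) so the
# pipeline can be exercised without touching the Security log.
function New-SampleEventXml {
    param($Time, $ProcId, $App, $Direction, $Dest, $Port, $Proto)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5156</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="ProcessID">$ProcId</Data><Data Name="Application">$App</Data>
    <Data Name="Direction">$Direction</Data><Data Name="SourceAddress">192.168.1.20</Data>
    <Data Name="SourcePort">49311</Data><Data Name="DestAddress">$Dest</Data>
    <Data Name="DestPort">$Port</Data><Data Name="Protocol">$Proto</Data>
  </EventData>
</Event>
"@
}
$vendor = '\device\harddiskvolume1\Program Files\VendorApp\vendorapp.exe'   # hypothetical
$sample = @(
    (New-SampleEventXml '2019-03-01T08:00:05Z' 1234 $vendor '%%14593' '203.0.113.10' 443 6),
    (New-SampleEventXml '2019-03-05T08:00:07Z' 1234 $vendor '%%14593' '203.0.113.10' 443 6),
    (New-SampleEventXml '2019-03-05T08:01:00Z' 1234 $vendor '%%14593' '192.168.1.1'  53  17),   # local DNS, filtered out
    (New-SampleEventXml '2019-03-05T08:02:00Z' 4321 '\device\harddiskvolume1\Windows\System32\svchost.exe' '%%14592' '203.0.113.99' 3389 6)   # inbound, filtered out
) | ForEach-Object { ConvertFrom-WfpConnectionXml $_ }
Get-OutboundByApplication $sample | Format-Table -AutoSize

# Against the real log: Get-OutboundByApplication (Get-WfpConnection) | Format-Table -AutoSize
```

Two caveats for a real run: the Security log fills quickly once this subcategory is on, so raise its size (Event Viewer > Security > Properties) before leaving it enabled for a week, and the Application field uses the `\device\harddiskvolumeN\` form rather than a drive letter, so match on the tail of the path when comparing against installed programs.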
05 Mar 2019   #2
F22 Simpilot
Windows 7 Ultimate x64

First and foremost: ActiveX is very, very bad business and only Internet Explorer uses it. I in fact used to block it at the router level when I ran the third-party router firmware DD-WRT. Now I run ASUS Merlin, since my new router is an ASUS-branded router, and that firmware doesn't have ActiveX blocking. At least not that I'm aware of, without SSHing into the router and doing some nerdy magic. So in a nutshell, I wouldn't use any ActiveX crap at all. There are alternatives.

I'm not too sure how to monitor calls from processes, etc. But I'm aware of a few tools that may help. One is called Ring3 API Hook Scanner, and the other is called WhatChanged. Ring3 does as it says: it IDs hooks within processes. Not sure how good it is at doing what it claims, however. But I use it as part of the malware scanning regimen I periodically run, which for me is mostly just a sanity check since I never get malware anyway.

WhatChanged also does what it implies. What you do is run a baseline on the system. It will note all directories and registry values. Then, when you run WhatChanged again, it will list all of what changed, both in directories and registry values. Now this doesn't really cover the idea of seeing what an API is doing, but it can help you know if some funny business just went down. The thing with WhatChanged is that it can create very large files on things that have changed. So it's best to do a before and after scan during your use of an untrusted API. That way you can sort of get a behind-the-scenes presentation.

Something else that might be worthwhile is to use Process Hacker and watch a process. You right-click a process, select Properties, and you can see its environment, modules, threads, etc.

On the subject of malware prevention, I also use another tool called StreamArmor which is more or less another sanity check tool. If something creeps in bypassing your anti-virus, StreamArmor may find it. Though there may be false positives and I found getting rid of streams is a real pita. There are tools that supposedly do it, but I had no luck.


Detect Inline, IAT and EAT hooks with Ring3 API Hook Scanner | NoVirusThanks

Download What Changed - MajorGeeks

Stream Armor : Free Tool to Scan & Clean Malicious Alternate Data Streams (ADS) | www.SecurityXploded.com

I'd use Notepad ++ to read the WhatChanged log files. All you'd have to do is right click the logs and open in Notepad ++.
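The Process Hacker "Modules" tab mentioned above can be scripted, which matters for the ActiveX case in the first post: an in-process COM control is a DLL loaded into the host program's own address space, so the host's module list is exactly where it appears, alongside who signed it. This is an added example, not from the thread or from Process Hacker. It assumes PowerShell 3.0 or later, an elevated session for other users' processes, and a 32-bit PowerShell when looking at 32-bit processes on x64 Windows; the process name `iexplore` in the usage line is only an assumption.

```powershell
# Added example, not from the thread: a scripted version of the Process Hacker
# "Modules" tab, with an Authenticode check on every loaded module. An ActiveX
# control or any other in-process DLL shows up in its host's module list.
# Needs PowerShell 3.0 or later; run elevated for other users' processes.

function Get-ProcessModuleReport {
    param([Parameter(Mandatory = $true)][int]$ProcessId)
    $proc    = Get-Process -Id $ProcessId -ErrorAction Stop
    $sysRoot = $env:SystemRoot
    try   { $modules = $proc.Modules }   # throws on access denied or 32/64-bit mismatch
    catch { Write-Warning ('Cannot read modules of PID {0}: {1}' -f $ProcessId, $_); return }

    foreach ($m in $modules) {
        $path   = $m.FileName
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'Unknown' }   # Valid, NotSigned, HashMismatch, ...
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $inWindows = $path.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Process   = $proc.ProcessName
            Module    = $m.ModuleName
            Path      = $path
            Signature = $status
            Signer    = $signer
            # Unsigned or badly signed code outside %SystemRoot% is what to read first.
            Review    = (-not $inWindows) -and ($status -ne 'Valid')
        }
    }
}

# Usage: every module loaded into the process that hosts the control, flagged
# modules first. The process name is an assumption; pick yours from Get-Process.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessModuleReport -ProcessId $_.Id } |
    Sort-Object Review, Signature -Descending |
    Format-Table Process, Module, Signature, Review, Path -AutoSize
```

A valid signature only says who published the module, not what it does; the point of the `Review` column is to shrink the list to the handful of files worth opening in Process Monitor or a disassembler.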
05 Mar 2019   #3
dw85745
Win 7 Pro x32

F22 SimPilot: Thanks for taking the time to respond.


Quote:
ActiveX is very, very bad business and only Internet Explorer uses it.
Sorry to burst your bubble, but ActiveX is implemented as part of M$ COM (Component Object Model) and consequently can be in any software, if the developer decided to use ActiveX as part of that application.



Quote:
Ring3 API Hook Scanner
Thanks for mentioning it. As I recall, the kernel has 3 rings, with Ring 3 being the least secure. So most likely the software is looking for keyboard or mouse hooks. Here's a bit more info from Wiki if of interest: Protection ring - Wikipedia


Quote:
Whatchanged
Used it once or twice myself but found it cumbersome. Sadly, most file/registry change tools want a complete disk copy to subsequently compare to. Personally, I would prefer -- haven't found one -- a tool that will monitor and record (files/registry entries, etc.) the installation of a single application, like a master log file just for that specific application which one could refer to if needed.



Quote:
Process Hacker
Had forgot about this. Never used it but heard good things.


Quote:
StreamArmor
Never heard of it but will check it out.
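The WhatChanged workflow described in post #2 (baseline, install, compare) and the per-application record asked for just above can be done without a full disk copy: snapshot only the locations an installer touches, run the installer, snapshot again, and keep just the difference as that application's log. This is an added example, not from the thread or from WhatChanged. It assumes PowerShell 3.0 or later and an elevated session so Program Files and HKLM are readable; the default paths and registry keys are a starting set, not a complete one, and the scratch-folder demonstration at the end stands in for an installer.

```powershell
# Added example, not from the thread: the WhatChanged idea scoped to a
# per-application record. Files are fingerprinted by size and last-write time
# rather than hashed, which keeps a Program Files snapshot to seconds;
# registry values are recorded by value. Needs PowerShell 3.0 or later.

function Get-ChangeSnapshot {
    param(
        [string[]]$Path = @("$env:ProgramFiles", "$env:SystemRoot\System32"),
        [string[]]$RegistryKey = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                                   'HKLM:\SYSTEM\CurrentControlSet\Services')
    )
    $snap = @{}
    foreach ($p in $Path) {
        Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $snap["FILE:$($_.FullName)"] = '{0}|{1}' -f $_.Length, $_.LastWriteTimeUtc.Ticks }
    }
    foreach ($k in $RegistryKey) {
        $keys = @(Get-Item -LiteralPath $k -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $k -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in ($keys | Where-Object { $_ })) {
            $snap["KEY:$($key.Name)"] = ''             # records new/removed keys even when empty
            foreach ($name in $key.GetValueNames()) {
                $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $snap["REG:$($key.Name)\$name"] = (@($value) -join ',')
            }
        }
    }
    return $snap
}

function Compare-ChangeSnapshot {
    param([Parameter(Mandatory = $true)][hashtable]$Before,
          [Parameter(Mandatory = $true)][hashtable]$After)
    $added = @(); $removed = @(); $changed = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k))   { $added   += $k }
        elseif ($Before[$k] -ne $After[$k]) { $changed += $k }
    }
    foreach ($k in $Before.Keys) { if (-not $After.ContainsKey($k)) { $removed += $k } }
    [pscustomobject]@{
        Added   = @($added   | Sort-Object)
        Removed = @($removed | Sort-Object)
        Changed = @($changed | Sort-Object)
    }
}

# Real workflow (baseline survives a reboot via Export-Clixml / Import-Clixml):
#   Get-ChangeSnapshot | Export-Clixml .\baseline.xml
#   ... run the vendor's installer ...
#   Compare-ChangeSnapshot (Import-Clixml .\baseline.xml) (Get-ChangeSnapshot) |
#       Export-Clixml .\VendorApp-install.xml      # that application's own change log

# Self-contained demonstration on a scratch folder (no registry keys) standing
# in for an install: one file rewritten, one added, one removed.
$scratch = Join-Path $env:TEMP ('snapdemo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
'v1' | Set-Content (Join-Path $scratch 'config.ini')
'x'  | Set-Content (Join-Path $scratch 'old.dll')
$before = Get-ChangeSnapshot -Path $scratch -RegistryKey @()
'v2 call-home=1' | Set-Content (Join-Path $scratch 'config.ini')   # length change alters the fingerprint
'y' | Set-Content (Join-Path $scratch 'updater.exe')
Remove-Item (Join-Path $scratch 'old.dll')
$after = Get-ChangeSnapshot -Path $scratch -RegistryKey @()
Compare-ChangeSnapshot $before $after | Format-List
Remove-Item $scratch -Recurse -Force
```

The size-plus-timestamp fingerprint will miss a same-size rewrite that also resets the timestamp, which an installer does not normally do; if that matters for a particular directory, swap the fingerprint for a content hash for that path only. Add the installer's own target directory and `HKLM:\SOFTWARE\Classes\CLSID` to the lists when the thing being installed is a COM/ActiveX control, since that is where it registers itself.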

06 Mar 2019   #4
F22 Simpilot
Windows 7 Ultimate x64

Process Monitor: Process Monitor - Windows Sysinternals | Microsoft Docs

RegScanner: RegScanner: Alternative to RegEdit find/search/scan of Windows

And there's another one I'll have to check my other computer on.


What I meant about ActiveX is that it's not used in many browsers other than IE. It is indeed bad business.