Comments on: Preventing Malicious Documents from Compromising Windows Machines

By: Michael Lim

Michael Lim — Wed, 28 Oct 2009 10:33:46 +0000

I used to use http://sudown.sourceforge.net on my shared machine at home, but I had hard time when installing most of the programs. In the end I lost track of which users installed this program and that programs.

By: Preventing Applications From Starting (Malicious) Applications « Didier Stevens

Mon, 05 Oct 2009 00:02:37 +0000

[...] Software, PDF, Vulnerabilities, bpmtk — Didier Stevens @ 0:00 Another very effective way to prevent malicious documents from infecting PCs, is to prevent vulnerable applications from starting other applications. As almost all shellcode [...]

By: Didier Stevens

Didier Stevens — Sun, 04 Oct 2009 10:27:39 +0000

@krazykatfelix

Thanks! To restrict the rights of explorer.exe and all the programs it starts, it’s even better to create an Image File Execution Options for explorer.exe This way, explorer.exe will never start with full rights.

By: krazykatfelix

krazykatfelix — Sun, 04 Oct 2009 09:09:51 +0000

Hello,

No comment

start taskkill /IM explorer.exe /F
c:\DropMyRights\DropMyRights.exe “c:\windows\explorer.exe ”

not so bad !

By: Machine Manufacturing

Machine Manufacturing — Tue, 29 Sep 2009 10:50:52 +0000

Thanks for sharing this important information. This article is very useful and can help anyone who wants to protect his/her PC from malicious documents and viruses.

By: Didier Stevens

Didier Stevens — Mon, 28 Sep 2009 18:03:54 +0000

@kurt wismer
Neither do I had real issues running as a non-admin on XP. Except when developing COM and ActiveX components with VS6.

By: Quickpost: SAFER and Malicious Documents « Didier Stevens

Quickpost: SAFER and Malicious Documents « Didier Stevens — Mon, 28 Sep 2009 17:52:54 +0000

[...] under: My Software, Quickpost — Didier Stevens @ 17:50 I wasn’t going to mention SAFER to restrict the rights of an application, because Software Restriction Policies can be bypassed. But a Tweet by Edi Strosar made me review [...]

By: kurt wismer

kurt wismer — Mon, 28 Sep 2009 17:37:02 +0000

y’know, i’ve never really had much difficulty running as a non-admin on my XP box. i only ever run as an admin when i’m applying updates (no more than once a week if that) or need to install something new (which i try my best to keep to a minimum – to the point of opting for portable apps instead).

that said, i also use sandboxie, not just for browsing and email but for reading documents from the outside world as well.

and i use application whitelisting which, if i’m not mistaken, would likely stop the 3rd step of the system compromise you describe (unless further exotic execution is used).

By: Didier Stevens

Didier Stevens — Sun, 27 Sep 2009 17:06:56 +0000

Hi Xavier.

Yes, sandboxes are great tools too, I remember your blogpost. I use Sandboxie myself.

The advantage of DropMyRights and StripMyRights is that they are easy to deploy. You could use an AD GPO to deploy them in case of an emergency, for example a new vulnerability is being massively exploited and you can’t update the vulnerable program immediately.

By: TwittLink - Your headlines on Twitter

TwittLink - Your headlines on Twitter — Sun, 27 Sep 2009 15:02:31 +0000

[...] Preventing Malicious Documents from Compromising Windows Machines « Didier Stevens [...]