Re: Windowx 200x/XP virus proof document released

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 05/31/04

  • Next message: Wellington Terumi Uemura: "Re: Windowx 200x/XP virus proof document released"
    Date: Mon, 31 May 2004 13:40:15 -0400
    Wow - my brain hurts. Yes, antivirus is no cure-all - nor is a firewall -
    nor is anything. A combination of these, plus common sense & suspicion &
    'safe hex' is really the answer.

    Wellington Terumi Uemura wrote:
    > Hello!
    >
    > Some time ago, I was asking people to send me viruses and worms for my
    > personal research:
    >
    http://www.derkeiler.com/Newsgroups/microsoft.public.security.virus/2004-03/1673.html
    >
    > And I did receive many jokes about it, people telling me that "if it was
    > that good, other 'specialists' would have released the information
    > before" or that this kind of "stuff" is IMPOSSIBLE. E-mail from
    > everywhere, including some people from Microsoft Brasil telling me to
    > show them what this "magic" was all about.
    >
    > The good part is that, after sending this document to a person at
    > Microsoft Brasil, they never replied or made any comment about it, and
    > other "specialists" who somehow got the document told me
    > "I knew that, nothing new about it"!
    >
    > It is strange that security magazines and sites, on the worm and
    > virus issue, focus on "firewall and antivirus" or on "don't open unknown
    > files that come into your e-mail box, don't do this, don't do that". I
    > know that users don't care about it, thinking that an antivirus will
    > prevent infection; many of us were using antivirus when Mblaster came
    > out, and many others to date.
    >
    > It's well known that an antivirus can protect you after infection, not
    > before; Mblaster, Mydoom, Netsky, Sasser, etc., are very good examples
    > of that. Who never downloaded the latest removal tool for the latest
    > worm or virus before they had time to create a "cure" for it?
    >
    > I am not against antivirus software, not at all, but they have some
    > limitations: some are not smart enough to identify whether a change that
    > you are making in your system is beneficial or not; some will prevent
    > system modifications, others won't.
    >
    > As I have said before, I came from a Linux environment, and in most
    > cases a non-root user can't do any damage to the system; this is also
    > true of the latest Windows systems that use an NTFS partition.
    >
    > After nights of research, I've found out that the only way to get
    > infected on Windows 200x/XP with an NTFS partition is that I must have
    > administrative permission to make system changes. My tests show that
    > a worm or virus would not add itself to the system partition without
    > permission or make changes in the registry, in particular the key:
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    >
    > Following the Linux security basics, I've made some changes to the
    > system.
    >
    > 1 - Create a restricted user for daily use (read e-mail, access
    > pages, work).
    > 2 - Remove the group EVERYONE and set the permission of the group USERS
    > to READ AND EXECUTE ONLY.
    > 3 - Keep FULL CONTROL only for SYSTEM, ADMINISTRATORS and CREATOR OWNER.
    >
    > The Windows 2000 Adv Server that I have here to test (demo) has the
    > C:\ partition as EVERYONE FULL CONTROL.
    >
    > To administrators that would try to implement these modifications, a
    > warning: you will get some problems if you don't know what you are
    > doing; that's why this solution is for corporate environments.
    >
    > Some users may have problems writing to %WINDIR%\temp
    > (C:\Windows\Temp or C:\WINNT\Temp), so your system administrator
    > must set the appropriate permission on this folder or on whichever
    > other folder your company uses.
    >
    > Users will not be able to install applications on this system or make
    > any changes to the registry; to do so, they need to use "Run as..."
    > to install applications or whatever else will make changes to the
    > system (drivers, for example).
    >
    > Once installed, users will use their applications normally; maybe some
    > applications need a special permission to run for all users, but this
    > is up to the administrator to set, which can be done easily with
    > programs like regmon and filemon.
    >
    > At the Microsoft Brasil events that I could participate in, they never
    > talked about this before; maybe after the document spreads for a while
    > someone will take credit for it (nothing new about that) or you
    > will find a new security paper telling you why to use a restricted user
    > on a daily basis.
    >
    > This is what the document was all about, restrictions and user
    > permissions; I've done the tests myself, and so have some companies
    > that don't want their names involved, and it proved to be true.
    >
    > It took some time to make many tests, and since December 2003, none of
    > my computers or the companies involved got infected by ANY virus or
    > worm. This procedure also worked out fine to prevent
    > modifications to your IE browser by browser hijack techniques.
    >
    > The original document (PDF) in Portuguese is here:
    > http://members.fortunecity.com/wellingtonuemura/protec/
    >
    > I hope people make good use of it, and let me know if someone has any
    > comment about it.
    >
    > Wellington Terumi Uemura
    > wellingtonuemura (at) hotmail.com


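The three permission steps quoted above (restricted daily-use account, EVERYONE removed and USERS limited to Read & Execute on the system drive, FULL CONTROL kept for SYSTEM, ADMINISTRATORS and CREATOR OWNER, plus a writable %WINDIR%\Temp), as an added PowerShell/icacls example. This is not Wellington's document or a script from the thread: the 2004 post describes GUI permission dialogs on Windows 2000/XP, and icacls, Get-Acl and the LocalAccounts cmdlets are modern equivalents assumed here. The account name `dailyuser` and the backup file path are assumptions. The probe function checks the one registry key the post singles out. As the post warns, try this on a test machine first: applications that write under their own install directory will break, and on a FAT32 volume there are no ACLs to set at all.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Run elevated on a TEST machine.
# Assumed: icacls and the LocalAccounts cmdlets are available; $DailyUser is a made-up name.

$Root      = $env:SystemDrive + '\'      # usually C:\ (unquoted below so icacls sees C:\ and not C:\")
$TempDir   = Join-Path $env:WINDIR 'Temp' # C:\Windows\Temp or C:\WINNT\Temp
$DailyUser = 'dailyuser'                  # assumed name for the restricted account
$Backup    = Join-Path $env:TEMP 'root-acl-backup.txt'

# 1 - Restricted user for daily use: member of the local Users group only.
if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $DailyUser"
    New-LocalUser -Name $DailyUser -Password $pw | Out-Null
}
Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue

# Save the current root DACL so the change can be undone with: icacls C:\ /restore <file>
icacls $Root /save $Backup | Out-Null

# 2 - Remove EVERYONE from the system drive root and limit USERS to Read & Execute.
#     (OI)(CI) = inherited by files and subfolders; /grant:r replaces any earlier Users ACE.
icacls $Root /remove:g Everyone | Out-Null
icacls $Root /grant:r 'Users:(OI)(CI)RX' | Out-Null

# 3 - Full Control stays with SYSTEM, Administrators and CREATOR OWNER.
icacls $Root /grant 'SYSTEM:(OI)(CI)F' | Out-Null
icacls $Root /grant 'Administrators:(OI)(CI)F' | Out-Null
icacls $Root /grant 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null

# The post's caveat: users still need to write temp files, so give them Modify on %WINDIR%\Temp.
icacls $TempDir /grant 'Users:(OI)(CI)M' | Out-Null

# Check the result: Everyone must be gone and Users must hold only ReadAndExecute on the root.
function Get-RootAclSummary {
    param([string]$Path = $Root)
    $acl = Get-Acl -Path $Path
    $acl.Access | Select-Object @{n='Identity'; e={ $_.IdentityReference.Value }},
                                FileSystemRights, AccessControlType, IsInherited
}
Get-RootAclSummary | Format-Table -AutoSize
if (Get-Acl $Root | ForEach-Object Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' }) {
    Write-Warning 'Everyone still has an ACE on the system drive root'
}

# Probe for the restricted session. Log on (or: runas /user:dailyuser powershell.exe) as the
# daily user and call this: a True result means that account can still plant an autostart
# entry in the Run key the post names, i.e. the lockdown did not hold.
function Test-RunKeyWritable {
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    try {
        New-ItemProperty -Path $runKey -Name 'AclProbe' -Value 'probe' -ErrorAction Stop | Out-Null
        Remove-ItemProperty -Path $runKey -Name 'AclProbe'
        return $true                      # write succeeded: this session is not restricted
    } catch {
        Write-Verbose $_.Exception.Message # expected: "Requested registry access is not allowed"
        return $false                     # access denied: Run key is read-only for this user
    }
}

# Installs and driver setup are done the way the post says, via "Run as..." with an admin account:
#   runas /user:%COMPUTERNAME%\Administrator "msiexec /i C:\Setup\app.msi"
```

Applying the inheritable ACEs at the drive root is enough for files that inherit from it; folders with inheritance disabled (Program Files on newer releases, for instance) keep their own DACL and must be checked separately. For an application that the daily user cannot run after the change, watch it with filemon/regmon (or Process Monitor today) for ACCESS DENIED results and grant that one path or key, rather than widening the root again.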