DDACS
2.0.1 Use Cases
PROTECT YOUR IMPORTANT FILES
You have some important information in files. It may be:
* credit card numbers, bank account details, passwords or other
internet access credentials
* private family information
* a database of your business customers
* etc.
THREAT:
If such information can be read without your knowledge, it can be sent
somewhere on the internet and read or otherwise used by anybody, without
you ever knowing. If it can be written or deleted, it can be destroyed.
SOLUTION:
Such information should be protected from both reading and modification
(writing, deleting) by any program except those that you use to work
with it. E.g. for a text file you will need two file system rules - one
general and one exception:
a) create a rule that blocks read, write, create and delete access to
these files for ANY program - the general rule
b) create a rule that allows all access to these files for the programs
that you use to work with them (e.g. notepad.exe for text files,
msaccess.exe for a Microsoft Access database) - the exception
If you use several programs to work with the file(s), create one
exception rule per program.
IMPORTANT:
You must trust the program(s) that you exempt from the "block" rule and
take measures to protect them from tampering (see PROTECT PROGRAMS FROM
MODIFICATION).
[TotalAdmin][Free]
--------------------------------------------------------------
PROTECT PROGRAMS FROM MODIFICATION
Programs are files that the operating system can read and execute.
Programs are the most important things to trust: you rely on them doing
what you intend and not doing what they are not supposed to do.
THREAT:
It would be dangerous if a program that you trust and use were changed
without your knowledge. It could be modified by malware in order to
exploit your use of that program and let the malware steal or destroy
your files. Alternatively, malware may simply erase your important
programs from disk.
Another threat is a practice used by many viruses and worms: they create
copies of themselves under random names in random folders, run the new
copy and delete the old one, so that it is hard to follow such a program
with ordinary visual tools.
SOLUTION:
Programs should be protected from writing, creating and deleting.
DDACS comes with ready rules that warn you when any program wants to
create, delete or modify a program. You then have a rich choice: allow
the access that the program is attempting, deny it, allow or forbid it
once, block this program from running again, or immediately suspend its
execution and block it from running again.
When you make a choice other than "allow once" or "Forbid Once", a new
rule is created for that program and the access that it tried. If you
choose "Block Program" or "Suspend And Block", you will find this
program in the "Program Blocker" tab, and it will not run in the future.
IMPORTANT:
In some cases creating, deleting or modifying a program is legitimate:
by an installer or updater, by program build tools, or by copy / backup
tools. If this activity is expected (you know that you ran the
appropriate legitimate program), you may choose "Trust This Program"
from the Alert menu. The activity will then continue uninterrupted.
After it is done, if you ran an installation or a copy / backup, don't
save the rules; remove the "Trust" rule that you added when asked. If
you are a developer and used build tools, save the rules, so that your
build tools remain trusted.
[TotalAdmin][Free]
--------------------------------------------------------------
PROTECT LIBRARIES, DRIVERS AND SYSTEM FILES FROM MODIFICATION
Libraries are parts of programs that are kept separate so that many
programs can share the same code instead of each including a copy.
Drivers are system programs that run all the time and handle very
high-privilege system tasks: controlling devices, filtering traffic,
implementing protocols for the entire system.
System files carry some sort of data, configuration, database or cache
for system programs.
THREAT:
If libraries are modified, all programs that use them will behave
differently. When a DLL is modified by malware, the exploitation is
similar to that of a modified program: it may steal your files, record
your activity and send it over the internet, or erase important files or
programs. A special problem with modified DLLs is that it is hard to
control the activities of the programs that use them, and that a DLL
can't be "blocked" the way a program can: preventing it from loading
would effectively block all programs that use it.
Because of the very high privileges given to drivers, the threats
associated with drivers are also very high. A special problem with
modified drivers is that if they are prevented from loading, the
hardware that they handle or the system-wide functionality that they
implement becomes unavailable.
Changing system files changes the behavior of the system programs that
use them. Compared to modified libraries and drivers, the threat
associated with changing system files is lower, but it is still
undesirable to allow unattended changes to system files.
SOLUTION:
Libraries, drivers and system files should be protected from writing,
creating and deleting.
DDACS comes with ready rules that warn you when any program wants to
create, delete or modify a library, driver or system file. You then have
the same choice as for programs: allow the access that the program is
attempting, deny it, allow or forbid it once, block this program from
running again, or immediately suspend its execution and block it from
running again.
When you make a choice other than "allow once" or "Forbid Once", a new
rule is created for that program and the access that it tried. If you
choose "Block Program" or "Suspend And Block", you will find this
program in the "Program Blocker" tab, and it will not run in the future.
IMPORTANT:
In some cases creating, deleting or modifying libraries and drivers is
legitimate: by an installer or updater, by program build tools, or by
copy / backup tools. If this activity is expected (you know that you ran
the appropriate legitimate program), you may choose "Trust This Program"
from the Alert menu. The activity will then continue uninterrupted.
After it is done, if you ran an installation or a copy / backup, don't
save the rules; remove the "Trust" rule that you added when asked. If
you are a developer and used build tools, save the rules, so that your
build tools remain trusted.
[TotalAdmin][Free]
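The advice for programs (PROTECT PROGRAMS FROM MODIFICATION) and for
libraries, drivers and system files comes down to the same thing:
noticing that an executable file changed when no installer, updater or
build you ran should have changed it. The following PowerShell script is
an added example and is not part of DDACS. It records a SHA-256 baseline
of the .exe, .dll and .sys files under chosen directories and later
reports what was added, modified or deleted, which helps confirm a
suspicious Alert, or find a change that happened while rules were not
loaded. The baseline file path and the directory list are assumptions;
adjust them to your system.

```powershell
# Added example, not DDACS code: keep a SHA-256 baseline of programs,
# libraries and drivers and re-check it to spot unattended changes.
# Assumptions: $BaselinePath and $Roots are example values; run from an
# elevated PowerShell (5.1 or later) so that System32 is fully readable.

$BaselinePath = 'C:\ProtectedBaseline.json'
$Roots        = @("$env:ProgramFiles", "$env:SystemRoot\System32")
$Include      = @('*.exe', '*.dll', '*.sys')   # programs, libraries, drivers

# Returns a hashtable: full path -> SHA-256 hex digest.
function Get-CodeFileHashes {
    param([string[]]$Paths, [string[]]$Patterns)
    $hashes = @{}
    foreach ($root in $Paths) {
        $files = Get-ChildItem -Path $root -Recurse -File -Include $Patterns -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            # Files locked by the system are skipped rather than aborting the run.
            $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { $hashes[$f.FullName] = $h.Hash }
        }
    }
    return $hashes
}

# Run once on a known-good system, and again after every update that
# you performed yourself. Returns the number of files recorded.
function New-CodeBaseline {
    $hashes = Get-CodeFileHashes -Paths $Roots -Patterns $Include
    ConvertTo-Json -InputObject $hashes | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    return $hashes.Count
}

# Reports ADDED, MODIFIED and DELETED files relative to the saved baseline.
function Compare-CodeBaseline {
    $old   = @{}
    $saved = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    foreach ($prop in $saved.PSObject.Properties) { $old[$prop.Name] = $prop.Value }
    $new = Get-CodeFileHashes -Paths $Roots -Patterns $Include

    foreach ($path in $new.Keys) {
        if (-not $old.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'ADDED';    Path = $path }
        } elseif ($old[$path] -ne $new[$path]) {
            [pscustomobject]@{ Change = 'MODIFIED'; Path = $path }
        }
    }
    foreach ($path in $old.Keys) {
        if (-not $new.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'DELETED';  Path = $path }
        }
    }
}

# Usage:
#   New-CodeBaseline                       # on a clean system
#   Compare-CodeBaseline | Format-Table    # later, or after a suspicious Alert
```

A Windows Update or a program update that you ran yourself will
legitimately show up as many MODIFIED lines; re-run New-CodeBaseline
right after such an update so that the next comparison only shows
changes you did not make. A MODIFIED entry for a file that no installer
or build of yours touched is exactly the case the "Alert on
creating/changing executables" and DLL rules are meant to catch.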
--------------------------------------------------------------
SETTING PROGRAM AS AUTO-START
Setting a program as auto-start means that it will start every time the
computer boots or you log in, without notifying you. Some system
programs must be allowed to auto-start for the system to operate
correctly; some others (like Skype) offer it to you as a convenience.
THREAT:
Usually you control the starting of programs by clicking an icon,
choosing from a menu or typing the program's name at a command prompt:
you are in control of starting a program. If malware installs itself as
auto-start, you will not know that it runs.
Additionally, such programs may be set to auto-start once, do some
malicious job and then remove themselves.
SOLUTION:
Set a Registry protection rule to alert on auto-start modification (the
Run keys under Software\Microsoft\Windows\CurrentVersion). Consider
whether the program that attempts to modify the auto-start configuration
is supposed to do so. You may allow the access once, then open the
Windows Registry Editor, examine what program was set to auto-start and
consider whether you want it. If not, delete the value in Registry
Editor.
[TotalAdmin]
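The Registry Editor check described above can be made repeatable. The
following PowerShell script is an added example, not part of DDACS: it
enumerates the Run and RunOnce keys (64-bit, 32-bit and per-user) and
the two Startup folders, saves a snapshot, and later reports which
auto-start entries appeared or disappeared, so a program that set itself
to auto-start (or set itself to run once and then removed the entry)
stands out. The snapshot file path is an assumption.

```powershell
# Added example, not DDACS code: enumerate auto-start entries (Run and
# RunOnce keys plus the Startup folders), save a snapshot, and report what
# appeared or disappeared since. Assumes PowerShell 5.1 or later;
# $SnapshotPath is an example value.

$SnapshotPath = 'C:\AutoStartSnapshot.json'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties that Get-ItemProperty adds about the key itself; not values.
$ProviderMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutoStartEntries {
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -in $ProviderMeta) { continue }
            $entries += [pscustomobject]@{
                Source  = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        $items = Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            $entries += [pscustomobject]@{ Source = $folder; Name = $item.Name; Command = $item.FullName }
        }
    }
    return $entries
}

# One string that identifies an entry for comparison purposes.
function Get-EntryKey($entry) { "$($entry.Source)|$($entry.Name)|$($entry.Command)" }

# Save the current state; returns the number of entries recorded.
function Save-AutoStartSnapshot {
    $entries = @(Get-AutoStartEntries)
    ConvertTo-Json -InputObject $entries | Set-Content -LiteralPath $SnapshotPath -Encoding UTF8
    return $entries.Count
}

# Report NEW entries (added since the snapshot) and REMOVED ones
# (present in the snapshot but gone now, e.g. a RunOnce that already fired).
function Compare-AutoStartSnapshot {
    $old = @(Get-Content -LiteralPath $SnapshotPath -Raw | ConvertFrom-Json)
    $new = @(Get-AutoStartEntries)
    $oldKeys = @($old | ForEach-Object { Get-EntryKey $_ })
    $newKeys = @($new | ForEach-Object { Get-EntryKey $_ })
    foreach ($e in $new) {
        if ((Get-EntryKey $e) -notin $oldKeys) {
            [pscustomobject]@{ Change = 'NEW';     Source = $e.Source; Name = $e.Name; Command = $e.Command }
        }
    }
    foreach ($e in $old) {
        if ((Get-EntryKey $e) -notin $newKeys) {
            [pscustomobject]@{ Change = 'REMOVED'; Source = $e.Source; Name = $e.Name; Command = $e.Command }
        }
    }
}

# Usage:
#   Save-AutoStartSnapshot                        # after you reviewed the current entries
#   Compare-AutoStartSnapshot | Format-Table -Wrap # after an auto-start Alert, or periodically
```

The Command column is what will actually run at the next boot or login;
look at the path it points to with the same care as at the program that
wrote the entry, because malware often writes the entry from one
program and runs another.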
--------------------------------------------------------------
CONNECTING TO UNKNOWN INTERNET SITES
Connecting to internet sites is the first step of any internet use. Some
sites to which you connect are known to you (you type their name in the
URL bar or bookmark them). Your browser connects to other sites because
the sites that you know direct it to.
THREAT:
If malware got installed and runs, it may want to connect to internet
sites for purposes such as:
* sending your data files or other important information about
you or your computer
* downloading and installing more malware that is better suited
to exploiting your particular computer
* providing a service for remote human examination and
exploitation of your computer: spying, serving (stealing) your data,
etc. In this way your computer can be used as a server for illegal
content or illegal activities (hacking, stealing information,
distributing stolen/illegal content, etc.)
SOLUTION:
You may prevent internet access for all programs except the few that you
use to browse and communicate (browser, e-mail, Skype etc.). Create
rules that alert you on connect and send requests to all external sites.
At first this will alert you even on programs such as Chrome, Internet
Explorer or Skype. When you are sure that a program is one you use to
communicate over the internet, set it as trusted.
Other programs that need to connect to the internet are updaters. Most
programs include an updater that from time to time needs to connect to
the vendor's site, check for updates and, if any are found, install
them. An updater may be a separate program that comes with the
installation, or part of the main program. Usually you will recognize
them by their names and by the target (update) sites where they want to
connect. You may allow accesses that look logical, and if such programs
don't show suspicious behavior, eventually you may set them as
"trusted".
Programs that are not used to communicate or update shouldn't connect.
If a program looks like it may need to connect, but the target site
doesn't look relevant, it shouldn't connect either. Such activity is
suspicious.
You may choose to block the particular access requested. But you may
also want to first forbid the particular connect request once and watch
the program's further behavior. If the program keeps trying to connect
to sites unknown to you, then the program is apparently malware. Here
you may choose according to what the program is:
* if it's a program that you got from the internet, you may want
to immediately suspend it and block it from further execution
* if it's a legitimate, useful program, then it (or one of its
libraries) was infected by malware. In this case you may want to just
block this particular connect request. You may also choose this way if
you have good use for the program and just want to block the suspicious
access.
Programs that trigger an alert on a send request, rather than a connect,
are attempting to send information over the connectionless UDP
protocol. Legitimate uses of this kind of communication are few:
communication programs (like Skype), video and audio players or
streamers. For other programs this is suspicious activity.
You may act as with an alert on a connect request: suspend and block the
program if you have no other use for it or are not sure, or just block
the particular access if you need the program for other things.
[TotalAdmin]
--------------------------------------------------------------
PREVENTING ACCESS TO INAPPROPRIATE SITES
The internet is a free-for-all communication medium. You can't affect
what people post and host on the internet, legal or not. What you can
affect is what you allow browsers (or other communication programs) to
connect to and display to you.
Some sites you may, for whatever reason, consider inappropriate.
This use case is related to letting other people use your computer. If
you don't want to visit a site that you consider inappropriate, you
simply won't go there. But when giving your computer to others to use,
you may want to limit their ability to visit some sites that you
yourself visit and use.
THREAT:
You use some sites yourself for work, a hobby, social activity,
education or entertainment, but you don't want others to access them or
even know that you use them and what their content is. You may not
want:
* kids to visit erotic/pornography, hate, explosives crafting,
catastrophe, shock content, gambling or gaming sites
* others to have access to your social network and dating site
pages, where particular details about you are revealed
* others to have access to your web mail, where they may read
your correspondence or impersonate you and send mail on your behalf
* others to visit your work, bank account or other sites that
require particular trust in you personally; others may misuse or abuse
them and cause harm
SOLUTION:
Create a list of the sites that you want to block. Then create a rule
that blocks connection to each site in the Website Blocker or in the TCP
Clients panel. Specify "any" for the destination port and set the same
Policy Name on all added rules, such as "Block sites to strangers".
Save the rules by Policy Name in a separate file.
When you give your computer to others to use, load these additional
rules.
When you get your computer back for your own use, remove the rules by
Policy Name.
[TotalAdmin][Free]
--------------------------------------------------------------
ACCEPTING CONNECTIONS FROM INTERNET
When a communication over the internet starts, usually one side acts as
the "server" (waits for arriving connections and serves them), and the
other as the "client" (initiates connections). A server program starts
listening for connections, asking the operating system to deliver the
relevant connections to it.
Most programs that you run on a computer act as clients: they connect to
servers somewhere, depending on their functionality and your needs.
Intel and Microsoft even call Windows endpoint computers (laptops,
desktops) "clients" for that reason.
Running an internet server on an endpoint computer is an unusual case.
If you do it, then you know what you are doing and why. If an internet
server runs on your computer and you don't know what it serves and why,
that is suspicious.
THREAT:
The threats are the same as in "CONNECTING TO UNKNOWN INTERNET SITES":
* sending your data files or other important information about
you or your computer
* downloading and installing more malware that is better suited
to exploiting your particular computer
* providing a service for remote human examination and
exploitation of your computer: spying, serving (stealing) your data,
etc. In this way your computer can be used as a server for illegal
content or illegal activities (hacking, stealing information,
distributing stolen/illegal content, etc.)
The slight difference in this case is that while a program connecting to
a website unknown to you may still be legitimate activity, a stealthy
server on an endpoint computer is abnormal for sure.
SOLUTION:
Create a rule to alert you when a program requests to accept a
connection or to receive unconnected data. If a program makes such a
request, you will be prompted with an alert window. If you know that
it's a server that you installed, just set the program as trusted.
Otherwise you will probably want to suspend and block the program.
[TotalAdmin]
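Both this use case and CONNECTING TO UNKNOWN INTERNET SITES ask the same
question from two sides: which program is talking to which remote
address, and which program is waiting for connections or unconnected
(UDP) data. The following PowerShell script is an added example, not
part of DDACS: it lists established outbound TCP connections (clients),
listening TCP ports and bound UDP ports (servers), each with the owning
process and its image path, so you can check the current state of the
machine against what the Alerts showed. It assumes Windows 8 / Server
2012 or later (the NetTCPIP module) and an elevated prompt.

```powershell
# Added example, not DDACS code: list which programs have outbound TCP
# connections (clients) and which hold listening TCP ports or bound UDP
# ports (servers), with the owning process and its image path. Assumes
# Windows 8 / Server 2012 or later (NetTCPIP module) and an elevated
# prompt, so that image paths of other users' processes are visible.

function Get-ProcessNetworkActivity {
    # Map PID -> process once, rather than once per connection.
    $byPid = @{}
    foreach ($p in Get-Process) { $byPid[$p.Id] = $p }

    function Resolve-Image($owningPid) {
        $proc = $byPid[[int]$owningPid]
        if ($proc -and $proc.Path) { return $proc.Path }
        if ($proc) { return "($($proc.ProcessName))" }   # e.g. System: no path exposed
        return '(unknown)'                                 # process already exited
    }

    $rows = @()
    foreach ($c in Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue) {
        $isServer = ($c.State -eq 'Listen')
        $role   = if ($isServer) { 'SERVER' } else { 'CLIENT' }
        $remote = if ($isServer) { '-' } else { "$($c.RemoteAddress):$($c.RemotePort)" }
        $rows += [pscustomobject]@{
            Proto   = 'TCP'
            Role    = $role
            Local   = "$($c.LocalAddress):$($c.LocalPort)"
            Remote  = $remote
            PID     = $c.OwningProcess
            Program = Resolve-Image $c.OwningProcess
        }
    }
    # A bound UDP socket receives unconnected datagrams: the "receive"
    # request that the text describes.
    foreach ($u in Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
        $rows += [pscustomobject]@{
            Proto   = 'UDP'
            Role    = 'SERVER'
            Local   = "$($u.LocalAddress):$($u.LocalPort)"
            Remote  = '-'
            PID     = $u.OwningProcess
            Program = Resolve-Image $u.OwningProcess
        }
    }
    return $rows
}

# Usage: servers first, then clients grouped by program.
Get-ProcessNetworkActivity | Sort-Object Role, Program, Remote | Format-Table -AutoSize
```

Listeners bound to 127.0.0.1 or ::1 are reachable only from the machine
itself; those bound to 0.0.0.0 or :: accept connections from the
network and are the ones that should each have a reason you know. For
the CLIENT rows, an image path you do not recognize, or a known program
with a remote address that has nothing to do with its vendor, is the
case the connect and send Alerts are meant to catch.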
--------------------------------------------------------------
CONTROLLING PROGRAMS RUN
Running programs turn your computer from a box with boards, wires and
devices inside into a very useful and valuable instrument. Every task
that you do with the help of a computer, you do by running and using
programs. However, you don't only use programs that you wrote yourself,
about which you could be sure what they do and what they don't. (Even
if you are a programmer, almost all programs that you use are written
by others.) With good intentions, a program is written to enable you
and other users to do what its documentation says. However, we get most
software from the internet, and the intentions of the people who wrote
a program (or part of it) are not known to us.
THREAT:
- You happen to run a malicious program and it launches one of myriad
attacks: stealing or destroying information; spreading malware;
exploiting your computer's resources; impersonating you; denial of
service and many more.
- You want to prevent other people (guests), whom you let use your
computer, from running some programs that you consider for private use.
SOLUTION:
DDACS provides several handy tools to control which programs run.
- Detection. If you encounter a cyber threat, first of all you need to
detect the suspicious activity and get more detailed information. For
example, you downloaded an innocent-looking game from the internet, and
DDACS alerts you that it is trying to create a randomly named
executable.
When an Alert dialog is activated, the program thread that requested
the access is stopped, waiting for your decision. Until you answer,
further suspicious accesses are denied.
- Decision. The Alert dialog offers you many choices. Among them are
"Block Program" and "Suspend And Block". "Suspend And Block"
immediately stops the program - it doesn't run anymore - and creates a
Program Blocker rule that will prevent it from ever running.
- Program Blocker tab. It allows you to prevent a program from starting
- always, or at specific times. It is suitable for handling the privacy
(human) threat: block programs for the specific times when your guest
may be using your computer.
Create a list of programs that you don't want your guests to use.
Create Program Blocker rules to block these programs. If you give your
computer to others to use at the same times on the same days of the
week, or you leave your computer for a longer period, like a month, you
may create "periodic" rules. If you plan sporadic computer sharing,
create always-blocking rules. Provide a Policy Name. If you are OK with
periodic blocking, you may save the rules in the main auto-loaded rules
file. Otherwise, save them to a separate "guest-access" rules file.
Then, when giving the computer to a guest, load the "guest-access"
rules from the file. When you get it back, delete the "guest-access"
rules by Policy Name.
IMPORTANT:
The Program Blocker tool is available in the Free Edition; the Suspend
tool only in TotalAdmin.
[TotalAdmin][Free]
--------------------------------------------------------------
HANDLING VIRUSES AND OTHER MALWARE
Suppose that you are running a virus on your computer, even though you
may not know it yet. Maybe you got it long ago from somewhere. Or maybe
you just downloaded an interesting program from a source of uncertain
reputation, or copied an infected game from your friend.
A virus is a computer program that includes two distinct functional
parts: spreading and malicious. The spreading part is responsible for
replicating the virus: finding executables or libraries and infecting
them (modifying them to include a copy of the virus). The malicious
part contains the algorithms for whose sake the virus was created.
To have more chances of running its malicious part, the virus may create
a standalone program of itself and set it as auto-start. Often viruses
also try to make themselves harder to find: attempting abnormal
activity at random times, constantly creating a new standalone copy and
deleting the old one, etc.
A trojan is a program that also includes two distinct functional parts:
appealing and malicious. The appealing part is the visible useful,
entertaining or other functionality that makes you want to install and
run the program. The malicious part is hidden, and is the reason why the
appealing part was developed.
In most cases viruses first arrive at your computer as trojans (even if
the trojan program itself was infected rather than designed as a
trojan).
THREAT:
Once your computer hosts a virus, part of its resources are used to run
the malicious part. The malicious part may have many different
applications:
- it may be targeted at you (stealing information, destroying files and
programs, preventing you from doing work)
- it may be used to exploit your computer for malicious purposes (host
illegal content, be part of a security-cracking cluster or part of
launching distributed network attacks)
- it may be used as a service for remote human operation of your
computer: exploring your files and activities, deliberately stealing or
destroying information, and virtually anything else.
An additional difficulty in recognizing some kinds of attacks is that
they execute the malicious part once and then remove themselves. If you
miss that moment, the harm is done and you will never know about it.
SOLUTION:
DDACS provides the same solution for all kinds of attacks: access
control. If malware can't get the dangerous access, it can't do harm -
neither spread nor run its malicious part.
- In order to spread, the virus needs to create or modify executables
and libraries (DLLs). By forbidding creation of executables you prevent
a virus from spreading and moving itself. If you set Alert rules for
modifying executables and DLLs, you will also find out which program
misbehaves. DDACS comes with ready Alert rules.
- In order to auto-start, the virus writes specific information into
the registry and/or startup files. DDACS comes with ready Alert rules to
prevent and detect this.
- In order to steal your information, the virus needs to read your
files. Protect them by making them inaccessible to all programs except
those that you use to work with them.
- In order to destroy your files and programs, the virus needs to delete
the relevant files. Protect them by making important files not
deletable by random programs.
- In order to send any information about you, your computer or your
files, the virus needs to request Connect or Send. Protect yourself by
forbidding these requests to programs that are not supposed to
communicate.
- Forbid running system programs that may do harm on behalf of the
virus: cmd.exe, reg.exe etc. (or forbid running all $WINDIR programs
altogether). Forbid also reading such system programs, to prevent the
virus from copying them to a different place under a different name and
running them from there.
You may want to examine for some time what the program does by choosing
"Forbid Once" when the Alert dialog shows suspicious activity. Once you
have enough evidence that the program behaves differently from what is
expected according to its advertised functionality, you may choose
"Suspend And Block" in the Alert dialog. The program will not continue
running and will not start in the future. After rebooting Windows you
may delete it, or pack it and send it to security researchers.
IMPORTANT:
When you get an Alert dialog, carefully read the diagnostic: what the
program tries to do, to what file, and what Policy triggered the alert.
Even if the program's appealing part is indeed appealing, don't hurry to
push "Trust This Program" if it hit the policy "Alert on
creating/changing executables" or "Alert on creating/changing DLLs".
Compare the Alert details with what the program is supposed to do. For
example, if you are using a compiler, it is supposed to create
executables, so if you are running a build, that is legitimate and
desired. Some other tasks, such as creating disk copies or an archive,
or running an installer or updater, may also create executables and
DLLs. But for most other programs such activity is unexpected and
suspicious.
Once the suspected program is stopped by the Alert dialog, go to the
folder where the program resides (use the full path displayed in the
dialog) and examine the executable file. Does it have a valid digital
signature? Is the signer what you would expect from the
author/copyright details? Go to one of the online file information and
reputation databases, such as file.net, and look up the program's name.
Is it an important program? Does its short functional description make
the access that popped up the Alert dialog appropriate? Is it known to
cause problems, raise security issues, or to have its name abused by
hackers? Make up your mind whether the access is important enough to
take the risk and whether the program can be trusted (at least that it
wasn't compromised) before you click a choice button.
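The questions in the previous paragraph (signature, signer versus
author, where the file lives, what to look up in a reputation database)
can be answered in one step. The following PowerShell script is an
added example, not part of DDACS: it gathers the signature status and
signer, the version information the author embedded, timestamps and a
SHA-256 hash (the value to look up, since a file name alone is easily
abused), and lists a few mechanical red flags. The example paths in
the usage comment are assumptions.

```powershell
# Added example, not DDACS code: gather the facts about an executable
# that you should check before answering an Alert: signature status and
# signer, version/company information, timestamps and a SHA-256 hash to
# look up in a reputation database. Assumes PowerShell 5.1 or later.

function Get-ProgramFacts {
    param([Parameter(Mandatory = $true)][string]$Path)   # full path from the Alert dialog
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $ver  = $item.VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        LastWritten     = $item.LastWriteTime
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SignatureStatus = [string]$sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        CompanyName     = $ver.CompanyName
        ProductName     = $ver.ProductName
        FileVersion     = $ver.FileVersion
        Description     = $ver.FileDescription
    }
}

# A few mechanical red flags; the decision is still yours.
function Get-ProgramRedFlags {
    param([Parameter(Mandatory = $true)][string]$Path)
    $f = Get-ProgramFacts -Path $Path
    $flags = @()
    if ($f.SignatureStatus -ne 'Valid') {
        $flags += "signature: $($f.SignatureStatus)"
    }
    if (-not $f.CompanyName -and -not $f.ProductName) {
        $flags += 'no company/product in version info'
    }
    if ($f.Path -match '\\(Temp|Downloads)\\') {
        $flags += 'located in a temporary or download folder'
    }
    # Version info is free text written by whoever built the file; the
    # signer name is checked by Windows. They should agree.
    if ($f.Signer -ne '(none)' -and $f.CompanyName -and
        $f.Signer -notmatch [regex]::Escape($f.CompanyName)) {
        $flags += 'signer does not mention the CompanyName from version info'
    }
    [pscustomobject]@{ Path = $f.Path; Flags = $flags }
}

# Usage (example paths):
#   Get-ProgramFacts -Path 'C:\Users\Me\Downloads\game.exe' | Format-List
#   (Get-ProgramRedFlags -Path 'C:\Users\Me\Downloads\game.exe').Flags
```

Two caveats. A valid signature only tells you who signed the file, not
that it is harmless, so compare the signer with the vendor you expect.
And many Windows system files are signed through a security catalog
rather than an embedded signature, so NotSigned for a file under
\Windows\System32 is not by itself conclusive; the hash lookup in a
reputation database is the better check there.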
Protection against auto-starting programs is available only in the
TotalAdmin edition. The "Suspend" and "Suspend And Block" tools are also
available only in TotalAdmin. If you are using the Free edition and hit
an Alert after which you would choose "Suspend And Block" if you had
TotalAdmin, you may do the following:
1. Open the DDACS CP and activate Program Blocker
2. Click the "Add Rule" button
3. Carefully copy the full path of the program from the Alert dialog
into the Add Rule dialog and click OK
4. Click "Save Rules"
5. Restart Windows
[TotalAdmin][Free]
--------------------------------------------------------------
TEST-DRIVING A PROGRAM
You downloaded a useful or entertaining program from the internet. Now
you want to install and use it, but programs arriving from the internet
are the main security threat to your computer, and you are not sure
whether you can use this program safely. How can you make sure?
THREAT:
Programs that come from the internet are the main security threat to
your computer. Unless a program is among the most popular ones, used by
millions of people, you can't be sure that it was not designed as
malware. Even if it is one of those very popular programs, it may have
been infected. If you bet on the safety of the downloaded program and
lose, you are exposed to all the threats that the internet offers:
* stealing information
* destroying files and programs
* redistributing malware (infecting other programs and
libraries)
* exploiting your computer for illegal, stealthy or otherwise
unauthorized purposes
* impersonating you
* opening your computer for a remote human hacker to explore
and use
and more.
SOLUTION:
DDACS provides instrumentation to test-drive untrusted programs. The
program is run under a restrictive set of network, file and registry
rules that alert on any possibly suspicious activity:
* all network requests: connect, send, accept, receive
* all registry modifications
* all modifications to files outside its Program Files and
ProgramData directories
* all attempts to execute any external program
When running the program and seeing alerts, understand what the program
tries to do and whether it fits the program's description and
documentation. If the access attempt is logical, you may allow it
specifically. Otherwise forbid it once. Note what the program attempts
to do and think about what it is trying to achieve.
If the program hits legitimate alerts and you create allow rules for
them, you will see fewer and fewer alerts. After some time you may
remove all the restrictive rules specific to this program.
If the program continuously makes suspicious attempts, choose Forbid to
create blocking rules for it. In principle, even if you got malware,
you may eventually be able to completely disable its malicious part
with restrictive blocking rules and keep using its appealing part.
Still, if you needed to create a number of blocking rules in order to
prevent its abnormal activity, you ought to pack the program, send it to
security researchers and delete it from your computer.
IMPORTANT:
Sometimes it's hard to decide whether the activity of a test-driven
program that pops up Alert dialogs is legitimate or not. In such a case
you may resort to sandboxing it. See WATCHING ACTIVITIES AND SANDBOXING.
Registry protection is available only with the TotalAdmin edition.
[TotalAdmin][Free]
--------------------------------------------------------------
INSTALLING A PROGRAM
You downloaded a program from the internet and are going to install it.
You are concerned with the security aspects of the program, but what
about the installer itself?
An installer is either a program itself or an .MSI installation package
that contains installation instructions and data for the Windows
msiexec.exe program. So it's a program that will run on your computer,
with one distinction: an installer will virtually always require
Administrator privileges, which only raises the threat. Another
distinction is that installers legitimately create executables (the
programs being installed).
THREAT:
Running an installer presents all the threats of running a program:
* stealing information
* destroying files and programs
* redistributing malware (infecting other programs and
libraries)
* exploiting your computer for illegal, stealthy or otherwise
unauthorized purposes
* impersonating you
* opening your computer for a remote human hacker to explore
and use
and more.
SOLUTION:
Run the installer with a test-drive set of restrictive rules. See
TEST-DRIVING A PROGRAM. If your installer is a program (.EXE), set the
test-drive rules on it; if it is an .MSI, set the test-drive rules on
msiexec.exe. During installation you will receive numerous Alert dialog
pop-ups. Carefully read the diagnostic - what the installer attempts to
do. Unlike for other programs, some activities of an installer are
legitimate:
* Creating executables and DLLs in the installation directory
(e.g. C:\Program Files\InstalledProgram). Not infrequently the installer
may want to install DLLs into the Windows system directory, like MSVC
redistributables. Creating executables in other places or modifying
existing programs is suspicious (except in temporary directories).
Writing random DLLs to the Windows system directory is also suspicious.
* Setting the program as auto-start may be legitimate for the
installer. You will have a choice about that even if the installer
doesn't prompt you.
* Connecting to the internet may be legitimate. To save traffic
and space on distribution sites, many installers that you download
contain only a starter; the main installation data (including programs)
are downloaded by that starter. Also, installers may need to register
at the vendor's site. Consider whether the site where the installer
wants to connect looks like the vendor's site.
Requests to accept connections, or to send and receive connectionless
data, are not legitimate and are dangerous.
At the end of installation you may remove the test-drive rules that you
set specifically for the installer program or msiexec.exe.
IMPORTANT:
Due to their nature, the threats from installers are not easy to
counter, since most of their legitimate functionality is suspicious for
other kinds of programs. Installers are especially suitable for carrying
"one-and-run" attacks - attacks that are designed to run only once and
leave no traces on the target.
In some situations you may trust the installer: if it comes from a
vendor with a good reputation (e.g. drivers from a hardware vendor or
software from a well-known vendor) and you downloaded it from the
vendor's site. In such a case you may just choose to trust the
installer when the Alert pops up. Be careful: if you downloaded even a
good vendor's installer from a third-party distribution site, you can
no longer blindly trust it.
If you can't decide during the test-drive installation whether you can
trust the program or not, you may resort to sandboxing it. See WATCHING
ACTIVITIES AND SANDBOXING.
Registry protection, including setting programs to auto-run, is
available only with the TotalAdmin edition.
[TotalAdmin][Free]
--------------------------------------------------------------
WATCHING ACTIVITIES AND SANDBOXING
Sometimes you can't trust a program yet, but are not sure that it's
malware either. (In particular this is relevant to installers, which
legitimately do many things that are suspicious for other programs.)
Suppose that you installed the free version of a program, which unlike
the paid version displays advertisements. In order to display ads the
program will try to connect to ad sites, which may look suspicious in
the Alert prompt. However, this is legitimate activity, since you know
that you installed the free version and this behavior is documented.
Another problem: you get an Alert on some activity that you are not sure
you can safely allow. You choose to forbid it once, then it hits a few
more Alerts and goes silent. However, the program was denied some
access and didn't attempt what it would have if the access had been
granted. These unattempted activities might have helped you decide
whether the program is clean or malicious, but you are reluctant to
allow the accesses that hit the Alerts.
What to do?
THREAT:
All the threats of running a program:
* stealing information
* destroying files and programs
* redistributing malware (infecting other programs and
libraries)
* exploiting your computer for illegal, stealthy or otherwise
unauthorized purposes
* impersonating you
* opening your computer for a remote human hacker to explore
and use
and more.
SOLUTION:
1. Create a VM (for VMware Player or VirtualBox) with a
fresh Windows installation (preferably the same version that you have
on your computer) and install DDACS on it. For the purpose of
sandboxing you may want to install DDACS without automatically
loading default rules. This VM will be used as a sandbox to run
suspected programs.
2. Copy the VM and run the copy
3. If you want to check the installed program, install it.
If you want to check the installer, just prepare it to run
4. Set watching rules for this program (if the installer is an
.MSI, set rules for msiexec.exe). Watching rules are Log rules for all
file, registry and network activities. You may remove all other rules
in all panels.
5. Go to File System, Application Firewall, click on Log and
then click on Clear Log
6. Run the program and use it. Try to execute as many
options as possible.
7. When done, end the program. Go to the File System,
Application Firewall and Registry panels and read the Logs.
File System, Application Firewall and Registry logs will contain all
relevant activity that the program does if it's allowed everything.
Examine especially things that would otherwise prompt suspicious
Alerts:
* creating executables (unless it's an installer, and if it
is, creating suspicious executables)
* connecting to unknown internet sites, requesting to accept
connections, sending and receiving connectionless data
* writing registry entries
If you are checking a complex program, you may want to use it for some
time in the VM logged sandbox. If there is a lot of activity, you may
want to clear the logs before each next run. For straightforward
utility programs, such as installers, one run is enough.
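A triage pass over such logs that flags the three kinds of activity listed above, as an added example (not DDACS code): the tab-separated log format (filter, program, operation, target), the sample lines, the known-site list and the installer's expected directory are all constructed for the illustration, since the real DDACS log layout is not shown here.

```python
"""Flag the suspicious activities listed above in a sandbox run's logs.
Added example, not DDACS code: the tab-separated log format (filter,
program, operation, target), the sample lines, the known-site list and
the installer's expected directory are all constructed for illustration."""
import re
from dataclasses import dataclass

# Extensions counted as executables, libraries or scripts (assumption).
EXEC_EXTS = (".exe", ".dll", ".sys", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".scr")
MODIFYING_OPS = {"create", "write", "delete", "rename"}
# Registry paths whose modification means auto-start or service installation.
AUTOSTART_KEY = re.compile(r"\\(Run|RunOnce|Services)\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high": needs an explanation before trusting; "review": worth a look
    reason: str
    line: str


def parse_line(line):
    """Split one constructed log line; return None for malformed lines."""
    parts = line.rstrip("\r\n").split("\t")
    return tuple(parts) if len(parts) == 4 else None


def triage(log_lines, known_sites, install_dir=None):
    """Return findings, high severity first.
    known_sites: hosts the program is documented to contact (e.g. its ad server).
    install_dir: for an installer, the directory where new executables are expected."""
    known = {s.lower() for s in known_sites}
    findings = []
    for raw in log_lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        filt, _program, op, target = rec
        op = op.lower()
        if filt == "FileSystem":
            if op in MODIFYING_OPS and target.lower().endswith(EXEC_EXTS):
                expected = install_dir and target.lower().startswith(install_dir.lower())
                findings.append(Finding("review" if expected else "high",
                                        f"{op} of executable/library/script", raw))
        elif filt == "AppFirewall":
            host = target.rsplit(":", 1)[0].lower()
            if op == "connect" and host not in known:
                findings.append(Finding("review", f"connection to unknown site {host}", raw))
            elif op in ("listen", "accept"):
                findings.append(Finding("high", "wants to accept inbound connections", raw))
            elif op in ("sendto", "recvfrom"):
                findings.append(Finding("review", "connectionless (datagram) traffic", raw))
        elif filt == "Registry" and op in ("set", "create", "delete"):
            hot = AUTOSTART_KEY.search(target) is not None
            findings.append(Finding("high" if hot else "review",
                                    "auto-start/service key write" if hot else "registry write", raw))
    findings.sort(key=lambda f: f.severity != "high")   # stable sort: "high" first
    return findings


# Constructed sample: an ad-supported free program installed by its installer.
SAMPLE_LOG = """\
FileSystem\tC:\\Temp\\freeapp-setup.exe\tcreate\tC:\\Program Files\\FreeApp\\freeapp.exe
FileSystem\tC:\\Temp\\freeapp-setup.exe\tcreate\tC:\\Users\\me\\AppData\\Roaming\\xk3j9.dll
FileSystem\tC:\\Temp\\freeapp-setup.exe\twrite\tC:\\Program Files\\FreeApp\\readme.txt
AppFirewall\tC:\\Program Files\\FreeApp\\freeapp.exe\tconnect\tads.example.com:443
AppFirewall\tC:\\Program Files\\FreeApp\\freeapp.exe\tconnect\t203.0.113.7:4444
AppFirewall\tC:\\Program Files\\FreeApp\\freeapp.exe\tlisten\t0.0.0.0:8080
Registry\tC:\\Temp\\freeapp-setup.exe\tset\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\FreeApp
Registry\tC:\\Temp\\freeapp-setup.exe\tset\tHKLM\\Software\\FreeApp\\InstallDir
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines(), {"ads.example.com"}, install_dir="C:\\Program Files\\FreeApp"):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

The documented ad server and the readme write produce no finding; the DLL dropped under AppData, the listening socket and the Run key come out first.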
IMPORTANT:
Don't use the same VM to check different programs. Create a separate
copy of the clean VM (step 2) that you created in step 1.
Registry examination is available only with TotalAdmin edition.
[TotalAdmin][Free]
--------------------------------------------------------------
INSTALLING AND MODIFYING SERVICES
Services are system "stealth" programs that run with Administrator
privileges. They don't have standard input and output and don't have a
window naturally (even though they may open a console or a window).
Services are not started as regular programs; instead they are recorded
in the registry as
services, together with start method. Start method may be automatic or
manual.
Also a service may be a driver rather than a program. Drivers run in
kernel mode and have a lot more privileges than programs even with
Administrator privileges.
DDACS is limited in filtering drivers' activities. Drivers run in the
context of different processes, not having their own; that means that
if a driver attempts some access, DDACS will not be able to relate it
to a program rule correctly.
Some drivers run at a level that DDACS can't filter.
THREAT:
During installation malware installs itself as a service. It will start
automatically at computer boot and do malicious work all the time.
Threats are the same as with running programs:
* stealing information
* destroying files and programs
* redistributing malware (infecting other programs and
libraries)
* exploiting your computer for illegal, covert or otherwise
unauthorized purposes
* impersonating
* opening your computer for a remote human attacker to explore
and use
and more.
Additionally, services run similarly to auto-start programs, without a
window or a terminal, mostly unnoticed.
SOLUTION:
DDACS comes with a ready set of rules to alert you when a modification
to services happens. If you were in the process of installing or
removing something that may need system-level software (a hardware
driver pack, VM manager, VPN etc.), then it's probably legitimate
access. If at that moment you were not installing or removing
anything, it's suspicious and dangerous activity.
[TotalAdmin]
--------------------------------------------------------------
ALLOWING OTHERS TO USE YOUR COMPUTER
You want to let others use your computer for some time. It may be your
spouse, your kids, your relatives and friends. While you are not
nearby, you want to limit their use so that they don't have access to
your private social pages, work materials or clients database and
anything else you consider strictly
private.
THREAT:
There are a number of privacy and security threats associated with
letting others use your computer with your privileges, whether by
intention or by carelessness:
* Your guests may get access to your private information: on
your social pages, on your disk. They may realize that you are involved
in activities that you wouldn't want them to know
* They may get access to personal information of other
people who trust you and whose details you keep on the computer
* They may destroy your personal information or personal
information of other people (like your customers, work documents etc.)
- by mistake or on purpose
* They may impersonate you and act in your name
* They may participate in illegal activities from your
computer
* They may install and run malware
SOLUTION:
DDACS provides the necessary tools for you to limit others' access to
your computer. The solution includes:
* Creating another user than yours for all others to work
under (it may even be allowed to run programs as Administrator). This
is to prevent others from seeing and answering DDACS Alert dialogs
* Creating Filesystem rules to prevent any access to your
private files and those of others that you keep on your computer
* Creating Filesystem or Program Blocker rules to block some
programs from running - those that may be used to read and edit your
private information
* Creating TCP Client or Website Blocker rules to prevent
access to sites that you consider private and for which you have e.g.
automatically saved passwords
* Creating Filesystem rules to prevent any access to DDACS
files (not programs; not having your DDACS password, your guests will
not be able to operate DDACS anyway)
For activities that you don't want to happen, create Block (not Alert)
rules. Remember - you don't allow your guests to answer Alert dialogs.
Rules set as Alert will function as "block" anyway, and you will have
several Alerts unnecessarily waiting for you when you later switch user
back to yourself.
Save all guest-specific rules in separate files with distinguished
Policy Name (e.g. "Guest Access Rules"). When you prepare your computer
to give to others, load these rules. When you take back your computer,
remove all these rules by
Policy Name.
[TotalAdmin][Free]
--------------------------------------------------------------
PARENTAL CONTROLS
You are letting your kids use your computer. You want to prevent them
from destroying your important files (that possibly contain personal
information about other people), from accessing your social accounts
and from installing malware on your computer. In addition, as a
responsible parent you want to prevent them from visiting sites and
using content that may be too early for them to comprehend and judge
correctly.
THREAT:
* Your guests may get access to your private information: on
your social pages, on your disk. They may realize that you are involved
in activities that you wouldn't want them to know
* They may get access to personal information of other
people who trust you and whose details you keep on the computer
* They may destroy your personal information or personal
information of other people (like your customers, work documents etc.)
- by mistake or on purpose
* They may impersonate you and act in your name
* They may participate in illegal activities from your
computer
* They may install and run malware
* They may be exposed to information and content that you
consider inappropriate for them (e.g. too early for their age to
understand and judge correctly)
SOLUTION:
DDACS provides you with the necessary tools to limit your kids' access
to your computer.
* CONTROLLING WHAT AND WHEN CAN BE ACCESSED
You apparently don't want your kids to be able to operate DDACS. If you
don't give them your DDACS password, they will not be able to access
the tools, but they can still answer Alert dialogs if you allow them to
use your account. You may create a separate set of rules for them that
does not include any Alert rules.
Or you may create a separate account for them; in this case Alert rules
will pop up their dialog in your account and further Alert accesses
will be treated as Forbid.
Protect your account with a password and don't give it to them. Thus
they will not be able to reboot into Safe mode and remove DDACS
protection.
Apply Filesystem rules to forbid any access to your private / personal
files.
Apply Registry rules to forbid installation of drivers / services and
setting auto-run programs.
* CONTROLLING WHAT AND WHEN RUNS
Use Program Blocker rules to control the time when programs can run.
You may define dates and days of the week when the program can't run;
alternatively you can just define Program Blocker rules, apply them
before you hand over your computer and remove them when you get it back.
* CONTROLLING WEBSITE VISITING
Use TCP Client rules to control the time when websites can be accessed.
You may define dates and days of the week when the sites can't be
accessed by a specific program or any program; alternatively you can
just define program blocker rules, apply them before you hand over your
computer and remove them when you get it back.
Note: instead of using timed rules (which are easier), you may schedule
changing rules at particular times.
TCP Client and other program-specific network control is available in
TotalAdmin edition only. Registry control (services installation,
auto-run programs control) is available in TotalAdmin edition only.
[TotalAdmin][Free]
--------------------------------------------------------------
EMPLOYER CONTROLS
You give your computers to employees to perform their work duties. You
may be permitting some reasonable personal use, but want to prevent
other uses, in particular illegal or compromising ones. On the other
hand, employees that have Administrator privileges on their computer
may remove or disable some automatic programs that they think interfere
with their work, but which you consider important to have running.
THREAT:
* Your employees may extend personal use beyond what you
consider reasonable
* They may use the computer for illegal activities or
otherwise activities that are against your company policies
* They may install and run malware
* If your employees must have Administrator privilege on the
computer, they may disable or uninstall/remove auto-run programs that
you consider important, but which they may feel interfere with their
work
SOLUTION:
DDACS provides you with the necessary tools to limit your employees'
unwanted use of the computer.
* CONTROLLING WHAT AND WHEN CAN BE ACCESSED
Don't give your employees the DDACS password, so that they can't
operate it and change your policies. If your employees need
Administrator access, create a set of rules without Alerts. E.g., forbid
all programs from creating or modifying executables except for updates;
if your employees need to build programs, create Allow rules for the
build tools.
If your employees with Administrator access need to change system
programs (possibly drivers) on the local machine frequently, set the
programs that can copy to system directories as Trusted. DDACS default
rules make "explorer.exe" a trusted program; you may add others as
convenient. Important: define as trusted only programs that can't be
run unattended by malware; e.g. don't make "cmd.exe" a trusted program.
Apply Filesystem rules to not allow any access to system /
protection-related files.
Apply Registry rules to forbid installation of drivers / services and
setting auto-run programs.
Unless the work duties really require it, don't give your employees
Administrator access. If the duties require it, give them training on
the relevant DDACS basics.
* CONTROLLING WHAT AND WHEN RUNS
Use Program Blocker rules to control time when programs can run. E.g.
if your employee's work duties don't require constant internet
communication, you may limit browsers use to specific hours.
* CONTROLLING WEBSITE VISITING
If your employee's work duties require constant internet communication,
you may limit website access to only those sites that are needed for
work. Other sites you may allow for reasonable personal use during
specific hours using TCP Client rules.
Note: instead of using timed rules (which are easier), you may use your
Administrator access remotely to change rules at particular times.
TCP Client and other program-specific network control is available in
TotalAdmin edition only. Registry control (services installation,
auto-run programs control) is available in TotalAdmin edition only.
[TotalAdmin][Free]
--------------------------------------------------------------
DEFINING TRUSTED PROGRAMS
You know that some programs need legitimate access to create
executables, libraries, services etc. It may be a system updater, build
tools or a shell that you use to copy files, create or open archives.
You don't want to answer Alerts every time the program tries to create
(or delete) another executable or DLL - even if you choose Allow in the
Alert dialog, it will create a rule that allows only the specific access
to the specific file.
THREAT:
If you mistakenly define malware as a trusted program, you have given
it all access with your own hands.
SOLUTION:
When a program requests an access that pops up an Alert, choose Trust
This Program. This will create an "allow all access" rule for this
program in the particular filter (Filesystem, Registry or Program
Firewall). If you know in advance which program you want to make
trusted, you may just manually add rules for this program that allow
all access in the Filesystem, Registry and Application Firewall panels.
Assign these rules the maximum priority (100).
Caution: consider carefully before you define a program as trusted. If
the program popped an Alert, consider whether what it requests to do
matches its documented functionality. Check the program's security
certificates (if they exist) to verify that it wasn't modified since it
was created by the vendor.
When defining a program as trusted, you may also forbid any
modification to it except by its own updater. If you don't, watch
carefully for any other program that tries to change your trusted
program.
Registry control is available in TotalAdmin edition only.
[TotalAdmin][Free]
--------------------------------------------------------------
PERFORMING TEMPORARY TRUSTED TASKS
Sometimes you need to run a temporary trusted program for specific
task. It may be an installer or a shell that you use to copy files, but
don't want to keep it trusted permanently; often you want only the
particular instance of the program to be trusted.
THREAT:
If you mistakenly define malware as a trusted program, you have given
it all access with your own hands.
SOLUTION:
When a program requests an access that pops up an Alert, choose Trust
This Program. This will create an "allow all access" rule for this
program in the particular filter (Filesystem, Registry or Program
Firewall). If you know in advance which program you want to make
trusted, you may just manually add rules for this program that allow
all access in the Filesystem, Registry and Application Firewall panels.
Assign these rules the maximum priority (100).
Create a Program Blocker rule that blocks this program for running.
This will leave only the currently running instance(s) trusted; others
will not be able to run.
When you are done with the trusted task, remove the "allow-all" rule
for that program and the Program Blocker rule that prevents it from
running.
Registry control is available in TotalAdmin edition only.
[TotalAdmin][Free]
--------------------------------------------------------------
AUTOMATING RULES SWITCHING
There are cases when you need to switch policies (many rules at once).
Usually you will want to change many rules when you give your computer
to others to use. When you are logging in to your employee's computer
you may need to change rules to allow yourself to apply important
updates.
You may create two distinct sets of rules and switch between them, or
create one basic set of rules and another one that modifies it (adding
restrictions or, conversely, relaxing them).
If you are creating two distinct sets:
1) Create one set that you want to be loaded from computer
start-up and save it in GUI (you may already have it)
2) Create the second set, possibly by modifying the first
(deleting and adding rules). Likely you won't want to add here Alert
rules
3) Save it to a different rules file using the command-line
utilities
Then, when you want to switch rules, remove all rules and load rules
from the alternative rules file. You may want to put the remove / load
commands into a simple script.
If you are creating a basic and modification set:
1) Create one set that you want to be loaded from computer
start-up and save it in GUI (you may already have it)
2) Add to it modification rules (Allow, Forbid). Likely you
won't want to add here Alert rules. Assign to all modification rules
the same Policy Name.
3) Using command-line tools, save modification rules by
Policy Name to a different rules file
When you want to switch by adding modification rules, use command-line
tools to load from the alternative file. When you want to switch back
to basic rules set, use command-line tools to remove rules by Policy
Name. You may want to put the remove / load commands into a simple
script.
[TotalAdmin][Free]
--------------------------------------------------------------
PROTECTING YOUR PASSWORD
If you are giving your computer to others to use (guests, kids,
employees) and create special restricting rules for their use, you
won't want them to use DDACS and remove the restrictions. DDACS tools
(both GUI and command-line) are protected with a password. DDACS comes
with an empty password; you will probably want to set one right after
installation using the GUI or the command-line password tool.
A function of the password (not the password itself) is kept in the
"adm-pass" file. The file itself is protected by DDACS self-protection
from modification other than by the DDACS password tools.
If you automate rules switching, you will keep scripts that add or
remove many rules. Adding and removing rules requires the password, so
the script file will contain the password on the command line. You will
probably want to prevent your guests from reading the password, so when
giving access to others, set a rule to prevent any access to your
scripts. When switching back, remove that rule.
[TotalAdmin][Free]
--------------------------------------------------------------
PREVENTING GUESTS' USE OF DDACS
If you are giving your computer to others to use (guests, kids,
employees) and create special restricting rules for their use, you
won't want them to use DDACS and remove the restrictions.
The most important thing is to protect your password and not give it to
your guests [see PROTECTING YOUR PASSWORD]. Next, you will probably
want to prevent uninstalling DDACS - set a Program Blocker rule on the
uninstaller.
It's important not to allow your guests to run scripts for automated
policy switching. To achieve that, the guest rules should prevent any
access to your scripts, but you have probably done that already as part
of password protection.
[TotalAdmin][Free]
--------------------------------------------------------------
REGAINING CONTROL OVER AN INFECTED SYSTEM
You can regain control of a system that was already infected by the
time DDACS is installed, without reinstalling Windows. If you install
DDACS with default rules, it will immediately trap attempts to create
and modify executables, libraries, services, scripts etc. Pay attention
to the names of programs that attempt suspicious access. Some malware
splits into many programs with random names that run from random
locations on disk. Other malware may have infected legitimate and
useful programs; then those programs would attempt unexpected
suspicious access.
When you identify a malicious access with an Alert, even from a useful
program that you have installed, you may choose Suspend And Block
Program. The suspicious access will be denied, the program will stay in
a suspended state and a Program Blocker rule will be set to prevent it
from running again. Then you may try to terminate it with Program
Killer. If you succeed, you may remove its program file from disk. If
not, you will be able to do so after a reset.
Note that the Suspend option exists only in the TotalAdmin edition. In
the Free edition the closest that you can get to this use case is not
to answer the Alert at all; instead create a Program Blocker rule to
block this program and issue a hard reset to the computer.
Remember in all cases to save the rules that were set (in this
situation the Program Blocker rule).
If you find that important programs have been infected, you may try to
reinstall them (including repairing the Windows installation from
installation media if Windows programs were infected).
[TotalAdmin][Free]
--------------------------------------------------------------
CREATING TRUST ZONES
By "trust zone" we mean a set of rules that makes a policy. E.g. most
access is forbidden, but exception rules to allow certain programs
access are also set. Then you create rules to protect that more trusted
program more than you protect other programs.
E.g.
1) Create a rule to block all access to your sensitive important files
2) Create an exception rule to allow a program that works with these
files access (the "more trusted" program)
3) Create a rule to block all modification access to that more trusted
program and its files in the installation directory. If the trusted
program can be run with parameters by any program, potentially also by
malware (such as cmd.exe from the Windows installation), you may also
want to create a rule to forbid running it by untrusted programs
4) Create an exception rule to allow that program access to its own
files. Possibly allow it or an updater in its installed folder to
modify that program in order to allow updates
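A small model of the four-rule trust zone above, and of loading and removing a guest policy by Policy Name as in AUTOMATING RULES SWITCHING. This is an added illustration, not DDACS code: glob matching of program and file paths, "highest priority wins", "no matching rule means allow" and "an Alert nobody can answer acts as a block" are assumptions made for the example, and the paths and program names are made up.

```python
"""Model of the layered trust-zone policy above and of Policy Name
switching.  Added example, not DDACS code: glob matching, "highest
priority wins", "no matching rule means allow" and "unanswerable Alert
acts as block" are assumptions; paths and program names are made up."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

ALL = frozenset({"read", "write", "create", "delete"})
MODIFY = frozenset({"write", "create", "delete"})


@dataclass(frozen=True)
class Rule:
    policy: str         # Policy Name: lets a whole set be removed at once
    priority: int       # 0..100, higher wins (assumption)
    program: str        # glob over the acting program's path
    path: str           # glob over the accessed file
    accesses: frozenset
    action: str         # "allow", "block" or "alert"


def _match(pattern, value):
    # Windows paths are case-insensitive, so compare lower-cased.
    return fnmatchcase(value.lower(), pattern.lower())


def evaluate(rules, program, path, access, operator_present=True):
    """Decide one access attempt: "allow", "block" or "alert"."""
    best = None
    for rule in rules:
        if (access in rule.accesses and _match(rule.program, program)
                and _match(rule.path, path)):
            if best is None or rule.priority > best.priority:
                best = rule
    if best is None:
        return "allow"          # no rule matched: assumed default
    if best.action == "alert" and not operator_present:
        return "block"          # an Alert nobody can answer acts as a block
    return best.action


def remove_by_policy(rules, policy_name):
    """Drop every rule carrying the given Policy Name (switching back)."""
    return [r for r in rules if r.policy != policy_name]


PRIVATE = r"C:\Users\me\Private\*"
EDITOR = r"C:\Program Files\Notepad++\notepad++.exe"
EDITOR_DIR = r"C:\Program Files\Notepad++\*"
UPDATER = r"C:\Program Files\Notepad++\updater.exe"

BASE_RULES = [
    # 1) block all access to the sensitive files for every program
    Rule("Trust Zone", 10, "*", PRIVATE, ALL, "block"),
    # 2) exception: the "more trusted" editor may work with them
    Rule("Trust Zone", 50, EDITOR, PRIVATE, ALL, "allow"),
    # 3) nobody modifies the trusted program or its installation directory
    Rule("Trust Zone", 10, "*", EDITOR_DIR, MODIFY, "block"),
    # 4) exception: its own updater may modify it
    Rule("Trust Zone", 50, UPDATER, EDITOR_DIR, ALL, "allow"),
]

GUEST_RULES = [
    # keep guests away from the rule-switching scripts (see PROTECTING YOUR PASSWORD)
    Rule("Guest Access Rules", 20, "*", r"C:\Users\me\Scripts\*", ALL, "block"),
    # an Alert rule in a guest policy only blocks and leaves a dialog waiting for you
    Rule("Guest Access Rules", 20, "*", r"C:\Users\me\Photos\*", frozenset({"read"}), "alert"),
]

if __name__ == "__main__":
    rules = BASE_RULES + GUEST_RULES
    for prog, path, acc in [(r"C:\Temp\xk3j9.exe", r"C:\Users\me\Private\cards.txt", "read"),
                            (EDITOR, r"C:\Users\me\Private\cards.txt", "write"),
                            (r"C:\Temp\xk3j9.exe", EDITOR, "write")]:
        print(acc, path, "by", prog, "->", evaluate(rules, prog, path, acc))
    rules = remove_by_policy(rules, "Guest Access Rules")
    print("scripts readable again:",
          evaluate(rules, r"C:\Windows\explorer.exe", r"C:\Users\me\Scripts\switch.cmd", "read"))
```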
[TotalAdmin][Free]
--------------------------------------------------------------
HELPING TO IMPROVE DDACS
Please report bugs, issues and suggest improvements to us.
ddacssec@gmail.com
--------------------------------------------------------------