
Extra Protection from Viruses

Novell Cool Solutions: Feature
By Ruud Hanegraaf


Posted: 23 Dec 2002
 

Here's an easy way to protect yourself against the majority of e-mail viruses, even when your virus scanner is not up to date yet or the latest security updates haven't been installed. It works with Windows NT and Outlook 98, but the idea should also be usable with later versions.

We use the following registry settings, which are imported every time the user logs in.

REGEDIT4

;
; Disable dangerous extensions
;
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\command]
@="%1"

[HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\command]
@="%1"

[HKEY_CLASSES_ROOT\piffile\Shell\Open\command]
@="."

[HKEY_CLASSES_ROOT\scrfile\Shell\Open\command]
@="."

;
; Redirect sound files
;
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mid]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/midi]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/mpeg]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/wav]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-midi]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\audio/x-wav]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"

;
; Run Outlook in the restricted zone
;
[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Options\General]
"Security Zone"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"Flags"=dword:00000003
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000003
"1405"=dword:00000003
"1406"=dword:00000003
"1407"=dword:00000003
"1601"=dword:00000001
"1604"=dword:00000001
"1605"=dword:00000000
"1606"=dword:00000003
"1607"=dword:00000003
"1800"=dword:00000003
"1802"=dword:00000001
"1803"=dword:00000003
"1804"=dword:00000003
"1805"=dword:00000001
"1A00"=dword:00010000
"1A02"=dword:00000003
"1A03"=dword:00000003
"1C00"=dword:00010000
"1E05"=dword:00010000

The first few settings neuter the file associations for .vbs, .pif and .scr files. The ProgIDs stay registered, but their Open command is replaced by one that does not hand the file to any program: "." is not an executable, and a bare "%1" makes Windows try to run the file itself, which fails for a script.

  • .vbs files are Visual Basic Script files. We don't use VBS on our workstations - hardly anybody does - so we delete the Windows Script Host (wscript.exe) and disable the association.
  • .pif files are the predecessors of shortcut files (.lnk). They were used in Windows 3.x to start MS-DOS programs and are not needed anymore; Windows still treats a .pif as executable, which is why viruses like the extension. If you still use them, replace them with shortcuts.
  • .scr files are Windows screen savers. In a normal situation there's no need to start a screen saver by double-clicking it. Windows activates the configured screen saver directly, without going through the association, so there's no risk involved here.

You can also remove .bat and .cmd as associations. This means you can't start batch files directly from Windows Explorer (but neither can viruses). From MS-DOS or login scripts you can still run them, or from Windows with 'cmd /c something.bat'. To remove .bat and .cmd, copy the piffile key and change 'piffile' to 'batfile' and/or 'cmdfile'.

Neutering these associations means that even new viruses (for which there are no virus definitions yet) can't be started if they arrive with one of these extensions. Of the last 8000 viruses we received here, these were the extensions used:

  • .scr 51.7 %
  • .pif 20.7 %
  • .bat 8.2 %
  • .vbs and .cmd were negligible. VBS had its heyday with LoveLetter, but isn't used much anymore.

So neuter the associations and with one big bang you're protected against roughly 80 percent of all existing and future viruses. What is not covered: attachments with other executable extensions (.exe, .com) and anything that is started by some other route than the shell association.

Most recent viruses (like BugBear and Yaha) use a bug in the MIME handling that Outlook shares with Internet Explorer (fixed by Microsoft as MS01-020), which lets a virus start itself from the preview pane. It does this by fooling Outlook into thinking the message contains an embedded sound file it must play, while in fact the part is a virus:

------------GFHE75IKB2EYWCI
Content-Type: audio/x-midi;
	name=funny.scr
Content-Transfer-Encoding: base64
Content-ID: <9ViLXI4X1zGfb>

------------GFHE75IKB2EYWCI--

There are several patches available for this bug, but the settings above help as well. They point every audio MIME type at the CLSID {25336920-03F9-11cf-8FD0-00AA00686F13}, which is not a sound player but the MSHTML "HTML Document" handler (the same CLSID the text/html entry uses), so the part is never handed to a player and nothing happens when an infected mail is viewed or opened in Outlook. The attachment can't be seen, saved or run from Outlook. It is still in the message store on disk, though: the setting stops Outlook from acting on it, it does not remove it, so a scanner that reads mail stores can still find it.
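The header trick shown above is easy to spot on a mail gateway or in a mail store, whatever the Outlook settings are: a part whose name= ends in an executable extension but whose Content-Type claims to be something harmless. The following is an added example in Python (not code from the original article) that walks a message with the standard email module and reports such parts. The message is constructed here in the shape of the fragment above; its base64 payload is placeholder text, and the extension list (the page's .scr, .pif, .bat, .cmd, .vbs plus .exe and .com) is an assumption.

```python
import base64
import email
import os
from email import policy

# Extensions Windows executes through a file association: the page's list
# plus .exe and .com (assumption).
EXEC_EXT = {".scr", ".pif", ".bat", ".cmd", ".vbs", ".exe", ".com"}

BOUNDARY = "----------GFHE75IKB2EYWCI"


def build_mail(content_type, name):
    """Constructed sample in the shape of the fragment above: an HTML body plus
    one related part declared as `content_type` but carrying the name `name`.
    The base64 payload is placeholder text, not a program."""
    payload = base64.b64encode(b"placeholder bytes, not a real program").decode()
    return (
        "From: sender@example.test\n"
        "To: you@example.test\n"
        "Subject: funny\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/related; boundary="{BOUNDARY}"\n'
        "\n"
        f"--{BOUNDARY}\n"
        'Content-Type: text/html; charset="us-ascii"\n'
        "\n"
        "<html><body>Have a look at this.</body></html>\n"
        f"--{BOUNDARY}\n"
        f"Content-Type: {content_type};\n"
        f"\tname={name}\n"
        "Content-Transfer-Encoding: base64\n"
        "Content-ID: <9ViLXI4X1zGfb>\n"
        "\n"
        f"{payload}\n"
        f"--{BOUNDARY}--\n"
    )


def suspicious_parts(raw_message):
    """Walk every MIME part and report the ones named with an executable
    extension. `type_mismatch` is True when such a part is declared as
    something other than application/* (for example audio/x-midi), which is
    the header trick described in the text."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() falls back to the Content-Type name= parameter,
        # which is where the fragment above puts the .scr name
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext not in EXEC_EXT:
            continue
        ctype = part.get_content_type()
        hits.append({
            "content_type": ctype,
            "name": name,
            "type_mismatch": not ctype.startswith("application/"),
        })
    return hits


if __name__ == "__main__":
    for ctype, name in [("audio/x-midi", "funny.scr"),
                        ("audio/x-wav", "ring.wav"),
                        ("application/octet-stream", "setup.exe")]:
        print(ctype, name, "->", suspicious_parts(build_mail(ctype, name)))
```

A genuine sound attachment (audio/x-wav named ring.wav) produces no hit, a plainly declared executable is reported without the mismatch flag, and the funny.scr part is reported with it; a gateway rule would quarantine on the executable extension alone and treat the mismatch as a strong indicator of the preview-pane exploit.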

The only disadvantage is that real embedded sound files are also not played anymore from Outlook. But then again, have you ever seen a legitimate business mail with sound? Me neither.

The last part of the .reg file makes Outlook render mail in the Restricted sites zone (zone 4) and sets the actions in that zone that could run code (active scripting, ActiveX, Java, launching programs from frames) to disable or prompt. That leaves HTML mail very little room to execute malicious code. Two things to check before relying on it: the zone settings above are written under HKEY_LOCAL_MACHINE, but Internet Explorer normally reads them from the per-user key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 unless the Security_HKLM_only value is set, so confirm which copy is in effect on your workstations; and since this is the Restricted sites zone, the same restrictions apply in Internet Explorer to any site placed in that zone.
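A .reg file that is imported at every login is easy to get subtly wrong (a ProgID misspelt, an action left at "prompt", a key that never made it into the file). The following is an added example in Python, not part of the original article, that parses the REGEDIT4 subset used here and audits it for what the association section and the zone section above describe: the Open verbs for the dangerous ProgIDs replaced by a no-op, Outlook pointed at zone 4, and the code-executing actions in that zone disabled. The sample input is constructed from the file above, with a batfile key added at its Windows NT default so one association still runs; the URL action IDs checked are a subset chosen for this example.

```python
import re

# Constructed sample: the parts of the .reg file above that the checks look at
# (key paths on one line, as regedit needs them), plus a batfile key left at
# the Windows NT default so there is one association that still runs.
SAMPLE_REG = r'''REGEDIT4

; Disable dangerous extensions
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\command]
@="%1"

[HKEY_CLASSES_ROOT\piffile\Shell\Open\command]
@="."

[HKEY_CLASSES_ROOT\scrfile\Shell\Open\command]
@="."

[HKEY_CLASSES_ROOT\batfile\Shell\Open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Options\General]
"Security Zone"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1200"=dword:00000003
"1400"=dword:00000003
"1402"=dword:00000003
"1405"=dword:00000003
"1804"=dword:00000003
"1805"=dword:00000001
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
OPEN_CMD = r"HKEY_CLASSES_ROOT\%s\Shell\Open\command"
OUTLOOK_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Options\General"
ZONE4 = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4"
ACTION_NAMES = {0: "allow", 1: "prompt", 3: "disable"}
# URL action IDs that let HTML content run code, with Microsoft's names for
# them; a subset chosen for this check (assumption), not the full list.
CODE_ACTIONS = {
    "1200": "Run ActiveX controls and plug-ins",
    "1400": "Active scripting",
    "1402": "Scripting of Java applets",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1804": "Launching programs and files in an IFRAME",
    "1805": "Launching programs and files in webview",
}


def unescape(s):
    """Undo REGEDIT4 string escaping (\\" and \\\\)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse the REGEDIT4 subset this file uses: [key] sections, @="default",
    "name"="string" and "name"=dword:hex. Returns {key: {name: data}}, with
    the default value stored under the name ""."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError("unparsable line: %r" % raw)
        name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith("dword:"):
            reg[key][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            reg[key][name] = unescape(data[1:-1])
        else:
            raise ValueError("unsupported data on line: %r" % raw)
    return reg


def open_command(reg, progid):
    """The Open verb's command line for a ProgID, or None if the file leaves it alone."""
    return reg.get(OPEN_CMD % progid, {}).get("")


def is_neutered(reg, progid):
    """True when the Open verb is one of the page's no-op commands: "." is not
    a program, and a bare "%1" runs the document itself with no interpreter."""
    cmd = open_command(reg, progid)
    return cmd is not None and cmd.strip() in (".", "%1")


def outlook_in_restricted_zone(reg):
    return reg.get(OUTLOOK_KEY, {}).get("Security Zone") == 4


def zone_audit(reg, zone_key=ZONE4):
    """Map each code-executing action to allow/prompt/disable ('missing' when
    the .reg file does not set it) so a weak setting stands out."""
    zone = reg.get(zone_key, {})
    result = {}
    for action in CODE_ACTIONS:
        value = zone.get(action)
        result[action] = "missing" if value is None else ACTION_NAMES.get(value, "0x%x" % value)
    return result


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for progid in ("VBSFile", "piffile", "scrfile", "batfile", "cmdfile"):
        state = "neutered" if is_neutered(reg, progid) else "STILL RUNS"
        print("%-8s %-11s %r" % (progid, state, open_command(reg, progid)))
    print("Outlook in Restricted sites zone:", outlook_in_restricted_zone(reg))
    for action, state in zone_audit(reg).items():
        print(action, CODE_ACTIONS[action], "->", state)
```

Run against the real login file, the output shows at a glance which ProgIDs are still live (batfile and cmdfile here, exactly as the text says they are unless you copy the piffile key for them) and which zone actions are only set to prompt, such as 1805 in the file above.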

We use these settings as an extra layer of defense. It has stopped viruses which slipped through our scanner or which were so brand new, we didn't have updates for the definition files yet.

If you have any questions you may contact Ruud at r.hanegraaf@laurus.nl


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell