Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk


Topic review
   


Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by yes_noscript » Sat Dec 24, 2016 7:50 pm

Thanks.

I added Accept from chrome.

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by barbaz » Sat Dec 24, 2016 5:17 pm

@yes_noscript: known bug viewtopic.php?p=85536#p85536

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by yes_noscript » Sat Dec 24, 2016 10:39 am

I don't know why, but rule #1 breaks .asc & .sig (PGP) files with NoScript 2.9.5.2rc5.
The funny thing is that opening the file in the browser works, but if I try to save it, an error pops up and in the error console I get this:

Code:

Deny INCLUSION on {GET <URL> <<< chrome://browser/content/browser.xul - 1}
#1

Code:

Site ^(?:[0-9A-Za-z-]+tps?|wss?)://[^/:]+[/:].*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct|com)(?:[^0-9A-Za-z/].*)?$
Deny INC
You can test it with:
"https://download.documentfoundation.org ... 64.msi.asc"
"http://www.palemoon.org/pgp/palemoon-27 ... er.exe.sig"

It looks like it makes a difference whether the link is HTTPS or not. HTTPS seems to work, but HTTP does not. :shock:


The spam filter here is strange. I must remove URLs and other stuff.

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by ruy.benton » Sun Sep 06, 2015 9:53 pm

barbaz wrote: All the connections that I see are ones that I initiated.
Test at 10 ... 15 min or 1 hour intervals.
barbaz wrote:I just went through & deinstalled the online scopes, is that not enough?
Ubuntu -> Privacy, other OS ... different names.
"Click if you want your history ... " files, png, jpg, odt, pdf

Alert: W$n 10 in the latest versions ... it's code in the kernel.
We de-select and they (the OS) send.
We need to take other action ... install software and change some vars.

Kind Regards,
Ruy

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by barbaz » Fri Sep 04, 2015 10:25 pm

ruy.benton wrote:You can test with "netstat -a" or "netstat -an" and see if there is a conn. when you enable the wifi or ether.
It's immediate after enable.
All the connections that I see are ones that I initiated.
ruy.benton wrote:The other problem is search ... files, msg ... doesn't matter ... it sends to some hosts ... disable in System Settings.
I just went through & deinstalled the online scopes, is that not enough?

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by ruy.benton » Fri Sep 04, 2015 9:57 pm

barbaz wrote: Thanks, but I think I'm good there. This is part of the reason I'm using *L*ubuntu and not Ubuntu.
In Ubuntu 14.04 I could only partially remove that stuff, but I think I was able to remove it all in a Ubuntu 15.04 VM. Lubuntu (at least the 14.04.1 ISOs) doesn't come with any of it.
(And I don't especially care for the versions of Unity for Ubuntu > 12.04.x anyway.)
You can test with "netstat -a" or "netstat -an" and see if there is a conn. when you enable the wifi or ether.
It's immediate after enable.

The other problem is search ... files, msg ... doesn't matter ... it sends to some hosts ... disable in System Settings.

Thank you for your comments and prompt reply

Ruy

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by barbaz » Thu Sep 03, 2015 11:19 pm

ruy.benton wrote:Ubuntu send some info ... de-install Amazon ... and he connect to geo.ubuntu.com
I can guide to disable all that ...
Thanks, but I think I'm good there. This is part of the reason I'm using *L*ubuntu and not Ubuntu.
In Ubuntu 14.04 I could only partially remove that stuff, but I think I was able to remove it all in a Ubuntu 15.04 VM. Lubuntu (at least the 14.04.1 ISOs) doesn't come with any of it.
(And I don't especially care for the versions of Unity for Ubuntu > 12.04.x anyway.)

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by ruy.benton » Thu Sep 03, 2015 10:51 pm

Thrawn wrote:ABE is specifically for filtering HTTP requests. It's a web firewall, not a general-purpose one. FTP is out of scope
:( lets search another option

Thank you

barbaz wrote:And I missed yet another detail in the rule...

Code:

Site ^(?:[0-9A-Za-z-]+tps?|wss?)://[^/:]+[/:].*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct|com)(?:[^0-9A-Za-z/].*)?$
Deny INC
Apparently there is also a "ws" protocol that communicates with the Internet...
Thanks

barbaz wrote:Yep. (Well, had to dual boot anyway, but using Lubuntu as my main OS.) I'd rather not get into the details of why here.
(see viewtopic.php?p=74942#p74942 for some of it)
Ubuntu sends some info ... de-install Amazon ... and it connects to geo.ubuntu.com
I can guide to disable all that ...
RedHAT and Fedora much NSA :lol:

barbaz wrote: ...
Oddly I didn't have very much better luck even starting with a pre-built VM that already had a desktop environment (again, I could use it "as-is" but getting other software onto it was still a problem.)
Any advice for me for next time I decide to try it again?
Yep, no problem ... I'll test on my side

ruy.benton wrote:Nooooooo ... you sug. Sandbox ...

"I would like a plugin, to alert Firefox -> write files in the system.
I can use lsof ... but lots of work"
barbaz wrote:Well a sandbox will know everything that's written through it... so am I misunderstanding what you're wondering about?
I only need the info ... the path it writes ... but I can't find it.

And for full protection: KVM Linux, Xen, VirtualBox, OpenVZ ... for example.
barbaz wrote:https://l3net.wordpress.com/projects/firejail/
This link looks very interesting to me for a number of reasons. Thanks! :)
I can send more ... other subjects :lol:

Kind Regards,
Ruy

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by barbaz » Thu Sep 03, 2015 6:18 am

And I missed yet another detail in the rule...

Code:

Site ^(?:[0-9A-Za-z-]+tps?|wss?)://[^/:]+[/:].*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct|com)(?:[^0-9A-Za-z/].*)?$
Deny INC
Apparently there is also a "ws" protocol that communicates with the Internet...
ruy.benton wrote:Need switch to Lubuntu in a INTEL MAC?
Yep. (Well, had to dual boot anyway, but using Lubuntu as my main OS.) I'd rather not get into the details of why here.
(see viewtopic.php?p=74942#p74942 for some of it)
ruy.benton wrote:FreeBSD don't work? ... I have several servers ...
I've tried to set up a FreeBSD VM for myself from the install CD, and I just couldn't get it going in the way I wanted... my machine doesn't have the specs to compile tons of stuff (& building things from source almost always goes wrong for me) and all I could do with FreeBSD in any case was a basic install and then use the resulting system exactly as it was. I simply could not find a way to add software to the machine, see what software was on it, or even update the machine's existing software... all the suggestions I found on the Internet failed one way or another.
I'm not looking to use FreeBSD as a server anyway. What I want to make work is the latest available FreeBSD release (at whatever time I attempt to first install it), with a graphical environment* & my favorite applications. It would be quite helpful to me if I can have proper experience with, and a VM of, the most popular *BSD distro (aside from Mac OS X of course).

Oddly I didn't have very much better luck even starting with a pre-built VM that already had a desktop environment (again, I could use it "as-is" but getting other software onto it was still a problem.)

Any advice for me for next time I decide to try it again?

* Please not GNOME 3. My favorite desktop environments are LXDE and Openbox, but I can work with KDE3/Trinity, XFCE, & fvwm. I'm fine with the KDE 4+ desktop environment as well, but as much as I like the Oxygen look & certain individual KDE apps.. for the same reason I cannot use OS X > 10.7.x, let's keep the actual DE of KDE in a VM ;)
ruy.benton wrote:Nooooooo ... you sug. Sandbox ...

"I would like a plugin, to alert Firefox -> write files in the system.
I can use lsof ... but lots of work"
Well a sandbox will know everything that's written through it... so am I misunderstanding what you're wondering about?
ruy.benton wrote:There is several Sandbox for Mac, Linux:

[...]
https://l3net.wordpress.com/projects/firejail/
This link looks very interesting to me for a number of reasons. Thanks! :)
Thrawn wrote:ABE is specifically for filtering HTTP requests. It's a web firewall, not a general-purpose one. FTP is out of scope.
Oh, so it doesn't intercept any non-HTTP requests at all? I'm not aware of how ABE is implemented internally.

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by Thrawn » Thu Sep 03, 2015 2:41 am

ruy.benton wrote: FTP
Ex.
ftp://ftp.us.dell.com/network/
Any .exe ... DON'T BLOCK ANY .EXT ... DON'T WORK :(
ABE is specifically for filtering HTTP requests. It's a web firewall, not a general-purpose one. FTP is out of scope.

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by ruy.benton » Thu Sep 03, 2015 1:36 am

barbaz wrote: Hmm is what you want to not able to even download these manually? Then change Deny INC to Deny & remember to disable that rule when you actually want to download those type of code. (Then it is indeed useful to keep it in its own ruleset.)
I need to test your code ...

HTTP, FTP, Telnet, Gopher, BitTorrent ...

HTTP

Ex. http://products.kaspersky-labs.com/engl ... 4en-gb.exe
Block any .ext correct ... work :D

FTP
Ex.
ftp://ftp.us.dell.com/network/
Any .exe ... DON'T BLOCK ANY .EXT ... DON'T WORK :(


barbaz wrote:Used to be Mac OS X Lion until recently when I had to switch to Lubuntu 14.04.
But I've played with a lot of different OSes - I've got (or had) VM's for most popular Linux distros as well as OpenBSD & NetBSD (never could make FreeBSD work). Also have a pre-built OpenSolaris VM somewhere...
Need to switch to Lubuntu on an Intel Mac?

FreeBSD doesn't work? ... I have several servers ...


barbaz wrote:Oh.. yeah, I use VirtualBox too & it's awesome. I was thinking that didn't require booting another OS - for use in a VM so that can have a REALLY disposable environment.
Nooooooo ... you sug. Sandbox ...

"I would like a plugin, to alert Firefox -> write files in the system.
I can use lsof ... but lots of work"

Here is an example:
https://addons.mozilla.org/en-us/firefox/addon/priv8/



There are several sandboxes for Mac, Linux:

http://hints.macworld.com/article.php?s ... 8044558156

https://www.romab.com/ironfox/

https://l3net.wordpress.com/projects/firejail/

http://www.linux-magazine.com/Issues/2015/173/Firejail

Kind Regards,
Ruy

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by barbaz » Tue Sep 01, 2015 11:29 pm

ruy.benton wrote:Ex.
http://products.kaspersky-labs.com/engl ... 4en-gb.exe
I can't Download ... :D

ftp://ftp.us.dell.com/network/
Any exe ... I can Download :cry:
Hmm is what you want to not able to even download these manually? Then change Deny INC to Deny & remember to disable that rule when you actually want to download those type of code. (Then it is indeed useful to keep it in its own ruleset.)
ruy.benton wrote:I have several products to enclose the OS and delete the OS and FS after use ... and save only the bookmarks

Ex. https://www.virtualbox.org/wiki/Screenshots

I use this in some class and college. We setup a virtual machine ... and as the class close we delete the virtual machine and copy a fresh HD.
Oh.. yeah, I use VirtualBox too & it's awesome. I was thinking that didn't require booting another OS - for use in a VM so that can have a REALLY disposable environment.
ruy.benton wrote:I use BSD, MacOSX, Linux ... your main OS ... ?
Used to be Mac OS X Lion until recently when I had to switch to Lubuntu 14.04.
But I've played with a lot of different OSes - I've got (or had) VM's for most popular Linux distros as well as OpenBSD & NetBSD (never could make FreeBSD work). Also have a pre-built OpenSolaris VM somewhere...

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by ruy.benton » Tue Sep 01, 2015 10:52 pm

barbaz wrote:
ruy.benton wrote: TO MODERATOR - > PLEASE MOVE THIS TO ABE SUB-FORUM
SURE, DONE
Thank you very much

ruy.benton wrote:Add .com, need change:
Site ^(?:[0-9A-Za-z-]+tps?|wss)://.*/.*\.(?:gz|com)
Deny
Or it blocks all domains with .com :lol:
barbaz wrote:OK try this:

Code:

Site ^(?:[0-9A-Za-z-]+tps?|wss)://[^/:]+[/:].*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct|com)(?:[^0-9A-Za-z/].*)?$
Deny INC
Ex.
http://products.kaspersky-labs.com/engl ... 4en-gb.exe
I can't Download ... :D

ftp://ftp.us.dell.com/network/
Any exe ... I can Download :cry:
ruy.benton wrote:The malicious code could bypass the warning ... and install any code
barbaz wrote:Not unless it's already got a full hold of the browser, at which point the user anyway has bigger problems than an unwanted xpi and the malicious code could do more than just bypassing the warning to and installing an xpi.
Yeap and any code not only the XPI

ruy.benton wrote:I would like a plugin, to alert Firefox -> write files in the system.
I can use lsof ... but lots of work
barbaz wrote:Well for Windows there exists a program called sandboxie that Tom T. used to recommend (I know nothing of it myself being that I'm not a Windows user.)
Don't have any ideas for other OSes, sorry.
I have several products to enclose the OS and delete the OS and FS after use ... and save only the bookmarks

Ex. https://www.virtualbox.org/wiki/Screenshots

I use this in some class and college. We setup a virtual machine ... and as the class close we delete the virtual machine and copy a fresh HD.


I use BSD, MacOSX, Linux ... your main OS ... ?

Kind Regards,
Ruy

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by barbaz » Tue Sep 01, 2015 1:10 am

ruy.benton wrote:TO MODERATOR - > PLEASE MOVE THIS TO ABE SUB-FORUM
SURE, DONE :arrow: :arrow:
ruy.benton wrote:Add .com, need change:
Site ^(?:[0-9A-Za-z-]+tps?|wss)://.*/.*\.(?:gz|com)
Deny
Or he blocks all domains with .com :lol:
OK try this:

Code:

Site ^(?:[0-9A-Za-z-]+tps?|wss)://[^/:]+[/:].*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct|com)(?:[^0-9A-Za-z/].*)?$
Deny INC
ruy.benton wrote:And if lots of dots in the file name puff
what? :?:
ruy.benton wrote:ftp ... don't work
In what way?
ruy.benton wrote:The malicious code could bypass the warning ... and install any code
Not unless it's already got a full hold of the browser, at which point the user anyway has bigger problems than an unwanted xpi and the malicious code could do more than just bypassing the warning to and installing an xpi.
ruy.benton wrote:"if you know other treats ... updates in main kernel"
The main part of Firefox ... the program and the libs, e.g. libnspr4.so, libssl3.so and many others

I would like a plugin, to alert Firefox -> write files in the system.
I can use lsof ... but lots of work
Well for Windows there exists a program called sandboxie that Tom T. used to recommend (I know nothing of it myself being that I'm not a Windows user.)
Don't have any ideas for other OSes, sorry.

Re: Block files -> .exe .bat .dll .sh .dmg .cmd .cpl .lnk

by ruy.benton » Tue Sep 01, 2015 12:39 am

TO MODERATOR - > PLEASE MOVE THIS TO ABE SUB-FORUM



Add .com, need change:
Site ^(?:[0-9A-Za-z-]+tps?|wss)://.*/.*\.(?:gz|com)
Deny
Or it blocks all domains with .com :lol:

And if there are lots of dots in the file name, puff

ftp ... don't work
ruy.benton wrote:Yes, most of the time I see the warning ... and we click in preferences ...
... if you know other treats ... updates in main kernel
barbaz wrote:When don't you see any warning when trying install extension in Firefox through Firefox?
And what do you mean "if you know other treats ... updates in main kernel"?
The malicious code could bypass the warning ... and install any code

"if you know other treats ... updates in main kernel"
The main part of Firefox ... the program and the libs, e.g. libnspr4.so, libssl3.so and many others

I would like a plugin, to alert Firefox -> write files in the system.
I can use lsof ... but lots of work

Thank you for your comments
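The rules discussed in this thread, run against constructed URLs as an added example (this is not code from NoScript, from ABE, or from any poster here). The two regexes are copied verbatim from the posts: barbaz's final rule (the version with "wss?") and ruy.benton's earlier draft with "gz|com". Everything else is an assumption made for the example: that a Site entry starting with "^" behaves like a JavaScript RegExp (NoScript is written in JavaScript), the sample URLs (placeholders, not the truncated links in the posts), the abeSeesRequest() helper (ABE filtering only HTTP(S) and ws/wss, per Thrawn's remark that FTP is out of scope), and the verdict() helper's model of "Deny INC" versus "Deny" as barbaz described it. Run it and the table shows three things the thread talks about: the regex does match an ftp:// URL, so FTP downloads get through only because ABE never sees the request; a trailing ".asc" or ".sig" after ".msi" or ".exe" is matched because of the "(?:[^0-9A-Za-z/].*)?$" tail; and ".com" inside a query value is matched, while ".com" as a directory name or in the host is not.

```javascript
// Added example: evaluate the thread's ABE "Site" regexes against sample URLs.
// Assumption: ABE applies a Site entry beginning with "^" as a JavaScript RegExp.

// barbaz's final rule (Sep 03, 2015), copied from the thread.
const FINAL_RE = /^(?:[0-9A-Za-z-]+tps?|wss?):\/\/[^\/:]+[\/:].*\.(?:exe|bat|dll|sh|dmg|cmd|cpl|lnk|pif|scr|vbs|vbe|vb|ws|wsc|wsf|msi|reg|jse|bas|chm|scf|sct|com)(?:[^0-9A-Za-z\/].*)?$/;

// ruy.benton's earlier draft (Sep 01, 2015), copied from the thread.
// No end anchor, so ".com" anywhere after the first "/" is enough to match.
const DRAFT_RE = /^(?:[0-9A-Za-z-]+tps?|wss):\/\/.*\/.*\.(?:gz|com)/;

// Assumption (not stated on the page): ABE only evaluates HTTP(S) and
// WebSocket requests; FTP and other schemes never reach it.
function abeSeesRequest(url) {
  return /^(?:https?|wss?):\/\//i.test(url);
}

// Assumption, modelled on barbaz's description: "Deny INC" blocks only
// inclusion-type loads (scripts, frames, objects, ...), while a bare "Deny"
// also blocks top-level navigation, i.e. a manual download.
function verdict(url, { verb = "Deny INC", inclusion = true } = {}) {
  if (!abeSeesRequest(url)) return "not-filtered"; // ABE never sees it
  if (!FINAL_RE.test(url)) return "allow";
  if (verb === "Deny") return "deny";
  return inclusion ? "deny" : "allow";
}

// Constructed sample URLs (placeholders, not the links quoted in the thread).
const SAMPLES = [
  "http://example.com/setup.exe",             // plain executable: match
  "http://example.com/setup.exe?token=1",     // query string after the ext: match
  "http://example.com:8080/app.dll",          // port: "[/:]" handles it: match
  "https://example.com/x64.msi.asc",          // PGP signature of an .msi: match
  "http://example.com/go?next=site.com",      // ".com" in a query value: match
  "http://example.com/dir.com/index.html",    // ".com" as a directory: no match
  "http://evil.exe.example.com/",             // ext only in the host: no match
  "http://example.com/index.html",            // ordinary page: no match
  "ftp://ftp.us.dell.com/network/tool.exe",   // regex matches, but ABE never sees FTP
];

// One row per URL: what each regex says and what the modelled rule would do.
function report(urls = SAMPLES) {
  return urls.map(u => ({
    url: u,
    finalRule: FINAL_RE.test(u),
    draftRule: DRAFT_RE.test(u),
    verdict: verdict(u),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(report());
}
```

Change the `verb` option to "Deny" to see the behaviour barbaz described for manual downloads: with "Deny INC" a top-level download (inclusion: false) is allowed, with "Deny" it is blocked.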
