XPE Security - virus and hacker attacks


Carl Johan Jensen

Hello !

When my XPE system is delivered, it will "live alone" so no-one will update
virus checkers or update the XPE system when new viruses emerge.
How can I make sure that my XPE system, hanging on a network connected to the
internet, is robust against virus and
hacker activity?

I am using the EWF with FLASH. Does the write protection help in preventing
virus infections?

How can I remove the Internet Explorer application and the mail systems?
(It seems like they are unremovable - although I remove the components from
my design, the applications are still found in my image)

brgds

Carl Johan Jensen
 

KM

Carl,

> When my XPE system is delivered, it will "live alone" so no-one will update
> virus checkers or update the XPE system when new viruses emerge.
> How can I make sure that my XPE system hanging on a network connected to the
> internet, is robust against virus and hacker activity ?

Nobody can guarantee you that a system on an open network is robust enough, especially considering the fact that new viruses, worms
and malicious software appear each day.
Having an updatable virus DB always helps and is the best choice since you can rely on an expert source for checking your system daily
(weekly, monthly, etc.).

> I am using the EWF with FLASH. Does the write protection help preventing virus infections ?

A bit. Consider these negative facts:
- there may be viruses out there that know how to disable/commit EWF
- some viruses may change the MBR (or unprotected partition data) and therefore easily pass around EWF
- there are many viruses out there that do not require a client machine reboot, and your system gets infected each time you launch
the OS (some of our customers suffered from this)

> How can I remove the Internet explorer application and the mail systems ?

Why not? This is a componentized OS.

> (It seems like they are unremovable - although I remove the components from
> my design, the applications is still found in my image)

Check if the "Auto-Resolve Dependencies" option is turned off in TD.
 

JC

Konstantin,

Great ideas... The other thought that comes to mind is a 3rd party
intrusion detection system. There are tools out there that can "stand
alone" and help against several of the more nasty network-borne viruses...
Contact me offline, and I can make some suggestions.

Regards,
JC

--
JC- BSquare Corp.
If you wish to reply directly to me, remove the <nospam_ > from the address.


 

KM

JC,

Yes, this is true and there are some good intrusion detection systems. You can also (and this would be advised) build in and turn on
a firewall (not only MS ICF, but there are some good firewalls available for XP/XPe), close as many network ports as possible,
etc.

Although, I believe, the best standalone protection system would be "your own" (non-public) implementation. E.g., replacing the TCP/IP
stack, having some encryption in your custom protocol implementations, etc.

But hackers' minds are not stuck. Any system could be broken (intentionally, or with a virus). So, only consistent system monitoring
and keeping up to date is an "absolute" choice (if there is such a thing).

Anyway.. I am not a security expert so I don't talk about Windows security here :)
 

JC

I hear ya... I actually meant this reply for Carl... Sorry about that.
JC

--
JC- BSquare Corp.
If you wish to reply directly to me, remove the <nospam_ > from the address.
 

Doug G

I just recently had this type of problem. My system uses EWF so that it
cannot itself become infected. However, due to a known issue with lsass.exe,
it was possible for an infected system on the network to periodically attack
the XPE system, causing it to reboot. Again, the XPE system was not infected
with the worm, but obviously the customer was upset about the continual
reboots.

I don't know of any ultimate solution except applying QFEs to the
distributed image and updating them in the field as applicable, as well as
telling the customer to clean up his network.

Doug Gordon
 

Andy Allred [MS]

The story should be along the lines of "update your device" and "lock
it down". Updating can be either via our solution (Device Update Agent)
or any other 3rd party solution. Locking it down should include
deploying images with either the Windows Firewall (wait 'till you see
the SP2 component and its config UI) or a 3rd party firewall solution.

Check out this componentized solution from Sygate for XPe devices
regarding protecting and managing:
http://www.sygate.com/solutions/xpe-solutions.php
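The "lock it down" half of the advice above, scripted so the same firewall policy ships in every image. This is an added example, not code from the thread or from Microsoft; it assumes the XP SP2 Windows Firewall component is in the image and that TCP 80 (a hypothetical device web UI) is the only inbound service the device must expose.

```batch
@echo off
rem Added example (not from the thread or from Microsoft): lock down an XPe SP2
rem device with the built-in Windows Firewall from a script so that the same
rem settings ship in every image. Assumptions: the SP2 Windows Firewall
rem component is in the image, and TCP 80 (a hypothetical device web UI) is the
rem only inbound service the device has to expose.

rem 1. Firewall on for every profile. Exceptions stay ENABLEd so that the one
rem    port opening below is honoured; exceptions=DISABLE would block it too.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Drop the built-in service exceptions. FILEANDPRINT is the one that
rem    opens TCP 445, the port the LSASS worm traffic in this thread arrives on.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

rem 3. Re-open only what the device needs, and only from the local subnet.
netsh firewall add portopening protocol=TCP port=80 name="Device web UI" mode=ENABLE scope=SUBNET profile=ALL

rem 4. No pop-ups on a headless device; do log dropped packets for later forensics.
netsh firewall set notifications mode=DISABLE profile=ALL
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem 5. Print the resulting policy so the build log shows what actually shipped.
netsh firewall show config
```

Run it during image build (before EWF is enabled) or push it with DUA. Note that on an EWF-protected volume the dropped-packet log is written to the overlay and vanishes at reboot, so point `filelocation` at an unprotected partition if you want to read it after the customer complains about reboots.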
 

Doug Hoeffel

Doug G:

Sasser generates traffic on TCP ports 445, 5554 and 9996. Do you need these
inbound ports open? If not, then implement TCP/IP port filtering now. This
can be scripted via WMI and deployed to your boxes in the field.

Most of these issues can be avoided by locking down your box even without
the QFEs. Of course, you could certainly apply these QFEs via DUA or
rebuild your image with the QFEs added to your component database.

I'm beginning to sound like a broken record... run Retina
(http://www.eeye.com/html/Products/Retina/index.html) and you will certainly
see what you are vulnerable to. Most of what Retina finds can be easily
resolved.

HTH... Doug H.
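The WMI-scripted TCP/IP port filtering Doug H. describes, as an added example that is not part of the thread. It uses the `Win32_NetworkAdapterConfiguration` class's `EnableIPFiltering` and `EnableIPSec` methods (the pre-SP2 "permit only" filter) and assumes the device needs inbound TCP 80 only (a hypothetical web UI); the Sasser ports 445, 5554 and 9996 are refused simply because they are not on the list.

```vbscript
' Added example (not from the thread): "permit-only" TCP/IP filtering via WMI,
' the pre-SP2 mechanism Doug H. refers to, so that the Sasser ports (445, 5554,
' 9996) and everything else not on the list are refused inbound.
' Assumptions: the device needs inbound TCP 80 only (a hypothetical web UI);
' run with "cscript lockdown.vbs" under an administrator account.
Option Explicit

' Permit lists. "0" = permit all, an empty array = permit none, otherwise only
' the listed ports/protocols are accepted. UDP and IP protocols are left open:
' a UDP permit-only list also drops DNS/DHCP replies, which arrive on ephemeral ports.
Dim permitTCP, permitUDP, permitIP
permitTCP = Array("80")
permitUDP = Array("0")
permitIP  = Array("0")

Dim wmi, cfgClass, cfg, rc
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' 1. Switch TCP/IP filtering on globally (static method on the WMI class).
Set cfgClass = wmi.Get("Win32_NetworkAdapterConfiguration")
rc = cfgClass.EnableIPFiltering(True)
WScript.Echo "EnableIPFiltering: " & rc

' 2. Apply the permit lists on every IP-enabled adapter.
'    0 = applied, 1 = applied but a reboot is required, anything else = failed.
For Each cfg In wmi.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE")
    rc = cfg.EnableIPSec(permitTCP, permitUDP, permitIP)
    WScript.Echo cfg.Description & ": EnableIPSec " & rc
    If rc > 1 Then WScript.Echo "  WARNING: filter not applied on this adapter"
Next

' 3. Read the policy back so a field script can verify what it changed.
For Each cfg In wmi.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE")
    If IsNull(cfg.IPSecPermitTCPPorts) Then
        WScript.Echo cfg.Description & ": no TCP permit list"
    Else
        WScript.Echo cfg.Description & ": filtering=" & cfg.IPFilterSecurityEnabled & _
                     " TCP permit list=" & Join(cfg.IPSecPermitTCPPorts, ",")
    End If
Next
```

The filter lives in the registry and takes effect after a reboot. On an EWF-protected system volume the registry write lands in the overlay and is discarded at that reboot, so either run this at image build time or commit the overlay (`ewfmgr C: -commit`) before restarting. TCP/IP filtering has no per-interface scope and no logging, so confirm the result with a Retina scan as suggested above.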
 