I. Intro
The main topics in this section are as follows:
Antivirus: Things to keep in mind when using it in daily work to minimize the risk of exposing internal documents and sensitive info. Especially for those doing red teaming.
VirusTotal: The issue of misuse or misapplication leading to the potential for sensitive data exposure.
Windows firewall: Keep the configuration so you can stay off the hacker's radar, while also ensuring comfort and convenience in your work tasks.
This is the second part of a series of articles on basic OPSEC, providing you with basic security measures to turn your computer into a safe place to store personal files like photos and documents, and to stay safe on the Internet.
II. Main Part
In addition to worrying about data breaches, you also need to pay attention to the exposure of personal data through the use of software tools on a daily basis.
When discussing the issue of OPSEC, one cannot overlook antivirus and personal firewalls. These are two powerful and effective tools to help you stay safe from malware and ransomware attacks. However, if not used carefully, personal data may unintentionally be exposed.
1. Antivirus: A trusted tool with two faces
A. Antivirus vs Malware
If you analyze closely, you'll see that the functions of antivirus are pretty similar to the Command and Control (C2 or CnC) of malware.
C2 malware refers to malicious software that allows attackers to remotely control infected systems. The characteristic features of CnC malware include:
- Remote Control: Allows attackers to remotely control infected systems. After being installed, the antivirus completely takes control of your computer.
- Data Exfiltration: Capable of stealing sensitive data from compromised systems. Most antivirus programs have the functionality to upload sample files to their analysis servers.
- Botnet Management: Manages a network of infected computers (botnet) for coordinated attacks. Antivirus programs have the capability to deploy bulk updates and signature databases to installed machines.
- Payload Delivery: Delivers additional malicious payloads to infected systems.
- Stealth Techniques: Uses various methods to avoid detection and maintain persistence. Antivirus operates without any concealment, but at the kernel level. If malware operates at this level, it is referred to as a rootkit.
Although quite similar to each other, the purpose of antivirus software is to protect your computer, so in most cases, installing and using it is always prioritized. Don't search for "how to disable antivirus" right away, but instead look for ways to take full control of it.
The most significant risk and hassle arise when you have sensitive, private, or confidential internal documents. When antivirus programs perform a virus scan, these documents run the risk of being accidentally uploaded to the cloud servers of the antivirus software.
This becomes extremely dangerous when you are working with highly confidential documents, especially in government or military organizations, financial institutions, banks, and companies with proprietary secrets.
One of the most concrete examples is the scandal involving the leak of documents by an NSA employee. The individual managing the leaked data faced legal risks, while the antivirus company suffered damage to its business reputation. You can find more details at: NSA Data leak
Antivirus software might accidentally upload private or internal documents to cloud servers due to several reasons:
- Misconfiguration: Incorrect settings or configurations can lead to unintended uploads.
- Automatic Scanning: Some antivirus solutions automatically upload files for scanning without explicit user consent.
- Integration Issues: Integration with cloud services might not be properly managed, causing accidental uploads.
- Software Bugs: Bugs or glitches in the antivirus software can result in unintended behavior.
Especially when you are working on programming related to Windows API or red teaming, activating a virus scan is more likely to result in accidental file uploads.
When programming, using Windows APIs increases the likelihood that after compilation, your program will be scanned and analyzed by antivirus software. This is because malware also frequently utilizes Windows APIs to operate, particularly those related to Process, Thread, File I/O, Network I/O, and Registry.
When using red team software, which often consists of hacking tools, antivirus programs also closely monitor these files.
These issues not only pose a risk of data leakage but also hinder your work. For example, the program you just compiled may be deleted, and when running tests, it could be placed in a sandbox, leading to inaccurate results. When using tools for red teaming, they are often blocked, deleted, or sent to a sandbox.
B. Should you use antivirus software or not?
For the average user, your data is not overly sensitive and does not require a high level of confidentiality. For example, if you use your computer for content creation, filing taxes, paying bills, handling HR-related tasks, or gaming, you should use antivirus software. Keep in mind that antivirus providers also have an obligation to maintain a reasonable level of confidentiality for your data in the event that it is inadvertently uploaded to their servers.
For those working in red teaming, those who handle critically important data or have a high need for anonymity, and those handling intelligence, military, or government agency information, or data that is extremely sensitive for individuals and organizations, it is best not to use antivirus software. At the very least, disable features such as automatic virus scanning, automatic uploads and analysis through the cloud, and automatic submission of suspicious samples.
These considerations apply equally to Microsoft Windows Defender: depending on the privacy level and sensitivity of your data, you decide whether to enable or disable features such as automatic sample uploads and cloud analysis.
Microsoft Windows Defender, now known as Microsoft Defender Antivirus, is a built-in antivirus and anti-malware component of the Windows operating system. It provides real-time protection against various types of malware, including viruses, spyware, and ransomware.
One thing you should always keep in mind is to keep Windows Defender up to date.
Better still, use an endpoint antivirus solution in which the entire system is set up and controlled internally, without passing through third-party servers.
C. How to disable the Auto Upload file feature in Microsoft Windows Defender
You can disable these features of Windows Defender by following the steps below.
1. Open Windows Settings
2. In the Settings window, select "Privacy & security"
3. Next, select "Windows Security", then "Virus & threat protection". You can quickly open this window by typing "Virus" in the Windows search box.
4. In the Virus & threat protection settings section, click on "Manage settings"
5. In the new window that opens, scroll down a bit and you will see "Cloud-delivered protection" and "Automatic sample submission". You should turn off both of these features.
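The same two switches can be flipped and verified from an elevated PowerShell session using the built-in Defender cmdlets. This is an added example, not part of the original article; it changes nothing else about Defender.

```powershell
# Added example: disable Defender's cloud lookups and sample submission from
# PowerShell (Get-MpPreference / Set-MpPreference), with a before/after check.

function Show-DefenderCloudSettings {
    $p = Get-MpPreference
    # MAPSReporting:        0 = Disabled, 1 = Basic, 2 = Advanced  (cloud-delivered protection)
    # SubmitSamplesConsent: 0 = Always prompt, 1 = Send safe samples,
    #                       2 = Never send,    3 = Send all samples (automatic sample submission)
    [pscustomobject]@{
        CloudDeliveredProtection  = $p.MAPSReporting
        AutomaticSampleSubmission = $p.SubmitSamplesConsent
    }
}

Write-Host 'Before:'
Show-DefenderCloudSettings | Format-List

# Turn off cloud-delivered protection and never send samples.
# Real-time (local signature) protection stays enabled.
Set-MpPreference -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

Write-Host 'After:'
Show-DefenderCloudSettings | Format-List

# Never trust the change blindly: Tamper Protection or Group Policy can silently
# override it, so confirm the values actually took effect.
$after = Get-MpPreference
if ($after.MAPSReporting -ne 0 -or $after.SubmitSamplesConsent -ne 2) {
    Write-Warning 'Settings did not apply. Check Tamper Protection and Group Policy for overrides.'
}
```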
2. Always keep a firm grip on the reins when using VirusTotal: Data leak
A. The risks associated with VirusTotal
VirusTotal is a free online service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malware. It aggregates many antivirus engines and tools to provide a comprehensive report on the safety of a file or website. Users can upload files or enter URLs to see if they are flagged as malicious by any of the integrated security tools. It is widely used by security professionals and researchers to quickly assess potential threats.
VirusTotal is a valuable tool for scanning suspicious files, but it does not perform a traditional local virus scan. Instead, it shares uploaded files with multiple security vendors and with other businesses using its premium services. This means your private or sensitive information could potentially be exposed.
Like other major tech companies, even VirusTotal has suffered from accidental data exposure. The company's own personnel accidentally uploaded a file containing customer information to the VirusTotal platform, exposing that information to customers of the platform. You can learn more at the following link: VirusTotal data leak
Companies and organizations often mistakenly use it as a substitute for antivirus, a usage that unwittingly exposes data ranging from factory blueprints to intellectual property online. More info
Risks Associated with Automatic Uploads to VirusTotal:
- Privacy Concerns: Sensitive or confidential files may be exposed to third parties. VirusTotal shares uploaded files with over 80 different security vendors and potentially with businesses using its paid services.
- Data Retention: Once uploaded, files may be retained indefinitely and used for research or shared within the security community.
- Legal and Compliance Issues: Uploading certain data could violate privacy regulations or corporate policies.
B. Use it the right way
VirusTotal best practices:
- Manual Review: Manually review files before uploading to ensure no sensitive information is included.
- Configuration: Carefully configure the settings to limit automatic uploads or select specific file types.
- Anonymization: Where possible, anonymize data to remove personally identifiable information before uploading.
Especially for those who work in red teaming, you should always remember that VirusTotal retains information about who uploaded a file, from where, and when. Therefore, it is best to steer clear of it when using red team software.
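One way to apply the "review before upload" advice is to not upload at all: hash the file locally and ask VirusTotal only about the hash, so the file contents never leave your machine. This is an added example, not part of the original article; it assumes a VirusTotal API key in an environment variable named VT_API_KEY (placeholder name) and uses the public v3 file-report endpoint.

```powershell
# Added example: look up a file on VirusTotal by SHA-256 only. Only the
# 64-character hex digest is sent; the file itself is never transmitted.
# Note: even a hash query records who asked about which hash, and when.

function Get-VTReportByHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ApiKey = $env:VT_API_KEY   # placeholder variable name
    )
    if (-not $ApiKey) { throw 'No API key. Set VT_API_KEY before running.' }

    # Hash computed locally.
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    $uri = "https://www.virustotal.com/api/v3/files/$sha256"

    try {
        $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ 'x-apikey' = $ApiKey }
    } catch {
        # 404 = VirusTotal has never seen this hash. Do NOT fall back to uploading:
        # an unknown hash (internal build, confidential document) is exactly the
        # case where an upload would be a leak.
        if ($_.Exception.Response.StatusCode -eq 404) {
            return [pscustomobject]@{ Sha256 = $sha256; Known = $false }
        }
        throw
    }

    $stats = $resp.data.attributes.last_analysis_stats
    [pscustomobject]@{
        Sha256     = $sha256
        Known      = $true
        Malicious  = $stats.malicious
        Suspicious = $stats.suspicious
        Harmless   = $stats.harmless
        Undetected = $stats.undetected
    }
}

# Example use (the path is a placeholder).
Get-VTReportByHash -Path 'C:\path\to\suspicious.exe' | Format-List
```

A Known = $false result simply means nobody has submitted that exact file; treat it as "no information", not as "clean".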
3. Windows Firewall, the barrier for your data stronghold.
A. You should use a personal firewall!
Although this section's topic is about personal firewalls, I will focus on the built-in Windows Firewall.
Windows Firewall is a security feature that helps protect your device by filtering network traffic that enters and exits your device. Some key functions:
- Network Traffic Filtering: It filters traffic based on criteria like IP addresses, protocols, and port numbers.
- Inbound and Outbound Control: You can configure it to block or allow traffic based on the services and applications installed on your device.
- Protection Against Threats: It helps reduce the risk of network security threats by blocking the network connections that viruses, ransomware, and other malicious software rely on.
- Data Protection: Integrates with IPsec to enforce authenticated, end-to-end network communications, protecting sensitive data.
- Network Profile Management: Applies different security settings based on the network type (e.g., public or private).
If you are wondering whether to use a firewall in general or Windows Firewall specifically, the answer is definitely yes. The more pressing issue is the question of how to use them effectively.
Regardless of the personal firewall in use, the principle should adhere to the standards of a whitelist firewall rule. This means that only what is explicitly allowed can pass through, while everything else will be completely blocked. This helps ensure that certain covert activities that are not on your radar cannot establish a connection.
B. The way Windows Firewall handles: Public vs Private network
Understanding the differences between public and private networks can help you configure your device for better security and functionality:
Public Network:
- Visibility: Your device is hidden from other devices on the network.
- Security: More restrictive settings to prevent unauthorized access and threats. Network discovery and file sharing are typically disabled.
- Location: Public places such as cafes, airports, and hotels.
Private Network:
- Visibility: Your device is visible to other trusted devices on the network.
- Security: Less restrictive settings to facilitate easier communication and resource sharing. Network discovery and file sharing are typically enabled.
- Location: Your home or workplace.
Windows Firewall has three main profiles: Public, Private, and Domain. However, in this article, we will focus solely on Public and Private profiles.
Public Profile:
- Network Discovery: Disabled by default to prevent your computer from being visible to other devices on the network.
- File and Printer Sharing: Disabled by default to enhance security.
- Firewall Rules: More restrictive to protect against potential threats from untrusted networks, such as public Wi-Fi hotspots.
Private Profile:
- Network Discovery: Enabled by default to allow your computer to be visible to other devices on the network.
- File and Printer Sharing: Enabled by default to facilitate sharing within a trusted network, such as your home or workplace.
- Firewall Rules: Less restrictive compared to the Public profile, allowing more network traffic for easier communication within trusted networks.
The public profile is always more restrictive than the private profile. Therefore, you should always prioritize selecting it, especially when you are unsure which profile to choose.
But better than anything is to adjust the default firewall access list to block everything first, and then add individual whitelist firewall rules for the programs you agree to allow connections.
C. How to change the Windows Firewall profile to Public profile
Simply changing the profile of the network connection will automatically switch the Windows firewall profile to the corresponding mode.
Assuming I am using the Private profile as follows.
[Figure: Windows Firewall Private Profile]
Open PowerShell with Administrator privileges. Then run the command "Get-NetConnectionProfile"
[Figure: Get-NetConnectionProfile output]
Pay attention to the "Name" field. This is the name of the network whose profile you want to change. Currently, mine is "Network 2". After identifying the network that needs to be changed, note the value of its "InterfaceAlias" field.
Then run the following command, with InterfaceAlias set to the value you just noted:
Set-NetConnectionProfile -InterfaceAlias "NetworkInterfaceName" -NetworkCategory Public
After successfully executing the command, if you check again, the Windows Firewall should now be set to the Public profile.
[Figure: Windows Firewall Public Profile]
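The profile switch above and the whitelist model from section A (block everything by default, then allow named programs) can be done together from an elevated PowerShell session. This is an added example, not part of the original article; the browser path is a placeholder, and the DNS and DHCP rules are the minimum needed for the machine to keep working after outbound traffic is denied by default.

```powershell
# Added example: Public profile + default-deny whitelist firewall.

# 1. Move every current network connection to the Public profile.
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public

# 2. Default-deny on all three profiles, not just the active one, so a later
#    profile change does not silently reopen everything.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 3. Minimum outbound whitelist. DNS and DHCP clients run inside svchost.exe,
#    so each rule is tied to the specific service, not just the binary.
$svchost = "$env:SystemRoot\System32\svchost.exe"

New-NetFirewallRule -DisplayName 'OPSEC allow DNS client' -Direction Outbound `
    -Program $svchost -Service Dnscache -Protocol UDP -RemotePort 53 -Action Allow

New-NetFirewallRule -DisplayName 'OPSEC allow DHCP client' -Direction Outbound `
    -Program $svchost -Service Dhcp -Protocol UDP -RemotePort 67 -Action Allow

# 4. One explicitly allowed application (placeholder path; adjust to your browser).
New-NetFirewallRule -DisplayName 'OPSEC allow browser' -Direction Outbound `
    -Program 'C:\Program Files\Mozilla Firefox\firefox.exe' `
    -Protocol TCP -RemotePort 80,443 -Action Allow

# 5. Verify: each profile should show Block/Block, and the allow list should
#    contain only the programs you consciously approved.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'OPSEC allow *' -Enabled True |
    Get-NetFirewallApplicationFilter | Select-Object Program
```

With outbound default-deny, anything not listed (Windows Update, Defender signature updates, mail clients) fails until you add a rule for it, which is the point: every new connection becomes a deliberate decision.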
III. Conclusion
When building an OPSEC checklist, antivirus and personal firewall are always the first bullet points.
For antivirus, you should install and use one for your computer, or simply keep Windows Defender running. Depending on the importance of the data and its privacy level, you can disable features such as automatic sample uploads and cloud analysis. In more restricted environments, you may choose to completely disable these functions.
The optimal solution is an endpoint-model antivirus with servers located internally and tight control over those servers' connections.
When using VirusTotal, you should avoid using software that automatically uploads samples to this system. Before uploading any file, you should review it to check for any sensitive information it may contain.
You should always keep your personal firewall active. Always maintain the firewall access list according to the whitelist model. Adhere to the principle: block everything by default, allowing only what is explicitly permitted to pass through.
When using Windows Firewall, if possible, you should always prioritize selecting the Public profile.
After this article, I hope you have gained a better understanding of how to use antivirus and personal firewalls in accordance with your work needs. Most importantly, I hope you have learned some more basic security measures to help protect sensitive files and stay safe on the Internet.