Alan_B Posted October 4, 2011

I reserve for "unknown" files the folder E:\Guest-2-Host\
The contents of which I may wish to use after ensuring freedom from infection.

I have used CACLS on XP Home to relax access control in my favour.
I am not familiar with ICACLS in Windows 7 Ultimate and would like advice on restricting danger by malware within E:\Guest-2-Host\
I envisage applying access restrictions to the folder that will be inherited by all its contents whilst they reside inside.

My desktop uses Windows 7 Ultimate x64 and is running VirtualBox.
The Guest contained by VirtualBox could be identical to the Host if based on yesterday's Macrium image backup, or a non-identical Windows 7 or Windows XP.

The Guest will be given "FULL" access to the shared folder V:\ so that it can place files in E:\Guest-2-Host\, subject to Desktop creation of V:\ by
SUBST V: E:\Guest-2-Host

Normally I will NOT create V:\ and "what happens in Guest stays in Guest" and never gets home to Host.
When I want to use the Guest to provide files for the Host I will first create V:\, and that opens the door for Guest Malware to enter the Host.

Access Controls are to be applied by the Desktop/Host and should prevent execution, both by the Guest/malware and also by Host/me having a clicking accident.
Both Guest and Host should have Write and Delete access.
The Host must have read and copy access, but the Guest has no such need.

There seem to be several dozen flavours of access and rights and grants/denials and Explicit\Inherited.
I would appreciate advice on how to "lock down" potential malware as tightly as possible.

N.B. If the Desktop/Host needs "execute" or some other blocked access I expect to :-
confirm freedom from infection whilst within E:\Guest-2-Host\, and then
move/copy the file to a different folder with full inherited permissions.

Regards
Alan

hazelnut (Moderators) Posted October 5, 2011

Is this thread of any use to you Alan?
http://www.wilderssecurity.com/showthread.php?t=289165
Spread over a year with lots of good info.

Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com

Alan_B (Author) Posted October 5, 2011

Thanks, but I was hoping to have my ICACLS homework done for me.

That article starts with RUNASIL, and CMD.EXE gave no help with the DOS command "Runasil /?"
So I googled and found I have to download and install it - it is not part of Windows 7 installation.
It also appears to regulate WHAT a process or application can do, but not WHERE, whilst I require both the Guest Operating System and the Host O.S. to have standard capabilities within their own boundaries, BUT for both to be totally disarmed from all offensive capability in the "shared folder", which is my "border zone quarantine area" where neither may activate or launch any executable or cause any damage.

I do not mind if the Guest gets infected whilst I use it for things I will not risk on my real Desktop, and I do not mind if the Guest should deposit malware in the "Shared Folder", but whatever enters must never be launched/activated/armed whilst in there.
After closing down the Guest then the Desktop can do a malware scan on the shared folder, and then I can either copy or move selected files to another folder or drive which does permit execution.

The other tool I saw was CHML - something else to download.
There was this link
http://www.minasi.com/apps/
That seems to be applicable to Folders and possibly my needs.
It had several references to
No execute up: disabled
but never explained that phrase - is it the opposite of "Yes execute Down" ! !

I Googled "No Execute" and found that can be a nono with VMWare
http://communities.v...message/1536440
http://communities.v...m/thread/212895
I guess it could also be a problem with VirtualBox.

That search also gave me
http://blog.zeltser....rotection-files
"Since by default Windows launches processes under the Medium integrity level, user-mode malware running on the victim’s host will be prevented from accessing the file that was assigned the High integrity level."

That leaves me concerned that malware can elevate itself (I can read even what I do not understand), so can malware get launched with High Integrity Level?

CACLS I have used and can probably protect the shared folder.
ICACLS has more options to confuse me.
I think both have explicit grant and explicit deny capability.
CHML seems to be very much simpler to configure but I am concerned about whether some extra "explicit denials" would make me safer.

Regards
Alan
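
What the requirement in Alan's two posts (write and delete allowed, nothing launchable from E:\Guest-2-Host\) can look like with ICACLS, as an added example that is not part of any post in this thread. It assumes an elevated PowerShell prompt on the Host and an NTFS volume; the probe file name is made up for the check.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the Host.
$Quarantine = 'E:\Guest-2-Host'                 # folder named in the thread

# Explicit deny of execute for Everyone (well-known SID S-1-1-0).
# (OI)(IO) = object-inherit, inherit-only: the ACE is inherited by files at
# every depth but does not apply to the folders themselves, so browsing and
# traversing the tree still works. Existing grants for write, delete and read
# are left exactly as they are; an explicit deny takes precedence over them.
icacls $Quarantine /deny '*S-1-1-0:(OI)(IO)(X)'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Display the resulting ACL for review.
icacls $Quarantine

# Probe: copy a harmless system binary in under a made-up name and try to
# start it. Copy-Item creates a new file, so it picks up the inherited ACE,
# the same way a file newly written through the shared folder would.
$Probe = Join-Path $Quarantine 'acl-probe.exe'  # hypothetical file name
Copy-Item (Join-Path $env:SystemRoot 'System32\whoami.exe') $Probe
try {
    & $Probe | Out-Null
    Write-Warning 'Probe ran: execute is NOT blocked in this folder.'
} catch {
    Write-Output "Probe blocked as intended: $($_.Exception.Message)"
} finally {
    Remove-Item $Probe -Force                   # delete is not affected by the deny
}

# When releasing a scanned file, copy it out rather than moving it: a file
# moved within the same volume keeps the ACEs it already carries, while a
# copy takes the permissions of the destination folder.
```

The ACE only stops Windows from loading a file in this folder as a program; a script or document stored there can still be read by an interpreter or viewer started from elsewhere. To undo the change, run `icacls E:\Guest-2-Host /remove:d *S-1-1-0`.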

Corona Posted October 6, 2011

This thread warms the CACLS of my heart.