I was wondering what some of the best programs for default-deny protection are. I already use VS; is there anything else I should use along with it?
OSA is very similar to SRP. Most of the OSA protection is prevention based on attack surface reduction kinda similar to SRP and Windows Policies. Furthermore, OSA (like SRP, Applocker, etc.) will not prevent most techniques used by PE executables (if EXEs are allowed to run).
I would not use the term "detect" in the case of OSA, because OSA cannot see if something is malicious or not.
Of course one can use the "detect" term for many things. But this will usually be somewhat misleading (without additional comment). For example, SRP configured by H_C (or SWH) can "detect" in a similar way (several SRP rules) that the script is going to be run directly from the ZIP archive (like in the Sodinokibi analysis).
Taken from a Sodinokibi ransomware analysis site:
If I'm not mistaken, OSA should "detect" this suspicious looking action as long as the relevant Protection is enabled and alert to it before SRP kicks in.
I know....
I'm nervously posting this as I know you are a technical "heavyweight", Andy, but I'm certainly not trying to debate with you. Only offering my rationale for combining OSA with SRP as best I can.
Many OSA rules can be compared to Defender ASR rules (similar idea). OSA can monitor more system events than SRP and often uses more complex event patterns. Of course, OSA has got many more rules as compared to the Defender ASR rules.
For me the answer is only one - SpyShelter... if you really want to cooperate with such a "talking head".
You cannot use it on Windows 10 64-bit without disabling an important Windows security feature (driver signature enforcement), because the driver is not signed.
Seems the last update was 13 days ago to Tuersteher (Bouncer). GitHub: hazelfazel/tuersteher
I am not sure if SpyShelter can be used as a true default-deny. Can you configure it to block all scripts/scriptlets except for some locations like Windows, Program Files, etc.?
Here is its page: www.spyshelter.com
and on the MT forum you can find some useful topics about SS.
SpyShelter looks interesting. I see in your guide you suggest the Restricted Apps Module is most important to you. It seems to me to be a Windows version of AppArmor, without the ultra-granular control AppArmor provides, allowing selected programs to do only what they're supposed to do (or as determined by the user), and no more.
Yes, it is a HIPS - you can exclude files/folders. There is also Application Execution Control in the SpyShelter Firewall.
If you allow cmd.exe to do something, then you allow it to do everything permanently. SpyShelter is a HIPS. It is not a granular SRP solution.
In the right hands, SpyShelter will outperform any other security software on the market.
Keep it, if it works for you. Adding more protection is not necessary....
That being said, for the average user looking to use Default Deny protection, what program do you gurus think would provide the most information to an average user so he or she could make an informed decision as to whether to Allow or Deny a particular software from installing and/or executing without being too complicated to use?
For example, I am currently using VSFree, and when it pops a message that it is blocking a file, if I do not recognize the file name, I wait for the analysis to complete. In this case, VS replies "safe", and then I allow the file to run such as an installer of a program that I just downloaded.
Yes, excluding the files/folders in SpyShelter is different from whitelisting in SRP. The exclusions are often related to the actions performed by the restricted application on files/folders, etc. Anyway, all of this is far away from default-deny SRP....
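To make the difference between a HIPS exclusion and default-deny whitelisting concrete, here is a toy path-based launch policy. This is an added illustration written for this thread; it is not the rule set of SRP, H_C, SWH, OSA or SpyShelter, and the rules, folders and sample launch events in it are constructed. It applies the idea from the thread: only executables and scripts under Windows and Program Files get an allow rule, user-writable spots inside those trees are denied first, and everything else falls through to the default deny. It also flags the case mentioned above, a script run straight out of a ZIP opened in Explorer, using the temporary extraction folder pattern Explorer is known to use (assumed here; verify on your own build).

```python
"""Toy default-deny launch policy in the spirit of SRP path rules.

Constructed example for this thread. The rules, folders and sample events
are made up and are not the real configuration of any product named here.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# File types the toy policy treats as "executable or script".
CHECKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".wsf", ".ps1", ".hta",
}

# Ordered rules: first match wins. Anything that matches no rule is denied.
# (pattern, verdict, reason) -- constructed for this example.
RULES = [
    # User-writable folders inside otherwise-trusted trees are denied first,
    # otherwise the broad "C:\Windows\*" allow below would cover them.
    ("C:\\Windows\\Temp\\*", "deny", "user-writable folder inside Windows"),
    ("C:\\Windows\\Tasks\\*", "deny", "user-writable folder inside Windows"),
    ("C:\\Program Files\\*", "allow", "installed software"),
    ("C:\\Program Files (x86)\\*", "allow", "installed software"),
    ("C:\\Windows\\*", "allow", "OS binaries"),
]

# Assumed pattern of the folder Explorer uses when an item inside a ZIP is
# opened directly: %TEMP%\Temp1_<archive>.zip\  (verify on your build).
ZIP_EXTRACT_PATTERN = "*\\temp\\temp1_*.zip\\*"


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    note: str = ""


def evaluate(path: str) -> Verdict:
    """Return the policy verdict for one launch of `path`."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in CHECKED_EXTENSIONS:
        # Non-executable data files are outside the policy's scope.
        return Verdict(True, "not an executable/script type")
    norm = str(p).lower()  # Windows paths compare case-insensitively
    note = ""
    if fnmatchcase(norm, ZIP_EXTRACT_PATTERN):
        note = "launched from a ZIP opened in Explorer"
    for pattern, verdict, reason in RULES:
        if fnmatchcase(norm, pattern.lower()):
            return Verdict(verdict == "allow", reason, note)
    # No allow rule matched: this is the default-deny part.
    return Verdict(False, "no allow rule matched (default deny)", note)


def audit(paths):
    """Evaluate a batch of launches; returns a list of (path, verdict)."""
    return [(path, evaluate(path)) for path in paths]


# Constructed sample launch events, not real telemetry.
SAMPLE_LAUNCHES = [
    "C:\\Windows\\System32\\cmd.exe",
    "C:\\Windows\\Temp\\update.exe",
    "C:\\Program Files\\Vendor\\app.exe",
    "C:\\Users\\bob\\Downloads\\setup.exe",
    "C:\\Users\\bob\\AppData\\Local\\Temp\\Temp1_invoice.zip\\invoice.js",
    "C:\\Users\\bob\\Downloads\\readme.txt",
]

if __name__ == "__main__":
    for path, v in audit(SAMPLE_LAUNCHES):
        state = "ALLOW" if v.allowed else "DENY "
        extra = f" [{v.note}]" if v.note else ""
        print(f"{state} {path}: {v.reason}{extra}")
```

The point the code makes is the one Andy makes in words: a HIPS exclusion says "this program may do these things", while an SRP-style whitelist says "nothing runs unless its location is on the list", so an unknown installer in Downloads or a script unpacked from a ZIP never needs the user to answer an alert. Rule order matters; the deny entries for writable subfolders must sit above the broad allow for the Windows tree.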
You can whitelist a folder, but the files within that folder may or may not be auto-allowed, depending upon the executing process rule.
Create new process
Access data of other processes
Control other processes and threads
Send message to other processes
Load kernel drivers
Access kernel memory/objects
Access physical memory
Access physical disk
Access keyboard in low level
Access registry in low level
Install message/event hooks
Set system time
Shutdown windows
All of that can be eliminated by just not creating any allow rules for LOLBins and unknown processes. With that SS config, there are few alerts.
Then again, how many users know that they are supposed to select the Terminate button in the SS alert as opposed to the Block button for unknown processes? Or that they should block even a trusted Windows process from injecting into a browser session? Ad infinitum.
Good security requires knowledge. Security is not software. Software shall never ever, like ever, provide anything beyond a basic level of security. Security is a process with a high cost. But hoomans mess that all up. The user is always the problem. That is why any software that requires a typical user to respond to any alert and make a decision is an epic fail.