Basic Appguard Configuration question


shmu26

Thread author
If I use the default policy, plus I add c:\*powershell* and c:\*script.exe to user space, and set them to "yes", are there any other potentially malicious file types that a user could click on and run?
I am not asking about Office macros and browser exploits etc., I am just asking about clickable files that could pose a security risk.
PowerShell is unticked in power apps, so that the user space list will be enforced.
 

509322

If I use the default policy, plus I add c:\*powershell* and c:\*script.exe to user space, and set them to "yes", are there any other potentially malicious file types that a user could click on and run?
I am not asking about Office macros and browser exploits etc., I am just asking about clickable files that could pose a security risk.
PowerShell is unticked in power apps, so that the user space list will be enforced.

The default policy covers the most commonly encountered stuff.

How paranoid are you? Or, how paranoid of a configuration do you want? How much do you want to block?

Block *bitsadmin* if you are worried about malicious shortcut (*.lnk) files. It's deprecated, but it is still on your system. Malicious shortcuts can also call interpreters. Block hh.exe because of .chm files, but a malicious .chm will usually just call wscript or cscript to download other malicious files from the internet so you're already covered with the C:\*script.exe policy. We can sit here and make a long list of potentially abused file types. The vast majority of stuff is blocked by disabling interpreters and the user space policies. For a second opinion on this general concept you can ask @Andy Ful.

My best advice, the best course of action, is to install AppGuard and soon after just bite the bullet and configure it hard-core one time. What you're doing, really, is protecting against cmd.exe and many exploits. Beyond this initial configuration it is just maintenance and disabling stuff temporarily when you need it. Then back up the XML. Ask @Umbra.

After you get that worked out - instead of fiddling around with security softs, their bugs and the problems they cause on your system, you can focus on learning about malware. You focus on security knowledge instead of the damn tools to protect your system.

Whatever you do, you should use what you like and stick with it.
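An added coverage check, not from the thread or from AppGuard itself, for the wildcard entries discussed above. It assumes AppGuard-style patterns match case-insensitively and that `*` spans directory separators (that is what `c:\*script.exe` catching both wscript.exe and cscript.exe implies); the sample paths are constructed and the binaries are only the ones named in this thread.

```python
import fnmatch

# User-space patterns quoted in the question, plus the two additions the reply
# suggests. Matching semantics below are an assumption about AppGuard, not
# taken from its documentation.
THREAD_POLICY = [r"c:\*powershell*", r"c:\*script.exe"]
EXTRA_POLICY = [r"*bitsadmin*", r"*hh.exe"]

# Interpreters/helpers named in the thread, with constructed sample locations.
INTERPRETERS = {
    "powershell.exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "powershell_ise.exe": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "wscript.exe": r"C:\Windows\System32\wscript.exe",
    "cscript.exe": r"C:\Windows\SysWOW64\cscript.exe",
    "bitsadmin.exe": r"C:\Windows\System32\bitsadmin.exe",
    "hh.exe": r"C:\Windows\hh.exe",
}


def matches(pattern: str, path: str) -> bool:
    """Case-insensitive wildcard match; fnmatch's '*' also crosses backslashes.

    Note how broad this makes 'c:\\*powershell*': it matches anything whose
    full path contains 'powershell', including the WindowsPowerShell folder.
    """
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def coverage(policy, targets=INTERPRETERS):
    """Map each target name to the list of policy patterns that match its path."""
    return {name: [p for p in policy if matches(p, path)]
            for name, path in targets.items()}


def uncovered(policy, targets=INTERPRETERS):
    """Target names that no pattern in the policy matches, sorted."""
    return sorted(n for n, hits in coverage(policy, targets).items() if not hits)


if __name__ == "__main__":
    for label, pol in (("thread policy", THREAD_POLICY),
                       ("with additions", THREAD_POLICY + EXTRA_POLICY)):
        print(f"{label}: uncovered = {uncovered(pol)}")
```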
 

shmu26

Thread author
The default policy covers the most commonly encountered stuff.

How paranoid are you? Or, how paranoid of a configuration do you want? How much do you want to block?

Block *bitsadmin* if you are worried about malicious shortcut (*.lnk) files. It's deprecated, but it is still on your system. Malicious shortcuts can also call interpreters. Block hh.exe because of .chm files, but a malicious .chm will usually just call wscript or cscript to download other malicious files from the internet so you're already covered with the C:\*script.exe policy. We can sit here and make a long list of potentially abused file types. The vast majority of stuff is blocked by disabling interpreters and the user space policies. For a second opinion on this general concept you can ask @Andy Ful.

My best advice, the best course of action, is to install AppGuard and soon after just bite the bullet and configure it hard-core one time. What you're doing, really, is protecting against cmd.exe and many exploits. Beyond this initial configuration it is just maintenance and disabling stuff temporarily when you need it. Then back up the XML. Ask @Umbra.

After you get that worked out - instead of fiddling around with security softs, their bugs and the problems they cause on your system, you can focus on learning about malware. You focus on security knowledge instead of the damn tools to protect your system.

Whatever you do, you should use what you like and stick with it.
Thanks. I didn't know that bitsadmin worked that way.
I am looking in Windows default apps "by file type," and I don't even see .lnk in the list. Doesn't that mean it is not clickable as a file?
 

509322

Thanks. I didn't know that bitsadmin worked that way.
I am looking in Windows default apps "by file type," and I don't even see .lnk in the list. Doesn't that mean it is not clickable as a file?

.lnk = shortcut file that you see on your Desktop for all your programs. It's not in the default apps.
 

Deleted member 178

After you get that worked out - instead of fiddling around with security softs, their bugs and the problems they cause on your system, you can focus on learning about malware. You focus on security knowledge instead of the damn tools to protect your system
That is the thing I keep saying everywhere lol. Choose one or two really strong softs, learn them to the core, then all the other apps become irrelevant.
 

shmu26

Thread author
Yeah, the more knowledge the better, but I don't see why every user has to reinvent the wheel.
OSArmor has a ready-made policy, ReHIPS has a ready-made policy, Florian from Excubits Bouncer maintains a list of vulnerables. They are there to be used, and it makes sense to me to use them.
 

509322

Yeah, the more knowledge the better, but I don't see why every user has to reinvent the wheel.
OSArmor has a ready-made policy, ReHIPS has a ready-made policy, Florian from Excubits Bouncer maintains a list of vulnerables. They are there to be used, and it makes sense to me to use them.

Ready-made is no problem if the user understands what is happening behind the ready-made. But given the fact that the vast majority of users have so very many problems with ready-made, it is proof that the missing ingredient is user knowledge. And the only way to learn is by doing. However, it comes down to personal priorities. Some people just don't want to do it. And the fact of the matter is, unless you are a high-risk user doing the most overtly at-risk behaviors, that probability protects systems more than any security soft does, such that fussing with security configurations past a certain point is a waste of time in the grand scheme of things. Security configurations are insurance policies. Nothing more, nothing less. That is reality.
 

mekelek

Ready-made is no problem if the user understands what is happening behind the ready-made. But given the fact that the vast majority of users have so very many problems with ready-made, it is proof that the missing ingredient is user knowledge. And the only way to learn is by doing. However, it comes down to personal priorities. Some people just don't want to do it. And the fact of the matter is, unless you are a high-risk user doing the most overtly at-risk behaviors, that probability protects systems more than any security soft does, such that fussing with security configurations past a certain point is a waste of time in the grand scheme of things. Security configurations are insurance policies. Nothing more, nothing less. That is reality.
I have to agree, OSArmor's premade rulesets are so not fitting for me that I have it disabled most of the time.
Especially when the exclusion list is not getting anything done...
 

meltcheesedec

After you get that worked out - instead of fiddling around with security softs, their bugs and the problems they cause on your system, you can focus on learning about malware. You focus on security knowledge instead of the damn tools to protect your system.

Well said, @Lockdown .

Related question:
What do you think of those of us who might occasionally come here to MT to review the latest trends, tools, advances, etc., in security software, but after putting together a configuration including AppGuard in Locked Down mode (e.g., mine is SECURE - Meltcheesedec Security Configuration 2018), start to feel safe and spend progressively less time learning about malware?
 

illumination

Well said, @Lockdown .

Related question:
What do you think of those of us who might occasionally come here to MT to review the latest trends, tools, advances, etc., in security software, but after putting together a configuration including AppGuard in Locked Down mode (e.g., mine is SECURE - Meltcheesedec Security Configuration 2018), start to feel safe and spend progressively less time learning about malware?
To break it down simply, security starts with safe surfing habits/maintenance habits. You should rely on your security only as a backup. It is good to learn about certain threats, and how they may be introduced to your system as well, as it is part of safe surfing habits, knowing what to look for.

There is no need to dwell on security every second of the day, and not utilize your machine for what it is intended for.
 

shmu26

Thread author
Testing + Google most of the time; Twitter is a good source too, which often leads to GitHub.
When you test malware samples, what tool(s) do you use, to see what's happening?
I know that @Lockdown likes SpyShelter for this, but what do you use?
 

illumination

When you test malware samples, what tool(s) do you use, to see what's happening?
I know that @Lockdown likes SpyShelter for this, but what do you use?
I'm not sure what Umbra uses, but thought I would leave a list here of tools I use when I'm testing. I may or may not add other tools depending on what I'm testing and how, but this is the baseline of tools I utilize mainly.

These 2 products, Regshot and FolderChangesView, allow you to record changes in real time as the sample executes and makes changes to the system. This is especially important when testing the dynamic portions of a security product. Behavior blockers, for example, allow a sample to execute and run while monitoring its behavior. This allows it to make changes to the system: what changes are being allowed, which ones are leaving changes after the product has supposedly secured you, how badly is the system corrupted/damaged by those changes most are not even aware happened? If you really want to get into the meat and potatoes of testing, dig deep to see how samples affect the system, and how the product does as well. Reset the snapshot of your VM between every sample to get the most accurate results while recording all changes and traffic.

Process Explorer
Autoruns
TCPview
PeStudio
Microsoft Message Analyzer
Regshot
FolderChangesView
Hashmyfiles
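The Regshot/FolderChangesView idea from the post above, as an added example that is not part of the original post or of either tool: hash every file under a directory before and after a run, then report what was added, removed or modified. The before/after tree in `demo()` is constructed in a temporary directory to stand in for a VM snapshot and a sample run.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path, '/' separators) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = digest
    return snap


def diff_snapshots(before, after):
    """Classify paths as added, removed or modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Constructed before/after tree; the 'changes' are neutral file edits, not a real sample."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "settings.ini"), "w") as fh:
            fh.write("[main]\nlevel=1\n")
        with open(os.path.join(root, "cache.dat"), "w") as fh:
            fh.write("old cache\n")
        before = snapshot(root)  # equivalent of the clean VM snapshot
        # Simulated run: one file added, one modified, one deleted (constructed)
        with open(os.path.join(root, "sub", "added.tmp"), "w") as fh:
            fh.write("new file\n")
        with open(os.path.join(root, "settings.ini"), "a") as fh:
            fh.write("level=2\n")
        os.remove(os.path.join(root, "cache.dat"))
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Unlike FolderChangesView this is a two-point comparison, so short-lived files created and deleted during the run are not seen; that is why the post pairs a live monitor with a snapshot tool.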
 

AMD1

Another basic question...

Just installed AppGuard for the first time and put myself on a bit of a learning curve. I am getting a message saying "prevented google chrome from writing to the registry"

Is it best simply to set this to "ignore this message in future"? What's best?

I am sure that after a few prompts/answers from more experienced users, I will get the hang of it but for now please bear with me !
 

Deleted member 178

Is it best simply to set this to "ignore this message in future"? What's best?
Expected alert, so if it is really annoying you, you can ignore it, but personally I let it; I like to know what happens.

Also, it is better to ignore events from: activity report window > select event and right click > ignore message, than directly from the popup.
 