Battle Best programs for default deny protection

wat0114

Level 3
Verified
Apr 5, 2021
145
OSA is very similar to SRP. Most of the OSA protection is prevention based on attack surface reduction kinda similar to SRP and Windows Policies. Furthermore, OSA (like SRP, Applocker, etc.) will not prevent most techniques used by PE executables (if EXEs are allowed to run).
I would not use the term "detect" in the case of OSA, because OSA cannot see if something is malicious or not.:unsure:

Fair enough, maybe a poor verb choice, but I have seen OSA leap into action on potentially suspicious parent-child process interactions before SRP would kick in, such as cmd.exe launching a harmless batch file on my desktop. That's all I meant by "detect' as in alerting to process interactions, especially where known LOLBins are involved. Hope this makes sense.

Taken from a sodinokibi ransomware analysis site:


If I'm not mistaken, OSA should "detect" this suspicious looking action as long as the relevant Protection is enabled and alert to it before SRP kicks in.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,168
Taken from a sodinokibi ransomware analysis site:

If I'm not mistaken, OSA should "detect" this suspicious looking action as long as the relevant Protection is enabled and alert to it before SRP kicks in.
Of course one can use the "detect" term for many things. But, this will be usually somewhat misguiding (without additional comment). For example, SRP configured by H_C (or SWH) can "detect" in a similar way (several SRP rules) that the script is going to be run directly from the ZIP archive (like in the Sodinokibi analysis).:)
In this case (script embedded in ZIP attachment) both SRP and OSA can block the CmdLine on the same infection stage. The SRP could block it earlier when the similar CmdLine was executed via the shortcut (*.lnk). Generally, SRP alerts will kick in before OSA so in most cases you will not feel OSA at all.
 

wat0114

Level 3
Verified
Apr 5, 2021
145
Admittedly that batch file OSA alerted on, for instance, was already whitelisted in SRP, but what I like about the alert is that OSA offers some details on exactly how the batch file is launched, in this case: [%PROCESSCMDLINE%: "C:\Windows\System32\cmd.exe" /C "C:\Users\username\Desktop\OSArmorDevSvc.bat"]

This is going to be meaningless to novices, but for those with some in-depth knowledge of Windows, it could arouse suspicion after one decides to download something they think is probably safe, then they whitelist the installer, but OSA alerts on some kind of suspicious parent->child interactions, or, as maybe a better example, especially if PowerShell is being invoked.

I'm nervously posting this as I know you are a technical "heavyweight" Andy, but I'm certainly not trying to debate with you :eek: Only offering my rationale for combining OSA with SRP as best I can :)
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,168
...
I'm nervously posting this as I know you are a technical "heavyweight" Andy, but I'm certainly not trying to debate with you :eek: Only offering my rationale for combining OSA with SRP as best I can :)
I know.:)
There can be several advantages of using OSA over SRP even in the Home environment. But, most of them can shine not when you want to use default-deny setup. On the contrary, OSA has so many different rules to make security sensibly weaker (compared to default-deny SRP) for good reasons.

In most settings, OSA does not focus on blocking potentially dangerous files by default, but tries to identify the suspicious actions by paths, child processes, URLs, etc. In this meaning, some of the OSA rules "detect" predefined suspicious patterns. The default-deny setup is more preventive / restrictive.

One can still use default-deny SRP + OSA and switch between two kinds of protection:
  1. SRP for default-deny (OSA will not add much to this).
  2. Switch off SRP and use a less restrictive OSA setup.
Anyway, for most users, such a combination will be too complex and problematic. Most of them will probably skip SRP or OSA.
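As an added illustration of the distinction drawn in this post (not code from the thread, from OSA or from Hard_Configurator): a toy Python model in which the SRP-style check decides by where the script lives and the OSA-style rule decides by the parent/child/command-line pattern. The system roots, LOLBin list and sample events are constructed; the first event mirrors the cmd.exe /C batch-file alert quoted earlier in the thread.

```python
# Added example (not from the thread, OSA or Hard_Configurator): a toy model of
# the two styles discussed above. The SRP-style check decides by *where* the script
# lives (default-deny outside system roots); the OSA-style rule decides by *what*
# the parent/child/command-line pattern is, and ignores path whitelists.
from dataclasses import dataclass
import re

SYSTEM_ROOTS = ("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")
LOLBINS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")

@dataclass
class ProcessEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the newly created process
    cmdline: str  # full command line, as OSA shows it in %PROCESSCMDLINE%

def script_path(cmdline: str):
    """Return the first argument (quoted or bare) that looks like a script, else None."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        arg = quoted or bare
        if arg.lower().endswith(SCRIPT_EXTS):
            return arg
    return None

def srp_default_deny(ev: ProcessEvent, whitelist=()) -> str:
    """SRP-like: a script outside the system roots is blocked unless whitelisted by path."""
    path = script_path(ev.cmdline)
    if path is None or path.startswith(SYSTEM_ROOTS) or path in whitelist:
        return "allow"
    return "block"

def osa_like_rule(ev: ProcessEvent) -> str:
    """OSA-like: alert when a LOLBin runs a script from outside the system roots,
    whatever SRP decided; only the parent/child/cmdline pattern matters."""
    path = script_path(ev.cmdline)
    if ev.image.lower() in LOLBINS and path and not path.startswith(SYSTEM_ROOTS):
        return f"alert: {ev.parent} -> {ev.image} ran {path}"
    return "silent"

# Constructed sample events; the first mirrors the alert quoted earlier in the thread.
EVENTS = [
    ProcessEvent("explorer.exe", "cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\username\Desktop\OSArmorDevSvc.bat"'),
    ProcessEvent("explorer.exe", "cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\username\AppData\Local\Temp\invoice.js"'),
    ProcessEvent("cmd.exe", "cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Program Files\Vendor\update.bat"'),
]

if __name__ == "__main__":
    for ev in EVENTS:  # with the first .bat whitelisted: SRP allows it, the OSA-style rule still alerts
        print(srp_default_deny(ev, whitelist=(script_path(EVENTS[0].cmdline),)), "|", osa_like_rule(ev))
```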
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,168
OSA is very similar to SRP. Most of the OSA protection is prevention based on attack surface reduction kinda similar to SRP and Windows Policies.
Many OSA rules can be compared to Defender ASR rules (similar idea). OSA can monitor more system events than SRP and often uses more complex event patterns. Of course, OSA has got many more rules as compared to the Defender ASR rules.:unsure:
Only a few Defender ASR rules are based on system events that are not covered in OSA, and many OSA rules can cover suspicious actions ignored by Defender ASR rules.

Edit.
In some way, the H_C (with Microsoft Defender) is a concise and simplified version of default-deny SRP + OSA (OSA is replaced by Defender ASR rules and Firewall Hardening settings). One can easily switch OFF/ON SRP restrictions (if necessary) via the SwitchDefaultDeny tool.
 

ichito

Level 10
Verified
Content Creator
Dec 12, 2013
479
I was wondering what some of the best programs for default deny protection are, i already use vs is there anything else I should use along with it?
For me the answer is only one - SpyShelter...if you really want to cooperate with such "talking head" :)
Here is its page
and on MT forum you can find some useful topics about SS.
 

ichito

Level 10
Verified
Content Creator
Dec 12, 2013
479
I was wondering what some of the best programs for default deny protection are, i already use vs is there anything else I should use along with it?
For me the answer is only one - SpyShelter...if you really want to cooperate with such "talking head" :)
Here is app page
and on MT forum you can find some useful topics on SS
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,168
For me the answer is only one - SpyShelter...if you really want to cooperate with such "talking head" :)
Here is its page
and on MT forum you can find some useful topics about SS.
I am not sure if SpyShelter can be used as a true default-deny. Can you configure it to block all scripts/scriptlets except for some locations like Windows, Program Files, etc.?
I think that this can be done for EXE, BAT, VBS files with some effort, but there will be a problem with PowerShell scripts, MSI installers, and such scriptlets as JAR, HTA, or CHM files (dropped to disk). :unsure:

Edit.
Anyway, SpyShelter can restrict the system pretty well.
 

valvaris

Level 5
Verified
Jul 26, 2015
223
Since all in IT is built upon layers (OSI) - I would suggest a hardware firewall - Most are set up from the get go as default deny and have a rule for the LAN to WAN with all ports open (means from the inside network LAN going to the Internet WAN)

There are Open-Source ones like:
-PFsense
-OPNsense
Free to use ones at Home:
-Untangle (Moar features or IPs cost money)
-SophosUTM (Old Version)
-SophosXG (Current Version) NGFW
[Both Sophos Home Editions come with a Home License which is a Fullguard License but for free for Home Use]

If I missed a few I am sorry! - Those are the ones I tested myself and can highly recommend them.

As a software I myself use NetLimiter with a Default Deny for things going towards the Internet. ^^

Best regards
Val.
 

wat0114

Level 3
Verified
Apr 5, 2021
145
For me the answer is only one - SpyShelter...if you really want to cooperate with such "talking head" :)
Here is app page
and on MT forum you can find some useful topics on SS
SpyShelter looks interesting. I see in your guide you suggest the Restricted Apps Module is most important to you. It seems to me to be a Windows version of AppArmor, without the ultra-granular control AppArmor provides, allowing selected programs to do only what they're supposed to do (or as determined by the user), and no more.
 

SearchLight

Level 12
Verified
Jul 3, 2017
591
It was alluded to in some of the postings above that one has to make the decision of whether to Allow or Deny a legitimate and/or suspicious file. For those PC users not too familiar with some of the files and programs on their PC, the aspect of "knowledge is power" comes into play. I personally am not an IT specialist, so my knowledge and experience has come from software trial and error, PC crashes and restoration, and reading comments by knowledgeable users on forums such as this one, MT.

That being said, for the average user looking to use Default Deny protection, what program do you gurus think would provide the most information to an average user so he or she could make an informed decision as to whether to Allow or Deny a particular software from installing and/or executing without being too complicated to use?

For example, I am currently using VSFree, and when it pops a message that it is blocking a file, if I do not recognize the file name, I wait for the analysis to complete. In this case, VS replies "safe", and then I allow the file to run such as an installer of a program that I just downloaded.

I am aware that some of these programs automatically whitelist what they call safe programs to spare users of making unnecessary and/or potentially harmful choices.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,168
If you allow cmd.exe to do something, then you allow it to do everything permanently. SpyShelter is a HIPS. It is not a granular SRP solution.

In the right hands, SpyShelter will outperform any other security software on the market.
Yes, it is HIPS - you can exclude files/folders. There is also Application Execution Control in the SpyShelter Firewall.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,168
...
That being said, for the average user looking to use Default Deny protection, what program do you gurus think would provide the most information to an average user so he or she could make an informed decision as to whether to Allow or Deny a particular software from installing and/or executing without being too complicated to use?

For example, I am currently using VSFree, and when it pops a message that it is blocking a file, if I do not recognize the file name, I wait for the analysis to complete. In this case, VS replies "safe", and then I allow the file to run such as an installer of a program that I just downloaded.
Keep it, if it works for you. Adding more protection is not necessary.

Generally, maintaining any default-deny setup requires more attention and some additional knowledge/skills. The most informative for most users will be tweaked Kaspersky:

If you like Norton 360 then it can be supported by Simple Windows Hardening (SWH) to get smart default-deny.

If you prefer Windows built-in protection then you can try H_C (with any AV) or SWH with Defender (ConfigureDefender with all ASR rules enabled).
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,168
...
You can whitelist a folder, but the files within that folder might or might not be auto allowed depending upon the executing process rule.
Yes, excluding the files/folders in SpyShelter is different from whitelisting in SRP. The exclusions are often related to the actions performed by the restricted application on files/folders, etc. Anyway, all of this is far away from default-deny SRP.
 

wat0114

Level 3
Verified
Apr 5, 2021
145
@SearchLight

A typical classic HIPS with all its protection features enabled triggers far too many alerts, even for someone with in-depth knowledge of Windows inner workings. I can't remember which one of them I used years ago that could monitor all of these inter-process actions and so forth...

Code:
Create new process
Access data of other processes
Control other processes and threads
Send message to other processes
Load kernel drivers
Access kernel memory/objects
Access physical memory
Access physical disk
Access keyboard in low level
Access registry in low level
Install message/event hooks
Set system time
Shutdown windows

...but it was way too much, and you will likely find yourself being assaulted with a bombardment of endless alerts. I've used several HIPS programs over the years but found them too overwhelming and unnecessary. Most HIPS monitoring functions can be "trimmed down" quite a bit, so that they can function more or less as anti-executables only, which makes answering alerts easier. Cruel Sister's setup for Comodo, from what I can tell and others have said, does this very well. Of course there is simply SRP in default-deny for executables only, via Group Policy in Pro Windows or Hard_Configurator, which is effective; it allows or doesn't allow - no grey area whatsoever.
 

wat0114

Level 3
Verified
Apr 5, 2021
145
All of that can be eliminated by just not creating any allow rules for LOLBins and unknown processes. With that SS config, there are few alerts.

I can't speak for SS as I've never used it, only several other HIPS programs in the past years. Absolutely there were many ways to significantly reduce alerts such as whitelisting whole directories and contents (C:\Windows\System32\*) for example, disabling alert modules for selected or all processes, whitelisting parent processes such as explorer.exe, etc...
Then again, how many users know that they are supposed to select the Terminate button in the SS alert as opposed to the Block button for unknown processes? Or that they should block even a trusted Windows process from injecting into a browser session? Ad infinitum.

Right, this takes willingness to learn the OS in-depth, which is not for most average home users.
Good security requires knowledge. Security is not software. Software shall never ever, like ever, provide anything beyond a basic level of security. Security is a process with a high cost. But hoomans mess that all up. The user is always the problem. That is why any software that requires a typical user to respond to any alert and make a decision is an epic fail.

Yes, knowledge I agree is essential, and the software is the tool that can help facilitate putting the knowledge to use. However, humans are not infallible; we make mistakes and a good security program configured properly can bail one out of a screwup.
 

valvaris

Level 5
Verified
Jul 26, 2015
223
To be honest - It all reads as people run a Multimillion Dollar company and have to restrict access as much as possible.

I am all for it when it comes to implementing RBAC (Role-based access control) and to transferring those limitations to applications too. (Windows AppLocker)

But there is a problem with implementing that solution:
- First Domain-Controller (Active Directory)
- Very good knowledge on (AD-Administration)
- A Server and so on and so on...

What I want to say is that you install software to limit software - where Windows and perhaps other OSes too have built-in features, but they are designed for the Ent. use case.

Already SRP is super restrictive if configured right and @Andy Ful has done a very good job with his Tools to make it understandable. (Try reading the Microsoft Docs not as much fun as Andy's Tool) ;)

Even if all is configured there is always that tradeoff:

Security eats Comfort eats Usability - Depends on Implementation - Sometimes MOAR, Sometimes LESS - It can cause Administrative Nightmares if not Documented correctly.

Even with the use of Andy's Tools - I document what I did so if something fails I can reconstruct the issue or even resolve it.

The point is balance - If you want to be that secure - Simply run a Live CD / Live USB ^^ <- Easy administration - Burn it / Write it - Use it - Browse it - Reset it >>>> XD

Sincerely
Val.
 