Completely securing a computer without using programs

[Andy Ful]

I downloaded it and I liked it, but one little thing: I couldn't get it to block powershell, although it blocked wscript just fine. What did I do wrong?
windows 10 x64

Thanks.
This reg tweak disables PowerShell script execution, when you are trying to run PS1 files by 'Run by PowerShell' from Explorer context menu. The PowerShell console is showing up, but the script cannot run. When you are trying to run PS1 file by double click like any executable, the script should be opened by default with notepad. You can still use PowerShell commands in the PowerShell console, but not external scripts.
Windows Script Host registry tweak disables it completely by SAFER API, even if you copy wscript.exe or jscript.exe to another folder, or rename those executables.

EDIT.
The PowerShell reg tweak works also, when malware tries to bypass PowerShell 'AllSigned' (or other execution policy) using command prompt or shortcut with commands like:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'Path_to_the_script'"

 

[TheMalwareMaster]

Thanks a lot for your comments. Maybe keeping to use Voodooshield is best because it is able to protect also against Signed adware thanks to VirusTotal blacklist and whitelist engine

 

[Andy Ful]

Thanks a lot for your comments. Maybe keeping to use Voodooshield is best because it is able to protect also against Signed adware thanks to VirusTotal blacklist and whitelist engine

Voodooshield is a good option (very interesting project). The problem with signed adware, may be irritating, but if the adware is accepted by SmartScreen Filter, it is mostly not dangerous at all, and can be simply uninstalled. Also, the inexperienced user can use something like Unchecky.
The benefit of Windows built-in security is evident only if you have stability/compatibility issues. Also, using truly system wide SmartScreen, has some advantages with blocking fresh 0-day malware files (not important for home users), and less false positives (not important for advanced users).

 

[shmu26]

Thanks a lot for your comments. Maybe keeping to use Voodooshield is best because it is able to protect also against Signed adware thanks to VirusTotal blacklist and whitelist engine

using software is the easier route to the goal.

relying only on native windows features is a bigger challenge, and ultimately provides you with less control over fine-tuning your protection.

for those who find default/deny apps to be somewhat of a headache, like I do, so here's the aspirin:
1 install NVT ERP free beta, set to alert mode.
2 in the vulnerable processes list, delete all entries except for the powershell processes and wscript and cscript
3 in safe file locations, add C:\*
(You are done with tweaking ERP)
4 Now, move your downloads folder and your desktop to a location that is off the C drive.
5 do the same for email client storage folder, and torrent client download location.

Now you will have peace of mind to just use your computer, but at the same time, anything you download or run from removable storage will be met by a default/deny prompt.

Just make sure you trust the programs you have already installed.

this idea can be adapted to voodooshield, if you have pro version.

 

[Av Gurus]

Add C:\Windows\System32\mshta.exe or not?

 

[Andy Ful]

using software is the easier route to the goal.

relying only on native windows features is a bigger challenge, and ultimately provides you with less control over fine-tuning your protection.

for those who find default/deny apps to be somewhat of a headache, like I do, so here's the aspirin:
1 install NVT ERP free beta, set to alert mode.
2 in the vulnerable processes list, delete all entries except for the powershell processes and wscript and cscript
3 in safe file locations, add C:\*
(You are done with tweaking ERP)
4 Now, move your downloads folder and your desktop to a location that is off the C drive.
5 do the same for email client storage folder, and torrent client download location.

Now you will have peace of mind to just use your computer, but at the same time, anything you download or run from removable storage will be met by a default/deny prompt.

Just make sure you trust the programs you have already installed.

this idea can be adapted to voodooshield, if you have pro version.

NVT ERP is also one of my favorities.
Yet, on my wife's computer I would rather adopt Windows built-in security/restrictions. She is very upset when alerts are showing up.
I noticed that Windows built-in security is a practical solution for inexperienced users (with some occasional help from experienced one).

 

[shmu26]

Add C:\Windows\System32\mshta.exe or not?

personally, I don't think it is so crucial, because it usually will just be used to run another script interpreter.
But yeah, add it. It don't bother you.

 

[TheMalwareMaster]

Basically, no Windows native feature will be able to block signed adware/PUA? (thinking about software restriction policies, ValidateAdminCodeSignatures)

 

[Andy Ful]

using software is the easier route to the goal.

relying only on native windows features is a bigger challenge, and ultimately provides you with less control over fine-tuning your protection.

for those who find default/deny apps to be somewhat of a headache, like I do, so here's the aspirin:
1 install NVT ERP free beta, set to alert mode.
2 in the vulnerable processes list, delete all entries except for the powershell processes and wscript and cscript
3 in safe file locations, add C:\*
(You are done with tweaking ERP)
4 Now, move your downloads folder and your desktop to a location that is off the C drive.
5 do the same for email client storage folder, and torrent client download location.

Now you will have peace of mind to just use your computer, but at the same time, anything you download or run from removable storage will be met by a default/deny prompt.

Just make sure you trust the programs you have already installed.

this idea can be adapted to voodooshield, if you have pro version.

It is an interesting setup.
Yet, I think that many bad things can happen through BAT files (they are blocked by SRP in Windows built-in security), also malware can use scripts, dropping sponsors (cscript.exe, wscript.exe, powershell.exe) to C:\* . The second is not important, because malware files in the wild are not so smart.
Of course the cmd.exe could be added to NVT ERP vulnerable processes list (and some other sponsors) - it depends on how many alerts the user can accept in daily work.
Anyway NVT ERP is a great tool.

 

[509322]

using software is the easier route to the goal.

relying only on native windows features is a bigger challenge, and ultimately provides you with less control over fine-tuning your protection.

for those who find default/deny apps to be somewhat of a headache, like I do, so here's the aspirin:
1 install NVT ERP free beta, set to alert mode.
2 in the vulnerable processes list, delete all entries except for the powershell processes and wscript and cscript
3 in safe file locations, add C:\*
(You are done with tweaking ERP)
4 Now, move your downloads folder and your desktop to a location that is off the C drive.
5 do the same for email client storage folder, and torrent client download location.

Now you will have peace of mind to just use your computer, but at the same time, anything you download or run from removable storage will be met by a default/deny prompt.

Just make sure you trust the programs you have already installed.

this idea can be adapted to voodooshield, if you have pro version.

If I am reading this correctly, you are whitelisting C:\*

You state to add C:\* to "safe file locations" = Trusted Folders (I assume this is what you meant.)

If, indeed, this is what you meant by the above, then...

The policy of whitelisting the entire C:\ drive has a gigantic hole in it. What do you propose to do if an application installed on C:\* is exploited and a payload is dropped ? That malicious payload will be allowed to run from C:\* ! And this is just one sore point. There's too much to cover here.

One counter-measure is to install an anti-exploit.

Another workaround that is more of a hassle is to install and run all commonly exploited applications to a non-system partition, but that basically means using portable apps otherwise there will breakages.

Just sayin'... but you might want to re-examine and re-think your policy logic.

Why don't you give me your IP address so I can pay you a visit ? You won't know what happened...

 

[TheMalwareMaster]

Is this a concept for a project or for personal use?

it was for personal use

 

[Andy Ful]

Basically, no Windows native feature will be able to block signed adware/PUA? (thinking about software restriction policies, ValidateAdminSignatures)

It could be done in SRP, but it would be impractical. Many signed adware/PUA are blocked by SmartScreen. Only very popular applications or programs with EV code signing certificates, can pass SmartScreen Filter.

 

[509322]

There's a "How to Harden Windows 7, 8, 10" guide online. You can buy a CD\USB I think for around $10. It will apply a comprehensive list of OS hardening techniques.

If anyone uses it, just make sure you make an image backup of your pre-hardened system because there are no scripts to revers all the settings\OS changes.

I think some of you guys are nuts... scouring the net for OS hardening hacks, collecting them from different sources, then combining them to be coherent. It takes days. I know because I've done it before. Comparatively, the CD\USB method is blazingly fast.

 

[Andy Ful]

If I am reading this correctly, you are whitelisting C:\*

You state to add C:\* to "safe file locations" = Trusted Folders (I assume this is what you meant.)

If, indeed, this is what you meant by the above, then...

The policy of whitelisting the entire C:\ drive has a gigantic hole in it. What do you propose to do if an application installed on C:\* is exploited and a payload is dropped ? That malicious payload will be allowed to run from C:\* ! And this is just one sore point. There's too much to cover here.

...

I am not sure, but maybe in NVT ERP it only means the root C:\ , but not folders and subfolders on C: ?
I also do not like whitelisting the entire C:\ drive.

 

[509322]

I am not sure, but maybe in NVT ERP it only means the root C:\ , but not folders and subfolders on C: ?
I also do not like whitelisting the entire C:\ drive.

That's why I said "If this is what you mean..." as I haven't used NVT ERP in a long time. I can't recall how it will behave when adding C:\* to Trusted Folders, but I expect that it will result in a complete C:\ file system whitelist.

If you whitelist C:\*, then it's pointless to use NVT ERP or another other security software at all.

 

[Andy Ful]

That's why I said "If this is what you mean..." as I haven't used NVT ERP in a long time. I can't recall how it will behave when adding C:\* to Trusted Folders, but I expect that it will result in a complete C:\ file system whitelist.

If you whitelist C:\*, then it's pointless to use NVT ERP or another other security software at all.

I can understand the idea of whitelisting all C: drive. It is a 'baby-sitter" type of security. It can prevent the user from executing you_are_the_winner.pdf.exe from download directory (which is moved to another drive). It cannot prevent execution of any malware dropped to C: drive. Adding to NVT ERP vulnerable processes list some sponsors: cscript.exe, wscript.exe, powershell.exe, and some others, can stop many malware scripts.
It can be OK, if AppCointainer or sanboxed applications related to Internet, documents, and media are used in daily work.

 

[TheMalwareMaster]

It could be done in SRP, but it would be impractical. Many signed adware/PUA are blocked by SmartScreen. Only very popular applications or programs with EV code signing certificates, can pass SmartScreen Filter.

Oh, nice! So basically, if one applies all the tweaks listed in the poll and use windows defender, the config would be nearly lockdown?

 

[_CyberGhosT_]

If I am reading this correctly, you are whitelisting C:\*

You state to add C:\* to "safe file locations" = Trusted Folders (I assume this is what you meant.)

If, indeed, this is what you meant by the above, then...

The policy of whitelisting the entire C:\ drive has a gigantic hole in it. What do you propose to do if an application installed on C:\* is exploited and a payload is dropped ? That malicious payload will be allowed to run from C:\* ! And this is just one sore point. There's too much to cover here.

One counter-measure is to install an anti-exploit.

Another workaround that is more of a hassle is to install and run all commonly exploited applications to a non-system partition, but that basically means using portable apps otherwise there will breakages.

Just sayin'... but you might want to re-examine and re-think your policy logic.

Why don't you give me your IP address so I can pay you a visit ? You won't know what happened...

Well said, glad I read this before responding

 

[_CyberGhosT_]

I am not sure, but maybe in NVT ERP it only means the root C:\ , but not folders and subfolders on C: ?
I also do not like whitelisting the entire C:\ drive.

Whitlisting the Entire C Drive would defeat the purpose, never a good idea

 

[Andy Ful]

Oh, nice! So basically, if one applies all the tweaks listed in the poll and use windows defender, the config would be nearly lockdown?

The answer is No, if you mean : Poll - Do you use security reg tweaks?
The answer is partially YES, if you add default deny SRP, and know SmartScreen limitations.
The answer is practically YES, if you add SRP, and truly system wide SmartScreen (<Run As Smartscreen> option in Hard_Configurator).
Please remember that the above heavily depends on the proper reaction to SmartScreen alerts.
The proper reaction is always 'Do not run', and next investigate.
The same situation is with all anti-exe solutions (except when you turn ON the silent lockdown). But, using SRP you have less alerts, because system processes can run safely (for Home computers) without disturbing the user.