Completely securing a computer without using programs

[shmu26]

-Smartscreen is mostly a reputation features alerting about downloaded executables system-wide (means not coming from removable devices)

good explanation Umbra, we are on the same page, maybe you didn't understand my post right because my English prose is pretty complicated.
Anyways, I am all in favor of utilizing the native windows tools of WD+SUA+UAC+SS.
And that is what I do on my own production machine. But I add ERP with my own home-brewed lenient recipe, to protect myself from stupid or sleepy moments.

 

[Deleted member 178]

good explanation Umbra, we are on the same page, maybe you didn't understand my post right because my English prose is pretty complicated.
Anyways, I am all in favor of utilizing the native windows tools of WD+SUA+UAC+SS.
And that is what I do on my own production machine. But I add ERP with my own home-brewed lenient recipe, to protect myself from stupid or sleepy moments.

and you are totally free to use 3rd party apps, just don't compare what is not comparable.

 

[shmu26]

and you are totally free to use 3rd party apps, just don't compare what is not comparable.

I was answering post #65, which made the comparison.
anyway, I gotta get back to work...

 

[shmu26]

@shmu26 What's the benefit over Smartscreen. Don't downloads to those folders require manual execution anyway? How common are unseen downloads downloading to these areas over the person being socially-engineered to execute them?

Hi, as regards the benefit over Smartscreen, I think that issue was sufficiently discussed in the previous posts.

About the need for manual execution, yes, you are right about that. However, one of the greatest things about a default/deny app such as ERP or Voodoo is that it shakes your brain awake when you are about to manually execute a suspicious file.

So even if you were socially engineered into executing it, when you see the serious-looking prompt that pops up in front of your face, you will think twice. This is especially true if the file was supposed to be nothing more than a PDF or a pic, and all of the sudden you see solemn security warnings. I would immediately run for the nearest bomb shelter if that happened to me...

 

[Wave]

So even if you were socially engineered into executing it, when you see the serious-looking prompt that pops up in front of your face, you will think twice. This is especially true if the file was supposed to be nothing more than a PDF or a pic, and all of the sudden you see solemn security warnings.

But relying on an Ai system to auto-detect suspicious PE execution attempts is not a good idea nor reliable, why not just watch what you're doing and not make dumb decisions by trying to run an unknown download in the first place?

 

[509322]

Umbra there are different versions of AppGuard, I've got version 5? What's the difference home version, pro/ent?

Version 4 and 5 are essentially the same at this time. 4 is End-of-Life. Enterprise is a managed service; the user is, by default, locked out of the system. All policies for Enterprise are created and maintained remotely and then distributed to the local system.

For your purposes, use version 5.

 

[509322]

It must be impossible to secure a system without using any software, virtualization, AppGuard etc., is the way forward and offer advanced protection. AppGuard is well priced, follow adding additional settings and rules, lock down mode is very secure!

Hacks and such can increase WIndows' security above its default configuration, but still they aren't going to cover all the bases. In a nutshell, hardening the OS is disabling settings, features, rules, etc that aren't needed or making them use the more secure option available.

Hardening the OS along with informed IT security behaviors goes a long way to improving security, but it isn't going to protect against all potential security issues.

 

[shmu26]

But relying on an Ai system to auto-detect suspicious PE execution attempts is not a good idea nor reliable, why not just watch what you're doing and not make dumb decisions by trying to run an unknown download in the first place?

voodoo does not rely on Ai alone to rate files. For instance, even if Ai says file X is okay, voodoo will still recommend you to block it, if file X is unsigned and it has 1 or more detections in VT.
In other words, voodoo does recognize the limitations of Ai detection.

 

[Andy Ful]

... For instance, even if Ai says file X is okay, voodoo will still recommend you to block it, if file X is unsigned and it has 1 or more detections in VT...

In most cases (sadly) those VT detections come from other AI machines, too. Nothing is perfect.
So in the end, it looks like the total detection heavily depends on AI's and digital signing. For now, it means that Voodooshield must have many false positives (until AI's will be much smarter).

 

[Handsome Recluse]

In most cases (sadly) those VT detections come from other AI machines, too. Nothing is perfect.
So in the end, it looks like the total detection heavily depends on AI's and digital signing. For now, it means that Voodooshield must have many false positives (until AI's will be much smarter).

At least we now have multiple AI's working together which would then promptly take over the world.
You can only be part of the borg to be part of this world.

 

[shukla44]

voodoo does not rely on Ai alone to rate files. For instance, even if Ai says file X is okay, voodoo will still recommend you to block it, if file X is unsigned and it has 1 or more detections in VT.
In other words, voodoo does recognize the limitations of Ai detection.

VS is a superb product. Very nice addition to your traditional AV (IMO). One thing that made me switch is it's command line & restoring settings/snapshot feature. Restoring the settings and whitelist doesn't restore (cause there is no backup, i think) command-lines.

 

[shmu26]

In most cases (sadly) those VT detections come from other AI machines, too. Nothing is perfect.
So in the end, it looks like the total detection heavily depends on AI's and digital signing. For now, it means that Voodooshield must have many false positives (until AI's will be much smarter).

in my experience, there are indeed many false positives, and sometimes even silent blocking of safe things like chrome updates.
Basically, if voodoo says it's okay, it is. If voodoo says it isn't okay, think twice.

 

[Rengar]

using software is the easier route to the goal.

relying only on native windows features is a bigger challenge, and ultimately provides you with less control over fine-tuning your protection.

for those who find default/deny apps to be somewhat of a headache, like I do, so here's the aspirin:
1 install NVT ERP free beta, set to alert mode.
2 in the vulnerable processes list, delete all entries except for the powershell processes and wscript and cscript
3 in safe file locations, add C:\*
(You are done with tweaking ERP)
4 Now, move your downloads folder and your desktop to a location that is off the C drive.
5 do the same for email client storage folder, and torrent client download location.

Now you will have peace of mind to just use your computer, but at the same time, anything you download or run from removable storage will be met by a default/deny prompt.

Just make sure you trust the programs you have already installed.

this idea can be adapted to voodooshield, if you have pro version.

So with this config there is no need for an antivirus or WD or even anti-malware??? Just NVT?

 

[Deleted member 178]

if you have Win10 better keep WD. if you are on Win7, an AV is not needed; just remember nothing is 100% bullet proof is the user is careless.

 

[Rengar]

if you have Windows 10 better keep WD. if you are on Windows 7, an AV is not needed; just remember nothing is 100% bullet proof is the user is careless.

I have W8.1

 

[Handsome Recluse]

I have W8.1

Oh no.

 

[_CyberGhosT_]

Oh no.

Right, I went straight from 7 to 10, never touched 8 at all

 

[Deleted member 178]

win8.1 or win10 is similar

 

[shmu26]

So with this config there is no need for an antivirus or WD or even anti-malware??? Just NVT?

yes, windows 8 is similar to 10. I do recommend leaving WD enabled.

This minimalist config that I suggested is best used together with WD and smartscreen and UAC and standard user account and common sense.

And keep in mind, as others have rightly commented, this is not a "lockdown" config, but rather a no-headache config that provides strong protection.

 

[DC47561]

Software restriction policies - based on local security policy or through the registry editor - limited user account - just some suggestions.