Completely securing a computer without using programs

Tony Cole
Does AppGuard (by default) protect against ink, lnk and pif vulnerabilities? I have added them to user space?
 

509322

Does AppGuard (by default) protect against ink, lnk and pif vulnerabilities? I have added them to user space?

AppGuard blocks *.pif by default.

Don't add shortcut files to User Space.

Add wscript.exe and cscript.exe to the Guarded Apps list or disable them by adding to User Space (YES). cmd.exe and powershell.exe are already covered, but I recommend that you disable powershell.exe by unticking it in the Guarded Apps list and then adding it to User Space (YES).

See your PM.
 

TheMalwareMaster
I'm back on this old post I made some time ago...
I'm quite bored of using COMODO Firewall because I want to optimize my system performance, even if COMODO doesn't use many resources...
I'm learning about SRP and Windows Enforcement in my VM, in order to make a security config without the need for security software.
 

TairikuOkami

I will share mine, if you share yours. ;)
[Batch] Windows Tweaks - Pastebin.com

I have used it like that for years, no problems here. I do not even use an AV on my mom's computer, it was too much of a hassle. I have only recently added Windows Firewall, because since 1709 it has become too intrusive when disabled and I got tired of restarting the computer every time just to enable/disable it.

TheMalwareMaster

Thanks... I will save your link... Such a lot of tweaks!
Are these all really needed? Or do you think that SRP plus some important ones, like: disable execution of unsigned programs, disable CMD, disable PowerShell, disable remote assistance, disable Windows Script Host, disable autorun, use Run by SmartScreen, are OK? I basically know only these by now.
 

TairikuOkami
Are these all really needed?
Not really, most are just customization. Some can be considered security tweaks, like when Windows/software thinks there is no internet, it does not try to connect.

Or do you think that SRP plus some important ones, like: disable execution of unsigned programs, disable CMD, disable PowerShell, disable remote assistance, disable Windows Script Host, disable autorun, use Run by SmartScreen, are OK?
I like to think that disabling WSH and removing PowerShell protects a PC from 99% of malware; I have not seen ransomware which would be able to infect a PC without them. Note that I say removing PowerShell, not disabling it. Restriction policies can be bypassed, but if PS is not there, you cannot run PS scripts, no matter what.

It is also interesting that by blocking adult webpages, about 10-30% of malware gets blocked (malc0de links); they cannot be downloaded either, unless an IP is used.
 

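
The three "disable" items from the question above (Windows Script Host, AutoRun, PowerShell) can be set without any third-party tool. The following is an added example written for this thread, not TairikuOkami's batch file from the Pastebin link; it assumes an elevated PowerShell prompt on Windows 8 or later. One caveat on "removing PowerShell": DISM can only remove the optional PowerShell 2.0 engine (MicrosoftWindowsPowerShellV2Root), which is the engine that lets attackers sidestep script block logging and AMSI; the v5 engine is part of the OS image and stays, so it still has to be covered by SRP or a similar policy.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread. Writes the machine-wide registry values that
# turn off Windows Script Host and AutoRun, removes the PowerShell 2.0 engine,
# and then checks that WSH really refuses a script.

# 1. Windows Script Host: Enabled = 0 under HKLM applies to every user and makes
#    wscript.exe/cscript.exe refuse every .vbs/.js/.wsf/.wsh file.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if (-not (Test-Path $wsh)) { New-Item -Path $wsh -Force | Out-Null }
Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord

# 2. AutoRun: NoDriveTypeAutoRun = 0xFF disables AutoRun for all drive types
#    (removable, fixed, network, CD-ROM, RAM disk).
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorer)) { New-Item -Path $explorer -Force | Out-Null }
Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

# 3. PowerShell 2.0 engine: an optional feature, so DISM can remove it.
#    "powershell -version 2" will then fail instead of starting the old,
#    unlogged engine. The v5 engine is not removable this way.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}

# 4. Check: with WSH disabled, cscript prints
#    "Windows Script Host access is disabled on this machine." and the echo never runs.
$probe = Join-Path $env:TEMP 'wsh-probe.vbs'   # constructed test script
Set-Content -Path $probe -Value 'WScript.Echo "WSH is still enabled"'
cscript.exe //Nologo $probe
Remove-Item -Path $probe

# Report the resulting state in one place.
[pscustomobject]@{
    WshEnabled         = (Get-ItemProperty -Path $wsh).Enabled
    NoDriveTypeAutoRun = (Get-ItemProperty -Path $explorer).NoDriveTypeAutoRun
    PowerShellV2       = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State
}
```

The HKLM value wins over any per-user HKCU setting, which is why the example writes only the machine hive. Both registry values are plain data that an administrator-level payload can flip back, which is the point TairikuOkami makes later in the thread about restrictions being altered once malware has elevated.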

TairikuOkami
Interesting... How can these be bypassed? Taking a look at @Andy Ful's Hard_Configurator, this "block sponsors" should be able to prevent restriction policy bypasses.
That is nice. I am not an expert like Andy and others, I am just trying to cover the basics as I understand them. I would say, whatever works for you, but restrictions can be bypassed, and so could the restrictions of the restrictions, once altered by malware. There are never enough restrictions in place. I prefer to go all the way using unconventional methods which are not known to malware coders, like disabling bash malware simply by preventing it from being enabled using DISM. If you look at how malware works (like the scary SeTcbPrivilege), it checks for restrictions, etc., and once it elevates to system rights, it will change settings to whatever it wants to.

15 Ways to Bypass the PowerShell Execution Policy
 

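
To make the "restriction policies can be bypassed" point concrete for the case the linked article covers: the PowerShell execution policy only decides whether a script *file* is loaded, and it is stored in a registry value the same user can change. The block below is an added example written for this thread, not code from the linked article; it is meant to be pasted into an interactive PowerShell prompt (if it were saved as a .ps1 it would refuse itself once the policy is set to Restricted), and it restores the original policy when done. It will error at the first Set-ExecutionPolicy if Group Policy pins the execution policy, which is itself the observation the example makes.

```powershell
# Added example for this thread: the execution policy is a convenience setting,
# not a security boundary. Every step runs the same script text.
$script = Join-Path $env:TEMP 'ep-probe.ps1'            # constructed test script
Set-Content -Path $script -Value 'Write-Output "script body ran"'

$original = Get-ExecutionPolicy -Scope CurrentUser
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Restricted -Force
try {
    # 1. The policy does what it advertises: the .ps1 will not load.
    try { & $script } catch { Write-Output "Refused by policy: $($_.Exception.Message)" }

    # 2. The -ExecutionPolicy switch overrides the stored value for that process only,
    #    no admin rights needed.
    powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

    # 3. Only files are governed. The same text fed on stdin is a "command", not a script.
    Get-Content -Path $script -Raw | powershell.exe -NoProfile -Command -

    # 4. Same in-process: Invoke-Expression evaluates a string, so no file is ever loaded.
    Invoke-Expression (Get-Content -Path $script -Raw)

    # 5. The CurrentUser policy lives in HKCU, writable by the user whose code it restrains.
    Get-ItemProperty -Path 'HKCU:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell' `
        -Name ExecutionPolicy -ErrorAction SilentlyContinue |
        Select-Object ExecutionPolicy
}
finally {
    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy $original -Force
    Remove-Item -Path $script
}
```

Steps 2 through 4 each print "script body ran" while step 1 is refused. That is why the thread's advice of taking powershell.exe out of reach (SRP, or a Guarded Apps / User Space entry) does more than any execution policy value: the policy is enforced by the process it is supposed to restrain.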

TheMalwareMaster
Interesting... I looked at your config and that's what I would like to use... except I want to add SRP as well.
RISKY - TairikuOkami's Crippled Windows
What are these? mshta.exe/msra.exe/psexec.exe/bash.exe/nc.exe/nc64.exe/netsh.exe?
OK, with this kind of setup one can safely disable Windows Defender. But what about Windows Firewall? I think one should keep it enabled to prevent attacks from the internal network.


Now, let's focus on another case: signed malware. Really rare, but it can happen (see the CCleaner case). If an admin runs CCleaner, this config will be bypassed.
I know Forcepoint (the guys protecting Avast's servers, I think) were able to intercept the backdoor with their firewall. Also Cisco's anti-exploit software was able to intercept it... Do you know any Windows Firewall tweak/other software that can protect from this kind of supply-chain signed malware attack?
 

TairikuOkami
What are these? mshta.exe/msra.exe/psexec.exe/bash.exe/nc.exe/nc64.exe/netsh.exe?
Those are commonly used by malware, I add them on the go, just for the reference, I use disallow policy, which is not very effective, since it works only for the current user, I am thinking about SRP as well.

msra.exe - used by remote assistance
mshta.exe - used by scripting malware
bash.exe - linux subsystem malware, AVs are unable to stop it
netsh.exe - can be used for various network commands, like add/change windows firewall rules
psexec.exe/nc.exe/nc64.exe - not present by default, but hackers usually do not bother renaming them

nc.exe | ThreatExpert statistics

Beware of the Bashware: A New Method for Any Malware to Bypass Security Solutions - Check Point Research

OK, with this kind of setup one can safely disable Windows Defender. But what about Windows Firewall? I think one should keep it enabled to prevent attacks from the internal network.
Because of, or I might say thanks to, insufficient IPv4 addresses, virtually everyone is behind a router, which blocks inbound requests and unsolicited traffic (which helps to avoid higher CPU/network usage). But even without a router and if you do not use a firewall, all ports are blocked, which is the same as stealthed; in both cases, all inbound requests are dropped. A computer can be exploited only when you have a process running which keeps the port open. Usually the attacker scans the computer and if he finds an open port, he tries to exploit it, otherwise there is not much he can do.


Now, let's focus on another case: signed malware. Really rare, but it can happen (see the CCleaner case). If an admin runs CCleaner, this config will be bypassed.
I know Forcepoint (the guys protecting Avast's servers, I think) were able to intercept the backdoor with their firewall. Also Cisco's anti-exploit software was able to intercept it... Do you know any Windows Firewall tweak/other software that can protect from this kind of supply-chain signed malware attack?
CCleaner sure made a mess of things. If you have trusted software, you allow it, otherwise it would not be able to run/work properly. The basic rule is obviously do not allow more than needs to be, like no outbound unless needed. "Luckily", CCleaner was already infected with malware, so they did not use too sophisticated techniques for it; I believe a firewall was able to simply block its outbound requests, but if someone used its remote functionality or auto-updating, that would not help them, unless they set up an allowed IP range. If you are using a firewall, you should take advantage of it, like setting up IPs for DNS, etc.
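
The per-user "disallow policy" TairikuOkami mentions is what makes the list above fragile; a machine-wide Software Restriction Policy covers every user, administrators included, and takes a default-deny stance so that psexec.exe, nc.exe and nc64.exe are refused wherever they are dropped, not only when they keep their names. The block below is an added example for this thread, not TairikuOkami's or Hard_Configurator's code. It writes the same Safer registry keys that secpol.msc writes, so no Group Policy tooling is needed, and it assumes an elevated prompt. Windows consults these keys when a process starts, but log off and on before trusting the probe at the end; and keep the two Unrestricted rules, since without them a default-deny policy stops Windows itself.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread: machine-wide SRP default-deny via the registry.
# Layout: ...\Safer\CodeIdentifiers\<level>\Paths\{GUID}, where level 0 is
# Disallowed and 262144 (0x40000) is Unrestricted.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Add-SaferPathRule {
    # Creates one path rule. $Path may contain %ENV% variables or a registry
    # path in %HKEY_...% form, exactly as secpol.msc allows.
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Disallowed', 'Unrestricted')][string]$Level = 'Disallowed',
        [string]$Description = ''
    )
    $levelValue = if ($Level -eq 'Disallowed') { 0 } else { 262144 }
    $key = Join-Path $safer "$levelValue\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTime()) -PropertyType QWord -Force | Out-Null
    return $key
}

New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0 -Type DWord   # deny unless a rule allows
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1 -Type DWord   # 1 = exe + scripts, 2 = also DLLs
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0 -Type DWord   # 0 = all users incl. admins
# Default enforced extensions plus the script/shortcut types this thread worries about.
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
         'JS','JSE','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','PS1','PSM1','REG',
         'SCR','SHS','URL','VB','VBE','VBS','WSC','WSF','WSH'
Set-ItemProperty -Path $safer -Name ExecutableTypes -Value $types -Type MultiString

# Required: Windows and Program Files stay runnable. Registry-path form mirrors secpol's defaults.
Add-SaferPathRule -Level Unrestricted -Description 'Windows' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' | Out-Null
Add-SaferPathRule -Level Unrestricted -Description 'Program Files' `
    -Path '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' | Out-Null

# A file-path rule is more specific than a folder rule, so these Disallowed entries win
# over the Unrestricted SystemRoot rule for the living-off-the-land binaries in the post.
foreach ($bin in 'mshta.exe', 'msra.exe', 'bash.exe', 'netsh.exe') {
    foreach ($dir in 'System32', 'SysWOW64') {
        Add-SaferPathRule -Level Disallowed -Path "%SystemRoot%\$dir\$bin" -Description "Blocked: $bin" | Out-Null
    }
}
# psexec.exe / nc.exe / nc64.exe need no rule: they are not under Windows or Program Files,
# so DefaultLevel 0 already refuses them, under any name, from the profile, Temp or a USB stick.

# Probe: a copy of cmd.exe in the profile is refused, the original in System32 still runs.
$probe = Join-Path $env:USERPROFILE 'srp-probe.exe'           # constructed test binary
Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $probe
try { & $probe /c 'echo SRP is NOT active' } catch { Write-Output "Blocked: $($_.Exception.Message)" }
Remove-Item -Path $probe
& "$env:SystemRoot\System32\cmd.exe" /c 'echo System32 cmd.exe still allowed'
```

Two things follow from the layout. First, the policy is plain registry data under HKLM, which any payload that has already elevated can edit, so SRP is a barrier against the initial user-level execution, not against an administrator-level implant. Second, TransparentEnabled = 1 leaves DLLs out; raising it to 2 closes DLL side-loading from user-writable folders at the cost of a noticeable startup penalty and more rule maintenance.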
 

TheMalwareMaster
Thanks a lot! How can one configure a firewall beforehand, in order to prevent these kinds of intrusions? Like, nobody knew CCleaner was infected, so how can one protect against supply-chain attacks?
 

TairikuOkami
How can one protect against supply-chain attacks?
If it is simple malware like in CCleaner's case, setting up an allowed IP range should help. Let's say that you use it just for auto-updating; you would allow only TCP out to piriform.com via port 80/443 and UDP to your DNS servers via port 53. It is a pain to set up everything, but once done, it provides a much safer environment. It will not protect against malware injecting into other processes or more advanced techniques, but it is a start.
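
The two firewall points in the last few posts (which process "keeps the port open" for inbound, and an outbound allow-list for one updater) can both be checked and applied with the built-in NetSecurity cmdlets. The block below is an added example for this thread, not TairikuOkami's configuration; the updater path and host name are assumptions standing in for the CCleaner/piriform.com case, and it needs an elevated prompt. Read the two caveats before running Part 2: switching the default outbound action to Block also cuts off Windows Update, browsers and every other program until they get their own rules, and a rule pinned to resolved IPs goes stale whenever the vendor's CDN rotates addresses (the reason the post speaks of an allowed range rather than a single address).

```powershell
#Requires -RunAsAdministrator
# Added example for this thread. Part 1 inventories inbound exposure;
# Part 2 builds the outbound allow-list described in the post.

function Get-ListeningInventory {
    # One row per listening TCP socket, joined to the process that owns it.
    # Anything bound to 0.0.0.0 or :: is reachable from the network if an inbound
    # Allow rule exists for it; 127.0.0.1 listeners are not.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            ProcessId = $_.OwningProcess
            Process   = $proc.ProcessName
            Path      = $proc.Path      # empty for protected system processes
        }
    } | Sort-Object ProcessId
}

Get-ListeningInventory | Format-Table -AutoSize
# DefaultInboundAction should read Block on every profile; that is what makes an
# open listener unreachable even without a router in front of the machine.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# ---- Part 2: default-deny outbound, then allow only what the updater needs ----
$updater    = 'C:\Program Files\Example\updater.exe'   # assumed path, not a real product
$updateHost = 'updates.example.com'                     # assumed; the thread's case is piriform.com
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
$updateIps  = (Resolve-DnsName -Name $updateHost -Type A | Where-Object Type -eq 'A').IPAddress

# Roll back with: Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# DNS is resolved by the DNS Client service, not by the updater, so this rule is not
# bound to a program; it is bound to the resolvers you configured and nothing else.
New-NetFirewallRule -DisplayName 'Allow DNS to configured resolvers' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $dnsServers -Action Allow | Out-Null

# The updater may talk TCP 80/443 to the vendor's current addresses only. Matching is by
# program path: once a payload has injected into another process, this rule says nothing.
New-NetFirewallRule -DisplayName "Allow $updateHost for updater" -Direction Outbound `
    -Program $updater -Protocol TCP -RemotePort 80, 443 -RemoteAddress $updateIps -Action Allow | Out-Null

# Review: this is now the complete list of what may leave the machine.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile | Sort-Object DisplayName
```

Against the CCleaner scenario specifically, this stops the trojanised binary's own beacon because the command-and-control host is not in its allow-list, while an update to the vendor's real servers still works. It does nothing for the second-stage that the post mentions, which runs inside a different process and inherits that process's rules.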
 

TheMalwareMaster
Thanks a lot for all your help!
 

Sunshine-boy
IDK about Andy's tool, but ReHIPS can block this!
From fixer:
There is a PowerShell built-in execution policy. Like, allow only scripts signed by a trusted publisher. You can think of it as of some kind of SRP (software restriction policies) extension. And it can be bypassed. That's why we don't rely on SRP and ReHIPS uses its own monitoring.
ReHIPS operates on a higher level than this built-in execution policy. So these bypasses don't affect it.
 

Prorootect
It seems that "Seconfig XP" can work on all Windows versions... or am I wrong?
Seconfig XP - freeware security configuration utility for Windows

  • A free tool to close (not just shield) most exploited Windows security holes.
  • Can close ports 135, 137-139, 445, 1025 (used by file and printer sharing, Windows domains, other Microsoft Networks access and widely exploited by worms, hackers etc.), 1900, 5000 (used by UPnP) and other...
  • Can disable most dangerous Windows services.
  • Can protect Windows side against most ARP spoofing/poisoning attacks.
  • Can configure many other hidden security related Windows TCP/IP settings.
  • Works only with registry (no files, services, drivers etc.).
  • Includes three easy to use presets for average home (standalone) computers, Microsoft Networks members and standalone computers with VPN client access to Microsoft Networks.
 

Emanuel.
I will share mine, if you share yours. ;)
[Batch] Windows Tweaks - Pastebin.com

It leaves you without Internet connection. The Start button doesn't work and I don't know how many other problems. Thank you in the same way. Best regards.
 

TairikuOkami
It leaves you without Internet connection. The Start button doesn't work and I don't know how many other problems.
You can disable "Network Store Service" and the internet will work much more stably without "network optimizations", which cause more problems than they are worth (but this one also disables Windows Firewall). You just have to set up network settings manually. Though some services have to be re-enabled for Windows Updates.
 

