Andy Ful

Level 48
Verified
Trusted
Content Creator
You forgot VoodooShield!

:):)
I did not. :giggle:
VS is anti-exe, and CF is set as anti-exe and has HIPS and firewall (3 elements in one application).

In fact, I totally agree with @Lockdown (he knows it). Sometimes, I try to look at the problem from the opposite point of view to find some sense in the apparent nonsense (twisted bot-logic).
I think that two years ago, I would have liked such a layered protection.

FrankN209

Level 1
I believe there is too much FUD spread around. I think people are breached because of a lack of knowledge, i.e., not keeping their computer updated properly, safe browsing habits, being click-happy, etc. Knowledge is power.
 

shmu26

Level 83
Verified
Trusted
Content Creator
What is the best and simple way to disable script interpreters in windows 10 pro?
There isn't one.
This is the fine art of OS hardening, and of SRP/anti-exe.
Poke around the forum, you will find a lot on the subject. But I can tell you right now, there isn't a button you can press to effortlessly and safely disable all interpreters.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
You can use SysHardener to:
  • disable VBScript and JScript interpreters (wscript.exe and cscript.exe which can host JS, JSE, VBS, VBE, WSF, WSH files),
  • block PowerShell scripts execution from local drives,
  • block fileless PowerShell script execution (from remote locations) and other advanced functions via Constrained Language Mode.
But there are some other script Interpreters like JavaScript (mshta.exe for HTA files and hh.exe for CHM files), etc. which cannot be disabled by SysHardener ver. 1.5 (current version). Furthermore, SysHardener does not allow whitelisting.

On Windows Pro (GPO or external configurator), one can use SRP and Windows policies to block any Interpreter. Windows Policies do not allow whitelisting, but SRP allows whitelisting VBScript, JScript, and also CMD scripts (BAT and CMD files). SRP has an advantage in compatibility and system stability, because it can block Interpreters started with medium rights and allow those started with higher rights (which may sometimes be used by the task scheduler).

When using OSArmor, the user can disable or restrict many Interpreters like VBScript, JScript, JavaScript, PowerShell, etc. OSArmor allows whitelisting the execution of particular scripts (adding exclusions). Yet, some Interpreters are still allowed, like hh.exe (for CHM files).

There are some other options, like Excubits Bouncer driver, or Anti-Exe applications.
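The post above names several places where interpreter restrictions can live (the Windows Script Host "Enabled" switch that disables wscript.exe/cscript.exe, PowerShell Constrained Language Mode, and SRP path rules). The following read-only audit script is an added example, not code from the thread or from SysHardener/OSArmor; it reports what is currently configured on a machine so a defender can verify a hardening tool actually did what it claims. The registry locations are the standard Windows ones; the list of interpreters to look for is an assumption taken from the discussion, and the script changes nothing.

```powershell
# Added example (not from the thread): read-only audit of script-interpreter
# restrictions. Run from an elevated PowerShell prompt; nothing is modified.

# Interpreters mentioned in the discussion (assumed audit list, not exhaustive).
$Interpreters = 'wscript.exe', 'cscript.exe', 'powershell.exe',
                'powershell_ise.exe', 'mshta.exe', 'hh.exe', 'cmd.exe'

function Get-WshStatus {
    # Windows Script Host reads a REG_DWORD "Enabled" from the machine and user
    # hives; 0 disables wscript.exe/cscript.exe for that scope. When elevated,
    # HKCU is the administrator's hive, not the standard user's.
    foreach ($scope in 'HKLM', 'HKCU') {
        $key = "${scope}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($null -eq $v)        { $status = 'enabled (value not set)' }
        elseif ([int]$v -eq 0)   { $status = 'disabled' }
        else                     { $status = 'enabled' }
        [pscustomobject]@{ Check = "Windows Script Host ($scope)"; Status = $status }
    }
}

function Get-PowerShellStatus {
    # __PSLockdownPolicy (4 = ConstrainedLanguage) is the environment-variable
    # switch for Constrained Language Mode. It is a testing aid, not an
    # enforcement boundary: a real lockdown comes from AppLocker/WDAC policy.
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $lock = (Get-ItemProperty -Path $envKey -Name '__PSLockdownPolicy' -ErrorAction SilentlyContinue).__PSLockdownPolicy
    if ($lock) { $lockStatus = "$lock" } else { $lockStatus = 'not set (FullLanguage)' }
    [pscustomobject]@{ Check = 'PowerShell language mode (this session)'
                       Status = "$($ExecutionContext.SessionState.LanguageMode)" }
    [pscustomobject]@{ Check = '__PSLockdownPolicy (system)'; Status = $lockStatus }
    foreach ($e in Get-ExecutionPolicy -List) {
        [pscustomobject]@{ Check = "ExecutionPolicy ($($e.Scope))"; Status = "$($e.ExecutionPolicy)" }
    }
}

function Get-SrpInterpreterRules {
    # Software Restriction Policies are stored under Safer\CodeIdentifiers.
    # Sub-keys are security levels: 0 = Disallowed, 131072 = Basic User,
    # 262144 = Unrestricted; each level holds its path rules under "Paths".
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $levelNames = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
    if (-not (Test-Path $base)) {
        [pscustomobject]@{ Check = 'SRP'; Status = 'not configured' }
        return
    }
    $default = (Get-ItemProperty -Path $base -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    if ($null -eq $default) { $defStatus = 'not set (Unrestricted)' } else { $defStatus = $levelNames["$default"] }
    [pscustomobject]@{ Check = 'SRP default level'; Status = $defStatus }
    foreach ($level in Get-ChildItem -Path $base) {
        $pathsKey = Join-Path $level.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $target = (Get-ItemProperty -Path $rule.PSPath -Name ItemData -ErrorAction SilentlyContinue).ItemData
            # Report only rules that name one of the interpreters we care about.
            $hit = $Interpreters | Where-Object { $target -like "*$_*" }
            if ($hit) {
                [pscustomobject]@{ Check = "SRP rule ($($levelNames[$level.PSChildName]))"; Status = $target }
            }
        }
    }
}

@(Get-WshStatus) + @(Get-PowerShellStatus) + @(Get-SrpInterpreterRules) | Format-Table -AutoSize
```

A machine hardened the way the post describes should show Windows Script Host disabled in HKLM, a ConstrainedLanguage session, and Disallowed SRP rules for the interpreters; mshta.exe and hh.exe appearing in no rule is exactly the gap the post points out. Because the script only reads policy keys, it can be re-run after each feature update to confirm the settings survived.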

DeepWeb

Level 24
Verified
I always go with this graph. Do you have every layer covered? Some programs cover multiple layers like security suites. Others only cover one. If you have a security suite and a good brain capable of being a careful and skeptical Internet user, you really don't have to worry about anything other than intrusion detection and even that is pretty rare in a home environment if you don't draw attention to yourself on the Internet.



But like the graph is showing, the best security is you, the user, brain.exe. Everything depends on brain.exe. All the other programs are just for your convenience and automation. I think the most underrated security software is Windows Update, Group Policy and your favorite backup program. I recommend Group Policy to everyone because it's just like registry tweaks, but your security tweaks persist through feature updates and across the entire computer no matter how many users you add or remove.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
...
I recommend Group Policy to everyone because it's just like registry tweaks, but your security tweaks persist through feature updates and across the entire computer no matter how many users you add or remove.
The same is true for any configurator program or even the reg tweaks which can apply Windows policies directly into the Windows Registry. The problem with GPO is that there are many security settings scattered in different places. Many of those settings are prepared for managing local networks. I think that over 90% of the settings are not required in the home environment, and they are already properly set by default.
If the user wants to check the actual setup, that can take a long time, unless he/she remembers exactly where the required settings are located in gpedit. GPO is good for a locked system (little or no changes), but not when the user wants to make quick changes to many policies.
 

DeepWeb

Level 24
Verified
The same is true for any configurator program or even the reg tweaks which can apply Windows policies directly into the Windows Registry. The problem with GPO is that there are many security settings scattered in different places. Many of those settings are prepared for managing local networks. I think that over 90% of the settings are not required in the home environment, and they are already properly set by default.
If the user wants to check the actual setup, that can take a long time, unless he/she remembers exactly where the required settings are located in gpedit. GPO is good for a locked system (little or no changes), but not when the user wants to make quick changes to many policies.
Well, it's less complicated than the registry, but I agree that they should at least have a search function in Group Policy so people can quickly jump to what they are looking for. Thankfully there are guides that tell people what to configure step by step. I learned from this one:
Penetration Testers’ Guide to Windows 10 Privacy & Security

And since then I've been googling and adding more and more to my Group Policy. But you are right. Thankfully Windows 10's feature updates do a pretty good job at implementing the best policies, but there are others where I'm scratching my head.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator

DeepWeb

Level 24
Verified
Applying the policy settings via the Windows Security Baseline is not suited to home users. Those settings are prepared for Enterprises. For example, the settings for MS Office do not block macros, OLE, etc.
Eh, I didn't apply THAT part. It's indeed too strict. But the rest of the guide is still great. But it's not about applying the things that make this guide good. It's about how it introduces users to what these Group Policy objects are doing. Note this guide was created when 1607 came out and many, many of the security configurations were not in place in Windows 10 and EMET was still a thing LMAO. I've seen Microsoft adopt these settings with each feature update. But personally I'm a tinfoil hat kind of person and I don't trust the default. I make sure that the Group Policy enforces it as well so nothing can change the "default". (y)
 

Cortex

Level 11
I've been looking at 'EXE Radar Pro', which is a paid product at version 3. From my reading, version 4 is in beta but may be free. Anyone know if that's true? My VoodooShield is near to expiring, and although I could use the free version, I just wondered about Radar. I really want to put a similar program on my other half's laptop, and to buy either program is a bit much for 2 or 3 licences.

509322

they should at least have a search function in Group Policy so people can quickly jump to what they are looking for.
There is a search/filtering function. It can be found in the File sub-menu.

Most admins don't use Group Policy precisely because they don't want to be bothered with having to spend hours researching only to find tidbits of info here and there all across the web. There's no official in-depth Microsoft documentation. That is a huge problem with all things Microsoft.