Andy Ful

Level 32
Content Creator
Verified
Joined
Dec 23, 2014
Messages
2,121
OS
Windows 10
Antivirus
Microsoft
#41
If you use Application Execution Control, you need to use also "Ask user" mode, because if you don't, it eventually will make a * in some of the key applications, for instance, Explorer, thus allowing all future processes started by Explorer. This will ruin the default/deny.
Yes, I found it (Ask User), but this is only for Certified applications, and the user will be alerted only for the suspicious applications (not for all applications). This feature is not for blocking the malware, but rather for avoiding blocking the legal applications.
.
Anyway, I found one useful feature related to folders:
"Exclude existing files and any future files in this folder - This option will exclude all currently existing files in the folder as well as all future files. It is less safe than first option; however, it might be useful for users who often modify files."
.
The above can be used for whitelisting/blacklisting folders.
There is an option 'Make it denied', that will apply all SpyShelter rules to this folder (I think). This would work as default-deny for suspicious applications. Yet, if the malware can behave like the legal software, then SpyShelter HIPS (deny template) can be bypassed, so this kind of security is only close to default-deny. The alerts can be suppressed by ticking the option 'Auto-block suspicious behaviour'.
One should test such a setup to know how strong it can be.
.
Edit.
I think that the same thing can be done with Sandboxie (paid), by sandboxing disks or folders in a highly restricted sandbox.
 
Last edited:

shmu26

Level 70
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,949
OS
Windows 10
#42
Yes, I found it (Ask User), but this is only for Certified applications, and the user will be alerted only for the suspicious applications (not for all applications). This feature is not for blocking the malware, but rather for avoiding blocking the legal applications.
When I used Spyshelter Firewall in Ask user mode, it seemed to me that it alerted for every application execution, regardless of where or what or why. It was total default/deny, with lots and lots of prompts. I don't have it installed any more, not even sure if my license is still valid.
Maybe @ichito can clarify, he is an expert user of Spyshelter. @Lockdown is also a long-time expert user of SSF.
 

Andy Ful

#43
When I used Spyshelter Firewall in Ask user mode, it seemed to me that it alerted for every application execution, regardless of where or what or why. It was total default/deny, with lots and lots of prompts. I don't have it installed any more, not even sure if my license is still valid.
Maybe @ichito can clarify, he is an expert user of Spyshelter. @Lockdown is also a long-time expert user of SSF.
I think that you did not tick the option 'Auto-block suspicious behaviour'. If you did it and activated 'Ask User' then only suspicious Certified applications would be alerted.
 

Andy Ful

#44
Back to the topic, another no signature setup:
Shadowdefender + Sandboxie paid (sandboxed User Space, MS Office, etc.) + forced SmartScreen (to check application installers).
 
Last edited:

CMLew

Level 23
Verified
Joined
Oct 30, 2015
Messages
1,212
OS
Windows 10
Antivirus
Default-Deny
#45
Back to the topic, another no signature setup:
Shadowdefender + Sandboxie paid (sandboxed User Space, MS Office, etc.) + forced SmartScreen (to check application installers).
looks good. Sandboxie might not really need it if you're into Chrome and Edge mostly.

Shadow Defender is a really good software to use. Alternative to this is from ToolWiz (though I'm sure if it still exists currently).
 

Andy Ful

#46
looks good. Sandboxie might not really need it if you're into Chrome and Edge mostly.
...
You probably had in mind Sandboxie free for protecting the web browser.
Yet, Sandboxie (paid) in this setup is not for protecting web browsers, but mainly for:
  • Running sandboxed all vulnerable applications, like: Office applications, Document viewers, etc.
  • Opening all files from the vulnerable folders / disks in the sandboxes. This has to be a paid version because the free version has not got such features.
The user can prepare as many different sandboxes as he wants. I used, for example, a sandbox that killed opening / running any file from some folders. In the above setup, Sandboxie works similarly to Comodo Firewall with CS settings (without Trusted Vendors List) - SmartScreen is a replacement for Trusted Vendors List and File Lookup features.
 
Last edited:
Likes: harlan4096

Umbra

Level 85
Content Creator
Verified
Joined
May 16, 2011
Messages
18,568
OS
Windows 10
Antivirus
Default-Deny
#47
If you use Shadow Defender on-boot, you don't need Sandboxie, just an anti-logger to detect & block malware to call home
 

Andy Ful

#48
@Umbra is right in the case when all storage sources are in the shadow mode. But such a setup is great only for the cautious users, and many people will consider it inconvenient.
.
I use Shadow Defender with only system partition in the shadow mode, and sometimes (rarely) forget to commit changes (losing a few documents, downloaded files, etc.). Generally, all data is stored on other partitions / disks (not in shadow mode).
.
So, if the user keeps only the system partition in the shadow mode, then something like Sandboxie is required to isolate the malware embedded in media, documents, etc.
Sandboxie can be useful even when all disks/partitions are in shadow mode, because Shadow Defender + anti-keylogger do not prevent stealing the files with personal content. The user can prepare the sandboxes which cannot access such data.
Furthermore, one cannot keep all storage sources in the shadow mode. There is always a danger for pendrives, backup USB disks, etc. that the malware can embed something malicious in the stored documents and other files. One could avoid this by restarting the system before connecting external sources and disconnecting them as soon as possible, but as I said before, for many people that will be inconvenient.
 
Last edited:

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,182
#49
Is there a free version of AppGuard at all?

~LDogg
Currently, there is no free version of AppGuard. EdgeGuard SOLO, which was mentioned, is decade-old ancient history.

All of the default-deny solutions mentioned here consume very low resources.

What you have to figure out is what works best for you personally on your specific system(s). The only way to accomplish that is to try the various programs for yourself.
 
Last edited:

CMLew

#50
You probably had in mind Sandboxie free for protecting the web browser.
Yet, Sandboxie (paid) in this setup is not for protecting web browsers, but mainly for:
  • Running sandboxed all vulnerable applications, like: Office applications, Document viewers, etc.
  • Opening all files from the vulnerable folders / disks in the sandboxes. This has to be a paid version because the free version has not got such features.
The user can prepare as many different sandboxes as he wants. I used, for example, a sandbox that killed opening / running any file from some folders. In the above setup, Sandboxie works similarly to Comodo Firewall with CS settings (without Trusted Vendors List) - SmartScreen is a replacement for Trusted Vendors List and File Lookup features.
Agreed.
Precisely why I ditch most of the vulnerable applications such as MS Office, Adobe, etc... Trying hard to find a decent replacement.
 
Likes: Andy Ful

Umbra

#51
@Umbra is right in the case when all storage sources are in the shadow mode. But such a setup is great only for the cautious users, and many people will consider it inconvenient.
Indeed and then we are back to the same old principle that made Windows a failure security wise:

- sacrificing security for convenience.


I use Shadow Defender with only system partition in the shadow mode, and sometimes (rarely) forget to commit changes (losing a few documents, downloaded files, etc.). Generally, all data is stored on other partitions / disks (not in shadow mode).
As a very old Shadow Defender user, i will tell you how i use SD on boot:

Usually i couple it with an anti-exe or SRP or any anti-logger (since most like SpS or ZAL usually have some sort of HIPS) to prevent keyloggers and other malware.

1- SD is set on boot (all partitions) for non-admin task (aka surfing, watching movies, torrenting, etc...). So clean system every boot.
- for admin task (updating the OS), i reboot once (restoring a clean system), get out SD mode > update > turn SD On when done.
(this is the only moment the system isn't protected by SD and i don't connect anything to the net.)

2- i never but never commit changes (this is the weakness to me),
- if i want to save some docs/files, i check them with any OD scanners or VT Uploader and save them to any cloud.
- if i use an External drive, i use one that was only plugged to my clean system.
- USB contents from other machines are checked, then if clean, i copy the content to the cloud, unplug the USB, then i reboot SD again to be sure.

By doing this normally, you are on a clean system every boot, ext-drive is clean, USBs are clean, files are clean.

of course those steps are not so "convenient" but personally i won't sacrifice security to save some clicks.

So, if the user keeps only the system partition in the shadow mode, then something like Sandboxie is required to isolate the malware embedded in media, documents, etc.
Sandboxie can be useful even when all disks/partitions are in shadow mode, because Shadow Defender + anti-keylogger do not prevent stealing the files with personal content. The user can prepare the sandboxes which cannot access such data.
if you work on personal content, you must reboot to load a clean system. Sandboxie is useless then.

Now i don't say you shouldn't use Sbie with SD, but i find the combo redundant. :)
 
Joined
Jan 5, 2018
Messages
179
OS
Windows 10
Antivirus
Isolation
#52
The question I wonder when people accuse Windows of being a security failure is what if Linux was the OS over 90% of the market share and almost everyone was using it thus being the main focus for malware creators and hackers.

Would it hold up to that much focus of trying to break its security barriers? Or would we be talking about the many weaknesses of Linux security today? Even the biggest walls crumble under enough pressure.
 
Last edited:
Likes: oldschool

Umbra

#53
The question I wonder when people accuse Windows of being a security failure is what if Linux was the OS over 90% of the market share and almost everyone was using it thus being the main focus for malware creators and hackers.

Would it hold up to that much focus of trying to break its security barriers? Or would we be talking about the many weaknesses of Linux security today? Even the biggest walls crumble under enough pressure.
Linux did the one thing MS greatly failed at: user separation. (but now they start copying Windows for...? convenience....)
Linux users don't start with full right accounts, they start with limited accounts, truly separated from each other, and MS still doesn't get it...
 
Joined
Jan 5, 2018
Messages
179
OS
Windows 10
Antivirus
Isolation
#54
Linux did the one thing MS greatly failed at: user separation. (but now they start copying Windows for...? convenience....)
Linux users don't start with full right accounts, they start with limited accounts, truly separated from each other, and MS still doesn't get it...
True but if the entire malware community was focused on breaking into it there could be a reveal of a weakness that shatters our perception of its security. Just questions that float around my head. :geek:
 
Likes: oldschool

Lockdown

#55
True but if the entire malware community was focused on breaking into it there could be a reveal of a weakness that shatters our perception of its security. Just questions that float around my head. :geek:
Any OS or system can be hacked - no matter what security softs or other security measures a user has installed and configured. On difficult-to-hack systems, it is just a matter of determination (and money). A money-yielding hack is simply a matter of accurate, targeted social engineering. Malc0ders pull this off every single day - by the hundreds, if not thousands.

Linux is full of (undiscovered and unpatched) weaknesses and vulnerabilities - just like any other software.
 
Joined
Sep 26, 2017
Messages
453
Antivirus
Microsoft
#56
The question I wonder when people accuse Windows of being a security failure is what if Linux was the OS over 90% of the market share and almost everyone was using it thus being the main focus for malware creators and hackers.

Would it hold up to that much focus of trying to break its security barriers? Or would we be talking about the many weaknesses of Linux security today? Even the biggest walls crumble under enough pressure.
If you want an honest opinion, it is extremely easy to exploit Linux compared to Windows. Windows has lots of holes patched and systems (with more every year) in place that make it a chore.

Linux users truly believe they're more secure, when they're not, people are just not interested in attacking them.

Speaking outside of exploits, you don't need to spend much time on Linux to find an annoying bug..
 

Andy Ful

#57
Indeed and then we are back to the same old principle that made Windows a failure security wise:

- sacrificing security for convenience.
...
Now i don't say you shouldn't use Sbie with SD, but i find the combo redundant. :)
.
I like your safety procedures with ShadowDefender config. I think that many advanced users will like them too. :)
But, using 'ShadowDefender + SRP' or 'Shadowdefender + Anti-Exe' is just another kind of security, just as 'Shadow Defender + Sandboxie'. SRP, Anti-Exe or Sandboxie make such a setup safer and more usable. (y)
 
Last edited:

Umbra

#58
True but if the entire malware community was focused on breaking into it there could be a reveal of a weakness that shatters our perception of its security. Just questions that float around my head. :geek:
I don't talk about pentesting or PoC the OS, which is absolutely a different perspective.
I talk about out of the box security for the classic user and for that Linux still owns Windows.
 

Andy Ful

#60
since vista i don't use an antivirus, no realtime protection only srp. and adguard. so far so good
You are pretty much safe, because you know how to set SRP properly. Most SRP users are hardly as safe as they think. They do not recognize the shortcut, macros, and scriptlet vulnerabilities, which can easily bypass the standard SRP configuration. They do not know how many Windows folders have writable & executable permissions and allow dropping executables to whitelisted folders without UAC prompt. But, when using a good on-demand or file reputation scanner + safe web browser, they are probably as safe as using the standard free AV.
Anyway, if someone wants to try SRP, the links below can be helpful:
SRP: Protecting Windows Folder in Win 10
Tutorial - How do Software Restriction Policies work (part 1) ?
Tutorial - How do Software Restriction Policies work (part 2) ?
Tutorial - How do Software Restriction Policies work (part 3) ?
 
Last edited:
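
The point in #60 about user-writable folders inside whitelisted Windows paths can be checked on one's own machine. The following is an added example, not part of the thread and not any poster's script: a read-only PowerShell audit that lists folders under `%WINDIR%` whose ACL allows standard-user principals to both create and execute files, so they can be covered by extra SRP "Disallowed" rules. The function name and the SID list are assumptions of this example; Deny ACEs and effective-access calculation are ignored, so treat the output as a list of candidates to review.

```powershell
# Added example (not from the thread). Read-only: it only reads ACLs.
# Assumptions: Deny ACEs and per-file ACLs are ignored; group nesting is not resolved.
function Get-UserWritableExecutableFolder {
    [CmdletBinding()]
    param(
        [string]$Root = $env:windir,
        # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
        [string[]]$Sids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Specific right plus the generic bits that imply it (GENERIC_* / GENERIC_ALL)
    $create  = 0x2  -bor 0x40000000 -bor 0x10000000   # CreateFiles (WriteData)
    $execute = 0x20 -bor 0x20000000 -bor 0x10000000   # ExecuteFile (Traverse)

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $folders) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { continue }                            # ACL not readable: skip this folder

        $mask = 0
        # Ask for rules with SIDs as identities, so localized group names do not matter
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, not to this folder itself
            if ([int]($rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($Sids -notcontains $rule.IdentityReference.Value) { continue }
            $mask = $mask -bor [int]$rule.FileSystemRights
        }

        if (($mask -band $create) -and ($mask -band $execute)) {
            [pscustomobject]@{
                Path   = $dir.FullName
                Rights = '0x{0:X8}' -f $mask          # combined Allow mask for the listed SIDs
            }
        }
    }
}

# Usage: Get-UserWritableExecutableFolder | Sort-Object Path | Format-Table -AutoSize
```

Folders that cannot be enumerated without elevation are silently skipped, so running it once as a standard user and once elevated gives the fuller picture.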