- Jul 3, 2015
- 8,153
It's a good thing we have Hard_Configurator, to take care of all this stuff for us.
Does oneself really need an Antivirus?
- Thread starter LDogg
- Start date
Please provide comments and solutions that are helpful to the author of this topic.
- Dec 23, 2014
- 8,130
Hard_Configurator makes the proper SRP configuration much easier, but still in most cases, it is the task to do for advanced users.
It is best practice to use an antivirus alongside SRP and ad blocker. Not using an antivirus should be reserved for a low resource, decrepit system that is basically a real pain to use if an antivirus is running. I have yet to find a system that I cannot run an antivirus on... even a 10 year old Toshiba with a low-end Pentium chip and only 3 GB RAM. Instead of packing that system with a bunch of programs, I carefully choose what to install on it to accommodate the security soft resource overhead. It's the smart way to do things.
Windows is more secure only to the extent that discovering, reporting and patching vulnerabilities and other weaknesses is ongoing. However, the rate of doing so is not fast enough. It will never be fast enough. It probably can never be substantially faster than it is today.. There are a ton of undiscovered and upatched vulnerabilities and weaknesses in Windows and the programs that run on it. And malc0ders are developing new and innovative ways to compromise Windows systems. So Microsoft and everybody else always remain behind the 8 Ball.
It is not economically rewarding to target and attack Linux. That is why malc0ders do not target the OS.
Malware and making money from it is a numbers game. The more systems you attack with widely-used, popular software\OS, the more financially rewarding that it is. Since Windows is the most prevalently used OS world-wide, and users run the most exploited programs on it along with generally poor or non-existent security practices, the malc0ders target Windows.
Windows, and programs that run on Windows, are a treasure trove of undiscovered and unpatched vulnerabilities and weaknesses.
Last edited by a moderator:
- Dec 12, 2013
- 541
Hi...here are my observations after making some short test connected to level protection of SS and "default deny/allow" feature...each one made with enabled "Auto-block suspicious behaviour" option and empty list of rules (in "Aplication Execution Control" also)
- "Ask user" level - with no rules nothing can be launched...you can't run any process including system/MS processes e.g. Control Panel and you can't even switch-off the system (of course you can power-off phisical machine), every rule added to the list is "block". In this context I don't think that "Certified applications" can play some role...for me they are useless in such settings.
- "Auto allow - high..." - known apps can be launched but SS automaticaly creates "block" rules for some specific (suspicious for SS) actions/behaviours...here trusted signers can play the role by allowing to run apps and acting only "non-critical" actions
- "Auto allow - medium..." similar to mentioned abowe but most of actions are automaticaly allowed without adding to the list of rules...I noticed only blocked (and added to the list) actions that are "very critical" for system like #26,48,50
- Allow Microsoft" - I didn't noticed blocked actions of diferent apps/processes but only automaticaly allowed and added to the list...maybe such processes don't present suspicious behaviour?
- Dec 23, 2014
- 8,130
Did you try to block the %UserProfile% via "Exclude existing files and any future files in this folder" and 'Make it denied"? I think that after blocking it, the user could exclude some programs by applying the concrete settings per program. It would be interesting to know if 'Make it denied' is more restrictive than 'Auto allow - high ...' or 'Allow Microsoft'.
Last edited:
- Dec 12, 2013
- 541
@Andy Ful
I've never tested feature to block whole excluded folder with its content because such option is designed to exclude - in manual they say "meaning, that you don't want to block" - so actualy means to set folder free from protection. I'm using instead it option to restrict folder that one can find and add to the list in "Restricted apps" tab...by this way I have added folder for downloaded content and additionaly that one in which I have more than two thousend installators (it's my archive) of not only security apps and its versions. Of course we can't forget add for restricted folder important option to write and save inside - "folders with write access" tab.
But back to your question - I've checked what will happened when we make denied user folder/folders...because of my Vista I've used to make deny whole folder "C:\Users\my_name\"...and actualy nothing interresting have happened with usual (installed) apps - it looks that they still work properly. Some interresting things I found when tried to install new app using .exe installator - in my case it was NVT OSArmor - insttalation process was broken with special system alert...see screenshot
Some actions was blocked also when I've tried to run zipped portable apps image browser CPix...but app would launch and open window. I've tested also UNetbootin that is single .exe file - it was executed from the same folder as mentioned above and nothing have been blocked - it worked as usual.
So...It's still "mistery" for me what is the rule/base of SS that allow specific app (its actions) or block another ones. It looks that thing which pass thru temp user folders sometine is just blocked and sometime only some actions off app are blocked. I attached some lines from log file of SS to show such issue
"2018-05-29 18:33:51,2192,C:\Moje programy\FreeCommander\FreeCommander.exe,53,Allowed ;Execution of an application ("C:\testy\unetbootin-windows-661.exe" )
2018-05-29 18:34:01,2192,C:\Moje programy\FreeCommander\FreeCommander.exe,53,Allowed ;Execution of an application ("C:\Users\xxx\AppData\Local\Temp\FreeCommander2192\2\CPix.exe" )
2018-05-29 18:34:01,4060,C:\Users\xxx\AppData\Local\Temp\FreeCommander2192\2\CPix.exe,50,Blocked ;Accessing the network via DNS Resolver service
2018-05-29 18:34:01,4060,C:\Users\xxx\AppData\Local\Temp\FreeCommander2192\2\CPix.exe,48,Blocked ;Outgoing network access
2018-05-29 18:34:15,4060,C:\Users\xxx\AppData\Local\Temp\FreeCommander2192\2\CPix.exe,26,Blocked ;Modifying protected registry key (HKLM\SOFTWARE\Classes\CPix.bmpfile\shell\open\command,)
2018-05-29 18:35:42,2000,C:\Windows\System32\taskeng.exe,53,Allowed ;Execution of an application (C:\Windows\system32\wermgr.exe -queuereporting)
2018-05-29 18:36:02,2192,C:\Moje programy\FreeCommander\FreeCommander.exe,53,Allowed ;Execution of an application ("C:\testy\osarmor_setup_1.4_test67.exe" )
2018-05-29 18:36:02,2964,C:\testy\osarmor_setup_1.4_test67.exe,53,Allowed ;Execution of an application ("C:\Users\xxx\AppData\Local\Temp\is-1CBGV.tmp\osarmor_setup_1.4_test67.tmp" /SL5="$220426,8243353,57856,C:\testy\osarmor_setup_1.4_test67.exe" )
2018-05-29 18:36:09,2448,C:\Users\xxx\AppData\Local\Temp\is-1CBGV.tmp\osarmor_setup_1.4_test67.tmp,26,Blocked ;Modifying protected registry key (HKLM\SYSTEM\ControlSet001\Control,ServicesPipeTimeout)"
I've never tested feature to block whole excluded folder with its content because such option is designed to exclude - in manual they say "meaning, that you don't want to block" - so actualy means to set folder free from protection. I'm using instead it option to restrict folder that one can find and add to the list in "Restricted apps" tab...by this way I have added folder for downloaded content and additionaly that one in which I have more than two thousend installators (it's my archive) of not only security apps and its versions. Of course we can't forget add for restricted folder important option to write and save inside - "folders with write access" tab.
But back to your question - I've checked what will happened when we make denied user folder/folders...because of my Vista I've used to make deny whole folder "C:\Users\my_name\"...and actualy nothing interresting have happened with usual (installed) apps - it looks that they still work properly. Some interresting things I found when tried to install new app using .exe installator - in my case it was NVT OSArmor - insttalation process was broken with special system alert...see screenshot
Some actions was blocked also when I've tried to run zipped portable apps image browser CPix...but app would launch and open window. I've tested also UNetbootin that is single .exe file - it was executed from the same folder as mentioned above and nothing have been blocked - it worked as usual.
So...It's still "mistery" for me what is the rule/base of SS that allow specific app (its actions) or block another ones. It looks that thing which pass thru temp user folders sometine is just blocked and sometime only some actions off app are blocked. I attached some lines from log file of SS to show such issue
"2018-05-29 18:33:51,2192,C:\Moje programy\FreeCommander\FreeCommander.exe,53,Allowed ;Execution of an application ("C:\testy\unetbootin-windows-661.exe" )
2018-05-29 18:34:01,2192,C:\Moje programy\FreeCommander\FreeCommander.exe,53,Allowed ;Execution of an application ("C:\Users\xxx\AppData\Local\Temp\FreeCommander2192\2\CPix.exe" )
2018-05-29 18:34:01,4060,C:\Users\xxx\AppData\Local\Temp\FreeCommander2192\2\CPix.exe,50,Blocked ;Accessing the network via DNS Resolver service
2018-05-29 18:34:01,4060,C:\Users\xxx\AppData\Local\Temp\FreeCommander2192\2\CPix.exe,48,Blocked ;Outgoing network access
2018-05-29 18:34:15,4060,C:\Users\xxx\AppData\Local\Temp\FreeCommander2192\2\CPix.exe,26,Blocked ;Modifying protected registry key (HKLM\SOFTWARE\Classes\CPix.bmpfile\shell\open\command,)
2018-05-29 18:35:42,2000,C:\Windows\System32\taskeng.exe,53,Allowed ;Execution of an application (C:\Windows\system32\wermgr.exe -queuereporting)
2018-05-29 18:36:02,2192,C:\Moje programy\FreeCommander\FreeCommander.exe,53,Allowed ;Execution of an application ("C:\testy\osarmor_setup_1.4_test67.exe" )
2018-05-29 18:36:02,2964,C:\testy\osarmor_setup_1.4_test67.exe,53,Allowed ;Execution of an application ("C:\Users\xxx\AppData\Local\Temp\is-1CBGV.tmp\osarmor_setup_1.4_test67.tmp" /SL5="$220426,8243353,57856,C:\testy\osarmor_setup_1.4_test67.exe" )
2018-05-29 18:36:09,2448,C:\Users\xxx\AppData\Local\Temp\is-1CBGV.tmp\osarmor_setup_1.4_test67.tmp,26,Blocked ;Modifying protected registry key (HKLM\SYSTEM\ControlSet001\Control,ServicesPipeTimeout)"
- Dec 23, 2014
- 8,130
SS allows execution but applies the restrictions to executed programs from denied folders.
The question is if it applies all possible restrictions (I suspect so). From your log it follows, that the below actions were blocked:
Accessing the network via DNS Resolver service
Outgoing network access
Modifying protected registry key
I suspect that executing some other applications, you would also see other actions blocked (there are many left). Another question is if it possible to exclude some blocked actions for the concrete program, for example allowing to modify protected registry keys by OSArmor.
If so, then SS could be really used to protect all UserProfile and other user folders/partitions/disks by adopting a light sandbox for any program trying to execute from those locations.
Last edited:
- Dec 23, 2014
- 8,130
I made a quick SpyShelter test. There are two different ways of applying SS restrictions to folders/subfolders:
.
Sadly for the point 1 solution, I could not change restrictions of the concrete program located in such folders or exclude subfolders. So this solution has limited usability as default-deny protection for the UserProfile.
.
Exclusions are possible for the point 2 solution via the options 'Exclude file' or 'Exclude folder'.
So, this could be used to apply a kind of smart-default-deny security based on restrictions in the light sandbox. It shows 'All general actions' set to Deny for the program located in a denied location, but anyway allows Hard disk access. So, only some restrictions are applied, and the user cannot choose Custom option to activate all possible restrictions.
- Restricted apps list -> choose folder
- Rules -> Exclude folder -> choose folder to exclude -> Make it denied
.
Sadly for the point 1 solution, I could not change restrictions of the concrete program located in such folders or exclude subfolders. So this solution has limited usability as default-deny protection for the UserProfile.
.
Exclusions are possible for the point 2 solution via the options 'Exclude file' or 'Exclude folder'.
So, this could be used to apply a kind of smart-default-deny security based on restrictions in the light sandbox. It shows 'All general actions' set to Deny for the program located in a denied location, but anyway allows Hard disk access. So, only some restrictions are applied, and the user cannot choose Custom option to activate all possible restrictions.
Last edited:
- Dec 12, 2013
- 541
Yes...you are right that some other actions can be blocked autmaticaly but perhaps it needs time, patience and diferent apps to see something more
Exclusion of some action in case "excluded folder" aren't possible for both decision (allow-block)...you can't open advanced rules editor. But I think...it's only speculation...that you can add OSArmor to trusted signers list and by this way use another feature which you can find on the list of monitored actions (Settings/List of monitored...). There you can see empty box called "Auto-allow action for a component signed by a trusted signer"...if you tick it "on" you automaticaly allow all monitored action to be allowed and now you should manualy edit each one and make it "yes" or "no". I think priority of that settings is higher than rules made automaticaly while using app and detecting new actions that should be blocked.
Your way #2 is for me a bit "tricky" and actualy not well checked and documented...so it's rather "proof of concept" that needs to be deeper researched. That's why I'm sticking rather to #1 which is for me used for some time.
BTW...thansk for such interresting and explorative discuss
- Dec 23, 2014
- 8,130
The way #2 is probably weaker than #1, so it is better to stick with #1.Yes...you are right that some other actions can be blocked autmaticaly but perhaps it needs time, patience and diferent apps to see something more
Exclusion of some action in case "excluded folder" aren't possible for both decision (allow-block)...you can't open advanced rules editor. But I think...it's only speculation...that you can add OSArmor to trusted signers list and by this way use another feature which you can find on the list of monitored actions (Settings/List of monitored...). There you can see empty box called "Auto-allow action for a component signed by a trusted signer"...if you tick it "on" you automaticaly allow all monitored action to be allowed and now you should manualy edit each one and make it "yes" or "no". I think priority of that settings is higher than rules made automaticaly while using app and detecting new actions that should be blocked.
Your way #2 is for me a bit "tricky" and actualy not well checked and documented...so it's rather "proof of concept" that needs to be deeper researched. That's why I'm sticking rather to #1 which is for me used for some time.
BTW...thansk for such interresting and explorative discuss
- Jan 8, 2011
- 22,361
Surprised I hadn't replied yet, but the answer is.... Yes.
Keep in mind Windows is not the only operating system, there is Linux, macOS, Android and iOS - the main ones.
You don't need latest and best $100 "Security Suites", but something to aid your existing security and knowledge is sufficient.
Additional security measures and safeguards may be required for business devices and networks.
I'll await someone to moan about the Average Joe not knowing the difference between Recovery and Backup.
Keep in mind Windows is not the only operating system, there is Linux, macOS, Android and iOS - the main ones.
You don't need latest and best $100 "Security Suites", but something to aid your existing security and knowledge is sufficient.
- Router + Hardware Firewall + Secure Wireless network
- Latest OS + Security Updates
- Modern Browser + Content Blocker
- Real-time Security
- Encryption + Backup
- Emergency Recovery
Additional security measures and safeguards may be required for business devices and networks.
I'll await someone to moan about the Average Joe not knowing the difference between Recovery and Backup.
- Nov 26, 2017
- 708
So, What do you think about this combo?
HMPA + H_C with srp on + SysHardener (or OSArmor)
Virustotal app to check files if needed.
Optional: Firewall with strict default deny rules.
I feel antivirus is just useless with good habits and legal software and gives false sense of security
HMPA + H_C with srp on + SysHardener (or OSArmor)
Virustotal app to check files if needed.
Optional: Firewall with strict default deny rules.
I feel antivirus is just useless with good habits and legal software and gives false sense of security
good enough, almost my old combo (but with AppGuard instead of H_C) when i was using HMPA.
- Dec 23, 2014
- 8,130
Too complex and asking to break Windows Updates.
- Mar 9, 2014
- 544
They are important because many users can't tell whether or not a particular file should be run, malware is sometimes hidden in ads or parts of web pages in legit websites, etc.
Similar threads
-
- Question
