Advanced Plus Security ErzCrz Security Config 2024

Last updated
May 19, 2023
How it's used?
For home and private use
Operating system
Windows 11
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
About WiFi router
Sky Router with built-in IPV4/IPv6 Firewall
Real-time security
Comodo Internet Security .8012
CyberLock
Firewall security
Other - Internet Security (3rd-party)
About custom security
CIS .8012 in Proactive Config with Containment Set to Untrusted
Cyberlock - ON - Create In/Out Firewall Rules for Unsafe Items.
Periodic malware scanners
Norton Power Eraser
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
Primary: Edge with uBO in Medium Mode - Netcraft/BD:TL
Secondary - Firefox with uBO in Medium Mode - Netcraft/BD:TL
Secure DNS
Provided by ISP Sky Shield though occasionally Cloudflare DNS over HTTP.
Desktop VPN
None. Browsing primarily on home private network.
Password manager
KeepassXC
Maintenance tools
Windows built-in Disk Clean-up and Storage Sense.
File and Photo backup
Seagate - Toolkit - Weekly Backup
Active subscriptions
    • None
System recovery
External Drive - Backup of Documents and folders.
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Downloading software and files from reputable sites
    • Gaming
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Notable changes
22.01.2022 - Reverted to Comodo Internet Security setup with Firefox as default browser and Thunberbird email client.
15.05.2022 - Reverted to Hard_Configurator setup following errors after uninstall and PC reset with Edge as default browser for MD integration while also sticking to Thunderbird for email & Updated backup routine.
13.08.2022 - Swapped to built-in backup solution.
12.09.2022 - General update in line with new guidelines.
29.10.2022 - Edge Exploit Tweaks re-implimented
15.11.2022 - Edge Exploit Tweaks removed. Removed OneDrive backups.
18.11.2022 - Firefox now my primary browser & Thunderbird primary email client.
12.12.2022 - updated Dec 2022 changes, backup now manual and onedrive. Experimenting with Comodo Internet Security but not fully committed to it yet.
11.01.2023 - Updated Security Configuration for new laptop and having won Emisoft giveaway.
22.01.2023 - Reverted to MD, ConfigureDefender - High & Enabled CFA, FWHardener, Added NPE to scanner, Edge exploit tweaks.
01.02.2023 - Now using Seagate Toolkit for Backup of Documents and Folders
18.05.2023 - Using H_C Beta and few unticks/ticks of PC use.
24.06.2023 - Back to Emsisoft Anti-Malware Home, Changed Password Manager to KeepassXC
02.09.2023 - Switched from Emsisoft Setup to CF/MD Configuration
20.10.2023 - Switched to Firefox, no longer using VPN for as work now has Azure cloud servers. Temporarily removed custom exploit settings.
01.11.2023 - Back to MD H_C setup
12.12.2023 - Added Anti-Exploit Tweaks and uBO in Hard Mode with noop rules.
20.12.2023 - Removed custom exploit rules as having some Edge freezes. Moved back to Comodo Firewall with Cruelsister Configuration.
21.12.2023 - Firefox now primary browser.
27.12.2023 - Edge changed to Primary Browser
06.01.2024 - Removed WFC, Implemented WFH & CL create firewall rules for not safe items.
08.01.2024 - Re-Added WFC
03.01.2024 - Firefox now primary browser.
21.01.2024 - Changed Primary Browser to Edge
28.01.2024 - Removed WFC and replaced with CF
05.02.2024 - Returned to WFC
31.12.2023 - New config for 2024 - MD (DefenderUI), CyberLock,WFC
28.02.2024 - Adjusted uBO Rules & Added Netcraft & BD:TL extensions
25.03.2024 - Changed to CIS .8012
Disclaimer we use date format DD/MM/YYYY here in the UK
What I'm looking for?

Looking for minimum feedback.

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
My planned security setup to continue through 2022. I did a lot of back and forth between this and Comodo Internet Security the past year but determined to stick with this option. If Comodo comes out with a product update I may revisit it .

Controlled Folder Access is still something I'm not solidly using but I think I just need to understand it a bit better or whitelist what I need to. I also stopped running WD in it's own sandbox since Tamper Protection became a MD feature and it slowed things randomly on my machine.

Edge Exploit settings:

Exploit Protection settings for browsers (thanks to @Umbra @oldschool ). These have broken anything yet, e.g. extensions crashing.
- for Brave, Edge and Firefox:

Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

ADD for Edge Chromium only: Code integrity guard - ON (with or without Also allow images signed by M$ Store CHECKED)

uBlock Origin Dynamic and Static rules:
Advanced user ticked for hard mode/medium mode

Dynamic rules:

no-csp-reports: * true
no-large-media: behind-the-scene false
no-popups: * true
no-strict-blocking: 192.168.0.1 true
* * 3p block
* * 3p-frame block
* * 3p-script block
* com * noop
* eu * noop
* info * noop
* io * noop
* net * noop
* org * noop
* uk * noop
behind-the-scene * * noop
behind-the-scene * 1p-script noop
behind-the-scene * 3p noop
behind-the-scene * 3p-frame noop
behind-the-scene * 3p-script noop
behind-the-scene * image noop
behind-the-scene * inline-script noop

Static Filters:
! Block beacons, plugins and websockets everywhere
||*$ping,object,websocket

! Block potentially unsafe third-party content to unencrypted websites
|HTTP://*$third-party,~document,~stylesheet,~image,~media

! Block opening webpages on top level domains and countries I never visit
||*$document,~stylesheet,~image,~media,~script,~subdocument,~xmlhttprequest,domain=~com|~info|~io|~eu|~net|~org|~uk

! Inject javascript to blur Google FLOC interest tagging
*##+js(no-floc)

! Block switch to Chrome popop on google domains (search, maps, etc)
||ogs.google.*/widget/callout$all

! Block Google search URL paramater tracking
||google.*/search$removeparam=biw
||google.*/search$removeparam=bih
||google.*/search$removeparam=dpr
||google.*/search$removeparam=sa
||google.*/search$removeparam=source
||google.*/search$removeparam=aqs
||google.*/search$removeparam=sourceid
||google.*/search$removeparam=ei
||google.*/search$removeparam=gs_lcp
||google.*/search$removeparam=gclid

! youtube.com
||youtube.com/subscribe_embed?$third-party
||youtube.com/subscribe_widget$third-party
youtube.com###alert-banner > .ytd-browse > .yt-alert-with-actions-renderer
youtube.com###mealbar\:3 > ytm-mealbar.mealbar-promo-renderer
youtube.com###notification-footer
youtube.com###secondary-links
youtube.com###yt-feedback
youtube.com###yt-hitchhiker-feedback
youtube.com###yt-lang-alert-container
youtube.com##.yt-consent
youtube.com##.ytd-banner-promo-renderer.style-scope.ytd-banner-promo-renderer-content
youtube.com##.ytd-banner-promo-renderer.style-scope.ytd-banner-promo-renderer-background
youtube.com##.ytd-primetime-promo-renderer
youtube.com##.ytd-statement-banner-renderer
youtube.com##.ytp-ce-playlist
youtube.com##.ytp-pause-overlay
youtube.com##.ytp-title-channel
youtube.com##+js(json-prune, *.playerResponse.adPlacements)
youtube.com##+js(json-prune, *.playerResponse.playerAds)
youtube.com##+js(json-prune, 2.playerResponse.adPlacements playerResponse.adPlacements playerResponse.playerAds adPlacements playerAds)
youtube.com##+js(json-prune, 2.playerResponse.adPlacements)
youtube.com##+js(json-prune, playerResponse.adPlacements)
youtube.com##+js(json-prune, playerResponse.playerAds)
youtube.com##+js(set, ytInitialPlayerResponse.adPlacements, null)
youtube.com##div[class^="ytd-consent"]
youtube.com##ytd-popup-container > .ytd-popup-container > #contentWrapper > .ytd-popup-container[position-type="OPEN_POPUP_POSITION_BOTTOMLEFT"]
youtube.com#@##consent-bump
||gstatic.com/youtube/img/promos/*.jpeg$image,domain=youtube.com

Hopefully not to many major changes as this works well.
 
Last edited by a moderator:

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
I have reverted to my Comodo Internet Security setup with Firefox as default browser and Thunberbird email client. Reverted Edge Expoit tweaks as it kept showing alerts with Comodo running.

I hadn't planned to change back but uses less resources than MD and a good default deny setup. Comodo does take a fair bit of tweaking but does what it does well. I'm sure I'll end up switching back at some point to the H_C config.
 

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
Just for info, one of the motivations that made me I switch from MD as default protection is that I'm still on an old machine, I don't plan on upgrading yet, I have basic Windows 10 Home version that was upgraded from 8.1 and I'm not subscribing to 365 so I'm inherently less protected by default than someone who has the current / Win 11 compatible kit. That and Comodo uses about 24meg of ram running whereas MD with ConfigureDefender set to High uses 240meg average (140 with default setting).

Edge is good but CIS/CF seems to flow better with FF though CIS's web protection only seems to work with http.

Hard_Configure / SimpleWindowsHardening enables most of those features which is great so I may see about a H_C or SWH combination with CIS or CF at some point once I work out how best to get the two working together without issue.
 
F

ForgottenSeer 92963

As you are hardening the web browser using uBlockOrigin advanced features, this one might be worth evaluating

! Block eval javascript command
*##+js(noeval)

! Allow using eval for example.com
example.com.#@#+js(noeval)
 
Last edited by a moderator:
F

ForgottenSeer 92963

@ErzCrz,

Since you are using Firefox (chromium based browser users can set this in site permissions), you could limit first-party website in the same way you did with third-party. I removed INFO on purpose in the 3p NOOP since those websites are mostly first-party, for the same reason I did not include IO in the no-scripting FALSE, because they are mostly used as third-party

_____ restrict first-party similar to third-party in MY RULES ______

no-scripting: * true
no-scripting: com false
no-no-scripting: eu false
no-scripting: info false
no-scripting: net false
no-scripting: org false
no-scripting: uk false

* * 3p block
* * 3p-frame block
* * 3p-script block
* com * noop
* eu * noop
* io * noop
* net * noop
* org * noop
* uk * noop
 

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
@ErzCrz,

Since you are using Firefox (chromium based browser users can set this in site permissions), you could limit first-party website in the same way you did with third-party. I removed INFO on purpose in the 3p NOOP since those websites are mostly first-party, for the same reason I did not include IO in the no-scripting FALSE, because they are mostly used as third-party

_____ restrict first-party similar to third-party in MY RULES ______

no-scripting: * true
no-scripting: com false
no-no-scripting: eu false
no-scripting: info false
no-scripting: net false
no-scripting: org false
no-scripting: uk false

* * 3p block
* * 3p-frame block
* * 3p-script block
* com * noop
* eu * noop
* io * noop
* net * noop
* org * noop
* uk * noop
That's a huge help, thanks so much!

Loving how my setup is now labelled Advanced Plus Security now. Maybe the system has to be hardened to make it complete.

Anyway, these are useful whichever setup I use so I should augment my Edge rules as well. I expect I'll be back to MD before long but I'm still experimenting with tweaks and comparing things. Plan wasn't to do that this year but it's not been exactly going to plan :D
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
Hard_Configure / SimpleWindowsHardening enables most of those features which is great so I may see about a H_C or SWH combination with CIS or CF at some point once I work out how best to get the two working together without issue.

I am not sure if this would be recommendable. Your current setup seems to be sufficiently complex. Anyway, you can ask @cruelsister if there are some loopholes that should be hardened.(y)
 

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
I am not sure if this would be recommendable. Your current setup seems to be sufficiently complex. Anyway, you can ask @cruelsister if there are some loopholes that should be hardened.(y)
Thanks, just exploring options. I like both setups and my helping knowledge is more Comodo based. I doubt there's any need for hardening with Comodo but worth a look.

Today's test showed less resources used with Edge H_C CD High setup compared to Comodo FF configuration but it's more about browser resource usage for that. Also CD set to High was misinterpreted as 240mb idle previously but I hadn't realized a scan was running in the background. Currently MD using 150mb average.

Anyway, thanks for the info/reply.
 
F

ForgottenSeer 92963

@Andy Ful and @ErzCrz

Andy what about adding SWH with SRP enabled (standard) and Windows Hardening disabled. In this way Comodo deals with executables and scriptors and SWH is just an additional hardening of user space to stop first stages of advanced attacks by blocking risky file extensions in userland for standard user/medium integrity processes only?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful and @ErzCrz

Andy what about adding SWH with SRP enabled (standard) and Windows Hardening disabled. In this way Comodo deals with executables and scriptors and SWH is just an additional hardening of user space to stop first stages of advanced attacks by blocking risky file extensions in userland for standard user/medium integrity processes only?

Unfortunately, I do not use Comodo so I cannot say with confidence which SWH settings are not necessary.
I guess that there exists a Comodo setup with some restricted LOLBins which does not need SWH at all.

Edit.
I am not a fan of Comodo's HIPS, because no one really knows how is their impact on Windows system processes (current and introduced in the future). The auto-sandbox feature is more predictable. The Comodo's features are very strong - this can be sometimes a disadvantage for Windows stability.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
At first glance, it seems that SWH can make the Comodo setup more convenient if the user needs scripting. The scripts cannot be whitelisted in Comodo. So, the user can allow scripting in Comodo and use SWH to restrict scripts. A similar problem can be with some other LOLBins (Sponsors). But, I would not fully disable <Windows Hardening> in SWH. Disabling several remote features, SMB protocols, or hardening MS Office (Adobe Reader) will not hurt.
 

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
Just updating... Blocking java via noeval seems to be working pretty well. I have had to whitelist a few websites that I use regularly but otherwise going well with uBO tweaks. Thanks again @Kees1958 :D

! Block eval javascript command
*##+js(noeval)

! Allow using eval for example.com
website.*#@#+js(noeval)

CIS configuration going okay without much issue though nothing logged over the past 7 days of browsing etc though files automatically added to trusted file list. CIS and MD with H_C are certainly two different approaches.

Anyway, interesting experiment so far.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
It might be amusing for you to run an innocuous Scriptor on your setup: Download and run Kaspersky Virus Removal Tool. KVRT will drop a cmd script initially (into Local/Temp) to be run when you close the application. This script will delete the application files that the original installer unpacks (also in Local/Temp) as well as deleting a driver that was dropped in Windows/System and a run once (for the Script) registry entry. Although totally fine, these commands can as well be used by horrible people in malware to do truly nasty things (not that I would know, of course).

Now determine who blocks what and when...
 

ErzCrz

Level 21
Thread author
Verified
Top Poster
Well-known
Aug 19, 2019
1,004
It might be amusing for you to run an innocuous Scriptor on your setup: Download and run Kaspersky Virus Removal Tool. KVRT will drop a cmd script initially (into Local/Temp) to be run when you close the application. This script will delete the application files that the original installer unpacks (also in Local/Temp) as well as deleting a driver that was dropped in Windows/System and a run once (for the Script) registry entry. Although totally fine, these commands can as well be used by horrible people in malware to do truly nasty things (not that I would know, of course).

Now determine who blocks what and when...
Hmm, interesting. In that circumstance I'd be better with a hardened system but it's a bit over my head to be honest. Hard_Configurator would probably stop that script I'm guessing.

Anyway, you make a interesting point as always :)
 
F

ForgottenSeer 92963

@SecureKongo and @ErzCrz

Simple Windows Hardening blocks running scripts in user space and optionally sets some registry keys to make powershell less prone to misuse. SWH also has an option to disable Wscript but not CMD (I have had a long conversation with Andy on this, but I could not convince him to add that also).

With Hard_Configurator you can also block executing sponsors. H_C in recommended settings allows admins to overrule the Software Restriction Policies. This means you can always install stuf by right-click "run as admin". On top of that H_C has two usability modes to make life easier for you:

  1. Update mode (set to ON)
    This allows software to update from the ProgramData and %UserProfile%\AppData folders (by allowing EXE, MSI and TMP). Most installed software updates from Temp folder or their own folders in ProgramData or AppData. This is like SWH only for two specified folders.

  2. Allow EXE, TMP and MSI (globally)
    This is basically the same as SWH, only with the added security to block sponsors as well.

Link to manual: Hard_Configurator/Hard_Configurator - Manual.pdf at master · AndyFul/Hard_Configurator

To reassure you: I block sponsors since I am running a Windows Pro version (XP Pro), since Windows10 (I think from 2019) I am also blocking CMD and Wscript through Group Policy for current User with no problems (but I am running a Microsoft Office + Edge setup with SyncBack Free and Macrium Free on my standard user and additionally FileZilla plus Visual Studio on my admin account).
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@SecureKongo and @ErzCrz
...
With Hard_Configurator you can also block executing sponsors. H_C in recommended settings allows admins to overrule the Software Restriction Policies. This means you can always install stuf by right-click "run as admin".

The H_C and SWH can also prevent admins to overrule the Software Restriction Policies. The H_C must be run with "-p" switch and SWH has got a special option * Policy Scope * . I do not recommend preventing admins in H_C, except for Basic_Recommended_Settings + a few Sponsors blocked.

On top of that H_C has two usability modes to make life easier for you:

  1. Update mode (set to ON)
    This allows software to update from the ProgramData and %UserProfile%\AppData folders (by allowing EXE, MSI and TMP). Most installed software updates from Temp folder or their own folders in ProgramData or AppData. This is like SWH only for two specified folders.

  2. Allow EXE, TMP and MSI (globally)
    This is basically the same as SWH, only with the added security to block sponsors as well.

Link to manual: Hard_Configurator/Hard_Configurator - Manual.pdf at master · AndyFul/Hard_Configurator

These settings can be loaded via the Windows_10_Basic_Recommended setting profile.

To reassure you: I block sponsors since I am running a Windows Pro version (XP Pro), since Windows10 (I think from 2019) I am also blocking CMD and Wscript through Group Policy for current User with no problems ...

In H_C, one can use <Block Sponsors> and "Script Interpreters" <ON> + "Enhanced" <ON> to block popular script interpreters and LOLBins. This is a better solution compared to GPO, because the blocked events can be easily seen via <Tools><Blocked Events / Security Logs>.
If the computer is used both at home and work, then it is possible to prevent also admins to bypass SRP (-p switch).(y)
 
Last edited:
F

ForgottenSeer 92963

For normal home use SRP should never be applied for admins (which Miccrosoft describes as "for all users, except Admins"). As most tests show, most premium brand AntiVirus will block 99,99% of all ordinary executables. By blocking risky file extensions and blocking sponsors for "all users, except Admins" with SRP, the average home user is well protected without having to deal with popups or negative impact on functionality (executing programs).
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top