Advanced Plus Security ErzCrz Security Config 2024

[ErzCrz]

My planned security setup to continue through 2022. I did a lot of back and forth between this and Comodo Internet Security the past year but determined to stick with this option. If Comodo comes out with a product update I may revisit it .

Controlled Folder Access is still something I'm not solidly using but I think I just need to understand it a bit better or whitelist what I need to. I also stopped running WD in it's own sandbox since Tamper Protection became a MD feature and it slowed things randomly on my machine.

Edge Exploit settings:

Exploit Protection settings for browsers (thanks to @Umbra @oldschool ). These have broken anything yet, e.g. extensions crashing.
- for Brave, Edge and Firefox:

Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

ADD for Edge Chromium only: Code integrity guard - ON (with or without Also allow images signed by M$ Store CHECKED)

uBlock Origin Dynamic and Static rules:
Advanced user ticked for hard mode/medium mode

Dynamic rules:

no-csp-reports: * true
no-large-media: behind-the-scene false
no-popups: * true
no-strict-blocking: 192.168.0.1 true
* * 3p block
* * 3p-frame block
* * 3p-script block
* com * noop
* eu * noop
* info * noop
* io * noop
* net * noop
* org * noop
* uk * noop
behind-the-scene * * noop
behind-the-scene * 1p-script noop
behind-the-scene * 3p noop
behind-the-scene * 3p-frame noop
behind-the-scene * 3p-script noop
behind-the-scene * image noop
behind-the-scene * inline-script noop

Static Filters:
! Block beacons, plugins and websockets everywhere
||*$ping,object,websocket

! Block potentially unsafe third-party content to unencrypted websites
|HTTP://*$third-party,~document,~stylesheet,~image,~media

! Block opening webpages on top level domains and countries I never visit
||*$document,~stylesheet,~image,~media,~script,~subdocument,~xmlhttprequest,domain=~com|~info|~io|~eu|~net|~org|~uk

! Inject javascript to blur Google FLOC interest tagging
*##+js(no-floc)

! Block switch to Chrome popop on google domains (search, maps, etc)
||ogs.google.*/widget/callout$all

! Block Google search URL paramater tracking
||google.*/search$removeparam=biw
||google.*/search$removeparam=bih
||google.*/search$removeparam=dpr
||google.*/search$removeparam=sa
||google.*/search$removeparam=source
||google.*/search$removeparam=aqs
||google.*/search$removeparam=sourceid
||google.*/search$removeparam=ei
||google.*/search$removeparam=gs_lcp
||google.*/search$removeparam=gclid

! youtube.com
||youtube.com/subscribe_embed?$third-party
||youtube.com/subscribe_widget$third-party
youtube.com###alert-banner > .ytd-browse > .yt-alert-with-actions-renderer
youtube.com###mealbar\:3 > ytm-mealbar.mealbar-promo-renderer
youtube.com###notification-footer
youtube.com###secondary-links
youtube.com###yt-feedback
youtube.com###yt-hitchhiker-feedback
youtube.com###yt-lang-alert-container
youtube.com##.yt-consent
youtube.com##.ytd-banner-promo-renderer.style-scope.ytd-banner-promo-renderer-content
youtube.com##.ytd-banner-promo-renderer.style-scope.ytd-banner-promo-renderer-background
youtube.com##.ytd-primetime-promo-renderer
youtube.com##.ytd-statement-banner-renderer
youtube.com##.ytp-ce-playlist
youtube.com##.ytp-pause-overlay
youtube.com##.ytp-title-channel
youtube.com##+js(json-prune, *.playerResponse.adPlacements)
youtube.com##+js(json-prune, *.playerResponse.playerAds)
youtube.com##+js(json-prune, 2.playerResponse.adPlacements playerResponse.adPlacements playerResponse.playerAds adPlacements playerAds)
youtube.com##+js(json-prune, 2.playerResponse.adPlacements)
youtube.com##+js(json-prune, playerResponse.adPlacements)
youtube.com##+js(json-prune, playerResponse.playerAds)
youtube.com##+js(set, ytInitialPlayerResponse.adPlacements, null)
youtube.com##div[class^="ytd-consent"]
youtube.com##ytd-popup-container > .ytd-popup-container > #contentWrapper > .ytd-popup-container[position-type="OPEN_POPUP_POSITION_BOTTOMLEFT"]
youtube.com#@##consent-bump
||gstatic.com/youtube/img/promos/*.jpeg$image,domain=youtube.com

Hopefully not to many major changes as this works well.

 

[ErzCrz]

I have reverted to my Comodo Internet Security setup with Firefox as default browser and Thunberbird email client. Reverted Edge Expoit tweaks as it kept showing alerts with Comodo running.

I hadn't planned to change back but uses less resources than MD and a good default deny setup. Comodo does take a fair bit of tweaking but does what it does well. I'm sure I'll end up switching back at some point to the H_C config.

 

[ErzCrz]

Just for info, one of the motivations that made me I switch from MD as default protection is that I'm still on an old machine, I don't plan on upgrading yet, I have basic Windows 10 Home version that was upgraded from 8.1 and I'm not subscribing to 365 so I'm inherently less protected by default than someone who has the current / Win 11 compatible kit. That and Comodo uses about 24meg of ram running whereas MD with ConfigureDefender set to High uses 240meg average (140 with default setting).

Edge is good but CIS/CF seems to flow better with FF though CIS's web protection only seems to work with http.

Hard_Configure / SimpleWindowsHardening enables most of those features which is great so I may see about a H_C or SWH combination with CIS or CF at some point once I work out how best to get the two working together without issue.

 

[ForgottenSeer 92963]

As you are hardening the web browser using uBlockOrigin advanced features, this one might be worth evaluating

! Block eval javascript command
*##+js(noeval)

! Allow using eval for example.com
example.com.#@#+js(noeval)

 

[ErzCrz]

As you are hardening the web browser using uBlockOrigin advanced features, this one might be worth evaluating

! Block eval javascript command
*##+js(noeval)

! Allow using eval for example.com
example.com.*#@#+js(noeval)

Thanks, not considered adding eval javascript block before, added that now

 

[ForgottenSeer 92963]

@ErzCrz,

Since you are using Firefox (chromium based browser users can set this in site permissions), you could limit first-party website in the same way you did with third-party. I removed INFO on purpose in the 3p NOOP since those websites are mostly first-party, for the same reason I did not include IO in the no-scripting FALSE, because they are mostly used as third-party

_____ restrict first-party similar to third-party in MY RULES ______

no-scripting: * true
no-scripting: com false
no-no-scripting: eu false
no-scripting: info false
no-scripting: net false
no-scripting: org false
no-scripting: uk false

* * 3p block
* * 3p-frame block
* * 3p-script block
* com * noop
* eu * noop
* io * noop
* net * noop
* org * noop
* uk * noop

 

[ErzCrz]

@ErzCrz,

Since you are using Firefox (chromium based browser users can set this in site permissions), you could limit first-party website in the same way you did with third-party. I removed INFO on purpose in the 3p NOOP since those websites are mostly first-party, for the same reason I did not include IO in the no-scripting FALSE, because they are mostly used as third-party

_____ restrict first-party similar to third-party in MY RULES ______

no-scripting: * true
no-scripting: com false
no-no-scripting: eu false
no-scripting: info false
no-scripting: net false
no-scripting: org false
no-scripting: uk false

* * 3p block
* * 3p-frame block
* * 3p-script block
* com * noop
* eu * noop
* io * noop
* net * noop
* org * noop
* uk * noop

That's a huge help, thanks so much!

Loving how my setup is now labelled Advanced Plus Security now. Maybe the system has to be hardened to make it complete.

Anyway, these are useful whichever setup I use so I should augment my Edge rules as well. I expect I'll be back to MD before long but I'm still experimenting with tweaks and comparing things. Plan wasn't to do that this year but it's not been exactly going to plan

 

[Andy Ful]

...
Hard_Configure / SimpleWindowsHardening enables most of those features which is great so I may see about a H_C or SWH combination with CIS or CF at some point once I work out how best to get the two working together without issue.

I am not sure if this would be recommendable. Your current setup seems to be sufficiently complex. Anyway, you can ask @cruelsister if there are some loopholes that should be hardened.

 

[ErzCrz]

I am not sure if this would be recommendable. Your current setup seems to be sufficiently complex. Anyway, you can ask @cruelsister if there are some loopholes that should be hardened.

Thanks, just exploring options. I like both setups and my helping knowledge is more Comodo based. I doubt there's any need for hardening with Comodo but worth a look.

Today's test showed less resources used with Edge H_C CD High setup compared to Comodo FF configuration but it's more about browser resource usage for that. Also CD set to High was misinterpreted as 240mb idle previously but I hadn't realized a scan was running in the background. Currently MD using 150mb average.

Anyway, thanks for the info/reply.

 

[ForgottenSeer 92963]

@Andy Ful and @ErzCrz

Andy what about adding SWH with SRP enabled (standard) and Windows Hardening disabled. In this way Comodo deals with executables and scriptors and SWH is just an additional hardening of user space to stop first stages of advanced attacks by blocking risky file extensions in userland for standard user/medium integrity processes only?

 

[Andy Ful]

@Andy Ful and @ErzCrz

Andy what about adding SWH with SRP enabled (standard) and Windows Hardening disabled. In this way Comodo deals with executables and scriptors and SWH is just an additional hardening of user space to stop first stages of advanced attacks by blocking risky file extensions in userland for standard user/medium integrity processes only?

Unfortunately, I do not use Comodo so I cannot say with confidence which SWH settings are not necessary.
I guess that there exists a Comodo setup with some restricted LOLBins which does not need SWH at all.

Edit.
I am not a fan of Comodo's HIPS, because no one really knows how is their impact on Windows system processes (current and introduced in the future). The auto-sandbox feature is more predictable. The Comodo's features are very strong - this can be sometimes a disadvantage for Windows stability.

 

[Andy Ful]

At first glance, it seems that SWH can make the Comodo setup more convenient if the user needs scripting. The scripts cannot be whitelisted in Comodo. So, the user can allow scripting in Comodo and use SWH to restrict scripts. A similar problem can be with some other LOLBins (Sponsors). But, I would not fully disable <Windows Hardening> in SWH. Disabling several remote features, SMB protocols, or hardening MS Office (Adobe Reader) will not hurt.

 

[ErzCrz]

Just updating... Blocking java via noeval seems to be working pretty well. I have had to whitelist a few websites that I use regularly but otherwise going well with uBO tweaks. Thanks again @Kees1958

! Block eval javascript command
*##+js(noeval)

! Allow using eval for example.com
website.*#@#+js(noeval)

CIS configuration going okay without much issue though nothing logged over the past 7 days of browsing etc though files automatically added to trusted file list. CIS and MD with H_C are certainly two different approaches.

Anyway, interesting experiment so far.

 

[cruelsister]

It might be amusing for you to run an innocuous Scriptor on your setup: Download and run Kaspersky Virus Removal Tool. KVRT will drop a cmd script initially (into Local/Temp) to be run when you close the application. This script will delete the application files that the original installer unpacks (also in Local/Temp) as well as deleting a driver that was dropped in Windows/System and a run once (for the Script) registry entry. Although totally fine, these commands can as well be used by horrible people in malware to do truly nasty things (not that I would know, of course).

Now determine who blocks what and when...

 

[ErzCrz]

It might be amusing for you to run an innocuous Scriptor on your setup: Download and run Kaspersky Virus Removal Tool. KVRT will drop a cmd script initially (into Local/Temp) to be run when you close the application. This script will delete the application files that the original installer unpacks (also in Local/Temp) as well as deleting a driver that was dropped in Windows/System and a run once (for the Script) registry entry. Although totally fine, these commands can as well be used by horrible people in malware to do truly nasty things (not that I would know, of course).

Now determine who blocks what and when...

Hmm, interesting. In that circumstance I'd be better with a hardened system but it's a bit over my head to be honest. Hard_Configurator would probably stop that script I'm guessing.

Anyway, you make a interesting point as always

 

[Kongo]

Hard_Configurator would probably stop that script I'm guessing

Simple Windows Hardening should too if H_C is too complex.

 

[ForgottenSeer 92963]

@SecureKongo and @ErzCrz

Simple Windows Hardening blocks running scripts in user space and optionally sets some registry keys to make powershell less prone to misuse. SWH also has an option to disable Wscript but not CMD (I have had a long conversation with Andy on this, but I could not convince him to add that also).

With Hard_Configurator you can also block executing sponsors. H_C in recommended settings allows admins to overrule the Software Restriction Policies. This means you can always install stuf by right-click "run as admin". On top of that H_C has two usability modes to make life easier for you:

1. Update mode (set to ON)
   This allows software to update from the ProgramData and %UserProfile%\AppData folders (by allowing EXE, MSI and TMP). Most installed software updates from Temp folder or their own folders in ProgramData or AppData. This is like SWH only for two specified folders.
   
   
2. Allow EXE, TMP and MSI (globally)
   This is basically the same as SWH, only with the added security to block sponsors as well.

Link to manual: Hard_Configurator/Hard_Configurator - Manual.pdf at master · AndyFul/Hard_Configurator

To reassure you: I block sponsors since I am running a Windows Pro version (XP Pro), since Windows10 (I think from 2019) I am also blocking CMD and Wscript through Group Policy for current User with no problems (but I am running a Microsoft Office + Edge setup with SyncBack Free and Macrium Free on my standard user and additionally FileZilla plus Visual Studio on my admin account).

 

[Andy Ful]

@SecureKongo and @ErzCrz
...
With Hard_Configurator you can also block executing sponsors. H_C in recommended settings allows admins to overrule the Software Restriction Policies. This means you can always install stuf by right-click "run as admin".

The H_C and SWH can also prevent admins to overrule the Software Restriction Policies. The H_C must be run with "-p" switch and SWH has got a special option * Policy Scope * . I do not recommend preventing admins in H_C, except for Basic_Recommended_Settings + a few Sponsors blocked.

On top of that H_C has two usability modes to make life easier for you:

1. Update mode (set to ON)
   This allows software to update from the ProgramData and %UserProfile%\AppData folders (by allowing EXE, MSI and TMP). Most installed software updates from Temp folder or their own folders in ProgramData or AppData. This is like SWH only for two specified folders.
   
   
2. Allow EXE, TMP and MSI (globally)
   This is basically the same as SWH, only with the added security to block sponsors as well.

Link to manual: Hard_Configurator/Hard_Configurator - Manual.pdf at master · AndyFul/Hard_Configurator

These settings can be loaded via the Windows_10_Basic_Recommended setting profile.

To reassure you: I block sponsors since I am running a Windows Pro version (XP Pro), since Windows10 (I think from 2019) I am also blocking CMD and Wscript through Group Policy for current User with no problems ...

In H_C, one can use <Block Sponsors> and "Script Interpreters" <ON> + "Enhanced" <ON> to block popular script interpreters and LOLBins. This is a better solution compared to GPO, because the blocked events can be easily seen via <Tools><Blocked Events / Security Logs>.
If the computer is used both at home and work, then it is possible to prevent also admins to bypass SRP (-p switch).

 

[Andy Ful]

ErzCrz,​

What is the status of popular script interpreters in your Comodo setup?
I mean: cmd[.]exe, cscript.exe, mshta.exe, powershell.exe, powershell_ise.exe, wscript.exe.

 

[ForgottenSeer 92963]

For normal home use SRP should never be applied for admins (which Miccrosoft describes as "for all users, except Admins"). As most tests show, most premium brand AntiVirus will block 99,99% of all ordinary executables. By blocking risky file extensions and blocking sponsors for "all users, except Admins" with SRP, the average home user is well protected without having to deal with popups or negative impact on functionality (executing programs).