SECURE Evjl's Rain's security config

Discussion in 'PC Security Configuration' started by Evjl's Rain, Feb 15, 2017.

  1. Evjl's Rain

    Evjl's Rain Level 29
    Trusted AV Tester

    Apr 18, 2016
    1,800
    13,175
    Vietnam
    Windows 8.1
    Avast
    I just block the processes by name regardless of their paths. So if they update or change their path, they will still be blocked, unless they are renamed by malware. Fortunately, I used group policy to block .jar execution just in case the processes are renamed.

    [Attached image: Capture.PNG]
     
  2. steel9

    steel9 Level 3

    Jun 23, 2017
    142
    398
    Sweden
    Windows 10
    F-Secure
    Is it possible to block specific extensions (.scr for example) from executing via the registry if you run Windows 10 Home? Thanks
     
    Evjl's Rain and Der.Reisende like this.
  3. Evjl's Rain

    Evjl's Rain Level 29
    Trusted AV Tester

    Apr 18, 2016
    1,800
    13,175
    Vietnam
    Windows 8.1
    Avast
    I'm afraid we can't do it
    perhaps, it's possible but may require some skills
    we can use apps like Hard_configurator to do something similar

    maybe, @Windows_Security can teach us how to do it?
     
  4. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,881
    Holland
    Windows 7
    Default-Deny
    #124 Windows_Security, Dec 4, 2017
    Last edited: Dec 5, 2017
    EDIT: better use Hard Configurator, see Andy's post below
     
  5. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,881
    Holland
    Windows 7
    Default-Deny
    #125 Windows_Security, Dec 4, 2017
    Last edited: Dec 5, 2017
    Block unsigned elevation (allow unsigned programs to run, but not elevate to admin)

    Save as UAC_Block_Unsigned_Elevation.reg
    ------------------------------------------------------
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000001

    ----- end


    Allow unsigned elevation (allow unsigned programs to run, but not elevate to admin)

    Save as UAC_Allow_Unsigned_Elevation.reg
    ------------------------------------------------------------------
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "ValidateAdminCodeSignatures"=dword:00000000
     
    ZeroDay, bribon77, steel9 and 3 others like this.
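    A PowerShell equivalent of the two .reg files in this post, added here as an example (it is not part of the thread and not Kees's own script). The function names Get-UnsignedElevationPolicy, Set-UnsignedElevationPolicy and Test-SignedForElevation are my own, and the signature preview is an approximation of the check UAC performs, not the UAC code path itself:

```powershell
# Added example, not from the thread. Reads and sets the same UAC value that the
# UAC_Block_Unsigned_Elevation.reg / UAC_Allow_Unsigned_Elevation.reg files write.
# Assumes Windows PowerShell 5.1 or later; Set-UnsignedElevationPolicy needs an
# elevated console, the two read-only functions do not.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UnsignedElevationPolicy {
    # ValidateAdminCodeSignatures = 1 is the policy "Only elevate executables that
    # are signed and validated". A missing value reads as 0 (not enforced).
    $props    = Get-ItemProperty -Path $UacPolicyKey
    $validate = [int]$props.ValidateAdminCodeSignatures
    $uacOn    = [int]$props.EnableLUA
    [pscustomobject]@{
        UacEnabled             = ($uacOn -eq 1)
        BlockUnsignedElevation = ($validate -eq 1)
        # The signature requirement only has effect while UAC itself is on.
        Effective              = ($uacOn -eq 1 -and $validate -eq 1)
    }
}

function Set-UnsignedElevationPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Block', 'Allow')]
        [string]$Mode
    )
    $value = if ($Mode -eq 'Block') { 1 } else { 0 }
    # Same key and REG_DWORD type as the .reg files above.
    Set-ItemProperty -Path $UacPolicyKey -Name 'ValidateAdminCodeSignatures' -Value $value -Type DWord
    Get-UnsignedElevationPolicy
}

function Test-SignedForElevation {
    # Preview: would this executable still be allowed to elevate once unsigned
    # elevation is blocked? UAC validates the Authenticode chain to a trusted root;
    # Get-AuthenticodeSignature reports 'Valid' in that case, so this approximates
    # the decision without being the exact UAC check.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        CanElevate = ($sig.Status -eq 'Valid')
    }
}

# Usage (placeholder path; the read-only calls work from a normal console):
#   Get-UnsignedElevationPolicy
#   Test-SignedForElevation -Path 'C:\Users\<you>\Downloads\setup.exe'
#   Set-UnsignedElevationPolicy -Mode Block     # elevated console
```

    Running Test-SignedForElevation against a downloaded installer before enabling the block tells you whether it will still be able to prompt for elevation, which is the practical question the "Block unsigned elevation" tweak raises.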
  6. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,881
    Holland
    Windows 7
    Default-Deny
    #126 Windows_Security, Dec 4, 2017
    Last edited: Dec 5, 2017
    I have put this on my wife's laptop (which runs Windows 10 Home) and it seems to run fine.

    I have to thank @Evjl's Rain, because he asked for registry tweaks to block certain file extensions. I realised that by removing EXE, DLL and MSI from the list of guarded extensions I could realize this with an SRP registry tweak.

    Blocking dangerous extensions (while allowing EXE, DLL, MSI) and blocking unsigned elevation (while allowing them to run) should not interfere with normal usage (you can still run programs from user space), but stops 90% of the malware.
     
    ZeroDay, bribon77, steel9 and 4 others like this.
  7. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,099
    4,698
    business
    Poland
    Windows 10
    Microsoft
    Hard_Configurator can block any file extension in default deny mode (SRP). But it seems to me that you would like to block file extensions in SRP default allow mode. That can be done using the program Simple Software Restriction Policies, when changing some default settings and adding the global Disallowed rules: *.scr, *.hta, *.bat, *.cmd, etc. in the configuration file.
    Blocking the extensions via SRP is good for blocking double extension malware like *.pdf.scr, *.jpg.hta, etc. So, the file will be blocked when the user tries to execute it by mouse-click or by pressing the ENTER key.
    This protection does not prevent opening files like *.hta, *.bat, *.cmd by malware that already runs in memory.
     
    ZeroDay, bribon77, harlan4096 and 2 others like this.
  8. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,881
    Holland
    Windows 7
    Default-Deny
    #128 Windows_Security, Dec 4, 2017
    Last edited: Dec 5, 2017
    @Andy Ful

    Maybe give an example using Hard_Configurator with some screen shots?

    regards Kees (and keep up the good work guys: @Andy Ful for Hard configurator, @Evjl's Rain for posting tests)
     
  9. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,099
    4,698
    business
    Poland
    Windows 10
    Microsoft
    #129 Andy Ful, Dec 5, 2017
    Last edited: Dec 5, 2017
    With Hard_Configurator it is rather simple. Just download and install Hard_Configurator
    Hard_Configurator/Hard_Configurator_setup(x64)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
    Hard_Configurator/Hard_Configurator_setup(x86)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
    x64 is for 64-bit Windows and x86 is for 32-bit Windows.

    Next, run Hard_Configurator. Accept making a System Restore Point and checking autoruns (see the picture 1h.png).
    After this is finished, you can close the TOOLS window and the main window will be activated.
    In the normal (not tweaked) system all options will be OFF (see picture 2h.png).
    Press <Recommended SRP> and next <Recommended Restrictions> buttons. Hard_Configurator settings will be changed (see picture 3h.png). Yet, some settings require LogOFF to be fully activated by Windows.
    Press <APPLY CHANGES> button to LogOFF from the account. If you LogON again the Hard_Configurator settings will be activated.

    To uninstall Hard_Configurator press <Tools> button and next from the TOOLS window press the red button <Restore Windows Defaults> (see 4h.png). Next use the standard Windows uninstallation procedure.
     

    Attached files: 1h.png, 2h.png, 3h.png
  10. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,099
    4,698
    business
    Poland
    Windows 10
    Microsoft
    #130 Andy Ful, Dec 5, 2017
    Last edited: Dec 5, 2017
    Hard_Configurator recommended settings are kind of a default deny + whitelisting setup. Any executable file from C:\Windows, C:\Program Files (and C:\Program Files (x86) for 64-bit Windows) + whitelisted paths will be allowed, but the rest will be blocked.

    The only way to bypass default deny is to run the executable using the Explorer context menu (right mouse click on the file) and choose the 'Run As SmartScreen' option. This will execute any EXE or MSI file with a SmartScreen check and with Administrator privileges. This option can be used for the installation of new programs.

    Not dangerous files like documents, photos, media, etc. can be opened without problems from any location by mouse-click or by pressing the Enter key, because they are not executable for SRP.

    Files downloaded by the web browser cannot be executed within the web browser. One should navigate to the Download folder and execute the file using the Explorer context menu ('Run As SmartScreen').

    This setup blocks many files that may contain executable content like *.exe, *.msi, *.scr, *.hta, *.bat, *.cmd, *.jar, *.vbs, *.js, *.ps1, and many others. Files with protected extensions cannot be run by the user when mouse-clicking or pressing the Enter key - that protects users from being fooled by double extension malware (*.pdf.scr, *.jpg.exe, *.avi.msi, *.doc.hta, *.txt.bat, *.mp3.ps1, etc.).
    But, if the malware is already running in the system, it can open them (except *.exe, *.scr, *.msi, *.vbs, *.vbe, *.js, *.jse, *.wsf, *.wsh, which have extended protection). Also, PowerShell scripts can only be run by malware in Constrained Language mode, which blocks PowerShell trojan downloaders and most penetration tools based on PowerShell.
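    To see what the SRP side of this setup actually looks like once applied, here is an added PowerShell audit script (my own example, not part of the thread and not Hard_Configurator's code). It reads the SRP policy that a default-deny configuration leaves in the registry and predicts how a given file would be treated, which also illustrates the double-extension point above. The function names Get-SrpPolicy and Test-SrpFile and the path-matching logic are my assumptions: it is a simplified model of SRP path rules and ignores hash, certificate and zone rules.

```powershell
# Added example, not from the thread or from Hard_Configurator. Read-only.
# Reads the SRP policy under HKLM and predicts, with a simplified model of SRP
# path rules, how a given file would be treated. Assumes Windows PowerShell 5.1+.

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel and used as rule subkey names.
$SrpLevels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }

function Get-SrpPolicy {
    if (-not (Test-Path $SrpKey)) { return $null }        # no SRP policy at all
    $root  = Get-ItemProperty -Path $SrpKey
    $rules = foreach ($level in $SrpLevels.Keys) {
        $pathsKey = Join-Path $SrpKey "$level\Paths"
        if (Test-Path $pathsKey) {
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                $item = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level   = $SrpLevels[$level]
                    Pattern = [Environment]::ExpandEnvironmentVariables([string]$item.ItemData)
                }
            }
        }
    }
    # A CodeIdentifiers key without DefaultLevel behaves as Unrestricted (default allow).
    $default = if ($null -eq $root.DefaultLevel) { 262144 } else { [int]$root.DefaultLevel }
    [pscustomobject]@{
        DefaultLevel    = $SrpLevels[$default]
        # TransparentEnabled 2 = DLLs are checked too; 1 = everything except DLLs.
        EnforceDlls     = ([int]$root.TransparentEnabled -eq 2)
        # PolicyScope 1 = local administrators are exempt from the policy.
        AdminsExempt    = ([int]$root.PolicyScope -eq 1)
        # Extensions SRP treats as executable. Anything else is not evaluated at all,
        # which is why report.pdf opens normally while report.pdf.scr is checked.
        ExecutableTypes = @($root.ExecutableTypes | Where-Object { $_ } | ForEach-Object { "$_".ToUpper() })
        Rules           = @($rules)
    }
}

function Test-SrpFile {
    param([Parameter(Mandatory)][string]$Path)
    $policy = Get-SrpPolicy
    if ($null -eq $policy) { return 'Allowed: no SRP policy configured' }
    # SRP looks only at the final extension, so invoice.pdf.scr is an SCR file.
    $ext = [IO.Path]::GetExtension($Path).TrimStart('.').ToUpper()
    if ($ext -notin $policy.ExecutableTypes) {
        return "Not governed: '$ext' is not an SRP executable type"
    }
    # A rule matches the file itself (e.g. *.scr) or anything under a folder rule
    # (e.g. C:\Windows). The most specific match wins; Disallowed wins a tie.
    $match = $policy.Rules |
        Where-Object { $Path -like $_.Pattern -or $Path -like ($_.Pattern.TrimEnd('\') + '\*') } |
        Sort-Object @{ Expression = { $_.Pattern.Length }; Descending = $true },
                    @{ Expression = { $_.Level -eq 'Disallowed' }; Descending = $true } |
        Select-Object -First 1
    if ($match) { return "$($match.Level) by rule '$($match.Pattern)'" }
    return "$($policy.DefaultLevel) by default level"
}

# Usage (placeholder paths):
#   Get-SrpPolicy | Format-List
#   Test-SrpFile 'C:\Users\<you>\Downloads\invoice.pdf.scr'   # governed: .SCR
#   Test-SrpFile 'C:\Users\<you>\Downloads\report.pdf'        # not governed
#   Test-SrpFile 'C:\Program Files\SomeApp\app.exe'           # allowed by folder rule
```

    Because the prediction is only as good as the rule model, use it to review a policy, not to replace a test run; the real check is still whether Windows shows the "blocked by group policy" dialog for the file.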
     
  11. Evjl's Rain

    Evjl's Rain Level 29
    Trusted AV Tester

    Apr 18, 2016
    1,800
    13,175
    Vietnam
    Windows 8.1
    Avast
    Removed:
    - Emsisoft AM: too high RAM usage (struggled to play games on my 8 GB laptop), unforgivable bug (exited EAM using the tray icon -> re-opened using start menu icon (a2start.exe) -> all protections were disabled + missing tray icon -> tried to open a2guard.exe -> all shields were on + the tray icon re-appeared -> exited EAM again -> performed the same steps above -> "A major problem prevents..." + tray icon never appeared again. Could no longer start EAM except after a reboot)

    Installed:
    - Avast free: managed to be bug-less
     
  12. Evjl's Rain

    Evjl's Rain Level 29
    Trusted AV Tester

    Apr 18, 2016
    1,800
    13,175
    Vietnam
    Windows 8.1
    Avast
    Removed:
    - Avast: higher memory usage in the latest version
    - Checker Plus for Gmail
    - DiskMax

    Added:
    - KIS 2018
    - Notifier for Gmail
    - NVT OSArmor
    - Wise Disk Cleaner
     
  13. Syafiq

    Syafiq Level 7

    May 8, 2017
    330
    2,134
    Student
    Indonesia
    Windows 10
    Emsisoft
    @Evjl's Rain You're using KIS again, right? You said that you disliked KIS's performance in the past; does it feel light now? Just asking :)
     
    shmu26 likes this.
  14. Evjl's Rain

    Evjl's Rain Level 29
    Trusted AV Tester

    Apr 18, 2016
    1,800
    13,175
    Vietnam
    Windows 8.1
    Avast
    #134 Evjl's Rain, Jan 2, 2018
    Last edited: Jan 3, 2018
    the performance impact comes from application control, especially during app installation; the rest is fine. I usually disable KIS while installing apps because I don't want it to break the installation process, so it's tolerable
     
    shmu26, Syafiq and harlan4096 like this.
  15. beefsteak

    beefsteak New Member

    Today
    1
    0
    Singapore
    #135 beefsteak, Jan 18, 2018 at 1:53 AM
    Last edited: Jan 18, 2018 at 2:24 AM
    thanks
     