Basic Security Evjl's Rain's security config

Last updated
Sep 17, 2018
Windows Edition
Pro
Security updates
Check for updates and Notify
User Access Control
Never notify (disabled)
Real-time security
Kaspersky Security Cloud free, Syshardener, Run-by-smartscreen (by Andy Ful)
Firewall security
Microsoft Defender Firewall
Periodic malware scanners
Zemana, HitmanPro, NPE, Emsisoft emergency kit
Malware sample testing
Browser(s) and extensions
Chromium portable x64 (RAMdisk cache): ublock origin, Notifier for Gmail, Google Translate, h264ify, Windows Defender Browser Protection, Popup blocker (strict)
Maintenance tools
CCleaner+CCenhancer, auslogic disk defragmenter, Defraggler Wise disk cleaner, Wise registry cleaner, IObit Uninstaller, Revo Uninstaller, Syshardener, O&OShutup, WPD, SumatraPDF, EagleGet, SoftPefectRAM Disk, Winrar, Everything Search Engine, Classic Shell, Run-by-Smartscreen
File and Photo backup
Dropbox, Google Drive
System recovery
Norton Ghost
Computer specs
https://malwaretips.com/threads/rains-laptop.61841/#post-528136

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Does your Java blacklists persist with every Java update as the folder path changes with every version? Or can you block processes by folder/name in Process Lasso?
I just block the processes by name regardless of their paths. So if they update or change their path, they will still be blocked, unless they are renamed by malwares. Fortunately, I used group policy to block .jar execution just in case the processes are renamed

Capture.PNG
 

CoherentCrayon

Level 4
Verified
Jun 23, 2017
183
updated some tweaks used for a while, too lazy to update them before:

1/ Process Lasso: disallowed wscript, cscript, powershell.exe, powershell_ise.exe, java.exe, javaw.exe
2/ Group Policy (SRP): blocked some extensions: .hta, .jar, .scr
3/ Regedit: blocked windows script host
4/ Windows Firewall:
- blocked all inbound connections
- block outbound: msra.exe, msha.exe, wscript, cscript, powershell, powershell_ise, conhost, cmd
Is it possible to block specific extensions (.scr for example) from executing via the registry if you run Windows 10 Home? Thanks
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Is it possible to block specific extensions (.scr for example) from executing via the registry if you run Windows 10 Home? Thanks
I'm afraid we can't do it
perhaps, it's possible but may require some skills
we can use apps like Hard_configurator to do something similar

maybe, @Windows_Security can teach us how to do it?
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Block unsigned elevation (allow unsigned programs to run, but not elevate to admin

Save as UAC_Block_Unsigned_Elevation.reg
------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

----- end


Allow unsigned elevation (allow unsigned programs to run, but not elevate to admin

Save as UAC_Allow_Unsigned_Elevation.reg
------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000000
 
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
I have put this on my wife's laptop (which runs Windows 10 Home) and it seems to run fine.

I have to thank @Evjl's Rain, because he asked for registry tweaks to block certain file extensions, I realised that by removing EXE, DLL and MSI from the list of guarded extension I could realize this with an SRP-registry tweak.

Blocking dangereous extensions (while allowing EXE, DLL, MSI) and blocking unsigned elevation (while allowing them to run) should not interfere with normal usage (you can still run programs from user space), but stops 90% of the malware.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Is it possible to block specific extensions (.scr for example) from executing via the registry if you run Windows 10 Home? Thanks
Hard_Configurator can block any file extension in default deny mode (SRP). But it seems to me that you would like to block file extensions in SRP default allow mode. That can be done using the program Simple Software Restriction Policies, when changing some default settings and adding the global Disallowed rules: *.scr, *.hta , *.bat, *.cmd, etc. in the configuration file.
Blocking the extensions via SRP is good for blocking double extension malware like *.pdf.scr, *.jpg.hta, etc . So, the file will be blocked when the user will try to execute it by the mouse-click or pressing the ENTER key.
This protection does not prevent opening the files like *.hta , *.bat, *.cmd by the malware that already runs in memory.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
@Andy Ful

Maybe give an example using Hard_Configurator with some screen shots?

regards Kees (and keep up the good work guys
( @Andy Ful for Hard configurator, @Evjl's Rain for posting tests)
With Hard_Configurator it is rather simple. Just download and install Hard_Configurator
Hard_Configurator/Hard_Configurator_setup(x64)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
Hard_Configurator/Hard_Configurator_setup(x86)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
x64 is for 64-bit Windows and x86 is for 32-bit Windows.
.
Next, run Hard_Configurator. Accept making System Restore Point and checking autoruns (see the picture 1h.png).
After this is finished, you can close the TOOLS window and the main window will be activated.
In the normal (not tweaked) system all options will be OFF (see picture 2h.png).
Press <Recommended SRP> and next <Recommended Restrictions> buttons. Hard_Configurator settings will be changed (see picture 3h.png). Yet, some settings require LogOFF to be fully activated by Windows.
Press <APPLY CHANGES> button to LogOFF from the account. If you LogON again the Hard_Configurator settings will be activated.
.
To uninstall Hard_Configurator press <Tools> button and next from the TOOLS window press the red button <Restore Windows Defaults> (see 4h.png). Next use the standard Windows uninstallation procedure.
 

Attachments

  • 1h.png
    1h.png
    101.8 KB · Views: 581
  • 2h.png
    2h.png
    23.9 KB · Views: 553
  • 3h.png
    3h.png
    25.1 KB · Views: 539
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Hard_Configurator recommended settings are kind of default deny + whitelisting setup. Any executable file from C:\Windows, C:\Program Files (and C:\Program Files (x86) for 64-bit Windows) + whitelisted paths, will be allowed, but the rest will be blocked.
.
The only way to bypass default deny is to run executable using Explorer context menu (right mouse click on the file) and choose 'Run As SmartScreen' option. This will execute any EXE or MSI file with SmartScreen check and with Administrator privileges. This option can be used for the installations of the new programs.
.
Not dangerous files like documents, photos, media, etc. can be opened without problems from any locations by mouse-click or pressing Enter key, because they are not executable for SRP.
.
Files downloaded by web browser cannot be executed within the web browser. One should navigate to the Download folder and execute the file using Explorer context menu ('Run As SmartScreen').
.
This setup blocks many files that may contain executable content like *.exe, *.msi, *.scr, *.hta, *.bat, *cmd, *.jar, *.vbs, *.js, *.ps1, and many others. Files with protected extensions cannot be run by the user when mouse-clicking or pressing the Enter key - that protects users from being fooled by double extension malware (*.pdf.scr, *.jpg.exe, *.avi.msi, *.doc.hta, *.txt.bat, *.mp3.ps1, etc.).
But, if the malware is already running in the system, it can open them (except *.exe, *.scr, *.msi, *vbs, *.vbe, *js, *.jse, *wsf, *.wsh, that has extended protection). Also, PowerShell scripts can only be run by malware in Constrained Language mode that blocks PowerShell trojan downloaders, and most penetration tools based on PowerShell.
 
Last edited:

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Removed:
- Emsisoft AM: too high RAM usage (struggled to play games on my 8Gb laptop), unforgivable bug (exited EAM using the tray icon -> re-opened using start menu icon (a2start.exe) -> all protections were disabled + missing tray icon -> tried to open a2guard.exe -> all shields were on + the tray icon re-appeared -> exited EAM again -> performed the same steps above -> "A major problem prevents..." + tray icon never appeared again. Could no long start EAM anymore except a reboot)

Installed:
- Avast free: managed to be bug-less
 

Syafiq

Level 11
Verified
Top Poster
Well-known
May 8, 2017
536
@Evjl's Rain You're using KIS again, right ? You were said that you dislike the KIS's Performance in the past, is it feels light now ? Just asking :)
 
  • Like
Reactions: shmu26

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
@Evjl's Rain You're using KIS again, right ? You were said that you dislike the KIS's Performance in the past, is it feels light now ? Just asking :)
the performance impact comes from application control especially during app installation the rest is fine. I usually disable KIS while installing apps because I don't want it to break the installation process so it's tolerable
 
Last edited:

Rebsat

Level 6
Verified
Well-known
Apr 13, 2014
254
How are you doing bro? I need your advice on my combo's configuration, please....
"Avast Free Antivirus + OSArmor"

I am using this combo but I actually don't have a Firewall module in my combo and I want to add a 3rd party Firewall into that combo
which does not overwrite or conflict with any of both softwares of the combo.

Questions
1. Which of the following Firewalls do you recommend to be added into my combo and why?
- Comodo Firewall
- Xvirus Personal Firewall
- SpyShelter Firewall
- ZoneAlarm Firewall
- FortKnox Firewall


2. Avast Free Antivirus includes a BB which is Behavior Shield. I wonder if that aspect of Avast would be redundant with some aspects of OSArmor or not?


Any advice is welcome, Thank you for your good assistance bro :)
Best regards,
Rebsat.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
How are you doing bro? I need your advice on my combo's configuration, please....
"Avast Free Antivirus + OSArmor"

I am using this combo but I actually don't have a Firewall module in my combo and I want to add a 3rd party Firewall into that combo
which does not overwrite or conflict with any of both softwares of the combo.

Questions
1. Which of the following Firewalls do you recommend to be added into my combo and why?
- Comodo Firewall
- Xvirus Personal Firewall
- SpyShelter Firewall
- ZoneAlarm Firewall
- FortKnox Firewall


2. Avast Free Antivirus includes a BB which is Behavior Shield. I wonder if that aspect of Avast would be redundant with some aspects of OSArmor or not?


Any advice is welcome, Thank you for your good assistance bro :)
Best regards,
Rebsat.
I had a conflict last week between Avast free and OSArmor. I was running Avast free in passive mode, and it was preventing OSArmor from actually blocking the things it is supposed to block. You would only know if you tested it, because everything "looked" as if it was running properly. So if you combo Avast with OSArmor, please do make a test, to make sure that OSArmor is working.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
How are you doing bro? I need your advice on my combo's configuration, please....
"Avast Free Antivirus + OSArmor"

I am using this combo but I actually don't have a Firewall module in my combo and I want to add a 3rd party Firewall into that combo
which does not overwrite or conflict with any of both softwares of the combo.

Questions
1. Which of the following Firewalls do you recommend to be added into my combo and why?
- Comodo Firewall
- Xvirus Personal Firewall
- SpyShelter Firewall
- ZoneAlarm Firewall
- FortKnox Firewall


2. Avast Free Antivirus includes a BB which is Behavior Shield. I wonder if that aspect of Avast would be redundant with some aspects of OSArmor or not?


Any advice is welcome, Thank you for your good assistance bro :)
Best regards,
Rebsat.
hi, sorry for being late. I was busy. I'm fine. How about you, bro?
avast and OSA are fine. You can use windows firewall and you can block internet connections of vulnerable processes to orevent malwares from downloading payloads. I think it's good enough
if you want a 3rd party firewall, any of them is fine but I prefer a free firewall because home users don't need paid firewall as we are not usually targetted
you may try xvirus firewall. I think it's good

CF is even better but I prefer Kaspersky + CF than avast + OSA + CF or avast + CF (no OSA)

2/ I think they are not redudant together. Each one has their own job and there is no overlapping

if you use avast, make sure you disable the "stupid" hardware-assisted virtualization in troubleshooting because it's the cause of 80-90% of avast's problems and conflicts with other apps.mIt's okay to be used alone but problematic to be used in combo
 

Rebsat

Level 6
Verified
Well-known
Apr 13, 2014
254
According to Avast site...
Mail Shield is an additional layer of active protection in Avast Antivirus. It scans your incoming and outgoing email messages in real-time for malicious content such as viruses. Scanning applies only to messages sent or received using a mail management software (email clients, such as Microsoft Outlook or Mozilla Thunderbird). If you access your web based email account via an internet browser, your PC is protected by other Shields

Don't be sorry bro. I am good, thank you and I hope you are doing very well ;)

Questions:
1. Why did you Disable "Mail Shield" component in your Avast settings? and Have you faced any slowdown, conflicts, issues with enabling "Mail Shield"?

2. Can I benefit from enabling "Mail Shield" while I am running Microsoft Outlook 2010 with Gmail integrated into it? Guess I received an email from inbox of my Microsoft Outlook with malware attached file...

3. What the situation be like if I clicked a malware attached file inside an email from inbox of Microsoft Outlook 2010... Would Avast Free Antivirus (Evjl's Rain tweaks) or Comodo Firewall (cs settings) pop up an alert and block the malware? or any malicious/malware attached files from inbox of Microsoft Outlook is separate from entire windows security and is not protected by either Avast Free Antivirus and Comodo Firewall...
 
Last edited:

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
According to Avast site...


Don't be sorry bro. I am good, thank you and I hope you are doing very well ;)

Questions:
1. Why did you Disable "Mail Shield" component in your Avast settings? and Have you faced any slowdown, conflicts, issues with enabling "Mail Shield"?

2. Can I benefit from enabling "Mail Shield" while I am running Microsoft Outlook 2010 with Gmail integrated into it? Guess I received an email from inbox of my Microsoft Outlook with malware attached file...

3. What the situation be like if I clicked a malware attached file inside an email from inbox of Microsoft Outlook 2010... Would Avast Free Antivirus (Evjl's Rain tweaks) or Comodo Firewall (cs settings) pop up an alert and block the malware? or any malicious/malware attached files from inbox of Microsoft Outlook is separate from entire windows security and is not protected by either Avast Free Antivirus and Comodo Firewall...
1. because I don't use outlook. I only use the web mail
2. yes, you will benefit from it. Mail shield will scan your mail as soon as they are downloaded to your outlook. It works like web shield for outlook
3. avast will block the malware before execution unless they are password-protected while CF will block after execution
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top