Basic Security: Evjl's Rain's security config

Last updated: Sep 17, 2018
Windows Edition: Pro
Security updates: Check for updates and Notify
User Access Control: Never notify (disabled)
Real-time security: Kaspersky Security Cloud free, Syshardener, Run-by-smartscreen (by Andy Ful)
Firewall security: Microsoft Defender Firewall
Periodic malware scanners: Zemana, HitmanPro, NPE, Emsisoft emergency kit
Malware sample testing:
Browser(s) and extensions: Chromium portable x64 (RAMdisk cache): ublock origin, Notifier for Gmail, Google Translate, h264ify, Windows Defender Browser Protection, Popup blocker (strict)
Maintenance tools: CCleaner+CCenhancer, Auslogics disk defragmenter, Defraggler, Wise disk cleaner, Wise registry cleaner, IObit Uninstaller, Revo Uninstaller, Syshardener, O&O ShutUp, WPD, SumatraPDF, EagleGet, SoftPerfect RAM Disk, WinRAR, Everything Search Engine, Classic Shell, Run-by-Smartscreen
File and Photo backup: Dropbox, Google Drive
System recovery: Norton Ghost
Computer specs: https://malwaretips.com/threads/rains-laptop.61841/#post-528136

Evjl's Rain

Does your Java blacklists persist with every Java update as the folder path changes with every version? Or can you block processes by folder/name in Process Lasso?
I just block the processes by name regardless of their paths. So if they update or change their path, they will still be blocked, unless they are renamed by malware. Fortunately, I used group policy to block .jar execution just in case the processes are renamed.

[Attachment: Capture.PNG]

CoherentCrayon

updated some tweaks used for a while, too lazy to update them before:

1/ Process Lasso: disallowed wscript, cscript, powershell.exe, powershell_ise.exe, java.exe, javaw.exe
2/ Group Policy (SRP): blocked some extensions: .hta, .jar, .scr
3/ Regedit: blocked windows script host
4/ Windows Firewall:
- blocked all inbound connections
- block outbound: msra.exe, msha.exe, wscript, cscript, powershell, powershell_ise, conhost, cmd
Is it possible to block specific extensions (.scr for example) from executing via the registry if you run Windows 10 Home? Thanks
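As an added illustration of items 3 and 4 of the list above (this is not CoherentCrayon's own script), the outbound blocks can be created with the built-in NetSecurity cmdlets and the Windows Script Host switch read back from the registry; the binary paths assume standard System32/SysWOW64 locations, and "msha.exe" from the post is left out because I do not know a binary of that name.

```powershell
# Added example (not from the post): apply the outbound block rules of item 4 for the
# listed binaries and report the Windows Script Host state of item 3. Run from an
# elevated PowerShell; rerunning is safe because a rule whose DisplayName exists is skipped.
# "msha.exe" from the post is omitted (no binary of that name is known to me).

# Binaries named in the post, relative to System32 (and SysWOW64 on 64-bit Windows,
# which carries its own copies of most of them).
$Programs = @(
    'wscript.exe', 'cscript.exe', 'conhost.exe', 'cmd.exe', 'msra.exe',
    'WindowsPowerShell\v1.0\powershell.exe', 'WindowsPowerShell\v1.0\powershell_ise.exe'
)

function Add-OutboundBlockRule {
    param([Parameter(Mandatory)][string]$Path)
    $name = "Block outbound: $Path"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        return "exists  $Path"
    }
    # Program-scoped block rule for all profiles; no port or protocol restriction
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $Path -Profile Any | Out-Null
    "added   $Path"
}

foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($rel in $Programs) {
        $full = Join-Path $env:SystemRoot "$dir\$rel"
        if (Test-Path $full) { Add-OutboundBlockRule -Path $full }
    }
}

# Item 3: Windows Script Host is disabled machine-wide when Enabled is 0 under this key
# (a per-user override lives under HKCU with the same subkey path).
$wsh = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue
[pscustomobject]@{
    WshEnabledValue = $wsh.Enabled
    WshDisabled     = ($null -ne $wsh.Enabled -and [int]$wsh.Enabled -eq 0)
}
```

Blocking outbound traffic for powershell.exe also affects legitimate module downloads from that shell, so test the rule set on a machine you can easily roll back.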
 

Evjl's Rain

Is it possible to block specific extensions (.scr for example) from executing via the registry if you run Windows 10 Home? Thanks
I'm afraid we can't do it.
Perhaps it's possible, but it may require some skills.
We can use apps like Hard_Configurator to do something similar.

Maybe @Windows_Security can teach us how to do it?
 

Windows_Security

Block unsigned elevation (allow unsigned programs to run, but not elevate to admin)

Save as UAC_Block_Unsigned_Elevation.reg
------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

----- end


Allow unsigned elevation (allow unsigned programs to run, but not elevate to admin)

Save as UAC_Allow_Unsigned_Elevation.reg
------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000000
 

Windows_Security

I have put this on my wife's laptop (which runs Windows 10 Home) and it seems to run fine.

I have to thank @Evjl's Rain, because he asked for registry tweaks to block certain file extensions. I realised that by removing EXE, DLL and MSI from the list of guarded extensions I could achieve this with an SRP registry tweak.

Blocking dangerous extensions (while allowing EXE, DLL, MSI) and blocking unsigned elevation (while allowing them to run) should not interfere with normal usage (you can still run programs from user space), but stops 90% of the malware.
 

Andy Ful

Is it possible to block specific extensions (.scr for example) from executing via the registry if you run Windows 10 Home? Thanks
Hard_Configurator can block any file extension in default deny mode (SRP). But it seems to me that you would like to block file extensions in SRP default allow mode. That can be done using the program Simple Software Restriction Policies, by changing some default settings and adding the global Disallowed rules *.scr, *.hta, *.bat, *.cmd, etc. in the configuration file.
Blocking the extensions via SRP is good for blocking double extension malware like *.pdf.scr, *.jpg.hta, etc. So, the file will be blocked when the user tries to execute it by mouse-click or by pressing the ENTER key.
This protection does not prevent opening files like *.hta, *.bat, *.cmd by malware that is already running in memory.
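The SRP default-allow setup with Disallowed extension rules described here, the "remove EXE, DLL and MSI from the guarded extensions" tweak in Windows_Security's post, and the ValidateAdminCodeSignatures .reg files all land in a handful of HKLM keys; the read-only audit below (added here, not a tool from any poster) reports what is actually in effect, and assumes the documented Safer\CodeIdentifiers layout where path rules sit under a numeric security-level subkey.

```powershell
# Added example (not from the thread): read-only audit of the machine-wide SRP and UAC
# registry settings configured by the posts above. Run in an elevated PowerShell.
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$UacKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# SAFER security levels as stored in DefaultLevel and used as rule subkey names
$SrpLevels = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
                131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicySummary {
    if (-not (Test-Path $SrpRoot)) {
        return [pscustomobject]@{ SrpConfigured = $false }
    }
    $root = Get-ItemProperty -Path $SrpRoot
    # Path rules live under CodeIdentifiers\<level>\Paths\<GUID>; ItemData holds the pattern
    $rules = foreach ($lvlKey in Get-ChildItem -Path $SrpRoot) {
        if ($lvlKey.PSChildName -notmatch '^\d+$') { continue }
        $pathsKey = "$SrpRoot\$($lvlKey.PSChildName)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            [pscustomobject]@{
                Level   = $SrpLevels[[int]$lvlKey.PSChildName]
                Pattern = (Get-ItemProperty -Path $rule.PSPath).ItemData
            }
        }
    }
    $default = if ($null -ne $root.DefaultLevel) { $SrpLevels[[int]$root.DefaultLevel] } else { 'not set' }
    [pscustomobject]@{
        SrpConfigured     = $true
        DefaultLevel      = $default
        # ExecutableTypes (REG_MULTI_SZ) is the "guarded extensions" list; the tweak above
        # drops EXE, DLL and MSI from it so those still run while the rest are policed.
        GuardedExtensions = @($root.ExecutableTypes)
        # Default-allow setups block *.scr, *.hta, etc. through Disallowed path rules
        DisallowedRules   = @($rules | Where-Object Level -eq 'Disallowed' | ForEach-Object Pattern)
        UnrestrictedRules = @($rules | Where-Object Level -eq 'Unrestricted' | ForEach-Object Pattern)
    }
}

function Get-UacSigningPolicy {
    # ValidateAdminCodeSignatures = 1 is the "block unsigned elevation" .reg tweak above
    $v = (Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue).ValidateAdminCodeSignatures
    [pscustomobject]@{ ValidateAdminCodeSignatures = $v; UnsignedElevationBlocked = ($v -eq 1) }
}

Get-SrpPolicySummary | Format-List
Get-UacSigningPolicy | Format-List
```

An Unrestricted default with Disallowed *.scr/*.hta rules is the default-allow variant discussed here; a Disallowed default with Unrestricted path rules for C:\Windows and C:\Program Files is the Hard_Configurator default-deny layout.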
 

Andy Ful

@Andy Ful

Maybe give an example using Hard_Configurator with some screen shots?

regards Kees (and keep up the good work guys: @Andy Ful for Hard_Configurator, @Evjl's Rain for posting tests)
With Hard_Configurator it is rather simple. Just download and install Hard_Configurator:
Hard_Configurator/Hard_Configurator_setup(x64)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
Hard_Configurator/Hard_Configurator_setup(x86)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
x64 is for 64-bit Windows and x86 is for 32-bit Windows.

Next, run Hard_Configurator. Accept making a System Restore Point and checking autoruns (see picture 1h.png).
After this is finished, you can close the TOOLS window and the main window will be activated.
In a normal (not tweaked) system all options will be OFF (see picture 2h.png).
Press the <Recommended SRP> and then the <Recommended Restrictions> buttons. Hard_Configurator settings will be changed (see picture 3h.png). Yet, some settings require a LogOFF to be fully activated by Windows.
Press the <APPLY CHANGES> button to LogOFF from the account. When you LogON again the Hard_Configurator settings will be activated.

To uninstall Hard_Configurator press the <Tools> button and then, from the TOOLS window, press the red button <Restore Windows Defaults> (see 4h.png). Then use the standard Windows uninstallation procedure.
 

Attachments: 1h.png, 2h.png, 3h.png (screenshots referenced above)

Andy Ful

Hard_Configurator recommended settings are a kind of default deny + whitelisting setup. Any executable file from C:\Windows, C:\Program Files (and C:\Program Files (x86) for 64-bit Windows) + whitelisted paths will be allowed, but the rest will be blocked.

The only way to bypass default deny is to run the executable using the Explorer context menu (right mouse click on the file) and choose the 'Run As SmartScreen' option. This will execute any EXE or MSI file with a SmartScreen check and with Administrator privileges. This option can be used for the installation of new programs.

Not dangerous files like documents, photos, media, etc. can be opened without problems from any location by mouse-click or by pressing the Enter key, because they are not executable for SRP.

Files downloaded by the web browser cannot be executed from within the web browser. One should navigate to the Download folder and execute the file using the Explorer context menu ('Run As SmartScreen').

This setup blocks many files that may contain executable content like *.exe, *.msi, *.scr, *.hta, *.bat, *.cmd, *.jar, *.vbs, *.js, *.ps1, and many others. Files with protected extensions cannot be run by the user when mouse-clicking or pressing the Enter key; that protects users from being fooled by double extension malware (*.pdf.scr, *.jpg.exe, *.avi.msi, *.doc.hta, *.txt.bat, *.mp3.ps1, etc.).
But, if the malware is already running in the system, it can open them (except *.exe, *.scr, *.msi, *.vbs, *.vbe, *.js, *.jse, *.wsf, *.wsh, which have extended protection). Also, PowerShell scripts can only be run by malware in Constrained Language mode, which blocks PowerShell trojan downloaders and most penetration tools based on PowerShell.
 

Evjl's Rain

Removed:
- Emsisoft AM: too high RAM usage (struggled to play games on my 8 GB laptop), unforgivable bug (exited EAM using the tray icon -> re-opened using the start menu icon (a2start.exe) -> all protections were disabled + missing tray icon -> tried to open a2guard.exe -> all shields were on + the tray icon re-appeared -> exited EAM again -> performed the same steps above -> "A major problem prevents..." + tray icon never appeared again. Could no longer start EAM at all except after a reboot)

Installed:
- Avast free: managed to be bug-less
 

Syafiq

@Evjl's Rain You're using KIS again, right? You said that you disliked KIS's performance in the past; does it feel light now? Just asking :)
 

Evjl's Rain

@Evjl's Rain You're using KIS again, right? You said that you disliked KIS's performance in the past; does it feel light now? Just asking :)
The performance impact comes from application control, especially during app installation; the rest is fine. I usually disable KIS while installing apps because I don't want it to break the installation process, so it's tolerable.
 

Rebsat

How are you doing bro? I need your advice on my combo's configuration, please....
"Avast Free Antivirus + OSArmor"

I am using this combo but I actually don't have a Firewall module in my combo and I want to add a 3rd party Firewall into that combo
which does not overwrite or conflict with either piece of software in the combo.

Questions
1. Which of the following Firewalls do you recommend to be added into my combo and why?
- Comodo Firewall
- Xvirus Personal Firewall
- SpyShelter Firewall
- ZoneAlarm Firewall
- FortKnox Firewall

2. Avast Free Antivirus includes a BB which is Behavior Shield. I wonder if that aspect of Avast would be redundant with some aspects of OSArmor or not?

Any advice is welcome. Thank you for your good assistance bro :)
Best regards,
Rebsat.
 

shmu26

Quoting Rebsat's question above ("How are you doing bro? I need your advice on my combo's configuration, please...."):
I had a conflict last week between Avast free and OSArmor. I was running Avast free in passive mode, and it was preventing OSArmor from actually blocking the things it is supposed to block. You would only know if you tested it, because everything "looked" as if it was running properly. So if you combo Avast with OSArmor, please do make a test, to make sure that OSArmor is working.
 

Evjl's Rain

Quoting Rebsat's question above ("How are you doing bro? I need your advice on my combo's configuration, please...."):
hi, sorry for being late. I was busy. I'm fine. How about you, bro?
Avast and OSA are fine. You can use Windows Firewall and you can block internet connections of vulnerable processes to prevent malware from downloading payloads. I think it's good enough.
If you want a 3rd party firewall, any of them is fine, but I prefer a free firewall because home users don't need a paid firewall, as we are not usually targeted.
You may try Xvirus firewall. I think it's good.

CF is even better, but I prefer Kaspersky + CF to avast + OSA + CF or avast + CF (no OSA).

2/ I think they are not redundant together. Each one has its own job and there is no overlapping.

If you use avast, make sure you disable the "stupid" hardware-assisted virtualization in troubleshooting because it's the cause of 80-90% of avast's problems and conflicts with other apps. It's okay to be used alone but problematic to be used in a combo.
 

Rebsat

According to the Avast site...
Mail Shield is an additional layer of active protection in Avast Antivirus. It scans your incoming and outgoing email messages in real-time for malicious content such as viruses. Scanning applies only to messages sent or received using a mail management software (email clients, such as Microsoft Outlook or Mozilla Thunderbird). If you access your web based email account via an internet browser, your PC is protected by other Shields.

Don't be sorry bro. I am good, thank you and I hope you are doing very well ;)

Questions:
1. Why did you disable the "Mail Shield" component in your Avast settings? And have you faced any slowdowns, conflicts or issues with enabling "Mail Shield"?

2. Can I benefit from enabling "Mail Shield" while I am running Microsoft Outlook 2010 with Gmail integrated into it? Suppose I received an email in the inbox of my Microsoft Outlook with a malware file attached...

3. What would the situation be like if I clicked a malware attachment inside an email from the inbox of Microsoft Outlook 2010... Would Avast Free Antivirus (Evjl's Rain tweaks) or Comodo Firewall (cs settings) pop up an alert and block the malware? Or are malicious/malware attachments in the inbox of Microsoft Outlook separate from the entire Windows security and not protected by either Avast Free Antivirus or Comodo Firewall...
 

Evjl's Rain

Quoting Rebsat's three questions above (Mail Shield, Outlook 2010 with Gmail, and a malware attachment opened from Outlook):
1. Because I don't use Outlook. I only use the web mail.
2. Yes, you will benefit from it. Mail Shield will scan your mail as soon as it is downloaded to your Outlook. It works like Web Shield for Outlook.
3. Avast will block the malware before execution unless it is password-protected, while CF will block it after execution.
 
