Advanced Plus Security Gandalf_The_Grey's Security Configuration for 2019

Last updated
Dec 1, 2019
Windows Edition
Pro
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
Ziggo Safe Online (F-Secure Safe) 17.7 and VoodooShield 5.52 beta
Firewall security
Microsoft Defender Firewall
About custom security
Removed Internet Explorer 11.
Ziggo Safe Online switched off Banking protection.
VoodooShield enabled WhitelistCloud and added the new Edge to web apps
Periodic malware scanners
HitmanPro and AdwCleaner (for the kids)
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Microsoft Edge Dev with uBlock Origin, F-Secure Browsing Protection, Netcraft Extension, Certificate Info and Bitwarden.
Maintenance tools
O&O ShutUp10, Patch My PC, Autoruns, Bandizip, Driver Easy Pro, CCleaner Pro and Disk Cleanup
File and Photo backup
OneDrive, File History
System recovery
Windows system image
Risk factors
    • Logging into my bank account
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
    • Working from home
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Acer Aspire VN7-791G-576X
Intel Core i5-4210H
Intel HD Graphics 4600 / NVIDIA GeForce GTX 860M
Kingston 16GB Dual-Channel DDR3 PC3-12800 RAM
Samsung SSD 850 EVO M.2 250GB
Seagate HDD ST1000LM014-1EJ164 1TB
Realtek High Definition Audio

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,419
Yes, H_C thread is best place for questions. BTW: you copied my config! :LOL: except for VoodooShield. Nice setup! (y)

Edit: Whitelisting is easy by process or hash. My main gripe is CFA. Exclusions are possible but don't always seem to work. I'm on the fence with enabling it or not.
Yeah, like your setup. Went away from VS because Dan got himself banned from almost everywhere. It's still a great program.
Any tips where to do the whitelisting in H_C?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
There are two buttons: <Whitelist By Path> and <Whitelist By Hash>.(y)
What do you want to whitelist? Is something blocked?
Please read the help about whitelisting buttons, and let me know if anything is not clear (the help files are written in Polish-English).:giggle:
 
Last edited:

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,419
There are two buttons: <Whitelist By Path> and <Whitelist By Hash>.
What do you want to whitelist? Is something blocked?
Okay, thanks. Do I have to to press APPLY CHANGES after that?
A block I see at the moment:
Access to C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\37.186.201\software_reporter_tool.exe has been restricted by your Administrator by the default software restriction policy level.
I also have a lot of lsass.exe messages like this one:
Windows Defender Antivirus audited an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2019-01-18T18:12:47.683Z
User: xxx\xxx
Path: C:\Windows\System32\lsass.exe
Process Name: C:\Windows\System32\Taskmgr.exe
Signature Version: 1.283.3241.0
Engine Version: 1.1.15500.2
Product Version: 4.18.1812.3
I have other warnings for for example CCleaner HitmanPro and Zemana AntiMalware portable.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
Okay, thanks. Do I have to to press APPLY CHANGES after that?
A block I see at the moment:

I also have a lot of lsass.exe messages like this one:

I have other warnings for for example CCleaner HitmanPro and Zemana AntiMalware portable.
You have to apply changes - they will require log off from the account.

You probably do not need the blocked application software_reporter_tool.exe, see there:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
This tool is installed in unsafe location 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and have the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', totally empty.

You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts . Those settings are set to Audit, because the user can see if enabling them can make some problems.
 

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,419
You have to apply changes - they will require log off from the account.

You probably do not need the blocked application software_reporter_tool.exe, see there:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
This tool is installed in unsafe location 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and have the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', totally empty.

You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts . Those settings are set to Audit, because the user can see if enabling them can make some problems.
Thank again for your great support (y)
I have put the 4 audit settings in ConfigureDefender to disabled.
Will see tomorrow if there are still any blocks and/or warnings.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Gandalf_The_Grey

What did you do? You mentioned the new Adguard Beta extension with Stealth of which I was completely unaware! I am in my second day of the Browser Extension Anonymous rehab program. I can't sleep, I can't watch my favourite series, I am just staring at the twitter post of Adguard Beta in this thread. I don't dare to touch the keyboard or mouse. I am talking loud repeating my rehab mantra: don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, . . . .

My name is Kees and I am . . .
 

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,419
@Gandalf_The_Grey

What did you do? You mentioned the new Adguard Beta extension with Stealth of which I was completely unaware! I am in my second day of the Browser Extension Anonymous rehab program. I can't sleep, I can't watch my favourite series, I am just staring at the twitter post of Adguard Beta in this thread. I don't dare to touch the keyboard or mouse. I am talking loud repeating my rehab mantra: don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, . . . .

My name is Kees and I am . . .
Sorry Kees. It just looked so cool and shiny.... :oops: Have to be more careful when posting these things :D
Maybe @Jack can block those posts especially for you :unsure:
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@oldschool,

Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistant, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

Stealth mode really impressive
1547856904931.png

Regards Kees
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,706
@oldschool,

Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistant, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

Stealth mode really impressive
View attachment 206684

Regards Kees

:LOL::LOL::LOL:
 

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,419
You have to apply changes - they will require log off from the account.

You probably do not need the blocked application software_reporter_tool.exe, see there:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
This tool is installed in unsafe location 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and have the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', totally empty.

You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts . Those settings are set to Audit, because the user can see if enabling them can make some problems.
The only warning left on my system after setting the 4 audit settings to disabled is for the software_reporter_tool.exe. (y)
Access to C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\37.186.201\software_reporter_tool.exe has been restricted by your Administrator by the default software restriction policy level.
I don't want to block it.
Should I Whitelist it by hash?
What is the best option here?
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Options
1. Most secure - no hassle: Leave it as it is (Software Restriction Policies will block it, elevated Chrome update is allowed to update it)
2. Secure with hassle: Allow by hash, after an update the hash is probably changed, so you need to recreate an allow by hash rule
3. Less secure with no hassle: Allow by path name, name remains the same, but processes spoofing this name could sneak through SRP

I would follow Andy's advice (option 1) and set the chrome flag "Extension Content Verification" to "Enforce strict (if we can get hashes ...".or simular text. This should prevent sneaky side loading of extensions. Since you only use some (three?) reputable extensions, you should be fine.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
...
I don't want to block it.
Should I Whitelist it by hash?
What is the best option here?
You can whitelist it, because such vulnerability could be exploited in practice only in the targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead xxx:
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe
 
Last edited:

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,419
You can whitelist it, because such vulnerability could be exploited in practice only in the targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead xxx:
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe
Thank you, that seems to work and learned something new about using wildcards. (y)
 

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,419
Options
1. Most secure - no hassle: Leave it as it is (Software Restriction Policies will block it, elevated Chrome update is allowed to update it)
2. Secure with hassle: Allow by hash, after an update the hash is probably changed, so you need to recreate an allow by hash rule
3. Less secure with no hassle: Allow by path name, name remains the same, but processes spoofing this name could sneak through SRP

I would follow Andy's advice (option 1) and set the chrome flag "Extension Content Verification" to "Enforce strict (if we can get hashes ...".or simular text. This should prevent sneaky side loading of extensions. Since you only use some (three?) reputable extensions, you should be fine.
Did option 2 with wildcards (and the help from Andy) and set the chrome flag "Extension Content Verification" to "Enforce strict.
Using currently 4 extensions (AdGuard, Emsisoft, Windows Defender and LastPass) and try hard to keep that number... ;)
 

Handsome Recluse

Level 23
Verified
Top Poster
Well-known
Nov 17, 2016
1,242
@oldschool,

Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistant, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

Stealth mode really impressive
View attachment 206684

Regards Kees
What does it have over the original version other than Stealth Mode and a new UI?
 

Gandalf_The_Grey

Level 84
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,419
What does it have over the original version other than Stealth Mode and a new UI?
From: AdguardTeam/AdguardBrowserExtension :
Improved] Renewed design
Fresh icon and menu designs that make interface more natural and user-friendly, with a big "On/Off" switch. Brand-new “Statistics” tab creates charts based on your blocked ads statistics, with the ability to show different types of data: total, filter-specific etc.
What's more, user filter editor has undergone a few changes too. Luminous element highlighting and auto-save function as well as unified filtering rules' text field should make editing more convinient.
[Improved] Get rid of the tabs in the filters settings
Now, each filter category (group of filters with similar purpose e.g. Ad blocking, Social Widgets etc.) has an icon and is easier to access. In addition, it can be turned on/off at once, thus making filter management smoother.
[Added] Merge StealthMode Extension code
We took online privacy protection in our extension to the next level by adding the Privacy module, which until this day existed only in the standalone AdGuard for Windows app. Although it doesn’t have the full capabilities of its desktop parent yet, it still makes the extension all the more effective for protecting privacy against trackers and analytical systems.
[Added] "Filters update period" setting
Before, filters were automatically updated every 48 hours (default period), now you can adjust the frequency of automatic updates (by choosing from options: every 1/6/12/24/48 hours) or disable them completely, in case you prefer to update them manually.
[Added] An option to disable integration mode while keeping the extension up
If you already have the AdGuard app, our browser extension may become a very useful additional tool, which can completely replace the browser-based “AdGuard Assistant” module (learn more). It’s called Integration mode and now you can turn it on or off in the “Other settings” tab.
And lots more added, changed, fixed and improved (under Common)
[*][Added] Notifications for various actions, e.g. filter updates #1167
[*][Added] A notification with changelog after an update #1025
[*][Added] "About" screen #1135
[*][Added] $cookie modifier support #961
[*][Added] "Submit a complaint" item to the right-click menu #1072
[*][Added] Update filter after enabling it #1181
[*][Added] Show notify when checking for filters update using context menu #1073
[*][Changed] Wording for manual blocking tool options #1169
[*][Changed] A forwarder is now used for all links #1109
[*][Changed] Localizations have been updated #1174
[*][Fixed] Assistant advanced settings button doesn't respond #1091
[*][Fixed] $extension modifier prevents first-party URL blocking #1122
[*][Fixed] Invalid exclusions are created using Filtering Log #1131
[*][Fixed] "Third-party" icon size in Filtering Log #1069
[*][Fixed] Some hidden elements are not shown in the Filtering Log #1123
[*][Fixed] Some requests are not visible in the Filtering Log #1138
[*][Fixed] While in integration mode, new rules are not imported to the desktop AG User filter #10
[*][Fixed] Incorrect file types are accepted when you try to import a User filter #1039
[*][Fixed] AdGuard settings are not fully visible when accessing them from the overflow menu #970
[*][Improved] $csp rules are now disabled if there's a document-level exception applied to the website #1093
[*][Improved] Extension is now more friendly towards visually impaired users #953
[*][Improved] Multiple $replace rules can be applied to a single web request now #1092
[*][Improved] Network requests excluded by a rule in a custom filter can now be blocked #1044
[*][Improved] "abp:subscribe" links are now intercepted properly #1149
50401638-46c5ad80-07a1-11e9-9dca-95aa8ef2eb06.png50401666-7674b580-07a1-11e9-8de8-ece53875daa9.png50424262-8b6d4980-0872-11e9-8053-ba4c68f189f6.png50424316-cd968b00-0872-11e9-8b20-e46a414f564c.png
 
Last edited:

notabot

Level 15
Verified
Oct 31, 2018
703
You can whitelist it, because such vulnerability could be exploited in practice only in the targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead xxx:
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe

Why for a targeted attack this shouldn’t be whitelisted ?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,600
Why for a targeted attack this shouldn’t be whitelisted ?
The path of the software_reporter_tool.exe is writable. If there is a danger of targeted attacks (like in organizations), then any writable path should not be executable, except the files whitelisted by hash.
If not, then the attacker could get the information or simply guess the whitelisted path to replace silently the whitelisted file with the malware, and then he could successfully execute the malware. Furthermore, the malware could be started with Windows.
In the home environment with default deny setup, such scenario is rather improbable.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top