Advanced Plus Security Gandalf_The_Grey's Security Configuration for 2019

[Gandalf_The_Grey]

Yes, H_C thread is best place for questions. BTW: you copied my config! except for VoodooShield. Nice setup!

Edit: Whitelisting is easy by process or hash. My main gripe is CFA. Exclusions are possible but don't always seem to work. I'm on the fence with enabling it or not.

Yeah, like your setup. Went away from VS because Dan got himself banned from almost everywhere. It's still a great program.
Any tips where to do the whitelisting in H_C?

 

[Andy Ful]

There are two buttons: <Whitelist By Path> and <Whitelist By Hash>.
What do you want to whitelist? Is something blocked?
Please read the help about whitelisting buttons, and let me know if anything is not clear (the help files are written in Polish-English).

 

[Gandalf_The_Grey]

There are two buttons: <Whitelist By Path> and <Whitelist By Hash>.
What do you want to whitelist? Is something blocked?

Okay, thanks. Do I have to to press APPLY CHANGES after that?
A block I see at the moment:

Access to C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\37.186.201\software_reporter_tool.exe has been restricted by your Administrator by the default software restriction policy level.

I also have a lot of lsass.exe messages like this one:

Windows Defender Antivirus audited an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2019-01-18T18:12:47.683Z
User: xxx\xxx
Path: C:\Windows\System32\lsass.exe
Process Name: C:\Windows\System32\Taskmgr.exe
Signature Version: 1.283.3241.0
Engine Version: 1.1.15500.2
Product Version: 4.18.1812.3

I have other warnings for for example CCleaner HitmanPro and Zemana AntiMalware portable.

 

[Andy Ful]

Okay, thanks. Do I have to to press APPLY CHANGES after that?
A block I see at the moment:

I also have a lot of lsass.exe messages like this one:

I have other warnings for for example CCleaner HitmanPro and Zemana AntiMalware portable.

You have to apply changes - they will require log off from the account.

You probably do not need the blocked application software_reporter_tool.exe, see there:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
This tool is installed in unsafe location 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and have the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', totally empty.

You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts . Those settings are set to Audit, because the user can see if enabling them can make some problems.

 

[Gandalf_The_Grey]

You have to apply changes - they will require log off from the account.

You probably do not need the blocked application software_reporter_tool.exe, see there:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
This tool is installed in unsafe location 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and have the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', totally empty.

You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts . Those settings are set to Audit, because the user can see if enabling them can make some problems.

Thank again for your great support
I have put the 4 audit settings in ConfigureDefender to disabled.
Will see tomorrow if there are still any blocks and/or warnings.

 

[Windows_Security]

@Gandalf_The_Grey

What did you do? You mentioned the new Adguard Beta extension with Stealth of which I was completely unaware! I am in my second day of the Browser Extension Anonymous rehab program. I can't sleep, I can't watch my favourite series, I am just staring at the twitter post of Adguard Beta in this thread. I don't dare to touch the keyboard or mouse. I am talking loud repeating my rehab mantra: don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, . . . .

My name is Kees and I am . . .

 

[Gandalf_The_Grey]

@Gandalf_The_Grey

What did you do? You mentioned the new Adguard Beta extension with Stealth of which I was completely unaware! I am in my second day of the Browser Extension Anonymous rehab program. I can't sleep, I can't watch my favourite series, I am just staring at the twitter post of Adguard Beta in this thread. I don't dare to touch the keyboard or mouse. I am talking loud repeating my rehab mantra: don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, don't right click remove smart adblocker and install Adguard beta, . . . .

My name is Kees and I am . . .

Sorry Kees. It just looked so cool and shiny.... Have to be more careful when posting these things
Maybe @Jack can block those posts especially for you

 

[oldschool]

@Windows_Security - It's very healthy to talk about your addiction instead of keeping these things locked inside your mind. Have you gone to a meeting?

BTW- @_CyberGhosT_ raves about the Adguard Beta ...

 

[Windows_Security]

@oldschool,

Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistant, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

Stealth mode really impressive


Regards Kees

 

[oldschool]

@oldschool,

Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistant, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

Stealth mode really impressive
View attachment 206684

Regards Kees

 

[Gandalf_The_Grey]

You have to apply changes - they will require log off from the account.

You probably do not need the blocked application software_reporter_tool.exe, see there:
How to block the Chrome Software Reporter Tool (software_reporter_tool.exe) - gHacks Tech News
This tool is installed in unsafe location 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', which can be writable by any malware. It is a very popular unsafe location, so it is better to avoid whitelisting it. I have installed Google Chrome and have the folder 'C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter', totally empty.

You can change the four Audit settings in ConfigureDefender to Disabled, if you do not want to see the Audit alerts . Those settings are set to Audit, because the user can see if enabling them can make some problems.

The only warning left on my system after setting the 4 audit settings to disabled is for the software_reporter_tool.exe.

Access to C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\37.186.201\software_reporter_tool.exe has been restricted by your Administrator by the default software restriction policy level.

I don't want to block it.
Should I Whitelist it by hash?
What is the best option here?

 

[Windows_Security]

Options
1. Most secure - no hassle: Leave it as it is (Software Restriction Policies will block it, elevated Chrome update is allowed to update it)
2. Secure with hassle: Allow by hash, after an update the hash is probably changed, so you need to recreate an allow by hash rule
3. Less secure with no hassle: Allow by path name, name remains the same, but processes spoofing this name could sneak through SRP

I would follow Andy's advice (option 1) and set the chrome flag "Extension Content Verification" to "Enforce strict (if we can get hashes ...".or simular text. This should prevent sneaky side loading of extensions. Since you only use some (three?) reputable extensions, you should be fine.

 

[Andy Ful]

...
I don't want to block it.
Should I Whitelist it by hash?
What is the best option here?

You can whitelist it, because such vulnerability could be exploited in practice only in the targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead xxx:
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe

 

[Gandalf_The_Grey]

You can whitelist it, because such vulnerability could be exploited in practice only in the targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead xxx:
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe

Thank you, that seems to work and learned something new about using wildcards.

 

[Gandalf_The_Grey]

Options
1. Most secure - no hassle: Leave it as it is (Software Restriction Policies will block it, elevated Chrome update is allowed to update it)
2. Secure with hassle: Allow by hash, after an update the hash is probably changed, so you need to recreate an allow by hash rule
3. Less secure with no hassle: Allow by path name, name remains the same, but processes spoofing this name could sneak through SRP

I would follow Andy's advice (option 1) and set the chrome flag "Extension Content Verification" to "Enforce strict (if we can get hashes ...".or simular text. This should prevent sneaky side loading of extensions. Since you only use some (three?) reputable extensions, you should be fine.

Did option 2 with wildcards (and the help from Andy) and set the chrome flag "Extension Content Verification" to "Enforce strict.
Using currently 4 extensions (AdGuard, Emsisoft, Windows Defender and LastPass) and try hard to keep that number...

 

[Handsome Recluse]

@oldschool,

Not yet, one of my legs is shorter than the other and both my feet's too long, but tomorrow (Saturday) Bobby Brown will give me a lift to the Browser Extension Anonymous Meeting (BEAM). Your line about CyberHosT tempted me to try Adguard Beta in a VM. I thought a VM is only virtual, not persistant, so running Adguard beta in a VM would not count as a relapse, but only a slip from rehab?

Stealth mode really impressive
View attachment 206684

Regards Kees

What does it have over the original version other than Stealth Mode and a new UI?

 

[Gandalf_The_Grey]

What does it have over the original version other than Stealth Mode and a new UI?

From: AdguardTeam/AdguardBrowserExtension :

Improved] Renewed design
Fresh icon and menu designs that make interface more natural and user-friendly, with a big "On/Off" switch. Brand-new “Statistics” tab creates charts based on your blocked ads statistics, with the ability to show different types of data: total, filter-specific etc.
What's more, user filter editor has undergone a few changes too. Luminous element highlighting and auto-save function as well as unified filtering rules' text field should make editing more convinient.
[Improved] Get rid of the tabs in the filters settings
Now, each filter category (group of filters with similar purpose e.g. Ad blocking, Social Widgets etc.) has an icon and is easier to access. In addition, it can be turned on/off at once, thus making filter management smoother.
[Added] Merge StealthMode Extension code
We took online privacy protection in our extension to the next level by adding the Privacy module, which until this day existed only in the standalone AdGuard for Windows app. Although it doesn’t have the full capabilities of its desktop parent yet, it still makes the extension all the more effective for protecting privacy against trackers and analytical systems.
[Added] "Filters update period" setting
Before, filters were automatically updated every 48 hours (default period), now you can adjust the frequency of automatic updates (by choosing from options: every 1/6/12/24/48 hours) or disable them completely, in case you prefer to update them manually.
[Added] An option to disable integration mode while keeping the extension up
If you already have the AdGuard app, our browser extension may become a very useful additional tool, which can completely replace the browser-based “AdGuard Assistant” module (learn more). It’s called Integration mode and now you can turn it on or off in the “Other settings” tab.

And lots more added, changed, fixed and improved (under Common)

[*][Added] Notifications for various actions, e.g. filter updates #1167
[*][Added] A notification with changelog after an update #1025
[*][Added] "About" screen #1135
[*][Added] $cookie modifier support #961
[*][Added] "Submit a complaint" item to the right-click menu #1072
[*][Added] Update filter after enabling it #1181
[*][Added] Show notify when checking for filters update using context menu #1073
[*][Changed] Wording for manual blocking tool options #1169
[*][Changed] A forwarder is now used for all links #1109
[*][Changed] Localizations have been updated #1174
[*][Fixed] Assistant advanced settings button doesn't respond #1091
[*][Fixed] $extension modifier prevents first-party URL blocking #1122
[*][Fixed] Invalid exclusions are created using Filtering Log #1131
[*][Fixed] "Third-party" icon size in Filtering Log #1069
[*][Fixed] Some hidden elements are not shown in the Filtering Log #1123
[*][Fixed] Some requests are not visible in the Filtering Log #1138
[*][Fixed] While in integration mode, new rules are not imported to the desktop AG User filter #10
[*][Fixed] Incorrect file types are accepted when you try to import a User filter #1039
[*][Fixed] AdGuard settings are not fully visible when accessing them from the overflow menu #970
[*][Improved] $csp rules are now disabled if there's a document-level exception applied to the website #1093
[*][Improved] Extension is now more friendly towards visually impaired users #953
[*][Improved] Multiple $replace rules can be applied to a single web request now #1092
[*][Improved] Network requests excluded by a rule in a custom filter can now be blocked #1044
[*][Improved] "abp:subscribe" links are now intercepted properly #1149

 

[Gandalf_The_Grey]

Added Emsisoft Browser Security to Microsoft Edge.

 

[notabot]

You can whitelist it, because such vulnerability could be exploited in practice only in the targeted attacks. If you do not want to see it blocked after the Chrome update, then you can whitelist that executable by path with wildcards.
Use <Whitelist By Path><Add Path*Wildcards> and write the path to the executable, with ??.???.??? instead of 37.186.201 and your account name instead xxx:
C:\Users\xxx\AppData\Local\Google\Chrome\User Data\SwReporter\??.???.???\software_reporter_tool.exe

Why for a targeted attack this shouldn’t be whitelisted ?

 

[Andy Ful]

Why for a targeted attack this shouldn’t be whitelisted ?

The path of the software_reporter_tool.exe is writable. If there is a danger of targeted attacks (like in organizations), then any writable path should not be executable, except the files whitelisted by hash.
If not, then the attacker could get the information or simply guess the whitelisted path to replace silently the whitelisted file with the malware, and then he could successfully execute the malware. Furthermore, the malware could be started with Windows.
In the home environment with default deny setup, such scenario is rather improbable.