To be fair I never see it, or my AV for that matter, working. With the exception of when I try to open CMD and forget to disable OSA.Yes, it is a nice tool if you cannot block/restrict something by H_C. Did you see it working when using H_C in default-deny setup?
Edit.
Nobody can deny that the life ring (OSA) is a great thing on the boat (AV). But, is it really necessary on the boat in the desert (AV + H_C)? You will probably never see it working (the Noah case can be an exception).
You can even block CMD in H_C, and open it elevated via "open file location" + "Run As SmartScreen" when you want to execute CMD command lines.To be fair I never see it, or my AV for that matter, working. With the exception of when I try to open CMD and forget to disable OSA.
Most locations in C:\Windows, all locations in C:\Program Files, C:\Program Files (x86) - for Windows 64-bit, and Windows Defender application folder.
I'm still using SSRP default-deny setup in my main computer, and when I started using OSA I saw it working. Luckily for me - as I mentioned - I found the Exclusion rules to fulfill my needs, so after some tweaking OSA has been silent.Yes, it is a nice tool if you cannot block/restrict something by H_C. Did you see it working when using H_C in default-deny setup?
Edit.
Nobody can deny that the life ring (OSA) is a great thing on the boat (AV). But, is it really necessary on the boat in the desert (AV + H_C)? You will probably never see it working (the Noah case can be an exception).
:emoji_pray:. Since that's not available to us nowadays, I find it good to have both the boat and life ring at hand (at least so far as neither of them cause me headache).
Did you saw the same with H_C? the H_C setup can be much stronger than the common setups made by SSRP.
You can still do it via a simple script, or a simple AutoIt program that first turns off MemProtect driver to install mode and next runs SwitchDefaultDeny tool. If you want to restore the protection then the AutoIt program first turns MemProtect on and next runs SwitchDefaultDeny tool.
Well, I think that my "problem" was in the opposite direction, so to say.
I think that if there were a command line interface to SwitchDefaultDeny (e.g. "-on" and "-off") to switch the setting accordingly, that would be a workable solution. I wonder if there is a way to append this into the wish list...?
What about setting it as a scheduled task with elevated privileges? Won't that bypass SRP restrictions?
I have no need to change my current setup; everything works well and smoothly.
It is much safer set H_C to allow PowerShell scripts and block PowerShell executables via <Block Sponsors>. With these settings, you can use PowerShell as Administrator (elevated) without restrictions from H_C. PowerShell scripting will be still blocked for malware. The H_C default-deny will prevent malware to elevate.
I do not plan to add the command line interface. It is very easy to set SRP Default Security Level to Unrestricted/Disallowed via reg tweaks. You can simply add a few command lines to your PowerShell or CMD script and run it with elevation via shortcut. You can do a similar thing in Autoit.I think that if there were a command line interface to SwitchDefaultDeny (e.g. "-on" and "-off") to switch the setting accordingly, that would be a workable solution. I wonder if there is a way to append this into the wish list...?
github.com
@Marana this is what I was talking about when I suggested the elevated startup entry. I understand you have everything set up just the way you like it, I was just talking about the future switch to H_C
Will be interesting to see what apps are not properly signed and mabe time to search for alternatives.
You get the Windows error alerts, like:
Yes, after publishing the upcoming beta version, I will work on adding this option also to the main H_C panel and will include Windows_Security profile in H_C profiles.@Andy Ful
Great news that H_C will be signed. Inevitable question which follows, could you add it as an option in H_C and add it as a setting in Windows_Security configuration? :emoji_clap:
Offer stands to support you when you decide to start a crowd funding action.
Regards Kees
When you are using your PC as Admin (not a seperate basic user account) and use Windows Defender as antivirus, simple use this profile and you are good to go. It is not a Default Deny (it has a hole in it, but uses the whitelist of WD to protect this hole). You probably end up using a full default deny policy, but this is a good first step in using a whitelist in stead of blacklist approach.
malwaretips.com
