imsoadude's free configuration

Nice configuration. Here's a different way to combat ransomware you may not have thought of...VoodooShield free. I think I would still want to have MBAE to handle exploit activity, but I'm paranoid I guess. VoodooShield adds the extra option for sandboxing unknowns, and that's kind of irresistible to me at this point.
 
Thanks for the suggestion AtlBo. At this moment I don't think I would add that. What I am aiming for is more of an automatic solution, one that doesn't really need to be hands on, as I want to use the same config for myself as for my friends and family who aren't as tech savvy and don't really understand these things.

I have checked VoodooShield out and it was very tempting to me as every test has great results, but the amount of popups would not be good, as I would start to get hundreds of phone calls from them asking what is this, what do I click, what have you done to my computer lol :)
 
I have checked VoodooShield out and it was very tempting to me as every test has great results, but the amount of popups would not be good, as I would start to get hundreds of phone calls from them asking what is this, what do I click, what have you done to my computer lol

LOL, I can see where you are coming from on this. Avast is definitely a good choice for you. Not sure what I would add, but MBAE protection of the browser seems like a good idea. Good luck finding ARW. That should finish off a great config for your purpose.
 
I recently had to reinstall Malwarebytes 3.0 (free) and found that it had removed Malwarebytes Anti-Exploit. Will this happen every time Malwarebytes requires a program update?
 
What are the pros and cons of EMET vs Malwarebytes Anti-Exploit free? I know that EMET protects more programs than MBAE free; what benefits does MBAE free have over EMET?
 
I'm using EMET. It's a challenge to configure. I think I have experienced maybe 7 alerts in 2 years. All of them were Firefox, and I don't know what the issue was, whether it was an exploit of Firefox or a behavior of the program. It's great that you can add anything to EMET, but you will find that you can run into issues with Windows and some other processes when trying to configure them for full protection. This seems fairly standard that not all of the protections will work. Not sure why. I have configs you can import for some Windows programs and others if you want to try this. In Windows 7, nothing breaks with these settings.

MBAE free will protect the browser and MS Office. EMET is anything you choose to protect, including Windows processes. You just have to do the testing yourself to make sure that all the protections will work and the program too.
 
I'm using EMET. It's a challenge to configure. I think I have experienced maybe 7 alerts in 2 years. All of them were Firefox, and I don't know what the issue was, whether it was an exploit of Firefox or a behavior of the program. It's great that you can add anything to EMET, but you will find that you can run into issues with Windows and some other processes when trying to configure them for full protection. This seems fairly standard that not all of the protections will work. Not sure why. I have configs you can import for some Windows programs and others if you want to try this. In Windows 7, nothing breaks with these settings.

MBAE free will protect the browser and MS Office. EMET is anything you choose to protect, including Windows processes. You just have to do the testing yourself to make sure that all the protections will work and the program too.

MBAE free only protects browsers and Java. Just confirmed that MS Office is only available in Premium.

As for EMET I will likely give it a shot. After installing it without any configurations what kind of protection does it offer? I would be interested in checking out the configs you have as well as if you have any recommendations on settings to tweak in EMET as well.
 
Also, if pre-configured and tested working, do you think it would be good to put on a novice or beginner's computer? Does it require a lot of intervention or is it more of a set-and-forget program?
 
OK, yes. I haven't looked at the settings in a while, obviously. I have it on a second computer.
 
As for EMET I will likely give it a shot. After installing it without any configurations what kind of protection does it offer? I would be interested in checking out the configs you have as well as if you have any recommendations on settings to tweak in EMET as well.

This contains a number of Windows processes configured and working fine on Windows 7. You may be able to harden the most recent ones added as I unchecked both EAF and EAF+ for them without testing to avoid crashing Windows:

https://1drv.ms/u/s!AgeDPtkMv7Mzg0qLshSlucaP0JAO

You should see everything for importing. Click on "Apps" up top to add or remove processes. You'll find some that aren't on your system, and you can just delete those. If you have a problem with the link, I'll put this up somewhere else. It's in public, but OneDrive seems to fail sometimes with download links.

EMET has a slew of memory mitigation protections. I think it's most or all of them that exist. From what I understand it's not easy to get around. I think there are 10 or 12, I haven't counted them.
 
If you see a number of processes (mostly Windows) in the bottom half of the "Apps" list with both EAF and EAF+ unchecked, I have just in the last 20 minutes checked both of these for these processes. Rebooted and everything is fine so far. The others (one or the other checked or both unchecked as you go down the list) have been tested and break some functionality in Windows if both are used. This group starts for me with the first winlogon.exe and then going down. Not sure they will appear to you the same. If you need a list, I'll take a screenshot. I didn't mean to test winlogon, worried it might break the logon, but I logged on without an issue.

Might be better if you go with what's there for a while and then roll the changes if you don't have any problems. I think 5.5 was constructed largely with W10 in mind but for 7 onward mostly. Still might be some issues with some processes, idk. Haven't configured the Office apps yet. I think I would have to image back to get them. Not hard to test, though, if you have Office. Just check the EAF and EAF+ then try the app. Usually EAF+ is the one that breaks the app.
 
Just noticed. I hadn't added cmd.exe (system32 and SysWow) or PowerShell (system32\Windows Powershell... and SysWow\Windows Powershell...). I added them just now. Hopefully they won't break with the defaults used by EMET. Just ran a cmd script, and it seems to be working.
 
Got EMET installed and added your configs as well as the popular programs list. Had EAF+ break Chrome lol. I noticed that the EMET service doesn't seem to start with Windows. Each boot up shows that the EMET service is stopped; have you encountered that? I also notice that explorer.exe doesn't seem to get protected by EMET although it is in your list. Why is that?
 
Yeah, it breaks some programs with them all checked. To get it to run on boot, open the GUI and make sure Windows Event Log, Tray Icon, and Early Warning are checked. It should run on boot. No idea if that doesn't work. For explorer.exe, if you mean the green dot isn't showing up, it's working for me. Try unchecking EAF+. Maybe that will work for you on W10. I'm running Windows 7.
 
I found why EMET wasn't starting up: the service was set to Automatic (Delayed Start). Switched to Automatic and it starts up right away. As for Explorer.exe, cmd, and PowerShell, I can't seem to get them protected. Removed EAF and EAF+, tried a couple times and no dice. Do I just start unchecking one by one until it shows protected? I still am not super clear about how to configure them to make sure they are working but would like to :)
 
Removed EAF and EAF+, tried a couple times and no dice. Do I just start unchecking one by one until it shows protected? I still am not super clear about how to configure them to make sure they are working but would like to

The menu that opens will show green dots for the processes that are running protected. You can check the others you have added in the Apps button menu by running those. At the bottom of the main GUI there is a refresh button. You can use that to update the list of running processes if you open something with the EMET GUI open. Should be able to see what is being protected.

I know it works for browsers, because I have seen it catch issues before...maybe it was bad programming practices from Firefox or maybe an exploit not sure. Think I had 5 alerts or around that over around a year and a half. Powershell opens (32 and 64 bit versions) on Windows 7 Pro 64 bit for me with EAF and EAF+ checked. Got the green dot.

Some others I will probably add are smss.exe, lsm.exe, services.exe, taskhost.exe, taskeng.exe. Some of these I was protecting before I reinstalled Windows a week ago. I haven't had time to add and test them all. Don't know if it helps with these, but I focused on them because they are always running.

A couple of days ago EMET blocked Explorer.exe. It happened when I deleted Comodo Firewall Trusted Vendors list. Comodo alerts started slowing things down, and when I opened a folder or a program EMET would fire claiming it was Explorer. It was probably actually Explorer running as part of Comodo somehow system-wise like sandboxed due to the alert timeout. I didn't take it as an issue but really just good to see how it monitors and can catch exploits. Guess Comodo was "injecting itself" into Explorer system-wise, thus the alert. Doesn't cause problems with browsers though.

Unless you afk, you will see an alert if it fires. It makes a report in Event Viewer you can check and drops two files in the .tmp folder->users\user folder\app data\Local\Temp. Can't miss them. They're named EMET and in html or debug form.
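An added PowerShell check (not from anyone in this thread) that covers the two troubleshooting points raised above: whether the EMET service is set to delayed start, and where EMET left its alert records. The service name EMET_Service, the event source name EMET and the EMET* report filenames in %LOCALAPPDATA%\Temp are assumed from EMET 5.x defaults and may need adjusting on your system.

```powershell
# Added example, not part of the original thread.
# Assumes EMET 5.x defaults: service 'EMET_Service', Application-log
# source 'EMET', alert reports dropped as EMET*.html in the user's Temp.
$serviceName = 'EMET_Service'   # assumed EMET 5.x service name

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$serviceName' not found; is EMET installed?"
    return
}

# 'Automatic (Delayed Start)' is stored as a DelayedAutostart=1 value under
# the service key. services.msc shows it as 'Automatic (Delayed Start)',
# which is the setting the thread found left EMET stopped after logon.
$key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$delayed = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DelayedAutostart -eq 1

"{0}: Status={1} StartType={2} Delayed={3}" -f $svc.Name, $svc.Status, $svc.StartType, $delayed

if ($delayed) {
    # Requires an elevated prompt. 'start= auto' (note the space after '=')
    # sets plain Automatic and clears the delayed flag; Set-Service in
    # Windows PowerShell 5.1 does not clear that flag on its own.
    & sc.exe config $serviceName start= auto | Out-Null
    Start-Service -Name $serviceName
}

# Recent EMET alerts. EMET logs mitigation events to the Application log;
# 'EMET' as the provider name is an assumption from the 5.x defaults.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'EMET' } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -split "`n" | Select-Object -First 1 } }

# The HTML/debug reports the post above mentions, newest first.
Get-ChildItem -Path "$env:LOCALAPPDATA\Temp" -Filter 'EMET*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Name
```

Run it from an elevated PowerShell window if you want the start-type fix applied; the read-only checks work unelevated.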
 
Seems like I can't get CMD or PowerShell to get the protected green dot. I did EAF+ and EAF, tried having them both, one at a time or neither. Doesn't seem like I can get them protected. For CMD I cleared out the whole row and did them one by one and can't get it protected, oddly enough. What settings do you use? Application Opt In or Always On? And do I need to reboot the computer after every change?
 