Is virtualization Chinese to you? Then check this freeware setup out


Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
To be honest this setup is inspired by two consecutive posts of @ozone and @EASTER in this overview thread of free anti-ransomware programs

First Ozone mentioned that the developer of EasyFileLocker is the same as that of Shadow Defender. Secondly Easter posted that he still liked SecureFolders, a program similar to EasyFileLocker. From the other security forum I remembered Easter to be a hard-core Shadow Defender user, so why didn't he use a similar program from the same developer (since SecureFolders is abandonware)? Since those programs (Shadow Defender and Secure Folders) both filter disk access, there is always an incompatibility risk. But I also know that Easter likes to cover every dispatch in the System Service Descriptor Table twice. So if someone has experience in finding compatible pairs of protection programs, it is Easter.

An insight or idea popped up*. Obviously disk protection programs from different vendors work together well. When you think about a disk protection program like EasyFileLocker, it protects the DATA on C:\Users and other Data partitions depending on the setup, while a disk virtualisation program like Shadow Defender typically would protect the OS and your installed programs, so it makes sense that they would not interfere with each other.

So would a freebie like ToolWizTimeFreeze (similar to Shadow Defender) play along well with another freebie, EasyFileLocker (similar to SecureFolders)? To start with the spoiler: YES, at least on my wife's laptop running Windows 7 Ultimate 32-bit. Next posts: a short explanation and screenshots of first EasyFileLocker and secondly ToolwizTimeFreeze.

*) I am that old (Kees1958 was my first nickname) that I had to learn to write with my right hand at elementary school while being a lefty (teachers in those days were allowed to slap you on your left hand with a reed when you tried to write left-handed). Using your creative brain half for rational stuff makes your brain take other shortcuts (good for creativity by making other associations, bad for grammar because it causes dyslexia-like side effects).
 

Windows_Security

EasyFileLocker

You can download it from here: XOSLAB.COM and the installation is pretty straightforward. The only thing I noticed is that it needs to be run elevated (as Admin) for the settings to be changed.

[screenshot: upload_2017-7-17_8-34-19.png]


Secondly, I allowed all trusted programs she uses access to her Documents folder (on data partition D; I always split a hard drive into two partitions for security and for ease of backup/recovery maintenance).

[screenshot: upload_2017-7-17_8-37-34.png]


And lastly, her Pictures folder (Albelli is photobook creation software).

[screenshot: upload_2017-7-17_9-28-27.png]
 

Windows_Security

ToolWiz TimeFreeze

You can download it from here: toolwiz and the installation is pretty straightforward; simply exclude your user data folder on C: and the hidden C:\ProgramData as shown in the picture. When you use an anti-virus, don't forget to exclude these folders, otherwise ToolwizTimeFreeze will throw away the virus-fingerprint database after every reboot.

The only thing I did before enabling ToolwizTimeFreeze protection was to disable the auto-start of the settings program (ToolwizTimeFreeze.exe) from HKCU with Autoruns, because this settings program is not ASLR-enabled. The protection is enforced by a driver, so you don't need the GUI/settings program to run.

[screenshot: upload_2017-7-17_14-38-59.png]
 

Windows_Security

NOTE 1: Fileless malware/process-hollowing ransomware
Fileless malware/process hollowing is often the second step in a staged approach. Blocking the first step (the script that triggers it, e.g. with Hardentools), or blocking the third step (the payload running, with an anti-executable, or surviving a reboot, by simply using @Umbra's favourite UAC tweak to block elevation of unsigned programs) will also stop fileless/process-hollowing malware. For my wife's laptop I installed Hardentools (review) and use two .reg files to switch the UAC "ValidateAdminCodeSignatures" feature on and off (enabling this UAC protection still allows unsigned programs to run).

BLOCK ELEVATION/INSTALLATION OF UNSIGNED PROGRAMS (PROTECTION TWEAK)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

ALLOW ELEVATION/INSTALLATION OF UNSIGNED PROGRAMS (DEFAULT VALUE)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000000

NOTE 2: Update hassle
My wife works at a company which applies both whitelisting and blacklisting, so she can't install software on her laptop or run programs from user space. Therefore she still uses IE11. This reduces the update hassle (switching off ToolwizTimeFreeze) to Microsoft's (monthly) Patch Tuesday.

Note 3: Your (optional) AV of choice
In the configuration picture of Toolwiz TimeFreeze I explicitly warned in red to also exclude the folders of your anti-virus. I have not tested this with AVs, but a cloud-based anti-virus would be my AV of choice (when applying disk virtualization).
 
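The UAC tweak from Note 1, read, set and checked from PowerShell, as an added example that is not part of the original post. The registry key and value names are the ones in the two .reg files above; the file paths in the usage lines at the bottom are hypothetical. The script also reports EnableLUA, because ValidateAdminCodeSignatures is only consulted while UAC itself is switched on.

```powershell
# Added example, not from the original post: read/set the UAC policy that the
# two .reg files above toggle, and predict whether a given executable would be
# allowed to elevate under it. Run from an elevated PowerShell prompt.
# The policy key and value names are the real ones; only the sample paths used
# at the bottom are assumptions.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-AdminCodeSignaturePolicy {
    # EnableLUA is reported too: with UAC off, ValidateAdminCodeSignatures is
    # never consulted, so a value of 1 would give a false sense of protection.
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        EnableLUA                   = [int]$p.EnableLUA
        ValidateAdminCodeSignatures = [int]$p.ValidateAdminCodeSignatures   # absent value reads as 0 (Windows default)
    }
}

function Set-AdminCodeSignaturePolicy {
    param([Parameter(Mandatory)][ValidateSet('Block', 'Allow')][string]$Mode)
    # Block = dword 1 (only validly signed executables may elevate),
    # Allow = dword 0 (Windows default): the same two states as the
    # PROTECTION TWEAK and DEFAULT VALUE .reg files.
    $value = if ($Mode -eq 'Block') { 1 } else { 0 }
    Set-ItemProperty -Path $PolicyKey -Name 'ValidateAdminCodeSignatures' -Value $value -Type DWord
    Get-AdminCodeSignaturePolicy
}

function Test-ElevationAllowedByPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # Under Block, an unsigned or tampered binary gets an error instead of a
    # consent prompt. Get-AuthenticodeSignature checks the embedded signature;
    # on Windows 7 it does not consult catalog files, so catalog-signed Windows
    # system binaries show as NotSigned there even though UAC accepts them.
    # For third-party installers, which carry embedded signatures, the check matches.
    $policy = Get-AdminCodeSignaturePolicy
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path             = $Path
        SignatureStatus  = $sig.Status
        Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Allowed unless UAC is on, the policy is Block, and the signature is not Valid.
        AllowedToElevate = -not (($policy.EnableLUA -eq 1) -and
                                 ($policy.ValidateAdminCodeSignatures -eq 1) -and
                                 ($sig.Status -ne 'Valid'))
    }
}

# Usage (the installer path is a hypothetical example):
Get-AdminCodeSignaturePolicy
Test-ElevationAllowedByPolicy -Path "$env:USERPROFILE\Downloads\setup.exe"
Set-AdminCodeSignaturePolicy -Mode Block
Test-ElevationAllowedByPolicy -Path "$env:USERPROFILE\Downloads\setup.exe"
Set-AdminCodeSignaturePolicy -Mode Allow
```

Run the last two checks against the same unsigned installer before and after switching to Block to see the AllowedToElevate field flip; a signed installer whose certificate chain validates keeps elevating in both modes, which is exactly the behaviour the .reg files select between.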

EASTER

Level 4
Verified
Well-known
May 9, 2017
145
I concur. Keep these good freeware ideas rolling out :)

Yes I indeed always have favored and still do even on Windows 10 strategically employing double-duty layering from the far inner reaches to even the basics above ground on Windows. It obviously arose from necessity a long time ago as you yourself understand. Windows always being the free wheeling type.

And to add it only takes a few extra minutes of a user's time to quickly determine if compatibility sits well or not.

@Windows_Security. You always had that special knack for touching on just the right protections at the right time too. As you already noted and are fully aware of, it's but a simple matter for me to add EasyFileLocker to the works.

The preference that I long have had for the abandoned Secure Folders still rests in its driver's stability, which supports what it was designed to do, and it worked well, still does.

However I am not beyond having a second look at EFL :cool:

One other thing that strikes me with some satisfaction. Not sure for others, but I have found far more stability and much less incompatibility with taking the FREEWARE route than the opposite. It never quite caught on for me why some security programs always seem to have that endless drive to make claims/changes where solid improvements are the expectation (but they do not always turn out to be) to their commercial programs. One need only look at plenty of posts where end users are faced with that endless revolving door, once again reaching for a different solution since the one they first selected either no longer works as expected or no longer protects as expected. But I suppose that's par for the course with some of those choices.
 

Windows_Security

The preference that I long have had for the abandoned Secure Folders still rests in its driver's stability, which supports what it was designed to do, and it worked well, still does.

Same here, because its security seems to be built partly on Windows-internal mechanisms (like ACLs and Alternate User), it works great on Windows 10 although the driver was designed for Vista/Windows 7. I agree that only needing one version for different OSes shows a smart and compatible design of software in general. The deny-execute option surely is a bonus compared to EFL.
 

Overkill

Level 31
Verified
Honorary Member
Feb 15, 2012
2,128
I've been using EFL for a while but never understood the apps tab; what do you or should you put there? I mainly use it to lock my important folders.
 

Windows_Security

@Overkill

In the applications tab you can specify which programs are exempted (allowed) access. So in the picture below, no program is allowed to write or delete files in the D:\Pictures folder, except Explorer, Paint, Office Image Manager (OIS) and the Albelli photobook creator (APC). Hope the picture explains it.

[screenshot: upload_2017-7-18_22-0-19.png]
 

EASTER

Leave it to @Windows_Security to specify in sections that clearly show the best settings (love those annotations, thanks), in these and others, in as clear a guide as any (new) or other user could ever need to make things perfectly clear.

It's very commendable to take up proving exactly what options are available in freeware that takes nothing away from focusing on the best possible layout with what there is to keep them completely relevant.
 

Windows_Security

On my wife's laptop (which has Windows 7 Ultimate) I have Software Restriction Policies enabled (link); people with a Windows Home version can use MalwareTips member @Andy Ful's Hard_Configurator (link) to achieve the same. SRP at basic level with the Symantec tweak to run MSI as admin really is the simplest and easiest implementation of a default-deny in user folders.
 