RISK: Danger Itachi Sempai's security config for grandmas

Joined
Sep 20, 2017
Messages
74
OS
Windows 7
Antivirus
Kaspersky
#1
so the main purpose of this configuration is to have a very stable system, nothing should change like system or software inteface, bottoms windows volume or anything else that can be changed, there should be zero notifications, user interaction or any decisions to make, also nothing should take up long time to install updates (max 30 seconds for any update)... thus software and windows updates should be disabled (if something terrible comes out like SMB protocol vulnerability i will update it manually)... there will be 3 programs that will protect the system

1) avast free: hardened mode (aggressive) enabled... software updates disabled. only A) file shield B) behavior shield and C) web shields are installed... silent mode enabled to disable all notifications and any access to the program is protected by the password



2) hitmanpro alert: only anti exploit is on rest of modules disabled. updates disabled



3) shadow defender: updates disabled. program is password protected all notifications disabled... and exclusion list: my documents videos pictures downloads... desktop and recycle bin also browsers profile and cache + avast program files path (for signature updates) i hate stupid skype :mad: cant disable updates and notifications so it is excluded and its profile too to save chat history C:\Users\user5\AppData\Roaming\Skype



firefox 57 will be the browser with ublock origin lastpass and few other extensions... in profile 3 files will be marked as read-only... A) xulstore.json Toolbar and window size/position settings B) prefs.js All preferences. about:config C) sessionstore.js Stored sessions

9.9.9.9 DNS



so any suggestions will be appreciated p.s. wanted to use comodo firewall and sanbox but i dont want to slow down system and dont think it will be needed... what do you think? :)
 
Last edited:
D

Deleted member 65228

Guest
#2
Here's my suggestions but I am not trying to push you to change anything so ignore everything if you feel free, no questions asked.

1. Windows 7 with SP1 - not as secure as Windows 10 up-to-date. There are less internal security improvements. For example, csrss.exe is more vulnerable on Windows 7 and below whereas it isn't for Windows 8 and above. There is also an older version of PatchGuard (Driver Signature Enforcement & Kernel Patch Protection), no system-wide SmartScreen, among other things. Microsoft are pretty much focusing more on the future than past, even if they say they aren't/if Windows 7 is still supported for the time being.

2. OS updates are disabled and should be enabled/done on a scheduled basis. You should make sure that you watch new updates and update for security ones at the least. There's nothing wrong with waiting a few days or even weeks in some situations if you are cautious about faulty updates but not updating except for in rare circumstances is really bad for security and also the cause of many businesses being successfully attacked with old (but patched via recent updates) exploits.

3. Shadow Defender works best with no exclusions. By excluding an area which is not protected such as the Skype folder you excluded, you sort of break the purpose of Shadow Defender. You also excluded the Documents and Pictures folder which is really bad and leaves you vulnerable. Excluding the Avast directory is different because it's a protected directory and it's also covered by the Avast self-defence, but the other directories you mentioned aren't and can be accessed by standard rights processes, too. The Downloads folder is an interesting exclusion.

You should exclude on a case-by-case session basis instead if you're certain. You could also try using Skype for Web if that is better when using this configuration, preventing you from excluding the Skype folder you have excluded. Are you sure that the folder you mentioned is used? I'd have imagined they'd have used their initial installation directory, but I'll take your word for it since I don't use the software anymore.

4. "(max 30 seconds for any update)." - it will depend on your internet connection as well. The update time for security software cannot be reliably estimated because there are constant changes occurring... Traffic for the servers by the vendor, location of the servers, your own internet connection/use of proxy/VPN, etc.

5. "zero notifications" - Hardened Mode will block execution of programs which aren't excluded/trusted and HitmanPro.Alert exploit attack situations will trigger an notification alert. There's no point to using security if you will be unaware of blocks/attacks, otherwise you'll be left in the dark when there is a problem. You may even miss an infection which was partially blocked, but is also partially active. Businesses may do it, but the administrators will be notified in such scenarios so they won't be entirely left in the dark. As for Avast Hardened Mode, remember that they won't restrict all executable formats like dedicated anti-executable/lock-down software like VoodooShield/NoVirusThanks ERP does.

You're using Shadow Defender so Comodo Sandbox isn't really necessary, I'd say pick one or the other. Windows Firewall is enough in my opinion but you can configure it to be a lot better than it is by default of course - most likely do change its settings, or add Windows Firewall Control (WFC) which is cheap and great.

I recommend you add an on-demand scanner like Emsisoft Emergency Kit (EEK) or Zemana Anti-Malware (ZAM - Free version). For backups, I'd make sure you have a system image backup even if you are keeping documents backed up. Other than that, Avast for real-time with Shadow Defender and HitmanPro.Alert should be good if it works nicely.
 

AtlBo

Level 24
Joined
Dec 29, 2014
Messages
1,390
Antivirus
Qihoo 360
#3
Very well said @Opcode. I just learned a great deal LOL.

Nothing to add, but I appreciate you trying to achieve a real measure of security while still having alert friendly security interaction with the security programs. Wish I could say I have been able to do this :rolleyes:. Not so far...
 
Joined
Jan 23, 2017
Messages
171
#4
It is more than enough for the old people’s because they are using pc for light purposes so thanks friend for sharing your grandma’s configuration are she using internet or not Friend
 
Joined
Jul 6, 2017
Messages
697
OS
Linux
Antivirus
Default-Deny
#6
I understand your problem, but for people who do not know what to do in front of an alert. which is inevitable in windows either by an AV or do a scan and make decisions that are given in Windows.
I would like to put a Linux distribution that would configure what is necessary and let it update automatically has nothing else to do
 
Joined
Sep 20, 2017
Messages
74
OS
Windows 7
Antivirus
Kaspersky
#7
By excluding an area which is not protected such as the Skype folder you excluded, you sort of break the purpose of Shadow Defender.
lets say someone sent a virus via skype and it got into skype folder that is excluded from SD... what is gonna happen next? unless virus gets executed on every system startup there will be no danger

she is used to win7 and there is no way to install windows 10 unless it has exactly the same interface


and HitmanPro.Alert exploit attack situations will trigger a notification alert
i meant that there should be no frequent popups but even so what do you think what are the chances that a random person is gonna come across an attack that will trigger anti exploit? i added this soft only because i am going to disable updates (probably i will update everything once per year)
As for Avast Hardened Mode, remember that they won't restrict all executable formats like dedicated anti-executable/lock-down software like VoodooShield/NoVirusThanks ERP does.
you are right thats the thing that i would like to change... in the past i was testing VS only for few weeks and had some problems it was asking permission tu run same process after i already specified that it was trusted... i will try NoVirusThanks if it works without problems i will include it definitely





theoreticly lets say i enable windows updates... in that case i will have to disable shadow diffender and what is stronger windows without updates but with shadow defender or updated windows without SD? i definitly think that SD is much secure
 
Last edited:
Likes: AtlBo
D

Deleted member 65228

Guest
#8
theoreticly lets say i enable windows updates... in that case i will have to disable shadow diffender and what is stronger windows without updates but with shadow defender or updated windows without SD? i definitly think that SD is much secure
You can't compare that.

Shadow Defender is nothing without the Windows vulnerability patches. All it takes is for one bad vulnerability to be exploited to over-come the protection in Shadow Defender. Keeping software up to date is one of the best things you can do, and old vulnerabilities can open the door to new stealthier exploitable vulnerabilities which are undiscovered but cannot be used without the original vulnerability being present.

There's a recent major Intel vulnerability which allows an untrusted caller to gain access to kernel-mode memory with read-access. This can allow an attacker to steal sensitive data within the memory of running software. The only fix without implementing updated hardware once available is via an OS update to receive Kernel Page Table Isolation, and it's reportedly possibly affecting AMD as well. It allegedly affects all Intel CPUs from the past decade. More details are awaiting so we don't know the facts for sure yet but that is one critical example of why you should update, otherwise you'll be vulnerable to things like that too, which Shadow Defender can't save you from.

However, you don't have to do anything you don't want to do. If you don't agree that is fine, but it's a well known fact that keeping software up-to-date strengthens your security configuration because it prevents previously known and patched vulnerabilities (whether exploited in the wild or not) from being used; developing zero-day exploits after hunting a powerful vulnerability which can be abused for causing good damage can be very difficult with strong, well-built software. Therefore, ensuring old vulnerabilities is a good start.
 
Joined
Sep 20, 2017
Messages
74
OS
Windows 7
Antivirus
Kaspersky
#9
the system just has to function on a level to go check facebook page and youtube... there is no valuable information to steal or concerns for privacy

i need shadow defender so that suddenly sound doesnot "disappear" from computer thus enabling windows updates is impossible... but its good thing you told me about exe radar i will test it now

You can't compare that.
i forgot to say that you are wrong... most of the viruses that are in the wild dont use windows vulnerabilities... update windows to latest version download virus samples and see how many of them are gonna be stopped by windows 7... answer should be 0 or very close to zero... while on non updated system shadow defender should stop 100%



p.s. exe radar looks great so far
 
Last edited by a moderator:
Likes: AtlBo
D

Deleted member 65228

Guest
#10
i forgot to say that you are wrong... most of the viruses that are in the wild dont use windows vulnerabilities... update windows to latest version download virus samples and see how many of them are gonna be stopped by windows 7... answer should be 0 or very close to zero... while on non updated system shadow defender should stop 100%
1. Viruses aren't even prevalent in the wild and haven't been for years - bumping into a virus would be rare now.
2. Old vulnerabilities have a high exploitation potential.

There are always new types of variants in the wild which attempt to exploit both old and new vulnerabilities, usually with banking malware and ransomware (either updated code-base to previous attacks we've already seen to help evade detection and improve success ratio of infection or brand new). If you don't believe me, ask @silversurfer because he regularly posts news on this forum about new attacks in the wild which are exploiting old and new vulnerabilities.

Some malicious software will check the version of Windows which is being ran and will then decide which vulnerability to exploit, too.

Malware authors are after income these days and it's been like this for a long time now, which is why viruses are no longer "prevalent" in the wild neither for home users nor businesses. This is why the rise of ransomware and banking malware samples is forever increasing, although ransomware is usually more common than banking malware because the success rate tends to be higher due to encryption of sensitive documents is generally a faster process than lurking while eagerly trying to evade anti-virus solutions to steal credentials/banking details which may or may not be entered.

On the note about Windows 7, there are many, many vulnerabilities on Windows 7 which were patched over the years. They range from bypasses for PatchGuard (Driver Signature Enforcement, PatchGuard) to User Account Control and bypassing Anti-Virus self-defence via exploitation of vulnerable system processes like csrss.exe.

If you don't want to keep your software updated or believe me then that is your funeral, I did try to warn you so I've done my part.
 
Last edited by a moderator:
Joined
Sep 20, 2017
Messages
74
OS
Windows 7
Antivirus
Kaspersky
#11
1. Viruses aren't even prevalent in the wild and haven't been for years - bumping into a virus would be rare now.
well i live in Georgia once we were on number 1 spot on pirated software usage second was zimbabwe and here lot of people have viruses from hacked software from torrents and most of USB drives are also infected... 90% of infections that i interact with happen because someone stick their USB drive to someones PC (mostly in universities or some public place) windows updates can not defend against infected usb drive and can not defend against infected keygens cracks and patches

the only instans when people i know called me and it turned out they got infected from windows vulnerability was wannacrys doing... in theory you and i can say lot of things but in practice the problem that people here have are mostly infected executables that they open intentionally... so the protection i am focusing is on the problem that is most common... someone can bring some pictures with usb or try to install some awsome software and if internet will be off avasts hardened mode is not gonna work
 
Joined
Dec 23, 2014
Messages
1,583
OS
Windows 10
Antivirus
Microsoft
#13
Everything that @Opcode said is true and worth rethinking. It would be good to make updates (by you) on the grandma computer several times per year. The most important thing in your setup should be using Standard User Account, because it can stop most Windows OS exploits, and this is a key factor when you cannot update frequently.
You have a very good protection against EXE files (Cyber Capture + Hardened mode), but poor protection against malicious documents/macros/scripts/scriptlets.
What applications are used to view/edit documents (office, pdf, etc.)?
 
Joined
Feb 13, 2017
Messages
1,464
OS
Windows 10
Antivirus
Emsisoft
#14
well i live in Georgia once we were on number 1 spot on pirated software usage second was zimbabwe and here lot of people have viruses from hacked software from torrents and most of USB drives are also infected... 90% of infections that i interact with happen because someone stick their USB drive to someones PC (mostly in universities or some public place) windows updates can not defend against infected usb drive and can not defend against infected keygens cracks and patches

the only instans when people i know called me and it turned out they got infected from windows vulnerability was wannacrys doing... in theory you and i can say lot of things but in practice the problem that people here have are mostly infected executables that they open intentionally... so the protection i am focusing is on the problem that is most common... someone can bring some pictures with usb or try to install some awsome software and if internet will be off avasts hardened mode is not gonna work
I think @Opcode was just referring to the term "virus" that is a type of malware.
Nowadays, viruses are rare, replaced by different and more sophisticated threats generally defined as malware (malicious software).
Of course, often crack = malware.
 
D

Deleted member 65228

Guest
#15
windows updates can not defend against infected usb drive and can not defend against infected keygens cracks and patches
You don't seem to understand what the point of patching vulnerabilities is, therefore there's nothing I can say nor do to make you re-think. I can at-least attempt to educate you on what a vulnerability is, what exploitation of a vulnerability is, and what patching a vulnerability means, that could work.

What is a vulnerability?
A vulnerability is a flaw, a weakness if you will. This flaw can be abused by someone to do both good and bad, but typically to do bad.

An example of a good scenario where a weakness is being abused would be to restore files encrypted by a ransomware variant due to lack of care with the encryption routine - maybe the encryption keys were not free'd from memory properly and thus can still be extracted if the malware is still running, or back-up copies on the system were forgotten about.

An example of a bad scenario where a weakness is being abused would be to evade from an Anti-Virus product, like the one you are using, or even overrule it by using the weakness as an opportunity to shut it down despite it's self-defence mechanisms.

There are all sorts of vulnerabilities in the world, and many when it comes down to computing. Software of all different types and intentions will be vulnerable to flaws, it's only a matter of time of finding them - nothing is full-proof and humans are not perfect. Due to this, the damage which can be performed by a vulnerability not being patched, if the weakness is abused with malicious intent, can vary between each vulnerability (and sometimes it may also require additional circumstances to be able to trigger usage of a weakness).

What is exploitation of a vulnerability?
Exploitation of a vulnerability is abusing the vulnerability for a desired result; you'll be using the discovered weakness to your own advantage for whichever purpose, also typically for malicious intent (but not always as we've already established).

An example of exploitation of a vulnerability would be to access sensitive (personal) information regarding a customer of a product which was mistakenly leaked by the targeted software when the weakness was abused. Another example, could be as simple as using a bad datatype type-cast used in source code of a feature in a product which went un-noticed due to the software still functioning to make it crash when the weakness is applied, and this could lead to data corruption - it might sound unrealistic but it certainly isn't, look at EternalBlue which contributed with WannaCry because a data-type cast mistake was a heart-key to the kernel exploit.

All in all, exploiting a vulnerability is abusing a weakness to your own advantage to get a desired result which you shouldn't have been able to do (wasn't designed for you to do so).

What does patching a known vulnerability mean?
Patching a known vulnerability will prevent the vulnerability in question from being abused; the weakness will no longer be present. Sometimes, a patch for a vulnerability can introduce other unknown vulnerabilities, or may not be properly patched and with some work-around it can still be exploited (new variant of the exploitation), but generally speaking it will fix the vulnerability, closing the attack vector.

If a vulnerability has been correctly patched, an attacker will be unable to target that weakness and make use of it to their own advantage to execute an operation of their own desire with additional benefits. An example would be a privilege escalation flaw in a component embedded within the Operating System software, allowing an attacker to escalate their privileges which would allow them to do more than they should be able to, but after the patch it would not work and thus the attack would not be successfully deployed, but would be for any system operating which has not had the vulnerability patched.

---------------------

Windows Update doesn't prevent malicious software from being executed on your system. The best person for stopping this is yourself, with backup-buddies (layered protection configuration - which you've already been working on). However, Windows Update does bring security updates which patch vulnerabilities being found, and thus if you end up in the firing line of an attack which attempts to abuse a weakness (vulnerability) which has since been patched due to the applied vulnerability, the attack won't necessarily work because the targeted weakness is no longer present. Whatever this entails will depend on the vulnerability and on the attack.

With this being said, if you're scared of viruses, it is indeed in your best interest to keep your software up-to-date. Viruses were commonly paired with worms when they were prevalent, and a worm is a type of malicious software designed for the ability to spread; worms could exploit a vulnerability to ease this operation and make it more effective. There's very big history from the old-days when it comes to the use of powerful worms to aid in the spreading of malicious software, typically viruses back in those days since they were indeed "prevalent" in the wild at the time.

In regards to your comment about using pirated software, it's illegal and it is a known fact that it is an easy way to get an infection. Attackers will also attempt to social engineer you into ignoring an Anti-Virus detection because it is a "hack tool", when in actual fact it could be anything from a backdoor to a password stealer, among other types of malicious software. Getting involved with pirated content is a very easy way to get infected, and this will never ever change.

The comment Spawn made about the chrome-book is a good one (actually, it is spectacular), and I've seen a few other members like Lockdown and Andy Ful mentioning such recently. It's a win-win for your family member if only things like browsing need to be done, and they're very secure. You drop many attack vectors using one. You'll still need to be on the look-out for malicious browser extensions, but the attack vector difference compared to using a Windows system would be huge.

Since the title implies this is for a family member (your grandma), it may be in your best interest to close off as many attack vectors as possible. I would be devastated if an elderly family member of my own lost a chunk of their life savings over an attack which was only successful using an old vulnerability which had been patched over 2 months ago. You don't know what is around the corner and anything can happen the next day, never ever count your chickens. No one in this world is invincible to malware, absolutely no-one. You'd think that the government agencies would be pretty secure, yet a government contractor was recently exposed for being responsible for the theft of critical government source code linked back to the equation group - Advanced Persistent Threats - because he decided to use pirated software on his machine and leave his anti-virus solution disabled, turns out it was the cause of an unknown backdoor infection which went unnoticed for a long time. There's also Kaspersky Labs, breached by a team of hackers from Iraq, and they have been in the security industry for as long as anyone can remember. Not to mention the breach of CCleaner which was a bit more recent... And on and on.

You can never make something full-proof but you can at-least try to close as many attack vectors as possible while keeping the system in a state where it is still actually worth using.

I won't take up anymore of your time, nor my own, with this pointless debate. If you aren't going to agree that keeping software up-to-date with the latest security patches is a good and effective technique when it comes to keeping yourself protected against attackers then you likely never will, at-least for a very long time. Hopefully you see my intentions are trying to help you, instead of different.

Thanks for your time, and good luck with your configuration/family members system.
 
Last edited by a moderator:
Joined
Dec 12, 2013
Messages
114
#16
3) shadow defender: updates disabled. program is password protected all notifications disabled... and exclusion list: my documents videos pictures downloads... desktop and recycle bin also browsers profile and cache + avast program files path (for signature updates) i hate stupid skype :mad: cant disable updates and notifications so it is excluded and its profile too to save chat history C:\Users\user5\AppData\Roaming\Skype
As regard to malware that spread via Skype
https://www.scmagazine.com/skype-being-used-to-distribute-malware/article/529378/
Malware Alert - Skype users hit by Ransomware
and via Windows Update
Malware Update with Windows Update
New 'Fantom' Ransomware Poses As Windows Update
Next - if you exclude your private documents so what is important for you to protect?...system?...is easy to revert...apps?...easy to instal from zero? It's hard to understand your SD configuration. There is only one folder in the list of exclusion in my SD - on second disk for files downloaded via browsers (Firefox/IE) and only one reason to such decision was that folder is also protected by restriction of SpyShelter.
SD is as strong as less locations are excluded...more areas on exclusion list means more unprotected/vulnerable place in your machine...it's just asking for trouble.
 

Umbra

Level 85
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,961
OS
Windows 10
Antivirus
Default-Deny
#17
Wow, i missed this thread; what i did for a uber-noob friend:

0- SUA + UAC Max.
1- Shadow Defender set on reboot, no exclusions (after explaining how to disable it when updating win10; and how to save his files on a cloud account).
2- NVT ERP set on Lockdown Mode.

That is it.
 
Joined
Dec 23, 2014
Messages
1,583
OS
Windows 10
Antivirus
Microsoft
#18
@ichito this setup was also strange to me, but we must remember that it is for his grandma. He cannot probably help her in an acceptable time period to visit her and make a system repair.:)(y)
I understand his problem, because I made a similar setup for my father (Windows XP + Shadow Defender on system disk + Sandboxie for secondary disk + Comodo Firewall CS settings). I visit my parents two/three times a year.
Anyway, if he can help grandma in a short time, then there are better solutions.
 
Joined
Jul 7, 2016
Messages
316
OS
Windows 10
Antivirus
AVG
#19
Instead of Google syncing her files, you're probably better off (or using in conjunction) Rollback Rx Home. It's free, so wouldn't cost anything, and it will back up all of her data. I'd think for someone a bit older this would be more ideal.
 
Joined
Sep 20, 2017
Messages
74
OS
Windows 7
Antivirus
Kaspersky
#20
@Opcode
i know what vulnerability is and i am not arguing that they are not necessary but i have two options... 1) enable shadow defender and disable windows updates 2) disable shadow defender + find some solution to lock down windows configuration so that something doesnot disappear from bottom taks bar or sound doesnot get muted and enable windows updates... thats it i dont have third choice... i cant enable avast software updates eather because they will introduce some new feature that will be a problem like they did with avast email signatures and all the other stuff... i can enable hitman and SD updates if they update in background but i am worryed that after updates some settings can brake


@Andy Ful
you are right i need to block scripts... i think about ERP if you have any other suggestion it would be nice p.s. office 2007