- May 1, 2018
- 229
Only windows backup but i dont like this option. If system is compromised hard by ransomware i`d like a new instalation of windows. But any important files i have in two copies in onedrive and WD MY CLOUD
KonradPL Security Config 2021
- Thread starter KonradPL
- Start date
- Jul 27, 2015
- 5,459
That's probably one of the worst general recommendations I seen in a long time. I fully understand the point or view of harden the system for advanced users and for many of the users here on MT, but for the majority tell them that they shouldn't trust AVs, is actually borderline reckless no matter what you personal might think and feel about AVs. Please try be a bit more specific and clear next time.
I don’t saying that MT users shouldn’t use any AV. I say that they’re shouldn’t only trust on that and instead harden the system (beside using AV).
anyway, a secured system is most important and remember that AVs aren’t part of security concept or at least last part of it as they’re increasing attack surface by itself
- Jul 27, 2015
- 5,459
For some reason you actually do keep saying that users shouldn't use AVs. The part I highlight in the quote makes that too obvious. It basically means the same thing and it then automatic gets confusing.
Again! Telling the majority of users that AVs ( AntiVirus ) aren't part of security concept and even increase the attack surface, when it's a real genuine life boat for most people and extra much for those that also gets infected or risk get infected, is something that by itself is just sad to watch. If I actually for some very weird reason would fully believe that, and I don't btw, people like @struppigel and even developers like @Andy Ful or @danb and more or less the whole security industry don't have a single clue what they do as it's useless anyway.
I personal 100% get the attack surface point of view, but I still don't do everything I know. It simply wouldn't work when I have to do what I do or must do. Everything online is actually not solely about lockdown and throw away the key and that automatic makes it safe and bullet proof, and specially as not one path is the only correct path/way. There's something also called user compatibility and experience and skill. The " harden system " advice is not wrong, but one have to be aware that the majority of users can't grasp it or won't use it, no matter how good we here think it is. AVs is and will be something a majority of users will have on their machines, either we like it or not. Malware is also something that won't just suddenly go * Poof *.
- Dec 23, 2014
- 8,114
I agree with @upnorth. For most users, the AV is a must solution. Anyway, I do not think that @SecurityNightmares would propose not using AVs by average users (90% or more of all users). I have read many of his posts on MT and Telegram. His words are rather addressed for advanced users (although sometimes it is not clear enough from his posts). Some of them can rely more on the tight system restrictions (like Windows S mode) and Windows events than on the AV protection.
My opinion slightly differs from @SecurityNightmares. I think that advanced users can harden their machines (but usually as the AV support) if they like, or choose to be more cautious (without any hardening).
The problem of hardening the machines of average users can be solved only in some circumstances (by the Home administrator).
My opinion slightly differs from @SecurityNightmares. I think that advanced users can harden their machines (but usually as the AV support) if they like, or choose to be more cautious (without any hardening).
The problem of hardening the machines of average users can be solved only in some circumstances (by the Home administrator).
Last edited:
Thanks Andy for writing it down better than I do
Yes, i focus more on „advanced“ and in my opinion that’s more interesting for MT user but sometimes I’m not sure.
@upnorth AndyFul is one of few people I trust (else I wouldn’t use his programs).
i also doesn’t say anything like that about pinged user you listed but I’m focused on securing systems with internal features as much as possible with avoiding using/ trusting external solutions
Yes, i focus more on „advanced“ and in my opinion that’s more interesting for MT user but sometimes I’m not sure.
@upnorth AndyFul is one of few people I trust (else I wouldn’t use his programs).
i also doesn’t say anything like that about pinged user you listed but I’m focused on securing systems with internal features as much as possible with avoiding using/ trusting external solutions
Konrad, I also run Windows 11 on my daily driver, and you're in a good amt. of company. Yes, it's prudent and "safe" not to, but but but .....you could argue this ad nauseum.
It's a personal choice made after some consideration, a concept that doesn't always get the respect it deserves around here. If it fails at some point, well around here, one might be a little better prepared.
Security Center still has a bug or two so a third party helper comes in handy. By the way, Automatic Sample Submission is now enabled after every machine start/restart.
Must be that magic MS telemetry at work, right?
It's a personal choice made after some consideration, a concept that doesn't always get the respect it deserves around here. If it fails at some point, well around here, one might be a little better prepared.
Security Center still has a bug or two so a third party helper comes in handy. By the way, Automatic Sample Submission is now enabled after every machine start/restart.
Must be that magic MS telemetry at work, right?
- Dec 23, 2014
- 8,114
I think that the discussion here should be continued in two different scenarios:
The AVs are not especially efficient in targeted attacks on institutions, organizations, or Enterprises, and here @anupritaisno1 is probably right - one cannot rely on such protection alone. The professional attacker can usually compromise such protection without a problem.
But, for practical reasons, the AVs are still necessary as a part of the solution even in the second scenario. Their protection can be extended by other security services and other security solutions (like Zero Trust model).
The protection model without an AV is possible in theory. It would be probably stronger for the reasons noted by @anupritaisno1, but hardly possible in practice (for now).
Edit.
@KonradPL, please forgive me for my off-topic posts.
- Widespread attacks.
- Targeted attacks.
The AVs are not especially efficient in targeted attacks on institutions, organizations, or Enterprises, and here @anupritaisno1 is probably right - one cannot rely on such protection alone. The professional attacker can usually compromise such protection without a problem.
But, for practical reasons, the AVs are still necessary as a part of the solution even in the second scenario. Their protection can be extended by other security services and other security solutions (like Zero Trust model).
The protection model without an AV is possible in theory. It would be probably stronger for the reasons noted by @anupritaisno1, but hardly possible in practice (for now).
Edit.
@KonradPL, please forgive me for my off-topic posts.
Last edited:
- Aug 22, 2013
- 813
Most of windows users not worth to be even considered for "targeted attacks". So a general antivirus would suffice for most. Then there are people like us ( me included)who have a habit of tweaking, tinkering and making a simple security model to utter complex one for the mental satisfaction and for timepass, and for those its advisable to harden the system, experiment a bit here and there and in the end have the ultimate satisfaction of achieving "the most complex system" as a sculptor gets by watching his creation. I couldn't even get to sleep if I have an un-tweaked system in my hand, it had become an obsessive compulsive disorder for me.
- May 1, 2018
- 229
I want to say i have a pretty good knowlege about cyber threats. My Windows is hardened not only by eset but in os settings too.
I have a good surf web habbits, don't use any cracks etc.
I like eset more than MD and have a multi device eset licence to protect my family.
Eset is a additional line of defence for me.
I dont know why you think i rely only on hardening by eset?
- May 1, 2018
- 229
Ask to moderator why status is risk? Becosue of beta windows 11 or something else?
- Apr 28, 2015
- 8,653
Yes, all Insider builds will be considered as Risk, since are not final official releases
- May 1, 2018
- 229
Ok good to know thatYes, all Insider builds will be considered as Risk, since are not final official releases
- Aug 22, 2013
- 813
I accept your argument, but is there a 100% effective solution to the issue? I use a locked down default deny system, but it has its own demerits, like no one except me can install anything on my system, even if I want to install something I must also go through the pain of adding the digital signature to the allow list. Its a pain in the a## for most and most wouldn't even consider this kind of locked down or hardened system, ease of use is paramount for most if am not wrong? That brings us to the question I asked in the beginning, "is there a 100% effective solution to the issue without annoying the average user?"
- May 31, 2017
- 1,650
I agree with @anupritaisno1 on almost everything.
But @anupritaisno1 lost me when he suggested that SRP is a solution to the issue, considering that SRP is easily bypassed, not user-friendly, runs in user-mode, is a 20 year old deprecated tech and offers zero context on each event, so no one knows if something should actually be blocked or not.
This is not a bash on H_C, and once the WDAC version of H_C is available, it will solve all of the above issues.
It is probably best to equate cybersecurity with home security and to create an analogy. For example, with allow-by-default, you leave the doors and windows unlocked and let random people roam your house, and you only kick them out if they are drunk, rowdy and break stuff. With deny-by-default you lock your doors and windows. The only caveat is that you have to figure out how to make it user-friendly for the masses.
It is important to mention that a lot of products rely HEAVILY on digital signatures, which I believe is crazy. And a lot of times they rely solely on the signer’s name, which is even more insane. They suggest that their product is zero trust, but yet they allow any item that matches a signer’s name. For example… if a new process matches a signer’s name, then allow that file, and if not sandbox it. What people do not seem to understand is that a determination has been made at this point. That is not zero trust.
And you wonder why there is a malware epidemic. I have seen people say “yeah, product x blocks less than VS”, without realizing that it is not a correct comparison when product x allows by the signers name, and VS is set to ON. If you want to correct comparison, put VS on AutoPilot.
Anyway, I could go on for days about all of this. Ultimately the real problem is that cybersecurity “professionals” love to put on a suit and play cops and robbers and make tons of money in the process. Or they like to see who can get more likes on their tweets and this whole circus is turned into a popularity contest, and the end result is that malware just simply slips by.
And all along, the cybersecurity industry knew the only thing they had to do to solve this problem was to find a way to make TRUE deny-by-default user-friendly enough for the masses.
But @anupritaisno1 lost me when he suggested that SRP is a solution to the issue, considering that SRP is easily bypassed, not user-friendly, runs in user-mode, is a 20 year old deprecated tech and offers zero context on each event, so no one knows if something should actually be blocked or not.
This is not a bash on H_C, and once the WDAC version of H_C is available, it will solve all of the above issues.
It is probably best to equate cybersecurity with home security and to create an analogy. For example, with allow-by-default, you leave the doors and windows unlocked and let random people roam your house, and you only kick them out if they are drunk, rowdy and break stuff. With deny-by-default you lock your doors and windows. The only caveat is that you have to figure out how to make it user-friendly for the masses.
It is important to mention that a lot of products rely HEAVILY on digital signatures, which I believe is crazy. And a lot of times they rely solely on the signer’s name, which is even more insane. They suggest that their product is zero trust, but yet they allow any item that matches a signer’s name. For example… if a new process matches a signer’s name, then allow that file, and if not sandbox it. What people do not seem to understand is that a determination has been made at this point. That is not zero trust.
And you wonder why there is a malware epidemic. I have seen people say “yeah, product x blocks less than VS”, without realizing that it is not a correct comparison when product x allows by the signers name, and VS is set to ON. If you want to correct comparison, put VS on AutoPilot.
Anyway, I could go on for days about all of this. Ultimately the real problem is that cybersecurity “professionals” love to put on a suit and play cops and robbers and make tons of money in the process. Or they like to see who can get more likes on their tweets and this whole circus is turned into a popularity contest, and the end result is that malware just simply slips by.
And all along, the cybersecurity industry knew the only thing they had to do to solve this problem was to find a way to make TRUE deny-by-default user-friendly enough for the masses.
It’s still fine if configured correctly.
with H_C it becomes user friendly. Isn’t even AppLocker build on SRP?
as Andy wrote in past, I agree that SRP isn’t removed soon but it can combined or replaced by WDAC. Anyway WDAC is even less user friendly than SRP
- May 31, 2017
- 1,650
I posted some of the issues with SRP. The way you configure SRP has little to do how effective it is, especially when SRP offers zero context on a potential attack. Andy is aware of the multiple bypasses, but is confident that these bypasses will not infect the home user. If this is the case, then you are safe using SRP.It’s still fine if configured correctly.
with H_C it becomes user friendly. Isn’t even AppLocker build on SRP?
as Andy wrote in past, I agree that SRP isn’t removed soon but it can combined or replaced by WDAC. Anyway WDAC is even less user friendly than SRP
Once Andy finishes the WDAC version of H_C, then you will have nothing to worry about.
- May 31, 2017
- 1,650
Yeah, and I totally agree that if devs are not careful with kernel mode drivers, they can certainly increase the attack surface. But Microsoft has some amazing kmd templates that are secure and only require a little tweaking to implement into any solution. So as long as devs work from the provided templates and do not do anything crazy, then there should not be an issue.
As far as the question "is there a 100% effective solution to the issue without annoying the average user?" goes, I believe the answer is quite simple. UAC needs to be redesigned from scratch, and this time, should be designed to function as an actual security mechanism, instead of simply being a Windows feature whose sole purpose is to persuade software devs to not run their apps elevated. They also need to do away with the affirmative user prompt that forces the end user to make a yes or no decision on the spot, and consider adding a little file insight to help the end user make the correct decision.
A fulltime lockdown approach will probably never be accepted by end users or admins, no matter how bad the malware epidemic becomes. Just look at AG for example, according to a former employee on Glassdoor, "They just laid off more than half the employees as of June 15 2021". So even if you have 100M to develop and market a fulltime lockdown product, you are simply fighting gravity.
Having said that, adding dynamic security postures to a redesigned UAC would help tremendously. In other words, there is never a good reason to automatically allow new arbitrary executable code when the user is engaging in risky activities.
- Dec 23, 2014
- 8,114
That is right. SRP is a long-live security feature - even the new Windows 11 still supports it. So, I do not have to replace it with WDAC. The H_C is more usable and the SRP settings are adjusted to the Home environment. They are very strong against widespread attacks (tested also in Malware Hub) and targeted attacks that require malware elevation. In the Home environment, the malware can get high privileges (without user consent) only by exploiting something, which is hardly possible with default-deny protection and forced SmartScreen. The known bypasses are irrelevant because they will not work with H_C settings.
The SRP restrictions are not so strong in the Enterprise environment due to targeted attacks. In lateral movement, the attacker can already have high privileges before attacking the user machine. With Admin rights and basic knowledge about SRP, the attacker can dismantle the protection. Still, SRP can be useful in Enterprises to restrict users' actions and prevent them from infecting computers.
Edit.
I am afraid that @KonradPL is not interested in H_C, VS, WDAC, and any similar protection.
I also think that he does not need any of them with his current setup.
Last edited:
- May 1, 2018
- 229
