Basic Security Major changes in ColonelMal's Security Config 2020

[ColonelMal]

I'm particularly interested in finding a way to protect my external backup drives from ransomware.
My external drives are constantly connected to the laptop because I do scheduled backups during the day and it's not convenient to disconnect and reconnect them several times every day.

Should I add a program like Voodooshield (I used to have it) or SecureAplus (I only heard about it a few days ago)?

 

[harlan4096]

@ColonelMal:

You may try VS and see how it works in Your system...

I would not keep all the time all the external devices connected to the system, that's a risk, independently of the scheduled backups... also hardware life time may be affected...

In Periodic Scanners, You may add MalWareBytes Free/EmsiSoft Emergengy Kit and HitManPro Free.

A PassWord Manager would be welcome also.

Please kindly reflect Your changes editing Your config, and announcing them here, thanks for sharing

 

[Gandalf_The_Grey]

Please set UAC to always notify. That is the only setting that can prevent UAC bypasses:

Nearly 300 Windows 10 executables vulnerable to DLL hijacking

A simple VBScript may be enough to allow users to gain administrative privileges and bypass UAC entirely on Windows 10. In a new report from a PwC UK security researcher Wietze Beukema, we learn that almost 300 Windows 10 executables are vulnerable to DLL hijacking. “It turns out nearly 300...

malwaretips.com

The best advice for external backups comes form @harlan4096 : don't keep them connected all the time.
VoodooShield, Hard_Configurator @ recommended settings or Comodo Firewall @cruelsister settings can provide additional protection.
Good post from @RoboMan :

We should start with the most important security advice. Don't let a machine decide wether something's safe or not. That should be the last line of defence. The safest method to avoid infection, is trusting nothing. This can be achieved with modules or programs like Application Control or anti-executables. Let's sum it up: safest way to not get infected = don't let anything execute. Application Control modules (such as the one included in Kaspersky Internet Security), anti-executable programs (such as VoodooShield), and software restriction policies (such as Hard_Configurator by Andy Ful), can be configured to "not let anything execute", only what's necessary. Although this may seem crazy, it's the safest way to avoid malware. These kind of configurations will block the execution of any program, script, or software that attempts to run in your system. This includes malicious software and safe programs. Of course, these modules like AC or SRP include options to whitelist your desired software or executables, but the point is clear.

How to choose "The Best Antivirus"?

A good antivirus is a must have. It minimizes the times you have to enter damage control mode to clean up the mess caused by a successful malware attack. Antivirus has always been the go-to solution to fight malicious software and cyber criminal tactics. And it still is. Malware, phishing scams...

malwaretips.com

 

[ColonelMal]

I updated UAC to "always notify".
I'll see how I can change my backup schedule so that backups will take place at a convenient time and I'll disconnect the external drives during the rest of the day.
I forgot to add that I use Keepass as my password manager - I updated my configuration posting accordingly.
I'll have a look at MalWareBytes Free or EmsiSoft Emergengy Kit and HitManPro Free and I'll need to read up on Hard_Configurator.

 

[harlan4096]

Please announce/post here the future changes, thanks

 

[ColonelMal]

It's been suggested that I need not install Hard_Configurator as I use ReHIPS. So I'll not do anything about that.

 

[Andy Ful]

It's been suggested that I need not install Hard_Configurator as I use ReHIPS. So I'll not do anything about that.

Yes, adding H_C (or similar application) to your current setup would make it too complex. But instead, you should find a way to harden the system against scripting attacks by properly tweaking ReHIPS and use advanced Defender settings for more protection. If you do not want to tweak ReHIPS then you can use some simple tools to restrict scripting.
You would also have some good options when skipping ReHIPS - it is a very good application for advanced users, but can be problematic for others.

 

[ColonelMal]

The ReHIPS developers usually respond to queries about their program, but you are right that it's more geared for advanced users and I'm not in that class.
Do you have any suggestions for the tools to restrict scripting?

 

[Andy Ful]

The ReHIPS developers usually respond to queries about their program, but you are right that it's more geared for advanced users and I'm not in that class.
Do you have any suggestions for the tools to restrict scripting?

Simple Windows Hardening or SysHardener. The first one will also block shortcut malware (popular infection of flash drives).
If you are opening the URL from the document, is it opened in LibreOffice sandbox, web browser sandbox, or the URL is blocked?

 

[Tutman]

I'm particularly interested in finding a way to protect my external backup drives from ransomware.
My external drives are constantly connected to the laptop because I do scheduled backups during the day and it's not convenient to disconnect and reconnect them several times every day.

Should I add a program like Voodooshield (I used to have it) or SecureAplus (I only heard about it a few days ago)?

Is the external drive only for your backups....as in Macrium which I see you have installed and use? If so it has ransomware protection built in for the backups.

 

[ColonelMal]

Simple Windows Hardening or SysHardener. The first one will also block shortcut malware (popular infection of flash drives).
If you are opening the URL from the document, is it opened in LibreOffice sandbox, web browser sandbox, or the URL is blocked?

If I try to open a URL from LibreOffice I get a choice of browser to use. If I choose Firefox which runs in an isolated environment, then i see a warning that my administrator has blocked the action, but it does open the URL in Firefox. If I repeat the URL opening attempt, the warning does not appear and the URL again opens in Firefox.

Is the external drive only for your backups....as in Macrium which I see you have installed and use? If so it has ransomware protection built in for the backups.

One of my drives has a mix of ordinary files and Macrium backups. I should do an adjustment so that all my Macrium backups will be on the same external drive.

Does the Macrium built-in ransomware protection include the inability for malware to delete a Macrium backup?

 

[harlan4096]

Macrium IG only protects their own backups but not the rest of the user files/documents:

 

[Andy Ful]

If I try to open a URL from LibreOffice I get a choice of browser to use. If I choose Firefox which runs in an isolated environment, ...

I asked, because some ReHIPS users block Internet access in the sandbox for document editors or other vulnerable applications. This requires a different sandbox for the web browser.

 

[Tutman]

Does the Macrium built-in ransomware protection include the inability for malware to delete a Macrium backup?

I just started using the program a few weeks ago, I am not sure. Someone else may be able to answer that!

 

[Soulbound]

I just started using the program a few weeks ago, I am not sure. Someone else may be able to answer that!

one way to find out is by testing it in a vm

 

[ColonelMal]

Added HitManPro Alert and Shadow Defender.

 

[ColonelMal]

I uninstalled HitManPro Alert. I didn't like the fact that no information is given about the program's security features. No explanation makes me, a non-spohisticated user, quite unsure.

 

[Soulbound]

I uninstalled HitManPro Alert. I didn't like the fact that no information is given about the program's security features. No explanation makes me, a non-spohisticated user, quite unsure.

I think this sort of sums up

Stop zero-day ransomware
HitmanPro.Alert includes the CryptoGuard feature, which analyzes all encryption behavior. It’s a ransomware stalker. When it recognizes unauthorized encryption, HitmanPro.Alert reacts. It creates backups of the files, then stops and removes the ransomware. Finally, it allows the files to be reverted back to their original state. No user interaction required, and no ransomware signatures needed.

And then under frequently asked questions - go to the question opened in the screenshot that brings you to another page.

New Releases, Updates and Builds for hitmanpro.alert | HitmanPro

HitmanPro Malware Removal Cleans Viruses, Trojans, Keyloggers, Ransomware, Spyware and More. Secure from Attacks in Real Time with HitmanPro.Alert.

www.hitmanpro.com

scroll down to
Build 859 (2019-12-30)

Spoiler

Build 859 (2019-12-30)

• Added CryptoGuard v5, a completely new anti-ransomware engine. It offers increased performance and reduced I/O overhead – which is specifically noticeable in low-bandwidth network scenarios and on endpoints where many documents or other files change frequently.
• CryptoGuard can run in either v4 or the new v5 mode.
• CryptoGuard v5 block modes: Terminate, Isolate and Audit
  • Terminate: terminates and isolates the ransomware process (new default)
  • Isolate: detects and isolates the ransomware by revoking write access (old default)
  • Audit: detects ransomware, but takes no action on it (new)
• Added RDP Lockdown to isolate Remote Desktop (RDP) sessions. It prevents attackers, that brute-forced or otherwise obtained a correct logon credentials, from installing new programs like ransomware. It blocks access to new binaries that are introduced in RDP sessions, strips administrator privileges from new processes and allows to generate a 2-factor token file to unlock an RDP session (automatically enforced when enabling mitigation).
• Added APISetGuard, part of DLL Hijacking mitigation, to prevent adversaries from using a malicious ApiSet Stub DLL alongside a trusted application.
• Added FileProtection to block replacement of accessibility tools from remote (like StickyKeys and Utilman). This mitigation also protects the Anti-Malware Scan Interface (AMSI.DLL) in memory against tampering.
• Added JIT Guard that prevents the use of Win32 API calls from within just-in-time (JIT) memory in Chrome and Firefox based web browser applications.
• Added Safe Mode support to stop ransomware that forces Windows to (re-)boot into a diagnostic mode and encrypt the system from there – in Safe Mode.
• Added Event List panel to the user interface to view previous alerts and the involved MITRE ATT&CK TTPs. This replaces the use of the Windows Event Viewer (alerts are still recorded to the Windows Event Log, of course).
• Added Event Process Tree panel to provide a graphical timeline revealing how an attack took place. Includes clickable objects, view dropped files per process, show time between processes, their exit state and hyperlinked SHA-256 hashes that opens a report on VirusTotal (when it has one).
• Added Protected Volumes list panel to view the local and removable volumes as well as the network shares that are protected by CryptoGuard from ransomware.
• Added ability to suppress subsequent alerts on the same application, mitigation and condition (from the Event List).
• Added license expiration reminder. Users that renew their license will receive a discount of 15% on a new license when buying one via the new reminder message.
• Added Anti-Malware now relies on a new network manager module to detect when internet connection is lost or restored.
• Added Excalibur.db is regularly truncated to prevent the file to become too large on high activity machines).
• Added Alert Events are now also stored in excalibur.db, the local event trace database.

 

[ColonelMal]

Thank you for the information. It's very useful, but I still find it odd for it to be hidden seven updates below the current one on the software Releases page. In my opinion this sort of information should be more prominently displayed on their website.

Based on that, I may re-install it in order to continue trying it out for the duration of the trial period.

 

[ColonelMal]

[Rant On]
Ideally, I would want to protect my system from malware as follows:

I make very frequent backups including taking daily image backups of my PC and I keep a backup history of more than one version. I use the 321 system for backups and I consider my backup schedule quite good if not excessive! I can give details if necessary.

I consider that malware must be detected on my PC as soon as possible so as not to cause damage, for example the harm that ransomware does, but also in order to keep my private data secure and indeed private.
If malware is reported, then I should be able to do an image restore to a clean system condition.

However, the above set up would be impractical if the malware attacks/infections were very frequent and would require restoring the system all the time.
Therefore, I believe that my system should be resilient to attacks by not only detecting them early, but also if possible be effective in preventing or neutralizing them. Prevention and/or neutralization is especially important in preventing private data being compromised.

Is my system adequate? Is it strong in some respects, but weak in other areas? I know that there are no definite answers and since no software is perfect, then the biggest weakness is the human factor which in my case is me!
[/Rant Off]