SECURITY: Basic Major changes in ColonelMal's Security Config 2020

Last updated
Oct 25, 2020
About device
Primary device
Operating system
Sign-in identity
Sign-in with Local account
Log-in security
    • Account password
Permissions
Standard user account
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Malware samples
No - malware is not downloaded
Firewall protection
Provided by a third-party security vendor - see details below.
Real-time malware protection
I have ReHIPS installed and I use it mainly for Internet browsing and for LibreOffice applications.
Comodo Internet Security Pro
Windows Defender.
I also use Windows Controlled Folders to protect the external backup drives.
HitmanPro Alert (one month trial)

Shadow Defender
WiseVector StopX
RTP & OS hardening settings
Comodo Internet Security's firewall is complemented by Windows Defender and by Malwarebytes Windows Firewall Control.
SimpleWindowsHardening
ConfigureDefender
Periodic scanning
Comodo Internet Security
Windows Defender
WiseVector StopX
Browsers
Firefox browser with
uBlock Origin
DuckDuckGo Privacy Essentials
Optimisation apps
None.
My Files & Photos backup
Macrium Reflect Home
GoodSync
CrashPlan for Business
My Files backup schedule
Manual - specific days to the cloud, or local attached storage
Device recovery & settings
Macrium Reflect Home image backup of C drive.
Device backup schedule
Manual - backups are made in my own time to local attached storage
Computer specifications
Dell Inspiron 5482 2-in-1
Intel i7 8565U
Intel Graphics
8 GB RAM
256 GB SSD
Four external drives, one of which is for data and the other three for backups.
Device activity usage
  1. Financial and sensitive documents
  2. Generic web browsing
  3. Downloading and installing new software(s)
  4. Streaming audio and video content from the Internet
  5. Downloading files from unfamiliar sites
  6. Working from home
Your changelog
Updated Account Type.
16 Sep 2020 - Added HitmanPro Alert (one month trial).
20 Sep 2020 - Added Shadow Defender
22 Sep 2020 - Uninstalled HitmanPro Alert
24 Sep 2020 - Reinstalled HitmanPro Alert
10 October 2020 - Uninstalled ReHIPS
10 October 2020 - Installed Comodo Internet Security Pro
10 October 2020 - Updated configuration by noting that I use SimpleWindowsHardening and ConfigureDefender and my default search engine is DuckDuckGo
14 October 2020 - Uninstalled HitmanPro Alert
25 October 2020 - Installed WiseVector StopX

ColonelMal

Level 2
Jul 5, 2017
62
I'm particularly interested in finding a way to protect my external backup drives from ransomware.
My external drives are constantly connected to the laptop because I do scheduled backups during the day and it's not convenient to disconnect and reconnect them several times every day.

Should I add a program like VoodooShield (I used to have it) or SecureAPlus (I only heard about it a few days ago)?
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
6,966
@ColonelMal:

You may try VS and see how it works in Your system...

I would not keep all the external devices connected to the system all the time; that's a risk, independent of the scheduled backups... also hardware lifetime may be affected...

In Periodic Scanners, you may add Malwarebytes Free, Emsisoft Emergency Kit and HitmanPro Free.

A password manager would also be welcome.

Please kindly reflect your changes by editing your config and announcing them here; thanks for sharing :)
 

Gandalf_The_Grey

Level 42
Verified
Trusted
Content Creator
Apr 24, 2016
3,110
Please set UAC to always notify. That is the only setting that can prevent UAC bypasses.
The best advice for external backups comes from @harlan4096: don't keep them connected all the time.
VoodooShield, Hard_Configurator @ recommended settings or Comodo Firewall @cruelsister settings can provide additional protection.
Good post from @RoboMan:
We should start with the most important security advice. Don't let a machine decide whether something's safe or not. That should be the last line of defence. The safest method to avoid infection is trusting nothing. This can be achieved with modules or programs like Application Control or anti-executables. Let's sum it up: safest way to not get infected = don't let anything execute. Application Control modules (such as the one included in Kaspersky Internet Security), anti-executable programs (such as VoodooShield), and software restriction policies (such as Hard_Configurator by Andy Ful) can be configured to "not let anything execute", only what's necessary. Although this may seem crazy, it's the safest way to avoid malware. These kinds of configurations will block the execution of any program, script, or software that attempts to run in your system. This includes malicious software and safe programs. Of course, these modules like AC or SRP include options to whitelist your desired software or executables, but the point is clear.
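Added example (not part of the thread or of any poster's words): a PowerShell script that reads the registry values behind the UAC slider, reports which of the four slider positions is in effect, and writes the "Always notify" values. The reason "Always notify" is the setting that matters against UAC bypasses is that Microsoft-signed binaries flagged for auto-elevation, which most bypass techniques ride on, only skip the prompt at the lower levels; at level 2 every elevation prompts on the secure desktop. The registry path and values are the documented ones for Windows 10; nothing here is specific to the poster's machine.

```powershell
# Added example (not from the thread): report the current UAC level and set it to
# "Always notify". Run from an elevated PowerShell prompt.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p = Get-ItemProperty -Path $UacKey
    if ($p.EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0)' }
    # ConsentPromptBehaviorAdmin / PromptOnSecureDesktop pairs written by the four slider positions
    switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify (maximum)' }
        '5/1'   { 'Notify only when apps try to make changes (Windows default)' }
        '5/0'   { 'Notify only when apps try to make changes, without dimming the desktop' }
        '0/0'   { 'Never notify' }
        default { "Custom: ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin), PromptOnSecureDesktop=$($p.PromptOnSecureDesktop)" }
    }
}

function Set-UacAlwaysNotify {
    # 2 = prompt for consent on the secure desktop for every elevation, including the
    # Microsoft-signed auto-elevate binaries that bypass techniques typically abuse
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

"UAC before: $(Get-UacLevel)"
Set-UacAlwaysNotify
"UAC after:  $(Get-UacLevel)"
```

Windows asks for a restart when the slider is moved in the Control Panel; do the same after writing the values here. Note that these values govern accounts in the Administrators group. A standard user account, as listed in the config above, is governed by ConsentPromptBehaviorUser and is always asked for an administrator's credentials, so auto-elevation never applies to it in the first place.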
 

ColonelMal

Level 2
Jul 5, 2017
62
I updated UAC to "always notify".
I'll see how I can change my backup schedule so that backups will take place at a convenient time and I'll disconnect the external drives during the rest of the day.
I forgot to add that I use Keepass as my password manager - I updated my configuration posting accordingly.
I'll have a look at Malwarebytes Free or Emsisoft Emergency Kit and HitmanPro Free and I'll need to read up on Hard_Configurator.
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,622
It's been suggested that I need not install Hard_Configurator as I use ReHIPS. So I'll not do anything about that.
Yes, adding H_C (or similar application) to your current setup would make it too complex. But instead, you should find a way to harden the system against scripting attacks by properly tweaking ReHIPS and use advanced Defender settings for more protection. If you do not want to tweak ReHIPS then you can use some simple tools to restrict scripting.
You would also have some good options when skipping ReHIPS - it is a very good application for advanced users, but can be problematic for others.(y)
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,622
The ReHIPS developers usually respond to queries about their program, but you are right that it's more geared for advanced users and I'm not in that class.
Do you have any suggestions for the tools to restrict scripting?
Simple Windows Hardening or SysHardener. The first one will also block shortcut malware (popular infection of flash drives).
If you are opening the URL from the document, is it opened in LibreOffice sandbox, web browser sandbox, or the URL is blocked?
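Added example (not from the thread, and not a description of how Simple Windows Hardening or SysHardener work internally): one of the scripting restrictions such tools cover, applied by hand. Disabling Windows Script Host makes wscript.exe and cscript.exe refuse .vbs, .js, .jse, .wsf and .wsh files, which is the usual delivery format for the script attacks mentioned above. The probe file name is constructed for the example; the assumption is a home system on which nothing (logon scripts, vendor installers, admin tooling) depends on WSH.

```powershell
# Added example (not from the thread): disable Windows Script Host machine-wide and probe
# the result. Run elevated. Assumption: no legitimate software on this system relies on WSH.
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Disable-WindowsScriptHost {
    New-Item -Path $WshKey -Force | Out-Null
    Set-ItemProperty -Path $WshKey -Name Enabled -Value 0 -Type DWord
}

function Enable-WindowsScriptHost {
    # Rollback if something turns out to need WSH after all
    Set-ItemProperty -Path $WshKey -Name Enabled -Value 1 -Type DWord
}

function Test-WindowsScriptHost {
    # Constructed probe: a harmless script that only echoes a line if WSH is allowed to run.
    $probe = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "WSH is enabled"'
    $output = & cscript.exe //Nologo $probe 2>&1
    Remove-Item $probe
    return ($output -join ' ')
}

Disable-WindowsScriptHost
"cscript result after disabling: $(Test-WindowsScriptHost)"
```

With the value in place, cscript reports that Windows Script Host access is disabled on this machine instead of echoing the line. A standard user who cannot elevate can apply the same Enabled=0 value under HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings for their own account. This covers WSH only: PowerShell scripts, HTA files and Office macros are separate vectors and are not affected by this setting.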
 

Tutman

Level 9
Verified
Apr 17, 2020
428
I'm particularly interested in finding a way to protect my external backup drives from ransomware.
My external drives are constantly connected to the laptop because I do scheduled backups during the day and it's not convenient to disconnect and reconnect them several times every day.

Should I add a program like VoodooShield (I used to have it) or SecureAPlus (I only heard about it a few days ago)?
Is the external drive only for your backups... as in Macrium, which I see you have installed and use? If so, it has ransomware protection built in for the backups.
 

ColonelMal

Level 2
Jul 5, 2017
62
Simple Windows Hardening or SysHardener. The first one will also block shortcut malware (popular infection of flash drives).
If you are opening the URL from the document, is it opened in LibreOffice sandbox, web browser sandbox, or the URL is blocked?
If I try to open a URL from LibreOffice I get a choice of browser to use. If I choose Firefox, which runs in an isolated environment, then I see a warning that my administrator has blocked the action, but it does open the URL in Firefox. If I repeat the URL opening attempt, the warning does not appear and the URL again opens in Firefox.
Is the external drive only for your backups....as in Macrium which I see you have installed and use? If so it has ransomware protection built in for the backups.
One of my drives has a mix of ordinary files and Macrium backups. I should do an adjustment so that all my Macrium backups will be on the same external drive.

Does the Macrium built-in ransomware protection include the inability for malware to delete a Macrium backup?
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
6,966
Macrium IG only protects its own backups, not the rest of the user's files/documents.
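Added example (not from the thread): since Macrium Image Guardian covers only Macrium's own backup files, the rest of a backup drive that also holds ordinary files, as described above, is left to something else. The config at the top lists Windows Controlled Folders for the external backup drives; this PowerShell script shows what that amounts to with Microsoft Defender's cmdlets: enabling Controlled Folder Access, adding a folder on an external volume (by default only the user's profile folders on the system drive are covered), allowing the backup program through, and reading back the result plus any block events. The drive letter, folder and Macrium Reflect path are assumptions for the example, not values from the poster's system.

```powershell
# Added example (not from the thread): extend Defender Controlled Folder Access (CFA) to a
# backup folder on an external drive, allow the backup tool, and verify. Run elevated.
# Assumptions (not from the thread): backups live under E:\Backups and Macrium Reflect is
# installed at the path below; adjust both to the real system.
$BackupFolder = 'E:\Backups'
$BackupTool   = 'C:\Program Files\Macrium\Reflect\Reflect.exe'

function Test-DefenderRealTime {
    # CFA is a Defender Antivirus feature: it enforces nothing while Defender real-time
    # protection is off, which is the state Windows puts Defender into when a third-party
    # antivirus registers itself as the active product.
    return (Get-MpComputerStatus).RealTimeProtectionEnabled
}

function Set-BackupFolderProtection {
    param([string]$Folder, [string]$AllowedExe)
    # 'AuditMode' only logs what would be blocked; switch to 'Enabled' once the allow list
    # has been checked against a real backup run.
    Set-MpPreference -EnableControlledFolderAccess Enabled
    # Default CFA coverage is the user's Documents, Pictures, etc. on the system drive;
    # folders on other volumes have to be listed explicitly.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Folder
    # Only listed (or Defender-trusted) applications may modify files in protected folders.
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedExe
}

function Get-CfaEvents {
    # 1123 = blocked write to a protected folder, 1124 = the same event in audit mode
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

if (-not (Test-DefenderRealTime)) {
    Write-Warning 'Defender real-time protection is off; Controlled Folder Access will not enforce anything.'
}
Set-BackupFolderProtection -Folder $BackupFolder -AllowedExe $BackupTool

$pref = Get-MpPreference
"CFA mode (0=Disabled, 1=Enabled, 2=AuditMode): $($pref.EnableControlledFolderAccess)"
'Protected folders:';    $pref.ControlledFolderAccessProtectedFolders
'Allowed applications:'; $pref.ControlledFolderAccessAllowedApplications
'Recent CFA events:';    Get-CfaEvents
```

The real-time check at the top is the caveat worth keeping in mind for a setup that lists both Comodo Internet Security and Windows Defender: if Defender's real-time protection has been turned off in favour of the third-party product, the Controlled Folders entry in the config is not actually protecting anything, and Get-MpComputerStatus is the quickest way to find out. CFA also does not replace harlan4096's advice above; a drive that is not connected cannot be written to at all.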
 

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,622
If I try to open a URL from LibreOffice I get a choice of browser to use. If I choose Firefox which runs in an isolated environment, ...
I asked, because some ReHIPS users block Internet access in the sandbox for document editors or other vulnerable applications. This requires a different sandbox for the web browser.
 

Soulbound

Moderator
Verified
Staff member
Jan 14, 2015
1,775
I uninstalled HitmanPro Alert. I didn't like the fact that no information is given about the program's security features. No explanation makes me, a non-sophisticated user, quite unsure.
I think this sort of sums it up

Stop zero-day ransomware
HitmanPro.Alert includes the CryptoGuard feature, which analyzes all encryption behavior. It’s a ransomware stalker. When it recognizes unauthorized encryption, HitmanPro.Alert reacts. It creates backups of the files, then stops and removes the ransomware. Finally, it allows the files to be reverted back to their original state. No user interaction required, and no ransomware signatures needed.

And then under frequently asked questions, go to the question opened in the screenshot, which brings you to another page.

scroll down to
Build 859 (2019-12-30)
  • Added CryptoGuard v5, a completely new anti-ransomware engine. It offers increased performance and reduced I/O overhead – which is specifically noticeable in low-bandwidth network scenarios and on endpoints where many documents or other files change frequently.
  • CryptoGuard can run in either v4 or the new v5 mode.
  • CryptoGuard v5 block modes: Terminate, Isolate and Audit
    • Terminate: terminates and isolates the ransomware process (new default)
    • Isolate: detects and isolates the ransomware by revoking write access (old default)
    • Audit: detects ransomware, but takes no action on it (new)
  • Added RDP Lockdown to isolate Remote Desktop (RDP) sessions. It prevents attackers that brute-forced or otherwise obtained correct logon credentials from installing new programs like ransomware. It blocks access to new binaries that are introduced in RDP sessions, strips administrator privileges from new processes and allows generating a 2-factor token file to unlock an RDP session (automatically enforced when enabling the mitigation).
  • Added APISetGuard, part of DLL Hijacking mitigation, to prevent adversaries from using a malicious ApiSet Stub DLL alongside a trusted application.
  • Added FileProtection to block replacement of accessibility tools from remote (like StickyKeys and Utilman). This mitigation also protects the Anti-Malware Scan Interface (AMSI.DLL) in memory against tampering.
  • Added JIT Guard that prevents the use of Win32 API calls from within just-in-time (JIT) memory in Chrome and Firefox based web browser applications.
  • Added Safe Mode support to stop ransomware that forces Windows to (re-)boot into a diagnostic mode and encrypt the system from there – in Safe Mode.
  • Added Event List panel to the user interface to view previous alerts and the involved MITRE ATT&CK TTPs. This replaces the use of the Windows Event Viewer (alerts are still recorded to the Windows Event Log, of course).
  • Added Event Process Tree panel to provide a graphical timeline revealing how an attack took place. Includes clickable objects, view dropped files per process, show time between processes, their exit state and hyperlinked SHA-256 hashes that opens a report on VirusTotal (when it has one).
  • Added Protected Volumes list panel to view the local and removable volumes as well as the network shares that are protected by CryptoGuard from ransomware.
  • Added ability to suppress subsequent alerts on the same application, mitigation and condition (from the Event List).
  • Added license expiration reminder. Users that renew their license will receive a discount of 15% on a new license when buying one via the new reminder message.
  • Anti-Malware now relies on a new network manager module to detect when the internet connection is lost or restored.
  • Excalibur.db is now regularly truncated to prevent the file from becoming too large on high-activity machines.
  • Alert Events are now also stored in excalibur.db, the local event trace database.
 

ColonelMal

Level 2
Jul 5, 2017
62
Thank you for the information. It's very useful, but I still find it odd for it to be hidden seven updates below the current one on the software Releases page. In my opinion this sort of information should be more prominently displayed on their website.

Based on that, I may re-install it in order to continue trying it out for the duration of the trial period.
 

ColonelMal

Level 2
Jul 5, 2017
62
[Rant On]
Ideally, I would want to protect my system from malware as follows:

I make very frequent backups, including taking daily image backups of my PC, and I keep a backup history of more than one version. I use the 3-2-1 system for backups and I consider my backup schedule quite good, if not excessive! I can give details if necessary.

I consider that malware must be detected on my PC as soon as possible so as not to cause damage, for example the harm that ransomware does, but also in order to keep my private data secure and indeed private.
If malware is reported, then I should be able to do an image restore to a clean system condition.

However, the above set up would be impractical if the malware attacks/infections were very frequent and would require restoring the system all the time.
Therefore, I believe that my system should be resilient to attacks by not only detecting them early, but also if possible be effective in preventing or neutralizing them. Prevention and/or neutralization is especially important in preventing private data being compromised.

Is my system adequate? Is it strong in some respects, but weak in other areas? I know that there are no definite answers and since no software is perfect, then the biggest weakness is the human factor which in my case is me!
[/Rant Off]
 