MarzametaL's System Software Configuration (OEM)

marzametal (Thread author)
Clam AV... one of the weakest AV ever...
I installed it as an extra opinion for PUA/PUP, since EAM and MBAM don't pick up all. As an added incentive, updates come directly from Clam mirrors as opposed to CDNs, which is a tick in my book. I also like the added choice to scan memory, rather than having it bundled in the whole scan process like some software out there.

The GUI is not modernised for tablets, or other technology that uses fingers rather than keyboards and mice, which is great news for the traditionalist in me. I don't feel like I am back in kindergarten learning how to fingerpaint big blue rectangles (MBAM) and green/orange squares (EAM). Also, during the scan process, it lets me know which files were access restricted, and just by watching the screen you can see a crapload of filenames fly through with full directory structure.

Modernise everything... pfft!

EDIT: Removed Sandboxie, since I prefer the "better protection" option from SpyShelter Premium

Can't believe I am going to say this... I will accept some convenience over security...

EDIT 2: (18/07/15)
  • Removed Ghostery for IE since it is not compatible with SSP (due to global hooks and not being able to tweak rule 33 manually)
  • Re-installed Sandboxie (latest) for use with IE9 (also inserted IE9 into SSP Restricted Apps List)
  • Installed NVT-ERP (browsers used as "allowed till reboot" so entries are not hard-coded, cleared after usage ends)
  • Installed EMET 5.2
EDIT 3: (23/07/15)
  • Added some lil' apps - AudioShell, HashTab, MP3Tag, NVT KMD (lists order of execution), PSPad (text editor with code capabilities), NirSoft's FolderChangesView
 

marzametal (Thread author)
Been a while since I updated my config here, and since I put my name down for MBAE giveaway, I was reminded of this thread.

  • Removed EAM and MBAM Premium, along with existing On-demand scanners. They have been replaced with EEK and MBAM Free (annoyed with the constant update checks), which are run intermittently or before backup... depending on surfing habits
  • Removed SpyShelter Premium (caused Application Hangs and Windows Error Reporting prompts)
  • Removed Spyware Blaster
  • Removed AdGuard for Windows
  • Removed IE 9 from Windows Features
  • Installed AppGuard
  • Installed NVT-ERP
  • Installed Sandboxie
  • Installed SRP (Software Restriction Policy)
  • Installed Secure Folders
  • Started using Group Policy provided by Major Geeks
In relation to Firefox 27.0.1 & addons:
  • uBlock Origin
  • uMatrix
  • NoScript
I was going to jump from a signature and definition setup straight to Bouncer; but I anticipated a learning curve. So I went for the alternative approach which was a combination of the installed apps, to gain an understanding of what policies and privileges actually do... as opposed to lock everything out and be done with it.

I can say for certain, if I decide to stay on W7 (tossing up between learning and working with the Qubes + Whonix combo), when I eventually give Bouncer a run, it'll be a beast that can be tamed without losing my marbles.
 

Soulbound
I might be wrong, but I see a few overlaps:
AppGuard from Blue Ridge and Anti-Executable NoVirusThanks EXE Pro. I would go with one or the other. Personally, AppGuard.

In terms of FF addons, uMatrix has more granular control, last I tried, compared to uBlock. There was a discussion not long ago about both on the Wilders side.

Privazer and CCleaner: I assume CCleaner is portable? Either way, one or the other is fine; not really a need to have both.

One question: why run Whonix, which is a KDE-based Debian distro? You could resort to CrunchBang++, which is based on Jessie and uses the OB + Tint2 combo. Sure, it ain't fully featured as a "security" distro, but you've got other options that do not use either KVM technology or Qubes OS. Also, I don't think you really need to dip your toes into the Qubes OS Project.
 

marzametal (Thread author)
  • Reinstalled AdGuard v6 (sort of current Beta): for some reason, when I remove this app, my bandwidth is reduced significantly, can't break 50kb/s. Post-reinstall, full throttle bandwidth returns!
  • Removed NVT-ERP: not LUA friendly
  • Removed Privazer: already have one of these apps

Soulbound said:
I might be wrong, but I see a few overlaps:
AppGuard from Blue Ridge and Anti-Executable NoVirusThanks EXE Pro. I would go with one or the other. Personally, AppGuard.

In terms of FF addons, uMatrix has more granular control, last I tried, compared to uBlock. There was a discussion not long ago about both on the Wilders side.

Privazer and CCleaner: I assume CCleaner is portable? Either way, one or the other is fine; not really a need to have both.

One question: why run Whonix, which is a KDE-based Debian distro? You could resort to CrunchBang++, which is based on Jessie and uses the OB + Tint2 combo. Sure, it ain't fully featured as a "security" distro, but you've got other options that do not use either KVM technology or Qubes OS. Also, I don't think you really need to dip your toes into the Qubes OS Project.
Cheers for the feedback...

I've had a think about it over the past day or two, and have come to the realisation that I went a bit nuts. Trying to cover all bases is a lesson in futility; it all comes back to where you browse and your level of common sense.

One thing that ticked me off about ERP was the lack of carry-over between Admin and LUA. Whenever loading LUA, the ERP options in the Settings tab would have to be customised, each and every bootup. Even if one was to take the export-before-shutdown and import-after-bootup approach, it is still an unnecessary and tedious task. Each and every time. After uninstalling ERP, the system seems to have a slight improvement in reaction time.

I've read over various threads over at Wilders, uBlock vs uMatrix, uBlock vs Adguard etc... I like AdGuard, but find it tricky to create custom filter rules because the AG Assistant doesn't work on 27.0.1 if you make about:config tweaks. So, to compensate for a hardened prefs.js, I use uBlock Dynamic Filtering to create the custom filter lists, then transfer them to AdGuard. Apart from that, I don't use uBlock for anything else.

I ended up removing Privazer, and had a look at all of the CCleaner settings; you were definitely right... no real need to have both.

I have some more thinking to do in relation to the Linux topic; time is on my side for this, so happy days ahead!

Thanks once again :)
 

JM Safe
marzametal said:
Been a while since I updated my config here, and since I put my name down for MBAE giveaway, I was reminded of this thread.

  • Removed EAM and MBAM Premium, along with existing On-demand scanners. They have been replaced with EEK and MBAM Free (annoyed with the constant update checks), which are run intermittently or before backup... depending on surfing habits
  • Removed SpyShelter Premium (caused Application Hangs and Windows Error Reporting prompts)
  • Removed Spyware Blaster
  • Removed AdGuard for Windows
  • Removed IE 9 from Windows Features
  • Installed AppGuard
  • Installed NVT-ERP
  • Installed Sandboxie
  • Installed SRP (Software Restriction Policy)
  • Installed Secure Folders
  • Started using Group Policy provided by Major Geeks
In relation to Firefox 27.0.1 & addons:
  • uBlock Origin
  • uMatrix
  • NoScript
I was going to jump from a signature and definition setup straight to Bouncer; but I anticipated a learning curve. So I went for the alternative approach which was a combination of the installed apps, to gain an understanding of what policies and privileges actually do... as opposed to lock everything out and be done with it.

I can say for certain, if I decide to stay on W7 (tossing up between learning and working with the Qubes + Whonix combo), when I eventually give Bouncer a run, it'll be a beast that can be tamed without losing my marbles.
Good changelog, I really like almost all software that you added :)
 

marzametal (Thread author)
No anti-x programs running in real-time, strictly on-demand (EEK & MBAM)... run when I am close to performing a system backup via Acronis True Image 2015...

Backup Process:
1) In Safe Mode
  • remove allowable log files and empty remaining accessible log files (redundant since *.log is used as a backup exclusion... oh well!)
  • delete unwanted *.txt files brought about by updating/installing apps
  • run DriveCleanup to flush USB registrations (eg: make it appear that no external devices have been used)
  • run "wevtutil el | Foreach-Object {wevtutil cl "$_"}" in PowerShell to empty Event Viewer
  • empty System Restore catalogue
  • reboot

2) In Admin Account
  • connect necessary USB drives for backup & startup restoration, then modify Power Management settings in Device Manager
  • run CCleaner
  • reboot
  • backup with various exclusions in Acronis: (I am sure I have missed some... )
C:\$RECYCLE.BIN\
D:\$RECYCLE.BIN\
C:\ProgramData\NVIDIA
C:\ProgramData\NVIDIA Corporation
C:\Users\xxxxxx\AppData\Local\VirtualStore\ProgramData\NVIDIA Corporation
C:\Users\xxxxxx\AppData\Roaming\NVIDIA
views.htm & views.js
*ntuser.dat.log* <--- first time I used "ntuser.dat", and bricked my login credentials... so came up with the custom-exclusions as shown...
*ntuser.dat{*
*index.dat*
C:\Users\xxxxxx\AppData\Local\Microsoft\Windows\History
--- haven't seen a History directory in Roaming on my system yet...
C:\Users\xxxxxx\AppData\Local\Microsoft\Windows\Cookies
C:\Users\xxxxxx\AppData\Roaming\Microsoft\Windows\Cookies
D:\Temp\Temporary Internet Files\
D:\Temp\Local\
D:\Temp\System\
*usrclass.dat*
C:\Users\xxxxxx\AppData\Local\Microsoft\Windows\Explorer <--- includes the directory "ThumbCacheToDelete" (I am aware that CCleaner deals with this, but the reboot before backup commencement populates the directory somewhat... so I include it here as well)
*.log
pagefile.sys
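As an added example (not from the post), a PowerShell dry run of the exclusion masks above against constructed sample profile paths, so you can see what each mask really catches before trusting the backup. It assumes a mask without a directory part is matched against the file name only, approximated with PowerShell's -like operator; the paths and the GUID are constructed placeholders.

```powershell
# Added example, not part of the original post: dry-run backup exclusion masks
# against sample paths to see what each mask catches.
# Assumption: a mask without a directory part is matched against the file
# name only, approximated here with PowerShell's -like wildcard operator.

# Constructed sample paths modelled on the layout in the post (GUID is a placeholder)
$SamplePaths = @(
    'C:\Users\xxxxxx\ntuser.dat',
    'C:\Users\xxxxxx\ntuser.dat.LOG1',
    'C:\Users\xxxxxx\ntuser.dat.LOG2',
    'C:\Users\xxxxxx\ntuser.dat{00000000-0000-0000-0000-000000000000}.TM.blf',
    'C:\Users\xxxxxx\AppData\Local\Microsoft\Windows\UsrClass.dat',
    'C:\Users\xxxxxx\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1',
    'C:\Users\xxxxxx\AppData\Local\Microsoft\Windows\History\index.dat',
    'C:\Windows\Logs\CBS\CBS.log',
    'C:\pagefile.sys'
)

# Masks from the post, plus the bare "ntuser.dat" entry that broke the login
$Masks = @('ntuser.dat', '*ntuser.dat.log*', '*ntuser.dat{*', '*usrclass.dat*',
           '*index.dat*', '*.log', 'pagefile.sys')

# Per-user registry hive files; the post reports that excluding ntuser.dat bricked the login
$HiveNames = @('ntuser.dat', 'usrclass.dat')

function Test-ExclusionMask {
    param([string[]]$Paths, [string[]]$Masks, [string[]]$Hives)
    foreach ($mask in $Masks) {
        # -like and -contains are case-insensitive, like the Windows file system
        $matched  = @($Paths | Where-Object { (Split-Path $_ -Leaf) -like $mask })
        $hiveHits = @($matched | Where-Object { $Hives -contains (Split-Path $_ -Leaf) })
        New-Object PSObject -Property @{
            Mask     = $mask
            Matches  = $matched.Count
            HiveHits = ($hiveHits -join '; ')
        }
    }
}

$report = Test-ExclusionMask -Paths $SamplePaths -Masks $Masks -Hives $HiveNames
$report | Format-Table -AutoSize Mask, Matches, HiveHits

# Warn on any mask that would drop a hive file itself out of the backup set
$bad = @($report | Where-Object { $_.HiveHits -ne '' })
if ($bad.Count -gt 0) {
    Write-Warning ("Masks that exclude a registry hive: " +
        (($bad | ForEach-Object { $_.Mask }) -join ', '))
}
```

On these inputs the bare ntuser.dat mask and *usrclass.dat* each hit a hive file, while *ntuser.dat.log* and *ntuser.dat{* catch only the log and transaction files.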

Restore Process: (I might have missed some... )
1) In Admin Account
  • disable relevant entries in SecureFolders
  • re-create necessary Temp directories
  • reboot

2) In Standard Account
  • set Integrity Level of D drive and everything in it to LOW via MicEnum (Integrity Control)
  • enable relevant entries in SecureFolders
  • reboot

The NVIDIA directories are set to LOCK and the above User & Temp directories are set to READ ONLY in SecureFolders (some users might o_O after reading that a Temp directory is read-only, but it works for me and I love it)... I still use hexxed versions of dnsapi.dll, and they are also set to READ ONLY.

Group Policy (version available for W7 HP), along with SRP, UAC, SUA... rules regularly maintained by running Access Check tests after installation of app(s)...

Internet usage through VPN (DNSCrypt supported) with heavily-customised firewall rules via WFwAS, enabling the VPN connection (and only the VPN connection - aka killswitch) to remain active when WFC is set to "High Filtering". VPN and WFC are partnered with VPN Monitor (lil' app that acts as another killswitch for 3 heavily-used apps) and Acrylic DNS Proxy. Uncommenting one or two rules in the Acrylic Hosts File allows me to remain invisible while online (some leak sites detect online availability - my results screen shows Online = False). Router has various things unticked (UPNP etc...) and VPN DNS addresses entered in manually to over-ride ISP assigned DNS addresses.

AdGuard for Windows is blended into the Internet Usage, on system level and browser level. One FF about:config entry has been modified to hide AG Assistant access (I only allow it when I need to block something I can't be bothered seeing by resetting the dom.indexedDB.enabled value to "true", then refreshing the specific page to bring up Assistant icon).

Sandboxie is heavily-customised.
  • I wasn't satisfied that Program Files, Program Files x86 and Windows directories were defaulted to read-only. So I ended up creating blocked access rules for all relevant directories in both Program Files sub-directories, and some Windows directories (Installer, System32 & SysWOW64 "config"... will need to spend more time on this...)
  • I also wonder if entering "C:\Windows\System32\kernel32.dll" and "C:\Windows\SysWOW64\kernel32.dll" into blocked access for the FF sandbox was sufficient to overcome the recent FF 0-day fiasco? I have also added opposing sandboxes into blocked access, to prevent one sandbox peeking into another. I've noticed on forum threads, people have mentioned that sandboxes can peek into one another, so I took this approach to see if I can prevent it. It works on UI level, but who knows what's happening in the background
  • The only User that is not entered in blocked access is the SUA account (eg: Hidden Administrator (disable then delete this account after finishing with it, but keep directory in Sandboxie config just in case it is used later), Default, Public, Administrator), just in case the sandboxed app tries to get into another user's pants
Hmmmm, this is all that comes to mind at the moment.

Once SpyShelter and NVT-ERP are fully compatible with SUA (eg: settings do not revert back to default, therefore no requirement to load config files every time SUA is logged onto), I might entertain the thought of using them again. I have been tempted to re-install AppGuard, but have put it off because I don't see a real need for it in my setup. If I was to choose an app that I would install next and try and keep as a foundation, it would have to be RE-HIPS, but can hold off until it becomes a full stable release.

I think that is it for now... the other stuff I could mention is just for sh**s and giggles, lil' apps that do this or that... nothing really major. I think we all have some of these apps lying around :p
 