Basic Security Meltcheesedec Security Configuration 2018

meltcheesedec

Level 2
Thread author
Verified
Jul 30, 2017
54
Thanks to @Exterminator I am much happier using Macrium for backup/imaging -
Removed:
- 'System Image Backup Software:' = "Windows Built-in"
Added:
- 'System Image Backup Software:' = "Macrium Reflect Free and viBoot"

Thanks to @askalan I have an additional updating tool in my configuration -
Added:
- 'Frequently used System Utilities:' = "Patch My PC"

Google Safe Browsing is utilized OOTB in most commonly-used browsers, including the two I use (Firefox and Chrome); even though it is ubiquitous, I consider it an important layer in most of our security configurations, so I will state it explicitly -
Added:
- 'Browsers and Extensions:' = "FireFox (with Google Safe Browsing OOTB)"
- 'Browsers and Extensions:' = "Chrome (with Google Safe Browsing OOTB)"

I removed ScriptSafe/NoScript because I was only using a portion of their functionalities (in order to actually render most web pages), and feel comfortable with Adguard for Windows and the other layers in my security configuration -
Removed:
- 'Browsers and Extensions:' = "FireFox: ScriptSafe"
- 'Browsers and Extensions:' = "Chrome: NoScript"
- 'Content Blocker (Ads, Scripts, Trackers):' = "NoScript/ScriptSafe"

I removed TrafficLight because I feel comfortable with Adguard for Windows and the other layers in my security configuration -
Removed:
- 'Browsers and Extensions:' = "FireFox: TrafficLight"
- 'Browsers and Extensions:' = "Chrome: TrafficLight"

There has been much recent debate within the Adguard community concerning Adguard Assistant (userscript) vs. Adguard browser extension in integration mode - e.g., "Adguard Assistant", "Integration mode-only Assistant browser extension" and "Move Adguard Assistant (Chrome)". I've decided to revert to Adguard Assistant because of recent updates/improvements to this userscript, and my typical use case involving only rare requirements to turn off Adguard, at which point I turn it off at the Adguard for Windows (desktop app) level instead of at the browser level -
Removed:
- 'Browsers and Extensions:' = "FireFox: Adguard extension (integration mode)"
- 'Browsers and Extensions:' = "Chrome: Adguard extension (integration mode)"
Added:
- 'Browsers and Extensions:' = "FireFox: Adguard Assistant (userscript installed with OOTB Adguard for Windows desktop app)"
- 'Browsers and Extensions:' = "Chrome: Adguard Assistant (userscript installed with OOTB Adguard for Windows desktop app)"

Google Backup and Sync has replaced Google Drive and Google Photos -
Removed:
- 'Data Backup Software:' = "Files: Google Drive (Cloud)"
- 'Data Backup Software:' = "Photos/Videos: Google Photos (Cloud)"
Added:
- 'Data Backup Software:' = "Files (Google Drive) and Photos/Videos (Google Photos): Google Backup and Sync (Cloud)"

Thanks to @askalan, I -
Removed:
- 'Frequently used System Utilities:' = "f.lux"
Added:
- 'Frequently used System Utilities:' = "Night Light (Windows 10 Creators Update)"

@Umbra, @DeepWeb, @JM Security, @Exterminator, @askalan: might you be interested in commenting on these changes?

meltcheesedec

Added:
Changed from
- Windows BitLocker
to
- Windows BitLocker (TPMAndPIN configured via manage-bde)

Added:
Changed from
- AppGuard Personal
to
- AppGuard Personal ('Protection Level' = "Locked Down"; configuration guided step-by-step via AppGuard; PM me for more info)

Removed:
- Click&Clean extension in Firefox & Chrome

@Umbra, @DeepWeb, @JM Security, @Exterminator, @askalan: might you be interested in commenting as to whether my configuration is secure as of 2018-02?
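An added check to go with the BitLocker change above (my code, not the thread author's and not part of Windows or AppGuard): it reads the OS volume's key protectors through the BitLocker PowerShell module that ships with Windows 10 and reports whether a TpmPin protector is present, whether a weaker TPM-only protector also remains (which would let the drive unlock at boot without a PIN), and whether a recovery password exists. The function name `Test-BitLockerTpmPin` and its `$MountPoint` parameter are my own; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): verify that the OS volume really carries a
# TPM+PIN protector, as the post describes, rather than assuming it from memory.
# Requires the BitLocker module (Windows 10 Pro/Enterprise) and an elevated prompt.
function Test-BitLockerTpmPin {
    param([string]$MountPoint = 'C:')   # assumed parameter; OS volume by default

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # KeyProtectorType values of interest: TpmPin, Tpm, RecoveryPassword
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus      # On / Off
        VolumeStatus     = $vol.VolumeStatus          # e.g. FullyEncrypted
        EncryptionMethod = $vol.EncryptionMethod
        HasTpmPin        = $types -contains 'TpmPin'
        HasTpmOnly       = $types -contains 'Tpm'     # weaker: no user secret at boot
        HasRecoveryKey   = $types -contains 'RecoveryPassword'
        Protectors       = ($types -join ', ')
    }
}

$result = Test-BitLockerTpmPin -MountPoint 'C:'
$result | Format-List

if ($result.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not On for $($result.MountPoint)."
}
if (-not $result.HasTpmPin) {
    Write-Warning "No TPM+PIN protector on $($result.MountPoint); check 'manage-bde -protectors -get $($result.MountPoint)'."
}
if ($result.HasTpmOnly) {
    Write-Warning "A TPM-only protector is also present; the volume will unlock at boot without a PIN."
}
if (-not $result.HasRecoveryKey) {
    Write-Warning "No recovery password protector; a PIN lockout or TPM change could make the volume unrecoverable."
}
```

`manage-bde -protectors -get C:` prints the same protector list from the command line; the TPMAndPIN setting the post refers to shows up here as a protector of type TpmPin.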

meltcheesedec

@DeepWeb : I'm probably biased, but my objective data seems to indicate that my current configuration uses fewer resources than any of my previous configurations (and is the most secure by far). Which of the products in my configuration do you feel use significant resources?

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Hi, you use Windows Defender and AppGuard in locked down mode, right?
Might be good to recheck with @Lockdown about it, because he has been talking about how to configure AppGuard for use with WD, and there might be some changes. Not sure if it impacts your version of Appguard or not.

ForgottenSeer 69673

Might be good to recheck with @Lockdown about it, because he has been talking about how to configure AppGuard for use with WD, and there might be some changes. Not sure if it impacts your version of Appguard or not.

I have not seen his posts on this. First time I heard of it.

shmu26

I have not seen his posts on this. First time I heard of it.
He doesn't post much on the open forums anymore.
The issue is that Windows Defender now runs from programdata, which is considered user space. So this gives rise to certain issues, the more subtle of which involve memory guard.
I don't want to get into details because:
1. I don't understand all the issues well enough as they apply to the various Appguard protection levels
2. I am not sure which versions of AG they apply to

Maybe @Lockdown can clarify?

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
@DeepWeb : I'm probably biased, but my objective data seems to indicate that my current configuration uses fewer resources than any of my previous configurations (and is the most secure by far). Which of the products in my configuration do you feel use significant resources?
I mean if everything works well together with Windows Defender Antivirus, great news! (y)

shmu26

Yes, that would be nice. I guess I have not noticed any blocks of WD files with version 4-4-6-1.
I assume you are talking about Windows 10 current version, right?

The trickier issue is the memory guard, because if WD processes are running from user space, by default they will be memory guarded, and that's not good for an AV.

If you are in standard mode, you will never see execution blocks for WD, because WD files are signed by Microsoft.
If you are in locked down mode, and you have made the necessary exceptions to user space, you also will not see execution blocks.
But the memory guard issue remains.

shmu26

So allow me to correct myself: the memory guard issue applies only to protected mode, because in protected mode, WD is running from user space. Therefore, the user should do the following:
Trusted Publisher list > Microsoft > MemGuard > OFF

But in locked down mode, like @meltcheesedec has it, this is not necessary -- because the relevant WD processes are excluded from user space:
c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe
c:\programdata\microsoft\windows defender\platform\*\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\*\nissrv.exe
c:\programdata\microsoft\windows defender\platform\scans\mppayloaddata\mpengine.exe

So, @meltcheesedec, it turns out that it was a false alarm on my part, as you are in locked down mode. Sorry for hijacking your thread...

shmu26

I also run in lockdown mode.
Yeah, there is another way of doing it for locked down mode, but it is less secure: instead of excepting the relevant processes from user space, you can put them on the power apps list. That's the point I was unclear about. So it turns out that the power app method is not recommended.

meltcheesedec

@shmu26, you are not hijacking my thread at all :). This topic is important for those of us who use Windows Defender for antivirus and AppGuard for Software Restriction Policy.

Here is official communication I received from AppGuard Support regarding this issue you brought up (which merely restates what you wrote above):
"
Microsoft moved its Antimalware service and other protection services to User Space (ProgramData) in October 2017. Therefore the user needs to make some changes in their AppGuard policy.

Locked Down mode:

Add to User Space and set to NO

c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe
c:\programdata\microsoft\windows defender\platform\*\mpcmdrun.exe
c:\programdata\microsoft\windows defender\platform\*\nissrv.exe
c:\programdata\microsoft\windows defender\platform\scans\mppayloaddata\mpengine.exe

Protected mode:

Trusted Publisher list > Microsoft > MemGuard > OFF
"

I follow the above guidance; and, frankly, I built my entire AppGuard configuration in Locked Down mode via step-by-step guidance from AppGuard Support. As a result, Windows Defender is practically a minor-player, OOTB-with-Windows-OS afterthought in my security configuration (SECURE - Meltcheesedec Security Configuration 2018).
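An added example to go with the AppGuard Support guidance quoted above (my own script, not code from the thread, from AppGuard or from Microsoft): before relying on the four user-space exclusions, it is worth confirming that the Defender services on the machine really run from the ProgramData Platform folder and that the quoted wildcard patterns match real paths. The script reads the WinDefend and WdNisSvc service image paths via WMI (readable without elevation, unlike the protected Defender process), tests them against the patterns exactly as quoted in the post, checks whether each pattern matches a file on disk, and lists the version-numbered Platform folders that the `*` stands for. The function names and the `$AppGuardPatterns` variable are mine; the four patterns are copied from the post. Only MsMpEng.exe and NisSrv.exe are service images, so the mpcmdrun.exe and mpengine.exe patterns are checked by file existence only.

```powershell
# Added example (not from the thread or from AppGuard): confirm on this machine
# that the Defender binaries run from ProgramData (user space) and that the four
# wildcard exclusions quoted from AppGuard Support match real paths. Read-only.

# The exclusion patterns exactly as quoted in the AppGuard Support reply.
$AppGuardPatterns = @(
    'c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe',
    'c:\programdata\microsoft\windows defender\platform\*\mpcmdrun.exe',
    'c:\programdata\microsoft\windows defender\platform\*\nissrv.exe',
    'c:\programdata\microsoft\windows defender\platform\scans\mppayloaddata\mpengine.exe'
)

function Get-DefenderServicePath {
    # WinDefend = Antimalware service (MsMpEng.exe); WdNisSvc = Network Inspection (NisSrv.exe).
    # Win32_Service.PathName is readable without elevation, unlike the PPL process image path.
    foreach ($svc in 'WinDefend', 'WdNisSvc') {
        $s = Get-CimInstance Win32_Service -Filter "Name='$svc'"
        if ($null -eq $s) { continue }
        # PathName may be quoted and may carry arguments; keep only the executable.
        $exe = if ($s.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($s.PathName -split ' ')[0] }
        [pscustomobject]@{ Service = $svc; State = $s.State; Path = $exe }
    }
}

function Test-DefenderInUserSpace {
    foreach ($item in Get-DefenderServicePath) {
        # -like is case-insensitive and treats '*' as a wildcard, as the AppGuard rule does.
        $matched = $AppGuardPatterns | Where-Object { $item.Path -like $_ }
        [pscustomobject]@{
            Service       = $item.Service
            State         = $item.State
            Path          = $item.Path
            InProgramData = $item.Path -like "$env:ProgramData\*"
            CoveredByRule = [bool]$matched
        }
    }
}

$report = Test-DefenderInUserSpace
$report | Format-Table -AutoSize

# Does each quoted pattern match at least one file on disk right now?
# Test-Path expands '*', so the version-numbered Platform folder is found.
foreach ($p in $AppGuardPatterns) {
    [pscustomobject]@{ Pattern = $p; FileExists = (Test-Path -Path $p) }
}

# The Platform\<version> folder name changes with every platform update, which is
# why the rules use '*' rather than a fixed version directory.
Get-ChildItem "$env:ProgramData\Microsoft\Windows Defender\Platform" -Directory -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime

foreach ($r in $report) {
    if ($r.InProgramData -and -not $r.CoveredByRule) {
        Write-Warning "$($r.Service) runs from user space but none of the quoted patterns matches $($r.Path)"
    }
}
```

If a service path shows InProgramData = True but CoveredByRule = False, the binary has moved somewhere the quoted patterns do not reach and the exclusion list needs revisiting; if FileExists is False for a pattern, that file simply is not present on this build, which is worth knowing before adding a rule for it.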
