Most important layers in security setup

J

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
Andy Ful said:
Yes, for users who are going to run script files by themselves (casual users). Yet, this kind of protection can be bypassed when the script is run by opening documents, media files, or shortcuts. Disabling the second possibility is not easy. The stronger script blocking can be done by blocking the script interpreters by hash. The other way (not recomended) is blocking script engine DLLs.
Click to expand...
Agree.
 
  • Like
Reactions: Andy Ful
Windows_Security

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Ironic conclusion that IMO the most effective protection against embedded code/scripts in rich content document/files comes from free programs like SysHardener and OSArmor (with anti-exe) and or DocumentsAntiExploit and HardConfigurator (using Windows Software Restriction Policies).

Question to @Andy Ful
Does HardConfigurator also removes user write access to RunOnce, Run, Run Only etc registry entries in HKCU (so only elevated software/admin users can change it)?

Regards Kees
 
Last edited:
  • Like
Reactions: plat, harlan4096, Gandalf_The_Grey and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
Windows_Security said:
...
Question to @Andy Ful
Does HardConfigurator also removes user write access to RunOnce, Run, Run Only etc registry entries in HKCU (so only elevated software/admin users can change it)?

Regards Kees
Click to expand...
I thought about it, because those Registry keys are often used to run the malware after reboot.
Unfortunately, also many legal software and sometimes Windows processes (especially after updates) can also use RunOnce or Run keys to do something after reboot on the particular user account. That would be a problem, because removing user write access would block silently any changes in those keys.So, they are not blocked in Hard_Configurator, but the payload which would try to start with Windows, will be blocked in the UserSpace.

Yet, monitoring/checking those Registry keys and some others would be an important security layer. I usually do this via Sysinternals Autoruns.

Regards.(y)
 
  • Like
Reactions: Gandalf_The_Grey, harlan4096 and shmu26

Similar threads

Bot
    • Like
Paint app update adding support for layers and transparency begins rolling out to Windows Insiders
Replies
0
Views
291
Windows 11
Bot
Bot
J
    • Like
Advice Request Which apps to whitelist in Simplewall to keep system secure?
Replies
2
Views
375
General Security Discussions
JordanMason8
J
Practical Response
    • Like
    • +Reputation
    • Hundred Points
Serious Discussion Security configuration Gurus
Replies
38
Views
1,689
General Security Discussions
Practical Response
Practical Response

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top