NoVirusThanks OSArmor
Windows_Security wrote (post 702763):

@NoVirusThanks

Andreas, thanks, the new variables work like a charm. I have two questions.

1. The medium IL system processes are not protected by UAC from side-by-side attacks (e.g. by poisoned Office documents clicked on as a normal user). Does blocking the start of medium IL processes (explorer, svchost, etc.) from user folders provide any real-world protection?
2. OS_Armor (like many security programs) has trouble with "unsigned" Windows processes like Windows Explorer (explorer.exe) which have catalog signing (C:\Windows\System32\catroot), so I added %parentprocess% to include Windows Update processes as Exclusions. Did I include all Windows Update processes (too few or too many)?

Click on the spoiler to see the above two rules.

Spoiler:

Custom
; Block executables from data partitions F (files) and P (Private) on second hard disk
[%PROCESSFILEPATH%: F:\*]
[%PROCESSFILEPATH%: P:\*]

; Block executables from my user folders on C drive
[%PROCESSFILEPATH%: C:\Users\*]

; Block Medium IL (often attacked) system process launch from user folders
[%PROCESS%: *\explorer.exe] [%PARENTFILEPATH%: C:\Users\*]
[%PROCESS%: *\svchost.exe] [%PARENTFILEPATH%: C:\Users\*]
[%PROCESS%: *\dwm.exe] [%PARENTFILEPATH%: C:\Users\*]
[%PROCESS%: *\schtasks.exe] [%PARENTFILEPATH%: C:\Users\*]

Exclusions
; allow spawning of printer, web browser and PDF reader by already installed programs
[%PROCESS%: C:\Windows\splwow64.exe] [%PARENTFILEPATH%: C:\Program Files\*]
[%PROCESS%: C:\Program Files\Chromium\chrome.exe] [%PARENTFILEPATH%: C:\Program Files\*]
[%PROCESS%: C:\Program Files\Utilities\SumatraPDF.exe] [%PARENTFILEPATH%: C:\Program Files\*]

; allow signed processes of Windows and system programs to update automatically
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Windows]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Corporation]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Dynamic Code Publisher Corporation]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Windows Third Party Application Component]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Intel(R) Smart Connect software]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Intel Corporation - Software and Firmware Products]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Intel Corporation - Intel® Management Engine Firmware]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Intel Corporation - Software and Firmware Products]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Broadcom Corporation]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Realtek Semiconductor Corp]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: NoVirusThanks Company Srl]

; allow Microsoft Windows Update and installer parent processes
[%PROCESSFILEPATH%: C:\Users\*] [%PARENTFILEPATH%: C:\Windows\System32\wuauclt.exe]
[%PROCESSFILEPATH%: C:\Users\*] [%PARENTFILEPATH%: C:\Windows\System32\wusa.exe]
[%PROCESSFILEPATH%: C:\Users\*] [%PARENTFILEPATH%: C:\Windows\servicing\TrustedInstaller.exe]
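As an added example (not from the post and not OSArmor's own code), the script below parses rule lines in the bracketed [%VARIABLE%: glob] syntax shown above and evaluates constructed process-start events against a cut-down copy of the Custom and Exclusions lists, so the effect of the explorer.exe parent-path rule and of the signer and Windows Update exclusions can be checked offline. It assumes a simplified model: every condition on a rule line must match (AND), an exclusion takes precedence over a Custom block rule, patterns are case-insensitive globs, and %PROCESS% and %PROCESSFILEPATH% both carry the full image path; OSArmor's real evaluation order may differ.

```python
import fnmatch
import re

# Constructed rule lines in the bracketed [%VARIABLE%: glob] syntax used in the post.
BLOCK_RULES = r"""
; Block executables from my user folders on C drive
[%PROCESSFILEPATH%: C:\Users\*]
; Block medium IL system process launch from user folders
[%PROCESS%: *\explorer.exe] [%PARENTFILEPATH%: C:\Users\*]
[%PROCESS%: *\svchost.exe] [%PARENTFILEPATH%: C:\Users\*]
"""
EXCLUSION_RULES = r"""
; allow signed Microsoft binaries to update from user folders
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Corporation]
; allow children of the Windows Update client
[%PROCESSFILEPATH%: C:\Users\*] [%PARENTFILEPATH%: C:\Windows\System32\wuauclt.exe]
"""

COND_RE = re.compile(r"\[%(\w+)%:\s*([^\]]+?)\s*\]")

def parse_rules(text):
    """Each non-comment line becomes one rule: a dict of VARIABLE -> glob pattern."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            conds = {var.upper(): pat for var, pat in COND_RE.findall(line)}
            if conds:
                rules.append(conds)
    return rules

def rule_matches(rule, event):
    """All conditions of a rule must hold; Windows paths compare case-insensitively."""
    return all(fnmatch.fnmatchcase(event.get(var, "").lower(), pat.lower())
               for var, pat in rule.items())

def make_event(image_path, parent_path, signer=""):
    """Assumed event model: %PROCESS% and %PROCESSFILEPATH% both hold the full image path."""
    return {"PROCESS": image_path, "PROCESSFILEPATH": image_path,
            "PARENTFILEPATH": parent_path, "FILESIGNER": signer}

BLOCK = parse_rules(BLOCK_RULES)
EXCL = parse_rules(EXCLUSION_RULES)

def decide(event, block_rules=BLOCK, exclusion_rules=EXCL):
    """Assumed precedence: a matching exclusion allows, otherwise a matching block rule blocks."""
    if any(rule_matches(r, event) for r in exclusion_rules):
        return "allow (excluded)"
    if any(rule_matches(r, event) for r in block_rules):
        return "block"
    return "allow"
```

With these rules, explorer.exe started by a binary under C:\Users is blocked by the parent-path rule, while the same binary started by userinit.exe from System32 is untouched, and an unsigned updater under the user profile is blocked unless it carries one of the excluded signers or is launched by wuauclt.exe.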