- Aug 30, 2012
> All these scripts and programs people have listed here are just scams. They don't work and they don't improve your security. Instead they will make your security worse.

Elaborate your findings, please.

Please provide comments and solutions that are helpful to the author of this topic.
> AG is a very good commercial product (paid). Both AG and H_C can be locked/unlocked with one click. H_C can be configured with 2 clicks (Recommended settings). H_C is more restrictive for the user actions than AG, and less restrictive for the system processes than AG. Both have some unique features. I think that AG can be more usable for many people, but there are some people who think otherwise.

Different strokes for different folks. I'll take my chances. Best Buy has better customer service than Fry's Electronics, but it doesn't change the fact that Fry's has better stuff. AG has given me no issues so far. A couple of post-factory entries and I'm good to go. Less effort than H_C to set up, and less effort to lock/unlock. It's a mature and polished product, which I appreciate. I like working with my computers, rather than working on them. I get more than my share of that as is.
> All these scripts and programs people have listed here are just scams. They don't work and they don't improve your security. Instead they will make your security worse.

Sorry to put my discourse in this manner, but I don't think you have any prior experience, knowledge, evidence or expertise in suggesting the software is a "scam". Hard_Configurator, AppGuard et al. increase the security of a computer massively, depending on one's implementation of the computer setup.
> AG is a very good commercial product (paid). Both AG and H_C can be locked/unlocked with one click. H_C can be configured with 2 clicks (Recommended settings). H_C is more restrictive for the user actions than AG, and less restrictive for the system processes than AG. Both have some unique features. I think that AG can be more usable for many people, but there are some people who think otherwise.

Yah, I'm more concerned about system processes than user actions. Nobody knows my admin password but my wife and me, I research before I install/run, and my wife doesn't install anything; so I don't need protection from myself. Fileless malware is my biggest concern.

> Yah, I'm more concerned about system processes than user actions. Nobody knows my admin password but my wife and me, I research before I install/run, and my wife doesn't install anything; so I don't need protection from myself. Fileless malware is my biggest concern.

In the home environment (almost) all malware is started by user actions, so initially it can run only with standard privileges. So, it is far better and safer to restrict user actions, because this does not disturb Windows system processes, Windows Updates and administrative scheduled tasks. The malware/exploit cannot run because of those restrictions, so it cannot get higher privileges either.
> Besides Cfw/cs is there any standalone software that is considered Default/Deny or can be configured that way?
> Just curious as many here like the concept.

What are Cfw/cs?

> What are Cfw/cs?

Comodo Firewall, configured as recommended by @cruelsister.
> In the home environment (almost) all malware is started by user actions, so initially it can run only with standard privileges. So, it is far better and safer to restrict user actions, because this does not disturb Windows system processes, Windows Updates and administrative scheduled tasks. The malware/exploit cannot run because of those restrictions, so it cannot get higher privileges either.
> If you want to apply restrictions with high privileges then you cannot restrict user actions as much as with standard privileges, because this could break something in the system. But such restrictions are necessary for enterprise users, because the computers in a large local network can be attacked with high privileges (remotely).

True. And if I ran an admin account, shared my admin password, or had UAC turned down, then I would have greater cause for concern. But I don't. Now, since I run Chrome with its sandbox and site isolation, along with Malwarebytes Browser Extension, Bitdefender TrafficLight, WoT, and Quad9 DNS, I realize my chances of landing on a malicious page are slim from the get-go. And if I do land on a malicious page, or a legitimate page infected by a third party, the malware on that page has to be able to defeat MBBE and BDTL, escape the sandbox, and execute.

It's a tall order, but not impossible. And since my processor is vulnerable to Meltdown and Spectre, not to mention how much harder it is to detect fileless malware, I don't feel like waiting until a working drive-by download kit enters the wild. There's something I can do about it now. And I'm doing it. Blue Ridge acknowledges that, once Spectre executes, nothing can stop it. But because certain events have to take place before Spectre can take hold, a proactive program like AG has as good a chance as any of stopping it before it's too late. And since the OP specifically asked about default-deny alternatives to Cruel Comodo, this is material information. Cheers!

> > All these scripts and programs people have listed here are just scams. They don't work and they don't improve your security. Instead they will make your security worse.
> That's just simply not correct.

IMHO the best way to address posts like this is to ignore them.

Edit: Oops, I didn't go to the next page to see that this had already been addressed.
> There are some baddies going around that exploit Chrome's Extension System and can cause some serious issues. A symptom of it is that your Chrome browser says it is managed by your organization.
> It seems to also get beyond default-deny systems but I guess we would need to test it more. I ran into a system that was impacted by such a beast. Also it can impact Android, iOS, Windows and Chromebooks.
> ...

Modifying policies requires malware that could get access to admin rights. In most cases, it is malware that has already infected the system outside the web browser and wants to infect the web browser by installing the malicious extension. It can also be done without modifying policies, but doing it via policies can probably be harder for AVs to detect.

The default-deny system will easily prevent modifying policies because it will block the initial malware in the first place.

Edit.

I do not use Chrome, but maybe there is a Chrome security flag that disables the policy feature? If not, then it should be implemented, because home users do not use the policy feature, and they are vulnerable for nothing.
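Added example, not from this thread and not part of any product discussed here: a PowerShell check that lists entries in Chrome's ExtensionInstallForcelist policy, the mechanism behind the "managed by your organization" symptom above. The registry paths are Chrome's documented policy locations (Chrome reads both hives); the function name is my own.

```powershell
# Added example (not from the thread): audit the Chrome policy key that can
# force-install extensions. On a home PC this key should normally not exist.
function Get-ChromeForcedExtensions {
    $hits = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those
            if ($p.Name -like 'PS*') { continue }
            # Each value is "<32-char extension id>;<update URL>"
            $id, $url = ([string]$p.Value) -split ';', 2
            $hits += [pscustomobject]@{
                Hive        = $hive
                Index       = $p.Name
                ExtensionId = $id
                UpdateUrl   = $url
            }
        }
    }
    return $hits
}

$forced = @(Get-ChromeForcedExtensions)
if ($forced.Count -eq 0) {
    Write-Output 'No ExtensionInstallForcelist policy present; nothing is force-installing extensions.'
}
else {
    Write-Output 'Force-installed extension entries (this is what makes Chrome report it is managed):'
    $forced | Format-Table -AutoSize
    Write-Output 'Cross-check any unfamiliar ID at chrome://policy and chrome://extensions before removing the entry.'
}
```

A legitimate corporate build or a security product that installs its own browser extension may populate this key too, so compare the extension IDs against what you expect before treating an entry as malicious.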
> Did you try it against AppGuard with tweaked settings?

I did not test AppGuard for over a year. I could bypass AppGuard default protection by using scriptlets and LOLBins, but this can be easily prevented by adding some LOLBins to guarded applications and some to the User Space. It is hard to bypass a properly configured AppGuard, but like any security, it can be bypassed in a targeted attack. Anyway, most attackers will find another target, which will be easier to bypass.

Exploiting Chrome via the policy feature has nothing to do with AppGuard protection, because Chrome processes are not protected by AppGuard directly. So, if the malware could bypass AppGuard and get access to admin rights, then next it could change the policies to infect Chrome. The same is true for most default-deny solutions.
> OK so this config would not stop it?
> c:\Windows\*\bitsadmin.exe
> c:\Windows\*\powershell.exe
> c:\Windows\*\powershell_ise.exe
> c:\Windows\*\wscript.exe
> c:\Windows\*\cscript.exe
> c:\Windows\*\mshta.exe
> c:\Windows\*\hh.exe
> c:\Windows\*\wmic.exe
> c:\Windows\*\scrcons.exe

These blocked LOLBins are the most common, so most attacks will be stopped.
> How do you run Chrome in sandbox mode and site isolation?

They should be enabled by default. You can double-check on site isolation by going to "chrome://process-internals" (without quotes); it should say "Site Isolation mode: Site Per Process."
> I love VS,
> the reason I'm currently preferring Comodo Cloud over VS is for 1 simple reason.
> unknown files are run sandboxed 'automatically', whereas on VS > if you allow the wrong unknown file - you're toast. (I'm hoping such a feature will pop into v.5.0 but for now, I'm giving CCAV a try & I really like it lol)
> I like what Dan is doing with VS - let's see if he does go that route too. (maybe a more user friendly modern UI too)

If you're not sure whether a file is malicious or not, when VS blocks a file you can first allow it to run in Cuckoo Sandbox. If the verdict comes back clean, you can use the file; if the verdict comes back malicious, you shouldn't run it.