Paranoid Banking Computer.

You have successfully built a "digital fortress" that can survive the End-of-Life of Windows 10.

Most work was done/recommended for Enterprises by Microsoft.
I only added:
  • NextDNS as the default-deny domain blocker, which is a nice addition to Microsoft Defender Network Protection.
  • Blocking Console Window Host (conhost.exe) on the kernel level, which can effectively blind the attackers at the post-exploitation stage.
 
Paranoid banking on the new computer (Windows + Linux in VirtualBox).

As was mentioned in the OP, instead of using Windows OS, it is possible to use Linux, etc.
One of the available solutions is as follows:
  1. Install VirtualBox.
  2. Create a VM with any small reputable Linux distro.
  3. Install the AdGuard AdBlocker extension in the browser.
  4. Deactivate blocking of ads and trackers in AdGuard.
  5. Use the user rule: ||*^$all
  6. Add to the AdGuard Allowlist the banking website and some other necessary websites.
  7. Set a free DOH in the browser.

Point 4 is necessary because AdGuard uses blocking lists with a combination of block/allow rules. For example, the "abc" TLD can be generally blocked except for some trusted websites. Those rules will bypass the global blocking rule from point 5. After applying point 4, those trusted websites will be blocked (trusted websites might be compromised).



To whitelist any concrete website, just copy the blocked domain from the AdGuard block page and paste it into the AdGuard Whitelist.

[Screenshot: AdGuard Allowlist]


In the above example, I skipped the banking domain, but added MalwareTips and domains needed to run Office Apps online.

REMARKS.
The "Proceed anyway" button can sometimes temporarily allow the blocked website.
The default-deny rules work only in the browser and not system-wide, like in paranoid banking with Windows OS. However, the Linux VM is well isolated from the real system, so this should not impact the security.
 
You can also do this with uBlock Origin Lite, just enter these 1 DNR rules:

Code:
action:
  type: block
condition:
  urlFilter: ^
  resourceTypes:
    - csp_report
    - font
    - image
    - main_frame
    - media
    - object
    - other
    - ping
    - script
    - stylesheet
    - sub_frame
    - webbundle
    - websocket
    - webtransport
    - xmlhttprequest
---
action:
  type: allow
condition:
  requestDomains:
    - malwaretips.com
    - login.live.com
    - outlook.office.com
  resourceTypes:
    - csp_report
    - font
    - image
    - main_frame
    - media
    - object
    - other
    - ping
    - script
    - stylesheet
    - sub_frame
    - webbundle
    - websocket
    - webtransport
    - xmlhttprequest
---
 
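A simplified model of how the two rules above decide a request, as an added example that is not part of the original post and is not uBOL's or the browser's code. It assumes both rules share one priority (where allow overrides block) and that requestDomains matches a listed host and its subdomains; every hostname in the sample other than the three allowed domains is constructed.

```javascript
// Simplified model of the two DNR rules in the post (not uBOL's or the browser's code).
// Both rules list the same resourceTypes, so the resource type is ignored here.
const ALLOWED_DOMAINS = ['malwaretips.com', 'login.live.com', 'outlook.office.com'];

// Assumption: requestDomains matches a listed host and any of its subdomains.
function inDomainList(host, domains) {
  return domains.some((d) => host === d || host.endsWith('.' + d));
}

const rules = [
  // urlFilter "^" matches a separator character, which every http(s) URL contains.
  { action: 'block', matches: () => true },
  { action: 'allow', matches: (host) => inDomainList(host, ALLOWED_DOMAINS) },
];

// Assumption: both rules have the same priority, where "allow" overrides "block".
function decide(url) {
  let host;
  try {
    host = new URL(url).hostname; // lower-cased by the URL parser
  } catch {
    return 'block'; // model choice: unparsable input is never allowed
  }
  const actions = rules.filter((r) => r.matches(host)).map((r) => r.action);
  return actions.includes('allow') ? 'allow' : 'block';
}

// Constructed sample: [page that issued the request, requested URL].
const sampleRequests = [
  ['malwaretips.com', 'https://malwaretips.com/forums/'],
  ['malwaretips.com', 'https://img.malwaretips.com/logo.png'],   // subdomain
  ['outlook.office.com', 'https://OUTLOOK.office.com/mail/'],
  ['outlook.office.com', 'https://static.cdn.example/app.js'],   // third-party host
  ['(typed)', 'https://notmalwaretips.com/'],                     // suffix lookalike
  ['(typed)', 'https://login.live.com.account.example/'],         // prefix lookalike
];

// The verdict depends on the requested host only, not on the issuing page.
function audit(requests) {
  return requests.map(([page, url]) => ({ page, url, verdict: decide(url) }));
}

for (const { page, url, verdict } of audit(sampleRequests)) {
  console.log(verdict.padEnd(5), url, `(from ${page})`);
}
```

The fourth request is the case to check when an allowed site breaks: a resource that an allowed page loads from another host stays blocked until that host is added to the allow rule.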
@Andy Ful

Even simpler.
Only the first blocking rule.
Use the slider in Basic and move it to no filtering on the websites you want to allow.
In “Filtering mode details” you can check the list of excluded domains:

[Screenshots: uBOL filtering mode settings and list of excluded domains]

In this mode, uBOL does not consume CPU, RAM, or other resources compared to AG.
 