Advanced Plus Security Parsh's security config 2020

Last updated
Mar 14, 2020
How it's used?
For home and private use
Operating system
Windows 11
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
REAL-TIME
ESET Internet Security 13
NVT OSArmor
SOME-TIME
Shadow Defender
Windows Sandbox

ONE-TIME
NVT SysHardener
Manual OS Hardening

...........

DAD's Machine
Tweaked KIS + Sandboxie
...........
Firewall security
About custom security
...........
ESET's detection set to Aggressive. The FW is a significant asset.
Though I've set things to Interactive, I now get very infrequent alerts after whitelisting and blocking rules set.

ESET HIPS
  1. HIPS @ Smart mode
  2. Firewall @ Interactive mode
  3. HIPS custom rules
    1. Data folders protected from unauthorized changes (explorer.exe allowed)
    2. Explorer.exe protected from modification (multiple checks - debug/event interception/memory or state modification...)
    3. Similarly, block modification to
      1. Internet-facing apps like browsers, WPS Office (self and self-updater exceptions added using additional rules)
      2. a few system processes vulnerable to injection (a Cuckoo sandbox analysis list, svchost not monitored)
    4. Block Internet-facing apps from starting new processes or modifying other processes (exceptions for self, self updaters and print-spooler added)
    5. Block commonly exploited script interpreters
    6. Verify command-line and invoker of allowed interpreters (Ask rule, then whitelist frequents)
    7. Block child processes of some vulnerable system processes (recommended by ESET)
    8. Block most common LOLbins (Cisco Talos highlights and some from LOLBAS)
    9. Monitor execution of a few vulnerable LOLBins (referring to techniques explained in Mitre) out of the blue, verify initiator. Child processes of most are blocked as suggested by ESET.
    10. Ask when Task Scheduler folder entries are modified (off currently thanks to Kerish Doctor)
    11. Block modification of 3 registry keys pertaining to Powershell restrictions
ESET Firewall
  1. Verify app source/ reputation/ modification data shown on alert
  2. Disable/ block unnecessary Windows services connecting out
  3. Interactively allow/ save rule for system apps' (svchost etc.) connections to only microsoft and related domains (based on reverse-DNS data)
  4. Verify app source when connecting to common CDN networks and cloud host services
  5. Allow browsers and other apps to connect on required (ports) protocols only
  6. Allow 3rd party apps access to their domains only, and selectively
  7. Block common ransomware-abused system processes listed by ESET etc.
  8. Block multiple LOLBins (SysHardener, Andy's FW Hardening list)
NVT OSArmor
  1. Most options checked, including restrictions on process execution from suspicious locations, elevation restrictions ...
  2. Added system-wide block rules for famous commands/args used in known Powershell bypasses
  3. Added block rules on name/common args of known (legit) exploit and testing tools (MD5 check not a good way)
  4. Block shadow copy deletion by system processes
  5. Apps listed by MS for potentially bypassing application white-listing are blocked, including .Net framework processes
I've listed the rest of configuration in the 1st post
............
Periodic malware scanners
System Analyzers
Process Hacker / Process Explorer / SysInternals Autoruns / Comodo KillSwitch / ESET SysInspector (snapshots) / RegShot / CrowdInspect (not preferred due to bad rep) / Sanity / NVT HijackHunter
On-demand scanners
Norton Power Eraser / Zemana / HitmanPro / Malwarebytes / RKill / MetaDefender Cloud
............
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
  1. Vivaldi
    • Netcraft / Evernote / The Great Suspender / uBlock Matrix / Adguard (only for Stealth Mode)
  2. Edge
    • via WD Application Guard for risky browsing
Maintenance tools
1. Kerish Doctor for cleaning and actionable alerts on -->
  1. newly installed Services
  2. changes in Startup apps
  3. changes in Task Scheduler
  4. Host file changes
  5. DNS settings protection
  6. security settings
  7. insight into app updates
  8. removal of sensitive data ...
2. Thor Software Updater
  1. Automatically update important apps (limited list)
File and Photo backup
EaseUS ToDo Backup —
Backed up data is protected by HIPS. Write/delete access only to Imaging tool.
System recovery
EaseUS ToDo Backup —
Backed up data is protected by HIPS. Write/delete access only to Imaging tool.
Risk factors
    • Gaming
    • Logging into my bank account
    • Browsing to popular websites
    • Downloading software and files from reputable sites
    • Browsing to unknown / untrusted / shady sites
    • Working from home
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Kaspersky free + Comodo Firewall at restrictive settings had been my baseline for a year. I used to find peace in using virtualization, isolation and default-deny at the cost of experience.
Now, less of managing sandboxing FPs and rule issues of Comodo. I've shifted the paradigm to lesser real-time programs, more hardening, more ease of using PC as a user normally would (with occasional alerts). Balance. Now my mains are ESET + OSArmor.

I chose ESET since I'd never evaluated its features properly. It's light for real, provides a fairly customizable HIPS with many intuitive options. Some downsides I noticed --
  • ESET HIPS 'Ask' alerts auto-allow actions if not responded to within a minute
  • ESET is forgiving ... in another way. To reduce the no. of FPs, it sometimes bails suspicious actions it tracked. And this has been re-instantiated here and at ESET forums
Sure, ESET HIPS will have its own shortcomings due to its design. Same is the case for any such solution.
For that, I've tried to reduce the attack surfaces so that ESET has little work to do. And then, managing some FW events and one-time HIPS rules.
I've spent the last week experimenting with HIPS and learning good and bad rules (this goes on). I would recommend HIPS to be set at least to 'Smart' Mode instead of 'Automatic', to be alerted very occasionally about suspicious activities.

My other configurations are as below
  1. Unnecessary and risky Program Features disabled
  2. Unnecessary services disabled
  3. Unnecessary network protocols and provisions disabled via Network & Sharing Centre
  4. Distributed and remote access COM universally off
  5. Scripts execution universally OFF
  6. Remote assistance provisions OFF
  7. UAC at Always Notify + UAC bypass hardening as found in OSArmor
  8. Further restrictions using majority of SysHardener and OSArmor settings (+custom rules)
  9. Local Security policy changes
    1. network access - do not allow storage of credentials
    2. UAC Admin Approval Mode
    3. enter log-on screen only via Ctrl+Alt+Delete (to counter a fake screen)
  10. SecureBoot ON
  11. Smartscreen everywhere
  12. Core isolation > Memory Integrity ON (zemana has a problem with this fella)
  13. WD periodic scanning ON
  14. Hardening of browser using some flags
  15. WD Exploit protection settings for Edge (only a few, to not break regular browsing)
  1. Hyper-V VM for an isolated environment
  2. Restriction of R/W permissions over some important data, applicable to other users
  3. Using sandbox for running doubtful programs / Edge with WD App Guard for safe browsing
  4. Using NVT checksum tool to verify installers
  5. Updating OS + apps regularly
  6. Using alternatives to some popular 3rd party programs
  7. Password-protecting important data sent via mails
  8. Periodic checkup of online accounts
    1. Privacy settings
    2. 2FA
    3. 3rd party app access checks
  1. Experiment with Reg Guard & MemProtect (memory protection, indirect DLL blocking)
  2. Experiment to see if SRP/AppLocker ... would be practical for my needs. I often install software and libraries etc w.r.t. testing and programming - using extreme lockdown is a tough job
  3. Comprehensively add more LOLBAS LOLbins and some DLL-driven bypasses to blacklist using a program with such support
 
Last edited:

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
(y)(y)
Just one note.;):)
No flags for browsers?
No Command Line Switches?
I edited the post. I'm using several flags for security and privacy. Just not the strict-origin-isolation among the popular ones. It often breaks things.
AppContainer flag (not the GPU one) is not available anymore and I read that it's default. Couldn't verify using PE/PH though.
I wonder where would I benefit from using Command line switches. Do you use any?
 

Sampei Nihira

Level 6
Verified
Well-known
Dec 26, 2019
287
I edited the post. I'm using several flags for security and privacy. Just not the strict-origin-isolation among the popular ones. It often breaks things.
AppContainer flag (not the GPU one) is not available anymore and I read that it's default. Couldn't verify using PE/PH though.
I wonder where would I benefit from using Command line switches. Do you use any?


--ssl-version-min=tls1.2 -cipher-suite-blacklist=0x002F,0x0035,0x000A,0x009C,0xC014,0x009D

Yes, but in Chrome on my daughter's pc.
--ssl-version-min = tls1.2 also works in Chromium/Edge
The other that eliminates almost all the insecure cipher suites doesn't work.

Test at the link below:

 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
I think OSA is overkill, especially in light of your knowledge and experience.
I feel that a well-configured SRP / isolation / default-deny setup is required besides an AV. That's an important defense I've learnt from here. Safe habits do reduce chances of attack. However, a user like me who's using and allowing quite some 3rd party apps, libraries and surfing the web avidly without total isolation,.. that makes one vulnerable.
ESET even with hardened settings, has limitations in the scope of monitoring restricted files, among other limitations.
Also, with AVs like ESET, you cannot achieve many restrictions that you can impose on the system using OSA, I'm sure you'll agree with that.
OSA is helpful in reduce the attack surface (further than the ESET HIPS I configured with my limited knowledge and with ESET HIPS' limitation based on design) with the extensive blocking options that Andreas has compiled, and I can also add system-wide process and commandline blacklists to OSA :)
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
--ssl-version-min=tls1.2 -cipher-suite-blacklist=0x002F,0x0035,0x000A,0x009C,0xC014,0x009D
Yes, but in Chrome on my daughter's pc.
--ssl-version-min = tls1.2 also works in Chromium/Edge
The other that eliminates almost all the insecure cipher suites doesn't work.

Test at the link below:
I see. It's in relation to How to disable Chrome Browser Bundled MITM backdoor?.
Interesting, will check it. Thanks.

This can be countered by changing notification settings. Change the timeout value to never.
The alert and the notification are different. I could find only the 'Desktop Notification' timeout option and it just displays 'allowed' or 'blocked'. It's not meant to adjust timeout of the alert window that asks for user action. Let me know if I'm missing something.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
The alert and the notification are different. I could find only the 'Desktop Notification' timeout option and it just displays 'allowed' or 'blocked'. It's not meant to adjust timeout of the alert window that asks for user action. Let me know if I'm missing something.
I was a bit wrong with my description. Turn this option off like this. That does the trick for HIPS alert as well.
q.PNG
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
I was a bit wrong with my description. Turn this option off like this. That does the trick for HIPS alert as well.
View attachment 234560
I have this disabled already. Still, the action is automatically taken if I do not input mine within a minute.
It's apparently designed that way for system stability, as the ESET forum admin has indicated.
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Had a system corruption yesterday. Restoring the last backup from EaseUS Todo was a task!
The backup was on an external HDD password-protected by WesternDigital Security app. I tried removing the password on my cousin's computer. WD Discovery app detected the HDD but failed to remove the password. WD Security app failed to detect the HDD at all.
So I was left with one option, restore back to an older Windows-made System Image (C-drive) with just ESET and OSA.
After recovery, I could finally unlock the HDD on my laptop. Then, I chose to restore system using the newer image made by EaseUS Todo Backup. Did that and the system felt quite sluggish.
Hence, I went on to again restore the Windows-made system image (C-drive)(1) and this time, the recovery wizard indicated that the entire harddisk (C, D, E partitions) need to be wiped to map the partition data contained in the system image. Whaaaaa?

Such things show you that anything can go wrong and what better precautions one might want to take henceforth.
I did it (1). And now the ESET installation had some problem. Good time to test a few other suites I'm eager to... and maybe get back to mine :)
 

Parsh

Level 25
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
I like the use of OSA! I used it with ESET and I use it with Bitdefender. It's very helpful for covering extra spots.
Preventing suspicious processes, potentially dangerous actions and widely used attack vectors irrespective of the app reputation. OSA can kick almost any setup up a notch (y)
I have spun up a fully isolated Hyper-V VM with KIS... in an attempt to separate casual and important activities.
I am planning to swap ESET inside the VM. No application control, allow most used apps to run and update on their own without blocks or alerts. Just the lightness, good sigs and policy-based FW along.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top