Danger Sampei Nihira Security Config WinXP (POS Ready2009) 2020

Status
Not open for further replies.
Last updated
Dec 26, 2019
Windows Edition
Home
Operating system
Other
Log-in security
Security updates
Block all updates
User Access Control
Notify me only when programs try to make changes to my computer
Real-time security
  • Windows Firewall
  • Firewall Hardware on router
  • Primary: AdGuard DNS / Secondary: Cloudflare DNS
  • MBAE Premium - Custom Setting
  • OSA - Custom Setting
  • Black Viper's List - Some services Disabled/Manual
Firewall security
Microsoft Defender Firewall
About custom security
  • Trick POS Ready 2009 + KB4500331.
  • PsExec - Run browsers + email client with limited rights - Exceptions (OSA) for Interlink Mail News and New Moon.
  • DEP Always ON
  • SMB Protocol Disabled
  • No NET Framework Installed
  • I.E.8 No Flash + Trick 1803 (Block the downloadable executable files) + Disable script (F12 - on/off) + block execution I.E.8.
Periodic malware scanners
Hitman Pro, McAfee Stinger, HijackThis Portable, AdwCleaner v.6.0.4.7
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
New Moon 28 - (Pale Moon fork for Windows XP) Custom Setting about:config

  • Noscript
  • U.B.O.Legacy
  • Decentraleyes
  • No Resource URI Leak
  • Canvas Blocker Legacy 0.2 - Only to pass the ClientRects Fingerprint test
Maintenance tools
  • CCleaner - Many custom rules created by me
  • RegSeeker
  • Process Explorer
  • SigcheckGUI
  • Dependency Walker
  • CFF Explorer
  • Currports
  • WWDC
  • IObit Uninstaller Portable
  • Speedyfox - Custom rule for Interlink Mail News
  • SUMo Portable
  • JKDefragGUI
File and Photo backup
Pen Drive
System recovery
Acer System Backup
Risk factors
  • Logging into my bank account
  • Browsing to popular websites
  • Working from home
Computer specs
Acer Intel Celeron M380 1.60 GHz 1GB RAM
Notable changes
  1. Added some custom rules in OSA for Mimikatz Dump Lsass.exe mitigation.
  2. Added "sc" command rule block in OSA.
  3. Added rule to block execution of I.E.8 in OSA.
  4. Added rule to block msbuild.exe in OSA and the same rule on the Registry Key.
  5. Blocking rule in host file for CCleaner.
Notes by Staff Team
  1. This setup configuration may put you and your device at risk!
    We do not recommend that other members use this setup. We cannot be held responsible for problems that may occur to your device by using this security setup.

  2. This computer configuration is using an unsupported operating system. If possible, we recommend to upgrade to an operating system that is supported by its developers to remain protected from the latest threats.

ForgottenSeer 823865

I would like to bring this 3D to your attention:

Any malware can bypass signatures if properly obfuscated and encrypted; make it fileless and signed and it is guaranteed to bypass.

About Mimikatz and lsass.exe, if you use a true anti-exploit or software protecting the lsass.exe memory space like AppGuard or the Excubits tool (forgot its name), you should be OK. However, this is out of reach of most anti-exe (ERP, OSA, etc.) since they don't have any in-memory process protection (preventing lsass.exe or other processes from being read or modified).

This kind of attack is the perfect example of anti-exe limitations: they are excellent at blocking malicious parent-child processes, but it stops there. You can't rely solely on them if you want them as your main security tool (you need an anti-exploit alongside; I have been saying this for ages).
 

Sampei Nihira

Sampei Nihira,
Did you make a comparison of PaleMoon safety to other possible web browsers like K-Meleon, Maxthon 5, or Opera (ver. 36)? All are still patched for security on Windows XP.

Stay away from Maxthon especially for privacy reasons.
Roytam1 develops an XP version of K-Meleon but has inferior functionality to New Moon as you well know.
I don't know anyone who still uses Opera36 with XP.
It gave me several problems a few years ago.
 

Sampei Nihira

Any malware can bypass signatures if properly obfuscated and encrypted; make it fileless and signed and it is guaranteed to bypass.

About Mimikatz and lsass.exe, if you use a true anti-exploit or software protecting the lsass.exe memory space like AppGuard or the Excubits tool (forgot its name), you should be OK. However, this is out of reach of most anti-exe (ERP, OSA, etc.) since they don't have any in-memory process protection (preventing lsass.exe or other processes from being read or modified).

This kind of attack is the perfect example of anti-exe limitations: they are excellent at blocking malicious parent-child processes, but it stops there. You can't rely solely on them if you want them as your main security tool (you need an anti-exploit alongside; I have been saying this for ages).

The purpose of the 3D on Wilders, from post 6 onwards, is prevention, as usual.
The attacker's aim is to appropriate our Lsass.dmp.
Our aim is to block the creation of this file in our pc.
Those who have read 3D have understood that there are various ways and systems to do this.

With my Windows XP I have prevented all possible methods for creating the file except one, Process Explorer.

The method with P.E. was highlighted by me.

I do not think it is appropriate to waste time with P.E. in my OS.
If you want I can explain the reason.

Although an OS W.10 protects upstream from this type of attack, I believe that it is beneficial for Wilders and MT members to carry out some tests.

Which unfortunately only me and itman did.:unsure:
 

ForgottenSeer 823865

I will tell you honestly, 90% of the discussions in security forums (especially on Wilders, where it involves just a handful of people) are more theoretical than practical.
It is like debating about the result of a meteor impact on Earth.

Those who have read 3D have understood that there are various ways and systems to do this.
Which, after I quickly read it, seems to involve the abuse of lsass.exe, which can be easily prevented by in-memory protection software (unless I overlooked something while quickly reading).
 

Sampei Nihira

@ to All

The abuse of lsass.exe in creating the dump file with an OS W.10 is mitigated by the OS itself.
I believe in most cases, for what I recommend you check.

In an OS W.XP such abuse must be blocked in the sequence of events that can lead to the success of the attacker.
In my OS I just did this, I ran several tests.
 

Andy Ful

Stay away from Maxthon especially for privacy reasons.
...
Yes, there were some issues in the year 2016, for example:
Honestly, I read far worse things about Google Chrome, Avast, etc. Furthermore, I could not find anything suspicious about it after the year 2016 (the company is in the US). It looks like the safest browser for Windows XP and Vista (except maybe the PaleMoon).

The cons are the extensions made by unknown people. So, I would rather use the Adguard DNS, or another safe DNS.
 

Sampei Nihira

Yes, there were some issues in the year 2016, for example:
Honestly, I read far worse things about Google Chrome, Avast, etc. Furthermore, I could not find anything suspicious about it after the year 2016 (the company is in the US). It looks like the safest browser for Windows XP and Vista (except maybe the PaleMoon).

The cons are the extensions made by unknown people. So, I would rather use the Adguard DNS, or another safe DNS.

Look at this old 3D:


see my post.
Using a browser also means having functionality.;)

P.S. Pale Moon ranks better than Maxthon in your article.
 

Sampei Nihira

The Mimikatz discussion on the Wilders forum has ended.
The result for my security configuration, with one exception (P.E.), ended positively.

I hope the

@MT Security Staff

will reevaluate their assessment.:)
A kind of exception that confirms your rules.(y)

With best regards.:)


P.S. This plea of mine is very small compared to Humphrey Bogart's final plea in the movie:

 

ForgottenSeer 823865

@MT Security Staff

will reevaluate their assessment.:)
A kind of exception that confirms your rules.(y)

With best regards.:)
Don't hope too much, the actual rules are less strict than the ones I enforced when I was in charge of the security config section.
So I don't see any exceptions being made for you. The tags aren't only made to rate your config, but also to inform other members about replicating it.
Those tags aren't considering the user skills or workarounds but only the items used.
XP is vulnerable, so your config is risky.
 

Sampei Nihira

Don't hope too much, the actual rules are less strict than the ones I enforced when I was in charge of the security config section.
So I don't see any exceptions being made for you. The tags aren't only made to rate your config, but also to inform other members about replicating it.
Those tags aren't considering the user skills or workarounds but only the items used.
XP is vulnerable, so your config is risky.

I don't hope.
The ending of the film, which I have seen, and I have brought to attention is clear.
If you ask yourself "then why?"

I will answer you, if you can find that film, see it and you will know it.
 

Andy Ful

I think that it would be much easier to protect a Vista computer.
  1. Stronger design.
  2. The security patches are still available (manually via Server 2008).
  3. This is a rarely used Windows version.
  4. You can use Comodo Firewall or any AV + H_C to lock/unlock the computer in a few minutes.
1. Windows XP (for advanced swimmers only) :):
[image: tratwaXP.png]

2. Windows Vista (rarely used):
[image: WinVista.jpg]

3. Windows 7:
[image: Windows 7.jpg]
 

Outpost

@MT Security Staff
will reevaluate their assessment.:)

But why are you interested in their assessment? The thing that should matter most to you is only one: you have been using your configuration for years, and over time you have improved and mastered it. In all this time no virus or anything else has ever gone through it. So for you (who know how to use it very well) it is more than good. That's all that matters.
 

Sampei Nihira

I think that it would be much easier to protect a Vista computer.
  1. Stronger design.
  2. The security patches are still available (manually via Server 2008).
  3. This is a rarely used Windows version.
  4. You can use Comodo Firewall or any AV + H_C to lock/unlock the computer in a few minutes.
1. Windows XP (for advanced swimmers only) :):
[attachment 232414]

2. Windows Vista (rarely used):
[attachment 232415]

3. Windows 7:
[attachment 232416]

Kon-Tiki in the year 1947 crossed the Pacific to reach Polynesia:

 

Sampei Nihira

But why are you interested in their assessment? The thing that should matter most to you is only one: you have been using your configuration for years, and over time you have improved and mastered it. In all this time no virus or anything else has ever gone through it. So for you (who know how to use it very well) it is more than good. That's all that matters.

I think it's a matter of justice.
But if I have to be honest I don't know it well.
It is as if something is not in the right place.

I have read of Security Configurations that use W.10 which may be more at risk than mine.
 

Outpost

Kon-Tiki in the year 1947 crossed the Pacific to reach Polynesia:

"Amateurs built the Ark and it was the professionals that built the Titanic" ;)

I think it's a matter of justice...

...I have read of Security Configurations that use W.10 which may be more at risk than mine.

I see. I feel the same way.
 

Sampei Nihira

I solved the Mimikatz dump lsass.exe problem with Process Explorer.:):)

You won't believe it but the idea came to me before I fell asleep.

I entered a general blocking rule for Process Explorer.
At the same time, an exception to my Process Explorer path was added.

The mitigations in this case are so varied that any attack would be impossible.

- P.E. works only in my path.

- The latest versions of P.E., although they start in W.XP, malfunction; an attacker will hardly be able to know this because the "systeminfo" command does not work in W.XP.
And even if it works, in OSA there is a specific rule.
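A small Python model of the rule ordering described in this post and in the thread's "Notable changes" list: a general block on a tool with a single exception for one known path, plus the "sc" and msbuild blocks. This is an added example, not OSA's engine or the author's actual rules; the tool path and the launch events are constructed for illustration.

```python
"""Model of an anti-exe allowlist: path exceptions checked before general blocks.
Not OSA's engine; rule set, paths and events are constructed for illustration."""
from dataclasses import dataclass
from ntpath import basename, normcase, normpath
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "block" or "allow"
    image: str                  # image file name the rule applies to
    path: Optional[str] = None  # exact full path for an exception; None = any path


# Rule set mirroring the post: block Process Explorer everywhere except the
# author's own copy (constructed path), and block sc.exe / msbuild.exe outright.
RULES = [
    Rule("allow", "procexp.exe", r"C:\Tools\SysInternals\procexp.exe"),
    Rule("block", "procexp.exe"),
    Rule("block", "sc.exe"),
    Rule("block", "msbuild.exe"),
]


def _norm(path):
    # Windows paths are case-insensitive and accept both separators, so
    # compare in canonical form or the path exception silently misses.
    return normcase(normpath(path))


def decide(image_path, rules=RULES):
    """Return 'allow', 'block' or 'no_rule' for one process-launch event.
    Exceptions (allow rules bound to a path) are evaluated before general blocks."""
    name = basename(_norm(image_path))
    for rule in sorted(rules, key=lambda r: r.action != "allow"):
        if normcase(rule.image) != name:
            continue
        if rule.path is None or _norm(rule.path) == _norm(image_path):
            return rule.action
    return "no_rule"


# Constructed launch events as an anti-exe would see them.
EVENTS = [
    r"C:\Tools\SysInternals\procexp.exe",       # allowed copy
    r"c:\tools\sysinternals\PROCEXP.EXE",       # same file, different case
    r"C:\Users\Public\Downloads\procexp.exe",   # copy outside the allowed path
    r"C:\WINDOWS\system32\sc.exe",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    r"C:\Windows\notepad.exe",                  # no rule applies
]

if __name__ == "__main__":
    for event in EVENTS:
        print(f"{decide(event):8} {event}")
```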
 
