Advanced Plus Security Shmu26 Config in 2018

Last updated
Dec 28, 2018
Windows Edition
Pro
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
Windows Defender with ConfigureDefender
Software Restriction Policy with Hard_Configurator
Firewall security
Microsoft Defender Firewall
Periodic malware scanners
Macrium Reflect does the job just fine...
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chrome
Edge
Maintenance tools
Hard_Configurator, SysHardener, BandiZip, PatchCleaner, autoruns
File and Photo backup
Dropbox
OneDrive
GoogleDrive
System recovery
Macrium Reflect, Timeshift (Ubuntu)
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
My rule was not quite right. It was missing the asterisk after automation
But anyways, they say that powershell can launch, even if the dll is blocked. Check out that post over on the other forum. This discussion is a little over my head :)
 
  • Like
Reactions: Deletedmessiah and Jack
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
shmu26 said:
My rule was not quite right. It was missing the asterisk after automation
But anyways, they say that powershell can launch, even if the dll is blocked. Check out that post over on the other forum. This discussion is a little over my head :)
Click to expand...
Your rule:
*>*System.Management.Automation.dll
was correct to block the System.Management.Automation.dll from loading by any program.
The rule proposed on WildersSecurity forum:
*powershell.exe>*System.Management.Automation*.dll
was correct to block both System.Management.Automation.dll and System.Management.Automation.ni.dll from loading only by powershell.exe.
The correct rule to block both DLLs from loading by any program (like fake powershell) is:
*>*System.Management.Automation*.dll
I repeated the test with all the above rules and still, powershell.exe can be executed on my system.
.
The executable powershell.exe cannot be run on my Windows version (Windows 10 Pro FCU 64-bit) when the DLL in the below location is properly blocked:
c:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
You can easily check this by yourself after renaming the above DLL (for example to !!!System.Management.Automation.dll).
 
Last edited:
  • Like
Reactions: Deletedmessiah and shmu26
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
The test on WildersSecurity forum:
MemProtect - Support & Discussion
has nothing to do with blocking System.Management.Automation.dll .
In fact, only System.Management.Automation.ni.dll was blocked - that can be seen from the log at the end of the post. This DLL is the native image (compiled version) of System.Management.Automation.dll .
.
I am not sure, but it seems that the test on Wilderssecurity forum
could be made on another Windows version - my test was made on Windows 10 FCU 64-bit.
It may be that on some Windows versions it is sufficient to block the System.Management.Automation.ni.dll (native image) to disable powershell.exe . Still, that says nothing about MemProtect ability to block .NET DLLs.
Blocking System.Management.Automation.ni.dll is nothing special, any DLL blocking soft can do it (SRP, SOB, etc.).
 
Last edited:
  • Like
Reactions: AtlBo, harlan4096, Deletedmessiah and 1 other person
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
The test on WildersSecurity forum:
MemProtect - Support & Discussion
has nothing to do with blocking System.Management.Automation.dll .
In fact, only System.Management.Automation.ni.dll was blocked - that can be seen from the log at the end of the post. This DLL is the native image (compiled version) of System.Management.Automation.dll .
.
I am not sure, but it seems that the test on Wilderssecurity forum
could be made on another Windows version - my test was made on Windows 10 FCU 64-bit.
It may be that on some Windows versions it is sufficient to block the System.Management.Automation.ni.dll (native image) to disable powershell.exe . Still, that says nothing about MemProtect ability to block .NET DLLs.
Blocking System.Management.Automation.ni.dll is nothing special, any DLL blocking soft can do it (SRP, SOB, etc.).
Click to expand...
Andy, you need to get on the other forum and talk to those people.
 
  • Like
Reactions: AtlBo, harlan4096, Andy Ful and 1 other person
Deletedmessiah

Deletedmessiah

Level 25
Verified
Top Poster
Content Creator
Well-known
Jan 16, 2017
1,469
Memprotect and Pumpernickel/Fides, how long can you use the demo? What limitations is there in demo versions?
 
  • Like
Reactions: AtlBo
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Deletedmessiah said:
Memprotect and Pumpernickel/Fides, how long can you use the demo? What limitations is there in demo versions?
Click to expand...
Sorry, I don't know why I didn't see your post before.
The demo needs to be reinstalled every year. That means reinstalling the driver, which is no big deal once you know how to do it :) , but your config file stays the same like before.
The limitation in demo is the number of characters in the config file. You need to write your rules tersely, and there is a limit how much you can squeeze in. But you can do a lot.
 
  • Like
Reactions: AtlBo, Andy Ful, silversurfer and 3 others
Deletedmessiah

Deletedmessiah

Level 25
Verified
Top Poster
Content Creator
Well-known
Jan 16, 2017
1,469
shmu26 said:
Sorry, I don't know why I didn't see your post before.
The demo needs to be reinstalled every year. That means reinstalling the driver, which is no big deal once you know how to do it :) , but your config file stays the same like before.
The limitation in demo is the number of characters in the config file. You need to write your rules tersely, and there is a limit how much you can squeeze in. But you can do a lot.
Click to expand...
Thanks! And you answered all of it two days ago on Windows Security's config :)
 
  • Like
Reactions: vtqhtr413, shmu26, illumination and 1 other person
5

509322

Andy Ful said:
Your rule:
*>*System.Management.Automation.dll
was correct to block the System.Management.Automation.dll from loading by any program.
The rule proposed on WildersSecurity forum:
*powershell.exe>*System.Management.Automation*.dll
was correct to block both System.Management.Automation.dll and System.Management.Automation.ni.dll from loading only by powershell.exe.
The correct rule to block both DLLs from loading by any program (like fake powershell) is:
*>*System.Management.Automation*.dll
I repeated the test with all the above rules and still, powershell.exe can be executed on my system.
.
The executable powershell.exe cannot be run on my Windows version (Windows 10 Pro FCU 64-bit) when the DLL in the below location is properly blocked:
c:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
You can easily check this by yourself after renaming the above DLL (for example to !!!System.Management.Automation.dll).
Click to expand...

Andy Ful said:
The test on WildersSecurity forum:
MemProtect - Support & Discussion
has nothing to do with blocking System.Management.Automation.dll .
In fact, only System.Management.Automation.ni.dll was blocked - that can be seen from the log at the end of the post. This DLL is the native image (compiled version) of System.Management.Automation.dll .
.
I am not sure, but it seems that the test on Wilderssecurity forum
could be made on another Windows version - my test was made on Windows 10 FCU 64-bit.
It may be that on some Windows versions it is sufficient to block the System.Management.Automation.ni.dll (native image) to disable powershell.exe . Still, that says nothing about MemProtect ability to block .NET DLLs.
Blocking System.Management.Automation.ni.dll is nothing special, any DLL blocking soft can do it (SRP, SOB, etc.).
Click to expand...

It is best to use block rule: *System.Management.Automation*

to avoid any unintentionally missed loading - especially given the fact that Microsoft is continually changing PowerShell and never tells anyone about the changes until it is way too little, way too late = 2 years later and there has been a major comprise due to Microsoft's undocumented this-or-that in PowerShell made 2 years prior and that it negligently didn't notify anyone about.

Microsoft is a menace to Windows security.
 
Last edited by a moderator:
  • Like
Reactions: Deletedmessiah, oldschool, harlan4096 and 1 other person
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Raiden said:
I too would like to hear what you think of it. When I tried it not long ago, I really liked it! If I didn't have a free licence for SHP, I wold have most probably purchased SPEC.
Click to expand...
I can say that it runs super light, it's a real pleasure. And it is quite configurable to various levels of protection. As for how well it actually protects, for that we need to ask the testers.
I am running it together with Software Restriction Policy (managed by Andy Ful's Hard_Configurator).
 
  • Like
Reactions: AtlBo, Sunshine-boy, Andy Ful and 6 others
I

illumination

shmu26 said:
I can say that it runs super light, it's a real pleasure. And it is quite configurable to various levels of protection. As for how well it actually protects, for that we need to ask the testers.
I am running it together with Software Restriction Policy (managed by Andy Ful's Hard_Configurator).
Click to expand...
If you're disabling vulnerable processes with SRP combined with SEPC, you're good.

It is super light and bloat free.
 
  • Like
Reactions: AtlBo, Sunshine-boy, harlan4096 and 5 others
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I updated to Win 10 1809, played around with a few AVs.
Settled on Windows Defender -- it runs very light on 1809.
Current security config:
Windows Defender with Attack surface reduction (ConfigureDefender)
Software Restriction Policy (Hard_Configurator)
Standard user account
 
  • Like
Reactions: ZeroDay, harlan4096, Windows_Security and 2 others
5

509322

shmu26 said:
I updated to Win 10 1809, played around with a few AVs.
Settled on Windows Defender -- it runs very light on 1809.
Current security config:
Windows Defender with Attack surface reduction (ConfigureDefender)
Software Restriction Policy (Hard_Configurator)
Standard user account
Click to expand...

Make a backup with Windows Backup or Macrium so you don't have to mess with configuring it again. Configuring a SUA is a pain (and the reason a lot of people won't do it, and therefore, won't even bother to create a SUA - if they even know that SUA exists).

The above is the exact config I am using on my personal laptop. Exactly. With SRP one simply does not need the overhead of AV\IS.
 
Last edited by a moderator:
  • Like
Reactions: ZeroDay, AriDfoix, erreale and 1 other person
Windows_Security

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Lockdown said:
Make a backup with Windows Backup or Macrium so you don't have to mess with configuring it again. Configuring a SUA is a pain (and the reason a lot of people won't do it, and therefore, won't even bother to create a SUA - if they even know that SUA exists).

The above is the exact config I am using on my personal laptop. Exactly. With SRP one simply does not need the overhead of AV\IS.
Click to expand...
??? So no AppGuard :oops:
 
  • Like
Reactions: ZeroDay and shmu26
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I have realized that many if not most of the PC issues that I struggle with are related directly or indirectly to my security solutions. Getting tired of that.
I am on a health-food diet: vanilla Windows Defender.
 
  • Like
Reactions: erreale, Deletedmessiah, Gandalf_The_Grey and 8 others
You must log in or register to reply here.

Similar threads

Smoke
    • Like
Advanced Plus Security Smoke's Security Config 2024
Replies
3
Views
356
PC Setup Configuration Help & Showcase
harlan4096
harlan4096
bjm_
    • Like
New Update Sandboxie-Plus 1.15.0, 1.15.1 - Pre-release
Replies
2
Views
229
Sandboxie
bjm_
bjm_
Gandalf_The_Grey
    • Like
    • Thanks
    • Wow
AV-Comparatives Advanced Threat Protection (ATP) Test 2024
Replies
0
Views
518
Security Statistics and Reports
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top