Advanced Plus Security Shmu26 Windows Config in 2019

[shmu26]

If I remember correctly it blocks 3rd party everything by default but check as I haven't had to use the default since forever (save settings on the cloud).

This is right. Out of the box it blocks 3rd party by default.
I tried it out a little. Looks good! Thanks for the suggestion.

 

[SHvFl]

This is right. Out of the box it blocks 3rd party by default.
I tried it out a little. Looks good! Thanks for the suggestion.

As usual it will be a bit annoying but the more you use it the less annoying it gets. I usually visit my normal websites from a umatrix browser and any research i want to do that will be on random websites is done on another browser (deletes on close).

 

[shmu26]

Trying out this config:
Kaspersky Internet Security 2020 with Trusted Applications Mode
Hard_Configurator (default-allow)

I don't know what magic spells they uttered over Kaspersky 2020, but it is wicked fast.

 

[harlan4096]

They have improved also the speed when TAM is enabled, I reported some slowdown when opening applications + TAM On during beta testing and in later beta builds I already noticed the increasing of speed...

 

[Andy Ful]

Trying out this config:
Kaspersky Internet Security 2020 with Trusted Applications Mode
Hard_Configurator (default-allow)

I don't know what magic spells they uttered over Kaspersky 2020, but it is wicked fast.

With KIS & TAM, you probably can skip H_C.

 

[shmu26]

With KIS & TAM, you probably can skip H_C.

Sorry Andy, I will never skip H_C

 

[Divine_Barakah]

I like it. Thanks for sharing.

 

[Andy Ful]

Sorry Andy, I will never skip H_C

Although there is some advantage of using H_C even as default-allow (hardening + blocked Sponsors + forced SmartScreen + Documents Anti-Exploit), I think that KIS & TAM would be strong enough for most users. Please note, that in default - allow setup, PowerShell should be blocked because Constrained Language Mode works only in default - deny setup.

 

[shmu26]

Constrained Language Mode works only in default - deny setup

Thanks for the info.
Besides blocking it, I also set the Windows environment variable of PSLockdownPolicy 4.

 

[Andy Ful]

Thanks for the info.
Besides blocking it, I also set the Windows environment variable of PSLockdownPolicy 4.

What exactly is your H_C default-allow setup? Could you post here the screenshot?
If you used Avast profile or Allow EXE, then it is stronger than default-allow setup.

 

[shmu26]

What exactly is your H_C default-allow setup? Could you post here the screenshot?
If you used Avast profile or Allow EXE, then it is stronger than default-allow setup.

I used Windows_10_Recommended_Enhanced.hdc as a base, but I allowed EXE and TMP, and blocked *script.exe in Sponsors, and made a couple other modifications.
What is the proper meaning of "default-allow", in terms of H_C?

 

[Andy Ful]

I used Windows_10_Recommended_Enhanced.hdc as a base, but I allowed EXE and TMP, and blocked *script.exe in Sponsors, and made a couple other modifications.
What is the proper meaning of "default-allow", in terms of H_C?

View attachment 214833

This is Allow-EXE setup. In your case, it is equal to the Enhanced default-deny setup (scripts, MSI, all files from Designated File Types List, blocked Sponsors). PowerShell works in Constrained Language Mode and only PowerShell command lines are allowed - PowerShell script files cannot be executed from hard local disks. Only EXE files are allowed to run Unrestricted.
It is a hybrid between default-deny and default-allow setup. If you would use it with Avast Hardened Mode Aggressive, then H_C + Avast = default-deny setup.

Default-allow setup has <Default Security Level> = Unrestricted. This forces PowerShell to Full Language Mode (it is not restricted any more) and all extensions from SRP Designated File Types are not protected in UserSpace except LNK files, if <More SRP ...> <Protect Shortcuts> = ON. The chosen Sponsors can be still blocked by SRP if <Block Sponsors> feature was used. Scripting can be blocked by <Disable Win. Script Host> = ON and <No PowerShell Exec> = ON or by blocking script Interpreters via <Bloc Sponsors>.
The below is a typical default-allow setup based on Enhanced profile:

 

[shmu26]

Trying out this config:
Kaspersky Internet Security 2020 with Trusted Applications Mode
Hard_Configurator (default-allow)

I had a glitch with customized Kaspersky firewall settings, so I downgraded to Kaspersky Free Antivirus 2020, coupled with Hard_Configurator (default-deny, EXE blocked).
It looks like the issue is solved, thanks to @harlan4096 the wizard. So I am checking out the 2021 technical preview...

 

[Andy Ful]

Kaspersky with activated TAM works as a kind of SRP + forced SmartScreen. It can check/block the following file types: .bat, .cmd, .com, .js, .jse, .msc, .msi, .msp, .pif, .ps1, .reg, .scr, settingcontent-ms, .vbe, .vbs, .wsf, .wsh, and maybe some more.
But it seems that .chm and .hta scriptlets are not covered.

 

[harlan4096]

Yes, that ones are not blocked...

 

[Andy Ful]

I had no time to test .cpl, .dll, .ocx, .sys, .tmp (for DLL), .tmp (for .exe). Avast Hardened Mode Aggressive can block .tmp (for .exe) but not the rest.
While activating TAM, the snapshot of executables already present on disk is made. So, these executables are automatically excluded from reputation checking, even when they are not recognized as Trusted.

 

[shmu26]

Kaspersky with activated TAM works as a kind of SRP + forced SmartScreen. It can check/block the following file types: .bat, .cmd, .com, .js, .jse, .msc, .msi, .msp, .pif, .ps1, .reg, .scr, settingcontent-ms, .vbe, .vbs, .wsf, .wsh, and maybe some more.
But it seems that .chm and .hta scriptlets are not covered.

Interesting. TAM does more than I thought.

 

[shmu26]

Unfortunately, Kaspersky's behavior is not quite as consistent as I would hope for. I have a certain program with a firewall block rule, and every once in a while, like tonight for instance, it somehow manages to connect to the internet anyways, causing my whole system to freeze and the program itself to deactivate. So it looks like I am back to:
Windows Defender with ConfigureDefender
Windows Software Restriction Policies with Hard_Configurator
.

 

[Pat MacKnife]

Does configure defender work good in W10 1903 ? and what profile to choose in configure defender

 

[oldschool]

Unfortunately, Kaspersky's behavior is not quite as consistent as I would hope for. I have a certain program with a firewall block rule, and every once in a while, like tonight for instance, it somehow manages to connect to the internet anyways, causing my whole system to freeze and the program itself to deactivate. So it looks like I am back to:
Windows Defender with ConfigureDefender
Windows Software Restriction Policies with Hard_Configurator
.

What a coincidence! I had an issue with KFA and website rendering, so it's been removed.