Shmu26's new security config

Last updated: Dec 31, 1969
Windows Edition: Pro
Security updates: Allow security updates and latest features
User Access Control: Always notify
Real-time security: VoodooShield Pro, Kaspersky Internet Security 2017, HitmanPro.Alert, standard user account, Startup Sentinel
Firewall security:
Periodic malware scanners: HitmanPro, Zemana
Malware sample testing:
Browser(s) and extensions: Chrome x64 w/appcontainer lockdown
extensions: uBlock Origin, uBlock Origin extra, HTTPS Everywhere, VTchromizer, Bitdefender TrafficLight, Animation Policy
Maintenance tools: CCleaner, Zipware
File and Photo backup: Macrium Reflect
System recovery: Macrium Reflect Home

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Great setup. Thanks for sharing.:)

I would also restrict the cmd in Kaspersky application control. I have powershell, wscript, cscript blocked & cmd in prompt. That is my setup, & it is totally up to you. :);)
thanks.
I used to block cmd as well, until I uninstalled Adobe Acrobat, and the uninstaller ran cmd, so part of the uninstall process was blocked. I think it just left some registry entries, which a registry cleaner got rid of at a later point in time...
 

shukla44

Level 13
Verified
Top Poster
Well-known
Jan 14, 2016
601
thanks.
I used to block cmd as well, until I uninstalled Adobe Acrobat, and the uninstaller ran cmd, so part of the uninstall process was blocked. I think it just left some registry entries, which a registry cleaner got rid of at a later point in time...

I know that so well (also suffered, cmd is needed quite often), so I have set it to prompt; that way I can choose if it wants to run legitimately.

Do you use interactive or automatic protection mode in Kaspersky?
 

shmu26

I know that so well (also suffered, cmd is needed quite often), so I have set it to prompt; that way I can choose if it wants to run legitimately.

Do you use interactive or automatic protection mode in Kaspersky?
I use automatic.
how do you set up cmd to prompt and not block?

on a different note, I am presently experimenting with SecureAPlus instead of Zemana AntiMalware.
what is your opinion?
I find SAP actually runs pretty light (after long initial scan is finished)
and it provides customizable anti-exe protection, as well as a certain degree of sensitive processes protection (such as powershell and cmd.exe), without blocking too many important things along on the way.
 

shukla44

I use automatic.
how do you set up cmd to prompt and not block?

on a different note, I am presently experimenting with SecureAPlus instead of Zemana AntiMalware.
what is your opinion?
I find SAP actually runs pretty light (after long initial scan is finished)
and it provides customizable anti-exe protection, as well as a certain degree of sensitive processes protection (such as powershell and cmd.exe), without blocking too many important things along on the way.

To use prompt, one has to enable Interactive Protection; otherwise prompt is considered allowed in Automatic protection. And Automatic Protection is the default protection, suffice it to say that interactive protection is for advanced users. To enable interactive protection go to Settings > General > uncheck 'Perform recommended actions automatically'. Now when you double-click an application rule in Application Control, you will see many tabs, one of them is 'Rights'. Click on the 'Rights' tab then scroll down to the bottom of it, there you will find 'Start'. Click on the green arrow, there you will see many options like allow, prompt for action, block, etc. Now select prompt for action, save the rule & now when you launch that particular application you will be prompted for its start. All this is meaningless if you have automatic protection.

On the second thing. I have used SAP for a very little time & then replaced it with Zemana & Malwarebytes, both free. In my opinion, SAP is moderate in every area, at least it was when I tested it. But you should do your own experimenting.
It all comes down to your browsing habit & your system.
 

shmu26

To use prompt, one has to enable Interactive Protection; otherwise prompt is considered allowed in Automatic protection. And Automatic Protection is the default protection, suffice it to say that interactive protection is for advanced users. To enable interactive protection go to Settings > General > uncheck 'Perform recommended actions automatically'. Now when you double-click an application rule in Application Control, you will see many tabs, one of them is 'Rights'. Click on the 'Rights' tab then scroll down to the bottom of it, there you will find 'Start'. Click on the green arrow, there you will see many options like allow, prompt for action, block, etc. Now select prompt for action, save the rule & now when you launch that particular application you will be prompted for its start. All this is meaningless if you have automatic protection.

On the second thing. I have used SAP for a very little time & then replaced it with Zemana & Malwarebytes, both free. In my opinion, SAP is moderate in every area, at least it was when I tested it. But you should do your own experimenting.
It all comes down to your browsing habit & your system.
thanks for explanations!
I did put kaspersky in interactive, and I set cmd for prompt, and indeed it worked.
but this has the side effect that when I start up chrome, I get prompts. Even if I "trust" app, and I select to remember my choice, it will prompt me again, when I start up chrome again.
 

shmu26

I uninstalled SAP
now running just KIS+HMPA
now that I have disabled also cmd.exe in Kaspersky Application Control (in addition to powershell and script interpreters), and I also have UAC at the highest setting, I think I am pretty well protected. It's going to be pretty hard for malware to do its thing.
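The post above relies on UAC being at its top slider position. As an added example (not code from this thread or from any of the products it names), here is a PowerShell check that reads the registry values behind the UAC slider and reports whether the machine really is at "Always notify". The registry path and the three value names are the standard Windows UAC policy values; the function name and its parameter are my own.

```powershell
# Added example: verify that UAC is at the "Always notify" slider position.
# The registry key and value names are the standard Windows UAC policy values;
# the function name Test-UacAlwaysNotify and its parameter are assumptions of this example.
function Test-UacAlwaysNotify {
    [CmdletBinding()]
    param(
        # Defaults to the live policy key; can be pointed at a loaded offline hive for auditing.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $p = Get-ItemProperty -Path $PolicyKey

    # EnableLUA=1 turns UAC on at all; ConsentPromptBehaviorAdmin=2 means every elevation
    # prompts for consent; PromptOnSecureDesktop=1 keeps that prompt on the secure desktop.
    # Together these three values are what the slider's top position ("Always notify") sets.
    # The default slider position is ConsentPromptBehaviorAdmin=5, and "Never notify" is
    # EnableLUA=0 with ConsentPromptBehaviorAdmin=0.
    $expected = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }

    $ok = $true
    foreach ($name in $expected.Keys) {
        if ($p.$name -ne $expected[$name]) { $ok = $false }
    }

    [pscustomobject]@{
        AlwaysNotify               = $ok
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
    }
}

# Usage: prints one object; AlwaysNotify is $true only when all three values match.
Test-UacAlwaysNotify
```

Reading the key needs no elevation, so the check can run from the standard user account listed in the config; changing the values does need an administrator, which is the point of leaving UAC at this level.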
 

shukla44

thanks for explanations!
I did put kaspersky in interactive, and I set cmd for prompt, and indeed it worked.
but this has the side effect that when I start up chrome, I get prompts. Even if I "trust" app, and I select to remember my choice, it will prompt me again, when I start up chrome again.

Good to hear. And for the prompts with chrome, it must be one of the extensions which is causing it. You have to set up an exclusion in the trusted applications. This (attached image) is my exclusion list.
Do you use sticky password? Cause I do & after setting cmd to prompt, I got prompts with chrome too, which was sticky password related so I excluded it & voila, no prompts.
 

Attachment: ScreenShot00491.jpg

shmu26

Good to hear. And for the prompts with chrome, it must be one of the extensions which is causing it. You have to set up an exclusion in the trusted applications. This (attached image) is my exclusion list.
Do you use sticky password? Cause I do & after setting cmd to prompt, I got prompts with chrome too, which was sticky password related so I excluded it & voila, no prompts.
hey, thanks
the prompt I am getting, turns out it is from a kaspersky plugin, see screenshot.
what can I do about this plugin?
 

Attachment: Capture.PNG

shukla44

hey, thanks
the prompt I am getting, turns out it is from a kaspersky plugin, see screenshot.
what can I do about this plugin?
I have chrome & kaspersky but i don't have this extension.

I can't tell anything from this. Please double-click it and then post the application info dialogue screenshot.
 

shukla44

Understood. It is a Kaspersky 2017 plugin setup. Unfortunately I have Kaspersky 2016.

Are you still getting continuous prompts from chrome?
If yes, then try adding the exclusion. In the 'Exclusions' tab, just tick 'Do not monitor application activity'. See the attached screenshot for example.
Attachment: ScreenShot00492.jpg
 

shmu26

Understood. It is a Kaspersky 2017 plugin setup. Unfortunately I have Kaspersky 2016.

Are you still getting continuous prompts from chrome?
If yes, then try adding the exclusion. In the 'Exclusions' tab, just tick 'Do not monitor application activity'. See the attached screenshot for example.
I ticked that, and also do not monitor child applications, and now things are quiet...
thanks a million
 

shmu26

I switched to COMODO Firewall, with auto-sandbox enabled globally (proactive configuration), and browsers running sandboxed.

COMODO has its quirks, but the auto-sandbox function is great. It saves you all those agonizing decisions about whether you trust the file or not. You just run your file, and it gets sandboxed. If you like it, you can take it out of sandbox later.
 

hjlbx

I switched to COMODO Firewall, with auto-sandbox enabled globally (proactive configuration), and browsers running sandboxed.

COMODO has its quirks, but the auto-sandbox function is great. It saves you all those agonizing decisions about whether you trust the file or not. You just run your file, and it gets sandboxed. If you like it, you can take it out of sandbox later.

You may like it, but it can be sandbox-(virtualization)-aware and the malicious components will lie in wait until you run it outside the sandbox. Rare, but it does happen.

There is no solution that will protect against such things except manual inspection.

This is not difficult...
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
I switched to COMODO Firewall, with auto-sandbox enabled globally (proactive configuration), and browsers running sandboxed.

COMODO has its quirks, but the auto-sandbox function is great. It saves you all those agonizing decisions about whether you trust the file or not. You just run your file, and it gets sandboxed. If you like it, you can take it out of sandbox later.

Although I'm using CCAV and not Firewall I agree, the auto sandbox is an awesome feature and works really well.
 

shmu26

it can be sandbox-(virtualization)-aware and the malicious components will lie-in-wait until you run it outside the sandbox.
right, but once you already ran your file in sandbox, and you are not under the impulse of the moment anymore, you can evaluate the file at your leisure.
 

shmu26

Although I'm using CCAV and not Firewall I agree, the auto sandbox is an awesome feature and works really well.
there is a significant difference between the sandbox of CCAV and the sandbox of CF/CIS.
credits to @yigido:
CIS sandbox is stronger than CCAV sandbox
Here is the information from CCAV homepage
"CCAV sandbox is a light weighted sandbox, it does not rely on service or filter drivers. It is implemented purely from user mode hooks. CCAV sandbox does not have COM/Service virtualization which CIS has. Besides, unlike CIS which has one global sandbox instance, different CCAV applications have their own sandbox instance while child process inherits sandbox instance from parent process"
 

askmark

there is a significant difference between the sandbox of CCAV and the sandbox of CF/CIS.
credits to @yigido:
CIS sandbox is stronger than CCAV sandbox
Here is the information from CCAV homepage
"CCAV sandbox is a light weighted sandbox, it does not rely on service or filter drivers. It is implemented purely from user mode hooks. CCAV sandbox does not have COM/Service virtualization which CIS has. Besides, unlike CIS which has one global sandbox instance, different CCAV applications have their own sandbox instance while child process inherits sandbox instance from parent process"
Thanks for pointing this out as I didn't realise there was a difference in the protection each of these sandboxes provides.
I will now be more cautious when using CCAV sandbox.
 
