softie15

> Paranoid users should block all sponsors, and delay Windows Updates. Then updating may be done with unblocked sponsors. The blocked sponsors can interfere with updates very rarely. I installed Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, several times with upgrades and hundreds of updates. Only one update in Windows 10 FCU failed (one month ago). I simply unblocked the sponsors, and the update finished successfully.
> But the most effective protection is not using MS Office, not allowing macros, and using the protected PDF viewer.
Thanks, so it sounds like you often run with many sponsors blocked. Do you happen to have a list of sponsors you block? The Hard Configurator manual shows a screenshot where I see some, but I am not sure what the complete list you happen to like is.
 

Andy Ful

> Thanks, so it sounds like you often run with many sponsors blocked. Do you happen to have a list of sponsors you block? The Hard Configurator manual shows a screenshot where I see some, but I am not sure what the complete list you happen to like is.
You can use the blacklist from the Excubits website. I used sponsors from the old Excubits list (see attachment). The entries with 3 spaces on the left were not used by me; they are on the newest Excubits blacklist.
 


softie15

> You can use the blacklist from the Excubits website. I used sponsors from the old Excubits list (see attachment). The entries with 3 spaces on the left were not used by me; they are on the newest Excubits blacklist.
Thank you! I'll go with your positive experience with the non-indented entries in your attached file and plan to add them to my setup too, in addition to cmd.exe, cscript.exe and wscript.exe!
 

softie15

Hi @Andy Ful ,

I applied your list to my system (thanks again!)

Couple questions:

(1) I noticed this pair of rules where it seems like second rule is not needed. Am I missing something?

InstallUtil*
InstallUtil.exe

(2) I noticed you prevent a standard user from opening Event Viewer. Curious why that is. It'll require the use of admin credentials to open it then, but I am guessing it's so that malware does not see events on the system?

(3) just FYI, the only thing I see blocked by SRP from Event Viewer is some Intel batch file that constantly wants to run but everything seems to work with it being blocked. Here is a thread that discusses this issue for other people too.

Thanks!

P.S. Applied list:

attrib.exe
auditpol.exe
bcdboot.exe
bcdedit.exe
bginfo.exe
bitsadmin*
bootcfg.exe
bootim.exe
bootsect.exe
ByteCodeGenerator.exe
cacls.exe
cmd.exe
csc.exe
debug.exe
DFsvc.exe
diskpart.exe
eventvwr.exe
hh.exe
IEExec.exe
iexplore.exe
iexpress.exe
ilasm.exe
InstallUtil*
InstallUtil.exe
journal.exe
jsc.exe
mmc.exe
msra.exe
MSBuild.exe
mshta.exe
msiexec.exe
mstsc.exe
netsh.exe
netstat.exe
powershell.exe
powershell_ise.exe
PresentationHost.exe
quser.exe
reg.exe
RegAsm*
regini.exe
Regsvcs*
regsvr32.exe
RunLegacyCPLElevated.exe
runonce.exe
runas.exe
*script.exe
set.exe
setx.exe
Stash*
systemreset.exe
takeown.exe
taskkill.exe
UserAccountControlSettings.exe
vbc.exe
vssadmin.exe
wmic.exe
xcacls.exe
+ from earlier discussions: cscript.exe, wscript.exe
 

Andy Ful

> (1) I noticed this pair of rules where it seems like second rule is not needed. Am I missing something?
> InstallUtil*
> InstallUtil.exe
InstallUtil* can block EXE + DLLs. But if you choose to block it, then InstallUtil.exe is not necessary.
> (2) I noticed you prevent a standard user from opening Event Viewer. Curious why that is. It'll require the use of admin credentials to open it then, but I am guessing it's so that malware does not see events on the system?
It can auto-elevate, so it may be used for bypassing UAC.
Windows UAC Bypassed Using Event Viewer | SecurityWeek.Com
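The redundancy question (1) in softie15's post and the answer above (InstallUtil* already covers the EXE and the DLLs) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from Hard_Configurator. It assumes that a rule is compared against the bare file name with case-insensitive glob matching (Python fnmatch semantics); real SRP path rules are evaluated against full paths, so this models only the name part. The list embedded in it is the one posted above plus the two names added "from earlier discussions".

```python
"""Check an SRP sponsor block-list for explicit entries that a wildcard rule already covers.

Added example, not code from the thread or from Hard_Configurator.
Assumptions: rules are compared against the file name only (real SRP path
rules are evaluated against full paths), matching is case-insensitive, and
'*' / '?' behave as ordinary glob wildcards (Python fnmatch semantics).
"""
import fnmatch

# The list softie15 applied, plus cscript.exe and wscript.exe "from earlier discussions".
SPONSORS = """
attrib.exe auditpol.exe bcdboot.exe bcdedit.exe bginfo.exe bitsadmin* bootcfg.exe
bootim.exe bootsect.exe ByteCodeGenerator.exe cacls.exe cmd.exe csc.exe debug.exe
DFsvc.exe diskpart.exe eventvwr.exe hh.exe IEExec.exe iexplore.exe iexpress.exe
ilasm.exe InstallUtil* InstallUtil.exe journal.exe jsc.exe mmc.exe msra.exe
MSBuild.exe mshta.exe msiexec.exe mstsc.exe netsh.exe netstat.exe powershell.exe
powershell_ise.exe PresentationHost.exe quser.exe reg.exe RegAsm* regini.exe
Regsvcs* regsvr32.exe RunLegacyCPLElevated.exe runonce.exe runas.exe *script.exe
set.exe setx.exe Stash* systemreset.exe takeown.exe taskkill.exe
UserAccountControlSettings.exe vbc.exe vssadmin.exe wmic.exe xcacls.exe
cscript.exe wscript.exe
""".split()


def is_wildcard(rule):
    """True for rules such as InstallUtil* or *script.exe."""
    return "*" in rule or "?" in rule


def matching_rules(filename, rules=SPONSORS):
    """All rules in the list that match the given file name, in list order."""
    name = filename.lower()
    return [r for r in rules if fnmatch.fnmatchcase(name, r.lower())]


def redundant_rules(rules=SPONSORS):
    """Explicit file names that a wildcard rule in the same list already matches.

    Returns {explicit_rule: [wildcard rules matching it]}. Such entries are
    harmless, but they add no coverage beyond the wildcard.
    """
    out = {}
    for rule in rules:
        if is_wildcard(rule):
            continue
        wild = [w for w in rules
                if is_wildcard(w) and fnmatch.fnmatchcase(rule.lower(), w.lower())]
        if wild:
            out[rule] = wild
    return out


if __name__ == "__main__":
    # InstallUtil.dll is not an explicit entry, but InstallUtil* still catches it.
    for name in ("InstallUtil.exe", "InstallUtil.dll", "cscript.exe", "notepad.exe"):
        print(f"{name:18} -> {matching_rules(name) or 'no rule matches'}")
    for explicit, wild in redundant_rules().items():
        print(f"{explicit} is already covered by {', '.join(wild)}")
```

Under these assumptions the script reports three redundant entries: InstallUtil.exe (covered by InstallUtil*) and the two names added at the end, cscript.exe and wscript.exe, which the existing *script.exe rule already matches. Adding them does no harm, but it is the same situation as the InstallUtil pair.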
 
