SRP: Protecting Windows Folder in Win 10

Status
Not open for further replies.

softie15

Level 2
Thread author
Verified
Oct 18, 2017
50
Paranoid users should block all sponsors, and delay Windows Updates. Then updating may be done with unblocked sponsors. The blocked sponsors can interfere with updates very rarely. I installed Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, several times with upgrades and hundreds of updates. Only one update in Windows 10 FCU failed (one month ago). I simply unblocked the sponsors, and the update finished successfully.
But the most effective protection is not using MS Office, not allowing macros, and using the protected PDF viewer.

Thanks, so it sounds like you often run with many sponsors blocked. Do you happen to have a list of sponsors you block? Hard Configurator manual shows a screenshot where I see some but I am not of what is the complete list you happen to like.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Thanks, so it sounds like you often run with many sponsors blocked. Do you happen to have a list of sponsors you block? Hard Configurator manual shows a screenshot where I see some but I am not of what is the complete list you happen to like.
You can use the blacklist from the Excubits website. I used sponsors from the old Excubits list (see attachment). The entries which are with 3 spaces on the left were not used by me, and are on the newest Excubits blacklist.
 

Attachments

  • blacklist.txt
    1.2 KB · Views: 595

softie15

Level 2
Thread author
Verified
Oct 18, 2017
50
You can use the blacklist from the Excubits website. I used sponsors from the old Excubits list (see attachment). The entries which are with 3 spaces on the left were not used by me, and are on the newest Excubits blacklist.

Thank you! I'll use your positive experience with non-indented entries in your attached file and plan to add them to my setup too then, in addition to the cmd.exe, cscript.exe and wscript.exe!
 
  • Like
Reactions: Andy Ful

softie15

Level 2
Thread author
Verified
Oct 18, 2017
50
Hi @Andy Ful ,

I applied your list to my system (thanks again!)

Couple questions:

(1) I noticed this pair of rules where it seems like second rule is not needed. Am I missing something?

InstallUtil*
InstallUtil.exe

(2) I noticed you prevent std user to open Event viewer. Curious why that is. It'll require to use of admin credentials to open then, but I am guessing it's so that malware does not see events on the system?

(3) just FYI, the only thing I see blocked by SRP from Event Viewer is some Intel batch file that constantly wants to run but everything seems to work with it being blocked. Here is a thread that discusses this issue for other people too.

Thanks!

P.S. Applied list:

attrib.exe
auditpol.exe
bcdboot.exe
bcdedit.exe
bginfo.exe
bitsadmin*
bootcfg.exe
bootim.exe
bootsect.exe
ByteCodeGenerator.exe
cacls.exe
cmd.exe
csc.exe
debug.exe
DFsvc.exe
diskpart.exe
eventvwr.exe
hh.exe
IEExec.exe
iexplore.exe
iexpress.exe
ilasm.exe
InstallUtil*
InstallUtil.exe
journal.exe
jsc.exe
mmc.exe
msra.exe
MSBuild.exe
mshta.exe
msiexec.exe
mstsc.exe
netsh.exe
netstat.exe
powershell.exe
powershell_ise.exe
PresentationHost.exe
quser.exe
reg.exe
RegAsm*
regini.exe
Regsvcs*
regsvr32.exe
RunLegacyCPLElevated.exe
runonce.exe
runas.exe
*script.exe
set.exe
setx.exe
Stash*
systemreset.exe
takeown.exe
taskkill.exe
UserAccountControlSettings.exe
vbc.exe
vssadmin.exe
wmic.exe
xcacls.exe
+
from earlier discussions: cscript.exe, wscript.exe
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
(1) I noticed this pair of rules where it seems like second rule is not needed. Am I missing something?
InstallUtil*
InstallUtil.exe
InstallUtil* can block EXE + DLLs. But, If you choose to block it, then InstallUtil.exe is not necessary.
.
(2) I noticed you prevent std user to open Event viewer. Curious why that is. It'll require to use of admin credentials to open then, but I am guessing it's so that malware does not see events on the system?
It can auto-elevate, so may be used for bypassing the UAC.
Windows UAC Bypassed Using Event Viewer | SecurityWeek.Com
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top