SRP vs VoodooShield

softie15

Level 2
Thread author
Verified
Oct 18, 2017
50
Hi folks, I am trying to understand the following question for Win10 Pro protection.

Say I set up SRP using the approach described at
How to make a disallowed-by-default Software Restriction Policy
(and also illustrated in a tutorial like the one at the end of this post). In short, I allow things to run only from a couple of well-known Windows locations that cannot be written to by my user account.

Is there any point in adding VoodooShield to that system? What additional benefits does VS provide then?

I understand VS prevents anything unknown from running but if I already specified I only trust those limited locations and if I cannot even write to them, what additional protection would VS provide?

My apologies if this is a dumb question.

Thanks!

P.S. Youtube video for SRP:
 

softie15

The attachment can be a 0-day executable, so scanning will fail. The best way is not bypassing the SmartScreen alert. SmartScreen has far fewer false positives than VirusTotal or Comodo File Lookup.
Learn about ways to bypass SmartScreen, and be very cautious with such downloads.

SmartScreen is turned on on my system. It's part of OS now; and I do not see what I can configure for it. So you are saying with this built-in protection, as long as I don't ignore the SmartScreen alerts, it should be (almost) as good as disabling a bunch of other sponsors from the excubits list? If you go to some site for your favorite bank or government site that wants to run some Java or Flash or something else on your box, and it happens to be recently hacked, SmartScreen would catch it? (I did not think so from its description)

To be honest, I was thinking maybe there are some additional "high value" sponsors I can block (like regedit?) which you'd recommend for avoiding a lot of other malware while keeping the system safe (since those should not be needed in user mode), but I am OK if not, too...

Now, I know you mentioned sandboxing and I am a big fan (specifically I have used Comodo and Sandboxie in the past and keep finding myself using them for more and more applications). Do you recommend other sandboxes?

Sandboxing works great for all the "regular" sites. Unfortunately, for sites where you place sensitive personal information, there is a bit of a dilemma today.
- If you use a sandboxed browser, it may help the main computer to NOT get infected by the site; but if the system already has a keylogger it can steal your password to the sensitive site.
- If you use Comodo Secure Shopping (CSS), it's the other way around: it should stop the keylogger from seeing the password if you are already infected, but then if the site itself is hacked, it may infect your computer.
So, I am not quite sure whether to use CSS or Sandboxing for accessing sensitive sites, and today there appears to be no way to use both (either sandbox inside CSS or CSS inside a sandbox). CSS is certainly the one new feature that is designed / advertised for use with such websites; but I wish they allowed it to be run inside a sandbox.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
SmartScreen is turned on on my system. It's part of OS now; and I do not see what I can configure for it. So you are saying with this built-in protection, as long as I don't ignore the SmartScreen alerts, it should be (almost) as good as disabling a bunch of other sponsors from the excubits list? If you go to some site for your favorite bank or government site that wants to run some Java or Flash or something else on your box, and it happens to be recently hacked, SmartScreen would catch it? (I did not think so from its description)
I also posted that: "Learn about ways to bypass SmartScreen, and be very cautious with such downloads."
See for example the last part of Hard_Configurator info (point A):
GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS
You do not use Edge and IE, so for you SmartScreen = SmartScreen Application Reputation (on the run). This means that it works when you try to execute some files (downloaded from the Internet) by yourself. You have to use a web browser in the sandbox for JavaScript or Flash malware. Excubits drivers also won't save you against JavaScript and Flash run in the web browser.
.
Now, I know you mentioned sandboxing and I am a big fan (specifically I have used Comodo and Sandboxie in the past and keep finding myself using them for more and more applications). Do you recommend other sandboxes?
I cannot recommend you anything to add. I would recommend you to replace Comodo HIPS with CF Sandbox, or replace CF with ReHIPS, or replace CF with Sandboxie.
.
- If you use sandboxed browser, it may help the main computer to NOT get infected by the site; but if the system already has a keylogger it can steal your password to the sensitive site.
- If you use Comodo Secure Shopping (CSS), it's the other way around: it should stop the keylogger from seeing the password if you are already infected, but then if the site itself is hacked, it may infect your computer.
- And, how will you get the keylogger into your system with your setup?
- Use SUA for daily work with different Web Browsers for secure shopping, and CSS on Admin account for banking. You can use Google Chrome for normal browsing, and Firefox only for secure shopping.
 

softie15

I also posted that :"Learn about ways to bypass SmartScreen, and be very cautious with such downloads."
See for example the last part of Hard_Configurator info (point A)
You do not use Edge and IE, so for you SmartScreen = SmartScreen Application Reputation (on the run). This means, that it works when you try to execute some files (downloaded from the Internet) by yourself. You have to use Web Browser in the sandbox for JavaScript or Flash malware. Excubits drivers also won't save you against JavaScript and Flash run in the Web Browser.

Thanks for the reminder; I forgot that SmartScreen was also described in the Hard Configurator. I semi-skipped it because I thought it only applied when I wanted to run something via right-click and I did not mind using Run-As-Admin instead in those cases, since I would only run something I know is trustworthy for sure like that. Did I misunderstand?

I cannot recommend you anything to add. I would recommend you to replace Comodo HIPS with CF Sandbox, or replace CF with ReHIPS, or replace CF with Sandboxie.

CF Sandbox = Comodo Sandbox? (CF = Comodo Firewall?)

I am a bit confused by replacing HIPS with Sandbox - I thought they are complementary, not one or the other... ?

Thanks for suggestions. I was not sure whether Sandboxie sandbox is better than Comodo.

BTW, the reason I've been leaning toward Comodo sandbox is because I already want to use its Firewall. And since I want to minimize the number of vendors I depend on, all else being equal, I'd prefer Comodo for HIPS and Sandboxing as well then... Now, I clearly deviate from that for Anti-Virus purposes, just because Comodo AV is still too young and does not perform close to Avira in AV-Comparatives tests.

- And, how you will get the keylogger in your system with your setup?

I assume that any setup online will always be vulnerable one way or another. We are just trying to minimize the chance of it but there are always holes, unpatched paths, undiscovered ways, etc. A couple of examples off the top of my head:
- a hacked bank site that runs bad flash/java which escapes from a Sandbox
- Comodo / Avira / other software distributes upgrade with malware
- Microsoft distributes upgrade with malware
but I think there are many other that you can probably come up with even better than me.

- Use SUA for daily work with different Web Browser for secure shopping, and CSS on Admin account for banking. You can use Google Chrome for normal browsing, and Firefox only for secure shopping.

Wait, CSS on Admin account for banking? If there is some malware on a bank site, that would really screw me up. Why not CSS on user account for banking?

Could you elaborate on using 2 browsers vs one? If I use FF for CSS for secure shopping and only FF in Sandbox for the rest of sites, is that really more vulnerable than using Chrome for normal browsing? (fwiw, my motivation for 1 browser - again, fewer vendors to rely on and less learning curve to figure out how to secure both browsers instead of just tuning 1 for security)

On similar subject, you had recommended Acrobat Reader Touch but I could not find much on its security when googling. However, I have this setup for Acrobat Reader DC - do you think it's not as good as Touch with these settings?

Edit > Preferences
> Javascript, uncheck "Enable Acrobat Javascript"..
> Security (Enhanced): Protected View : All Files
> Security (Enhanced): check Run in AppContainer (Beta)
> Security (Enhanced): Create Protected Mode Log File..
> Security (Enhanced): Uncheck Automatically Trust Sites from my Win OS Security Zones..
> Trust Manager: Uncheck Allow Opening of Non-PDF file attachments
> Trust Manager: Internet Access from PDF outside the web browser Change Settings button, select Block PDF file access to all web sites.

Note: with "Protected View : All Files", I think it always runs stuff in its own sandbox, and I can instead always open pdf docs in Comodo sandbox instead as well (or another Sandbox if I install it)...
 

Andy Ful

Thanks for the reminder; I forgot that SmartScreen was also described in the Hard Configurator. I semi-skipped it because I thought it only applied when I wanted to run something via right-click and I did not mind using Run-As-Admin instead in those cases, since I would only run something I know is trust-worthy for sure like that. Did I misunderstand?
SmartScreen is 0-day protection. You cannot check if 0-day malware is trustworthy using Avira + Comodo + VirusTotal. The best method I know is using the SmartScreen.
.
CF Sandbox = Comodo Sandbox? (CF = Comodo Firewall?)
I am a bit confused by replacing HIPS with Sandbox - I thought they are complementary, not one or the other... ?
Thanks for suggestions. I was not sure whether Sandboxie sandbox is better than Comodo.
CF = Comodo Firewall. If you are using the Comodo Sandbox with @cruelsister settings, then HIPS are not needed. Sandboxie is more usable and flexible than Comodo Sandbox, but not stronger.
.
Wait, CSS on Admin account for banking? If there is some malware on a bank site, that would really screw me up. Why not CSS on user account for banking?
Hacking the bank website by the hackers is far less probable than hacking the online shop webpage or hacking other websites. You probably thought about hacking your account to redirect you to the fake bank website. That is why you should use separate accounts, one for banking and the second for another activity.
.
Could you elaborate on using 2 browsers vs one? If I use FF for CSS for secure shopping and only FF in Sandbox for rest of sites, is that really more vulnerable that using Chrome for normal browsing? (fwiw, my motivation for 1 browser - again, less vendors to rely on and less learning curve to figure out how to secure both browsers instead of just tuning 1 for security)
You have to use separate sandboxes on SUA for daily Internet activities and for secure shopping. There are a few possibilities: 2 Sandboxie sandboxes for one web browser, two web browsers (Chrome + FF), etc.
It is acceptable to use CSS for secure shopping and using Google Chrome or FF (Sandboxie) for daily browsing.
.
On similar subject, you had recommended Acrobat Reader Touch but I could not find much on its security when googling. However, I have this setup for Acrobat Reader DC - do you think it's not as good as Touch with these settings?
Adobe Acrobat Reader Dc : List of security vulnerabilities
There were (and possibly are) many vulnerabilities for Adobe Reader DC, and no known vulnerabilities for Adobe Reader Touch. The second is a Universal Application, runs fully in AppContainer and has only basic capabilities. Using Adobe DC is similar to using MS Office = big attack surface. It is always safer not to use it.
 

softie15

SmartScreen is 0-day protection. You cannot check if 0-day malware is trustworthy using Avira + Comodo + VirusTotal. The best method I know is using the SmartScreen.

Sorry if I am being slow here.

HIPS or its replacement with sandbox are effectively 0-day protections, aren't they?

SmartScreen is ONLY for Run-As right clicks - is that true? If so, and if I only right-click on things I am sure of, then how is Smart Screen helping me?

If I never use Run-As-Admin for anything, would SmartScreen benefit me at all?

CF = Comodo Firewall. If you are using the Comodo Sandbox with @cruelsister settings, then HIPS are not needed. Sandboxie is more usable and flexible than Comodo Sandbox, but not stronger.

Thanks, I get it: I do like Sandboxie as more usable and flexible as you say, but at the same time, I found Comodo sandbox sufficient for the limited-computer purposes - I can easily run Virtualized Firefox for daily activities and any other program as well. For example, if I open up Adobe always via right-click and sending it to Comodo Sandbox, it's quite protected as well, right?

Since you are saying they are not known to be of different strength, it follows that my "secure" computer should stick with Comodo sandbox to avoid the extra vendor attack surface (i.e. attack via Sandboxie upgrade distributing something bad)

Hacking the bank website by the hackers is far less probable than hacking the online shop webpage or hacking other websites. You probably thought about hacking your account to redirect you to the fake bank website. That is why you should use separate accounts, one for banking and the second for another activity. ... You have to use separate sandboxes on SUA for daily Internet activities and for secure shopping. There are a few possibilities: 2 Sandboxie sandboxes for one web browser, two web browsers (Chrome + FF), etc.
It is acceptable to use CSS for secure shopping and using Google Chrome or FF (Sandboxie) for daily browsing.

Ok, I understand that and it makes sense. So, I think you agree that it's fine to use Comodo CSS with firefox for sensitive activities and Comodo Sandbox with firefox for daily activities, both running under SUA. (BTW, I just learned that the two firefoxes are using different profiles too - my bookmarks from main computer firefox never make it to firefox inside CSS.)

Where I got confused earlier was when you said to use CSS under Admin account. There if a bank site is attacked, I am afraid there is more chance to overall computer damage under Admin account instead of SUA account... but if both are run under SUA account, at least there is less damage maybe...

I am still unclear whether it's better to run CSS or second Sandbox for banking type activities. If I already have keylogger, I don't want it getting to my stuff. If I get hacked from sensitive site, I don't want it spreading to main PC. I guess both are unlikely scenarios; so hard to decide which is more important to hide from...

Adobe Acrobat Reader Dc : List of security vulnerabilities
There were (and possibly are) many vulnerabilities for Adobe Reader DC, and no known vulnerabilities for Adobe Reader Touch. The second is a Universal Application, runs fully in AppContainer and has only basic capabilities. Using Adobe DC is similar to using MS Office = big attack surface. It is always safer not using it.

Thanks for an interesting link. What I don't get is whether other vulnerabilities they cite for "Acrobat Reader" apply to Touch for example, or whether they simply never tested Touch for them!

I really wish I could find more info on Touch. I must have lost my Googling touch (pun intended)! The only page I find about Touch that is "official" is the Microsoft download one saying it was designed for Win 8 Touch capabilities and recommended LESS for computer users with keyboard and mouse. It seems like this is an unknown product that no one is looking at as far as security? I am sure I am wrong here and I am just too dumb to find the places that truly investigate this software :-(. I cannot even find it on the Adobe site other than forum posts from 2015 claiming that Touch is no longer supported.
 

Andy Ful

...
HIPS or its replacement with sandbox are effectively 0-day protections, aren't they?
The reputation service like SmartScreen is much better than HIPS or Sandbox on your computer, when checking software installers. HIPS won't warn you in many cases, and in many cases can give you false positives. The malware can detect sandbox and do nothing, or can run invisibly in the sandbox, or refuse to run because of sandbox restrictions.
.
SmartScreen is ONLY for Run-As right clicks - is that true? If so, and if I only right-click on things I am sure of, then how is Smart Screen helping me?
If you double-click the executable downloaded from the Internet via Web Browser then it will be checked by SmartScreen (on the run). If the file reputation is good, then it will be allowed to run. If not, then you will see SmartScreen alert.
How do you check files to be sure that they are clean?
.

If I never use Run-As-Admin for anything, would SmartScreen benefit me at all?
How do you want to install new programs on the computer with default-deny SRP???? The simplest method is using the Run as administrator option from the right-click Explorer context menu.
Also, you probably mix up SmartScreen with my utility RunAsSmartScreen = Run As administrator + forced SmartScreen.
RunAsSmartScreen allows running via SmartScreen the executables which are not from your computer and normally do not trigger the SmartScreen check. You probably did not read the info about SmartScreen bypasses (see point A):
GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS
.
Where I got confused earlier was when you said to use CSS under Admin account. There if a bank site is attacked, I am afraid there is more chance to overall computer damage under Admin account instead of SUA account... but if both are run under SUA account, at least there is less damage maybe...
Yes, less damage on your computer and big damage on your bank account. Your admin account is well isolated from SUA, so even when SUA is infected then you have good chances that the infection will not affect your admin account. You should not be afraid of hacking your bank website outside your computer, it is far less probable than compromising your SUA.
.
Thanks for an interesting link. What I don't get is whether other vulnerabilities they cite for "Acrobat Reader" apply to Touch for example, or whether they simply never tested Touch for them!
Read more about AppContainer. Adobe Reader Touch was made by Adobe and it is a stripped version of Adobe Reader with code converted to run in AppContainer. It has only basic capabilities and it is more secure than desktop version because:
  1. No one bothers to hack it.
  2. Fully runs in AppContainer
  3. Has fewer functions, so also less attack area.
You can also use any PDF viewer that runs in Comodo Sandbox (set to restricted).
 

softie15

Andy, thanks again for a great reply! I appreciate the time you take to educate me (and other readers) here!

The reputation service like SmartScreen is much better than HIPS or Sandbox on your computer, when checking software installers. HIPS won't warn you in many cases, and in many cases can give you false positives. The malware can detect sandbox and do nothing, or can run invisibly in the sandbox, or refuse to run because of sandbox restrictions.

There are two cases of using files from online:
(1) installing new software or upgrading existing software
(2) opening a file like PDF file or XLS file etc.

We want to prevent malware effects from both. I think Sandbox helps with 0-day attacks for (2), because vast majority of malware won't escape the Sandbox and even if it's running inside the sandbox invisibly, it does not matter, right?

For #1, please see below

If you double-click the executable downloaded from the Internet via Web Browser then it will be checked by SmartScreen (on the run). If the file reputation is good, then it will be allowed to run. If not, then you will see SmartScreen alert.
How do you check files to be sure that they are clean?

(On this secure computer) I would never execute anything downloaded from internet unless I am trying to install a given software.

For installing new software, I try to double check that
(a) downloaded file is signed by the right publisher AND
(b) downloaded file matches md5 and sha1 hash if those values are available from publisher (e.g. I love that Comodo releases those!) AND
(c) less importantly... downloaded file passes VirusTotal: yes, this won't detect a 0-day attack but in MOST cases (really ALL cases so far), I am downloading a file that has been out there for a little while and VirusTotal has seen it scanned in the past already and the Community also often has positive comments about it.

What would Smart Screen do on top of this? How would it know the file is trustworthy or not if I already see its certificate is Comodo or Microsoft etc. Would it not check similar things or check that it's in their cloud database; but what gets it to the cloud database - probably again, the same kinds of checks and maybe running it and not seeing anything suspicious?

For example, before adding to SmartScreen database, does Microsoft run every new version of every Comodo product and then somehow decide that there is no embedded keylogger there? How good is that detection?

And if so, I wonder if I can manually upload such file to Microsoft cloud to check if it's present in their SmartScreen database? (just like I would with VirusTotal)

For installing upgrade to software, I don't normally do much as the software itself downloads the upgrades and I have to rely on that process.

How do you want to install new programs on the computer with default-deny SRP???? The simplest method is using Run as administrator option from right-click Explorer context menu.

Yes, new programs I would install as an admin user. This should be a very rare operation and only after I do the steps I mentioned above. Am I wrong in thinking about above steps would be sufficient?

Also, you probably mix up SmartScreen with my utility RunAsSmartScreen = Run As administrator + forced SmartScreen.
RunAsSmartScreen allows running via SmartScreen the executables which are not from your computer and normally do not trigger the SmartScreen check. You probably did not read the info about SmartScreen bypasses (see point A):
GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS

Hmm, yes I probably did not pick up on the distinction - that's why I've been trying to ask whether SmartScreen feature applies only when I right-click on a file to run and manually pick the smart screen selection that gets exposed.

(I tried to read that section but frankly some of it I did not quite follow.)

So, I think you are saying there is a different SmartScreen setting that automatically kicks in when something gets run (i.e., NOT just when I manually run something from Explorer)? And this other option does additional checks. If so, I am happy to have that turned on! I just did not think the extra double-check for manually-invoked software would be useful in my case (and please, let me know if I am wrong on that one too)... but if there is something, Windows built-in, almost like VoodooShield, that checks all runnables against a list or cloud (and does not fail when I am OFFLINE) then I am all for it!!

Yes, less damage on your computer and big damage on your bank account. Your admin account is well isolated from SUA, so even when SUA is infected then you have good chances that the infection will not affect your admin account. You should not be afraid of hacking your bank website outside your computer, it is far less probable than compromising your SUA.

Hmm I see.. So, if you think I should switch to another account anyway (from SUA to Admin), then why not switch from SUA1 to SUA2? Is isolation between SUA accounts worse than between SUA and Admin?

Part of my concern is infecting Admin account from bank URL but another part is just being online while in Admin account. Is that not a concern? I thought a good security practice is to be online only as SUA, not as Admin?

Also, I think you are saying Comodo Secure Shopping is not going to protect me from infection all that way and a much better protection would in fact be to connect to another account.

Read more about AppContainer. Adobe Reader Touch was made by Adobe and it is a stripped version of Adobe Reader with code converted to run in AppContainer. It has only basic capabilities and it is more secure than desktop version because:
  1. No one bothers to hack it.
  2. Fully runs in AppContainer
  3. Has fewer functions, so also less attack area.

Thanks! I'll try to learn more about it. Do you know though if Touch is no longer supported? Do any security improvements made in DC ever make it into the stripped-down Touch version?

You can also use any PDF viewer that runs in Comodo Sandbox (set to restricted).

Yes! That's the only reason I have DC installed - to run it inside Comodo Sandbox... but wait! What does "set to restricted" mean in this context? I just right-click on a .pdf file and say run in Comodo Sandbox. I am not seeing an option in Comodo settings to set it to restricted vs other. Please note that I currently do NOT use auto-sandboxing (called auto-containment in latest versions), so those options do not apply to me. I only Sandbox via right-clicking the program and it shows the green border around it... Am I missing some setting here?! Thank you for bringing this to my attention!
 
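Steps (a) and (b) from the post above as an added PowerShell example (not from the thread, nor from Hard_Configurator or any vendor tool mentioned here): it validates the Authenticode chain and the signer name, then compares the file with hashes the vendor published. The publisher substring and hash values are placeholders to be filled in from the vendor's own page.

```powershell
# Added example, not from the original thread. Pre-install checks for a downloaded installer:
# (a) signature by the expected publisher, (b) match against a vendor-published hash.
function Test-InstallerBeforeRun {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,  # substring expected in the signer's Subject, e.g. 'Comodo'
        [string] $ExpectedSha256,                            # hashes as published by the vendor; leave empty if none given
        [string] $ExpectedSha1,
        [string] $ExpectedMd5
    )
    $r = [ordered]@{ Path = $Path }

    # (a) Authenticode: the chain must validate AND the signer must be the publisher you expect.
    # A valid signature made with a stolen certificate passes this check; that is the gap
    # the hash comparison and the SmartScreen reputation check are there to cover.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $r.SignatureStatus = $sig.Status
    $r.Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $r.SignatureOk     = ($sig.Status -eq 'Valid') -and ($r.Signer -like "*$ExpectedPublisher*")

    # (b) Published hash: compares the bytes on disk with the value the vendor published out of band.
    # This does not depend on the certificate. A hash copied from the same compromised download
    # page would not help, so take it from a second channel (vendor forum, release mail) when you can.
    $checks = foreach ($pair in @(@('SHA256', $ExpectedSha256), @('SHA1', $ExpectedSha1), @('MD5', $ExpectedMd5))) {
        $algo, $expected = $pair
        if ([string]::IsNullOrWhiteSpace($expected)) { continue }
        $actual = (Get-FileHash -Path $Path -Algorithm $algo).Hash
        [pscustomobject]@{
            Algorithm = $algo
            Expected  = $expected.Trim()
            Actual    = $actual
            Match     = ($actual -ieq $expected.Trim())
        }
    }
    $r.HashChecks = @($checks)
    # $null when the vendor published no hash, $true only when every supplied hash matches.
    $r.HashOk = if (@($checks).Count -eq 0) { $null } else { -not (@($checks) | Where-Object { -not $_.Match }) }

    # Verdict: signature must be right; hashes must match whenever any were supplied.
    $r.Verdict = if ($r.SignatureOk -and ($r.HashOk -ne $false)) {
        'checks passed; still let SmartScreen inspect it on launch'
    } else {
        'DO NOT RUN'
    }
    [pscustomobject]$r
}

# Usage with placeholder values (constructed for this example):
# Test-InstallerBeforeRun -Path "$env:USERPROFILE\Downloads\setup.exe" -ExpectedPublisher 'Comodo' -ExpectedSha256 '<published hash>'
```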

Andy Ful

For installing new software, I try to double check that
(a) downloaded file is signed by the right publisher AND
(b) downloaded file matches md5 and sha1 hash if those values are available from publisher (e.g. I love that Comodo releases those!) AND
...
For example, before adding to SmartScreen database, does Microsoft run every new version of every Comodo product and then somehow decide that there is no embedded keylogger there? How good is that detection?
Both a) and b) may fail with the stolen certificate. SmartScreen can accept the software when one of the below points is true:
  1. The installer has the sufficiently high reputation and is not recognized as a malware by Defender.
  2. It has high-quality digital certificate.
So in most cases, the malware won't be accepted by SmartScreen even with the stolen digital certificate.
Rarely, SmartScreen can accept a program with adware, if the program is popular among the users.
I use SmartScreen to check software installers and look at VirusTotal to see if Emsisoft or Kaspersky does not flag it as adware. The file should be on VirusTotal about 2 weeks. For example, Hard_Configurator installers (not very popular) are usually accepted by SmartScreen after one month.
.
And if so, I wonder if I can manually upload such file to Microsoft cloud to check if it's present in their SmartScreen database? (just like I would with VirusTotal)
No. Uploading the file does not increase its reputation.
.
Windows built-in, almost like VoodooShield, that check all runnables against a list or cloud (and does not fail when I am OFFLINE) then I am all for it!!
Both SmartScreen and VoodooShield are cloud dependent. SmartScreen has much fewer false positives (for installers) than VoodooShield. Also, VoodooShield checks all executables and SmartScreen not. When you finish the installation, the executables of the installed application are ignored by SmartScreen.
You probably did not see SmartScreen alert because all your installers were silently accepted by SmartScreen.
.
Hmm I see.. So, if you think I should switch to another account anyway (from SUA to Admin), then why not switch from SUA1 to SUA2? Is isolation between SUA accounts worse than between SUA and Admin?
Yes. Two SUA idea is safer.
.
Yes! That's the only reason I have DC installed - to run it inside Comodo Sandbox... but wait! What does "set to restricted" mean in this context? I just right-click on a .pdf file and say run in Comodo Sandbox. I am not seeing an option in Comodo settings to set it to restricted vs other. Please note that I currently do NOT use auto-sandboxing (called auto-containment in latest versions), so those options do not apply to me. I only Sandbox via right-clicking the program and it shows the green border around it... Am I missing some setting here?! Thank you for bringing this to my attention!
You have to ask someone who uses Comodo in this way. There should be the possibility to configure the sandbox settings.
 

softie15

Hi Andy, so, just to be clear, is SmartScreen something that gets run ONLY WHEN I explicitly click on a file in File Explorer, right? As I read more about it, it's NOT like VoodooShield which checks all your programs being run or spawned by other programs (you also mentioned this in your reply). SmartScreen only checks the file that you are explicitly opening up, is that right?

Both a) and b) may fail with the stolen certificate.

I understand that (a) can fail, but (b) would not care about stolen certificate, right?

SmartScreen can accept the software when one of the below points is true:
  1. The installer has the sufficiently high reputation and is not recognized as a malware by Defender.
  2. It has high-quality digital certificate.
So in most cases, the malware won't be accepted by SmartScreen even with the stolen digital certificate.

You said "one of", so it seems like a malware author just has to ensure "high reputation" for their stuff and avoid recognition by Defender. That seems like it could be less difficult than stealing a certificate, doesn't it? I guess I am not sure how Microsoft defines a "high quality" digital certificate.

Rarely, SmartScreen can accept a program with adware, if the program is popular among the users.
I use SmartScreen to check software installers and look at VirusTotal to see if Emsisoft or Kaspersky does not flag it as adware. The file should be on VirusTotal about 2 weeks. For example, Hard_Configurator installers (not very popular) are usually accepted by SmartScreen after one month.

I've reread Hard Configurator guide multiple times and SmartScreen is the most confusing section for me, probably because I am not quite familiar with what this feature does still. "Run As Smart Screen" vs "Run By Smart Screen" is not a clear concept to me. I think option (B) has more protection and something I would want as it protects me clicking from many more files, right?

As I understood it, under option (B), SmartScreen will test EXE, MSI, JSE, VBE files invoked by me.
The Hard Configurator manual also says it blocks other dangerous extensions independently of SRP: ADP, ADE, BAS, CHM, CRT, HLP, HTA, INF, INS, ISP, JAR, JS, MDB, MDE, MSC, MSP, MST, PCD, PS1, REG, SCT, SHS, VB, VBS, WS, WSC, WSF, WSH. But why block these if SRP already does this? Does it simply block them based on extension or check them against the SmartScreen cloud database?

Also, various sites talk about SmartScreen applying to files that are downloaded, but how does Windows know whether a file is downloaded? Would it remember its status if I downloaded it to my own directory and then renamed the file and then rebooted, for example? Or what if I bring the downloaded file over from another PC via USB disk? I assume it would not know then... ?

How do I manually setup option (B) on my system?

BTW, it seems like I DO have it turned on in some capacity apparently (due to applying some group policies):
Computer -> Admin Templates -> Windows Components -> File Explorer -> Configure Windows Defender SmartScreen -> set to Enabled with Warn and prevent bypass
Computer -> Admin Templates -> Windows Components -> Windows Defender SmartScreen -> Explorer -> Configure Windows Defender SmartScreen set to Enabled with Warn and prevent bypass
Also going to computer's Windows Defender Security Settings -> App and Browser Control -> Check Apps and files is grayed out and set to Block; same for MS Edge.

But I am not sure if this corresponds to option (A) or (B) of Hard Configurator.

No. Uploading the file does not increase its reputation.

I did not mean that I wanted to increase the reputation. I was asking if I could upload a file for Microsoft to tell me whether that file would be approved by SmartScreen. (I have not seen anything about such option when reading up on this.)

Andy Ful

From Hard_Configurator Tools
Hi Andy, so, just to be clear, is SmartScreen something that gets run ONLY WHEN I explicitly click on a file in File Explorer, right? As I read more about it, it's NOT like VoodooShield which checks all your programs being run or spawned by other programs (you also mentioned this in your reply). SmartScreen only checks the file that you are explicitly opening up, is that right?
Yes, if the file (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR, and VBE) is downloaded from the Internet via Web Browser (or from One Drive) to NTFS disk and is run from the Explorer without using command line with sponsor. So in theory, SmartScreen could block some malware files which are not run directly by the user.
Yet, in practice, it means that the above executables can be executed by most exploits without SmartScreen check because:
  1. The exploit will download the payload by not using Web Browser or another method that could mark this payload as downloaded from the Internet.
  2. Even when the payload is marked as downloaded from the Internet, it can be run anyway, by using the sponsor, like wscript.exe path\payload.vbe to bypass SmartScreen.
.
I understand that (a) can fail, but (b) would not care about stolen certificate, right?
It will also fail if the publisher website is hacked.
.
You said "one of", so it seems like a malware author just has to ensure "high reputation" for their stuff and avoid recognition by Defender. That seems like it could be less difficult that stealing a certificate, does not it? I guess I am not sure how Microsoft defined "high quality" digital certificate.
SmartScreen automatically accepts only EV digital certificates. The way to accept other new software is more complicated and it uses Artificial Intelligence.
MS SmartScreen and Application Reputation | DigiCert Blog
.
I've reread Hard Configurator guide multiple times and SmartScreen is the most confusing section for me, probably because I am not quite familiar with what this feature does still. "Run As Smart Screen" vs "Run By Smart Screen" is not a clear concept to me. I think option (B) has more protection and something I would want as it protects me clicking from many more files, right?
There are the below differences:
  1. 'Run As SmartScreen' executes the EXE and MSI files with admin rights and does not execute other files.
  2. 'Run by SmartScreen' opens/executes all files without forcing admin rights, but some of them (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR, and VBE) are forced to be checked by SmartScreen and some files with dangerous extensions (ADP, ADE, BAS, CHM, CRT, HLP, HTA, INF, INS, ISP, JAR, JS, MDB, MDE, MSC, MSP, MST, PCD, PS1, REG, SCT, SHS, VB, VBS, WS, WSC, WSF, WSH) will be blocked.
  3. Run As SmartScreen is the safer replacement of Run as administrator when using SRP.
  4. Run by SmartScreen is useful when SRP is not applied or set to default-allow (Default Security Level = Unrestricted).
.
Also, various sites talk about SmartScreen applying to files that are downloaded, but how does Windows know whether file is downloaded. Would it remember its status if I downloaded to my own directory and then renamed the file and then rebooted for example? Or what if I bring the downloaded file over from another PC via USB disk? I assume it would not know then... ?
Downloads and the Mark-of-the-Web
.
How do I manually setup option (B) on my system?
I do not understand what the above means????
.
BTW, it seems like I DO have it turned on in some capacity apparently (due to applying some group policies):
Computer -> Admin Templates -> Windows Components -> File Explorer -> Configure Windows Defender SmartScreen -> set to Enabled with Warn and prevent bypass
Computer -> Admin Templates -> Windows Components -> Windows Defender SmartScreen -> Explorer -> Configure Windows Defender SmartScreen set to Enabled with Warn and prevent bypass
Also going to computer's Windows Defender Security Settings -> App and Browser Control -> Check Apps and files is grayed out and set to Block; smae for MS Edge.
But I am not sure if this corresponds to option (A) or (B) of Hard Configurator.
Neither (A) nor (B). You simply enabled SmartScreen via GPO. It is also enabled by default in Windows.
Hard_Configurator uses an additional utility to force SmartScreen to check files. This utility works only via the Explorer context menu. It allows the user to manually check the file by SmartScreen, even when Windows would not recognize it as downloaded from the Internet. There is no Windows built-in feature that could do it.
.
I did not mean that I wanted to increase the reputation. I was asking if I could upload a file for Microsoft to tell me whether that file would be approved by SmartScreen. (I have not seen anything about such option when reading up on this.)
Uploading files does not have anything in common with SmartScreen. If you want to see if the file will be approved by SmartScreen you have to download it from the Internet via Web Browser. If you use IE or Edge, then SmartScreen alerts you after downloading the not approved file. If you use another browser, then you have to run that file, and SmartScreen alerts you when it is not approved.

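The "how does Windows know a file was downloaded" question above comes down to the Zone.Identifier alternate data stream (the Mark-of-the-Web). The PowerShell below is an added example, not code from the thread or from Hard_Configurator: it reads that stream, shows that a rename on NTFS keeps it, that Unblock-File removes it, and lists marked files in a folder. The sample file and its HostUrl are constructed.

```powershell
# Added example: inspect the Mark-of-the-Web (Zone.Identifier ADS) that browsers
# attach to downloads on NTFS and that SmartScreen looks for. Works without admin rights.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Content -Stream reads the alternate data stream; a missing stream throws,
    # which we translate into $null (no mark, so SmartScreen would not check the file)
    try {
        $raw = (Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop) -join "`n"
    } catch {
        return $null
    }
    # ZoneId 0 = Local machine, 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted
    $zone    = if ($raw -match 'ZoneId=(\d+)')   { [int]$Matches[1] } else { $null }
    $hostUrl = if ($raw -match 'HostUrl=(\S+)')  { $Matches[1] }      else { $null }
    [pscustomobject]@{ Path = $Path; ZoneId = $zone; HostUrl = $hostUrl }
}

function Find-MarkedFiles {
    # Audit helper: every file under a folder that still carries an Internet/other zone mark
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
        Where-Object { $null -ne $_ }
}

# --- constructed demo file in %TEMP% (the mark is independent of the extension) ---
$sample = Join-Path $env:TEMP 'motw-demo.bin'
Set-Content -LiteralPath $sample -Value 'constructed sample content'

# Attach a Zone.Identifier stream the way a browser does (ZoneId=3 means Internet);
# the HostUrl is a constructed placeholder
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/download"
Get-MarkOfTheWeb -Path $sample        # ZoneId 3: SmartScreen would check this file

# Renaming on the same NTFS volume keeps the ADS, so the mark survives a rename (and a reboot)
$renamed = Join-Path $env:TEMP 'motw-demo-renamed.bin'
Rename-Item -LiteralPath $sample -NewName (Split-Path $renamed -Leaf)
Get-MarkOfTheWeb -Path $renamed       # still ZoneId 3

# Copying to FAT32 (pendrive, memory card) silently drops every ADS, which is why a file
# brought over on such media arrives unmarked. Unblock-File removes the mark on purpose
# (the same thing the "Unblock" checkbox in file Properties does).
Unblock-File -LiteralPath $renamed
Get-MarkOfTheWeb -Path $renamed       # $null: no mark, no SmartScreen check from Explorer

Remove-Item -LiteralPath $renamed
```

Run `Find-MarkedFiles` against a folder to see which downloads still carry a mark; anything unmarked there would not be submitted to SmartScreen when opened from Explorer.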
softie15

--- SmartScreen ---

Thank you for the explanation and nice links, @Andy Ful ! I think the picture is more clear now. Let me try to paraphrase what I understood at the high level.

It sounds like while SmartScreen is a good MS security feature for file checking, it only acts in rather limited cases (downloaded files via Edge / Chrome explicitly opened by me). The point of Hard Configurator options (A) and (B) is a custom software you wrote to FORCE running SmartScreen in more cases, and not just on files marked as "downloaded".

There is no way to manually setup Windows to do what you did with those options A and B.

Even with your setup, only files I open explicitly are checked, not those that get started as a consequence of the file I started (e.g. if main payload is called indirectly). Main benefit of Hard Configurator option A (which would be the more applicable option for when disallow-all SRP is enabled) is when downloading software from presumably secure sites, we can double check that this install file executable is safe (but again, not what the file itself relies on if it happens to call other executables or payloads).

Again, thanks for clarifying this topic. I am hoping I got it, or at least am very close to getting it :)

--- SRP question ---

Going back to SRPs... one question that keeps bothering me - I still don't get why SRP prevents me from opening my .bat file in User space via Run As Administrator. It's not that I need this feature. I'd love to just understand why that is. SRP enforcement is explicitly set to NOT include local admins. Even the Hard Configurator guide says
"If you want to run the executable file in the User Space with SRP set to 'Basic User' or 'Disallowed', then it can be done with "Run As Administrator" option in Explorer context menu." Ok, so maybe word "executable" does not apply to .bat but only .exe's.. ?... but then in another place it says ... "Furthermore with <Recommended SRP> settings, the user cannot run files with extensions: BAT, CMD, CPL, and MSC, from the User Space ... Normally, files with those extensions can be opened using ‘Run as administrator’ from Explorer context menu."
On the other hand, in earlier post, you said "That is normal for files with extensions on DFT list (except EXE). If you want to "Run as administrator" the BAT and CMD files then simply remove those extensions from DFT."..
So, what am I missing?
Seems like .bat should run from user space if I use the Run As Administrator option, even with BAT on the DFT list.

--- Hard Configuration features ---

And last two small questions on Hard Configuration features:

- <Disable Elevation on SUA>: would Avira, Comodo, Firefox, other apps not be able to update? Especially with background updates they auto-download?
The guide says "all new installations/updates of desktop applications, should be made on 'Administrator Account' (two accounts are required)." So if updates should be made in Admin account, does this negatively affect auto-updates too?

- <Shell Extension Security>: if you happen to have it - which common apps are known to not work with this? And do I need to somehow add the regular "Windows Explorer" to the "approved" list or it's always assumed to be approved?

Andy Ful

From Hard_Configurator Tools
...
The point of Hard Configurator options (A) and (B) is a custom software you wrote to FORCE running SmartScreen in more cases, and not just on files marked as "downloaded".
I should explicitly show the (A) (B) :
"Forcing SmartScreen check can be very useful, because normally the SmartScreen Filter in Windows 8+ allows many vectors of infection listed below:
A) You have got the executable file (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR and VBE) using:

  • the downloader or torrent application (EagleGet, utorrent etc.);
  • container format file (zip, 7z, arj, rar, etc.);
  • CD/DVD/Blue-ray disc;
  • CD/DVD/Blue-ray disc image (iso, bin, etc.);
  • non-NTFS USB storage device (FAT32 pendrive, FAT32 USB disk);
  • Memory Card;
so the file does not have the proper Alternate Data Stream attached (Mark Of The Web).
.
B) You have run the executable file with runas.exe (Microsoft), AdvancedRun (Nirsoft), RunAsSystem.exe (AprelTech.com), etc
."
.
The (A) and (B) are not Hard_Configurator options, but two groups of cases when SmartScreen (in Windows Explorer) will fail. Hard_Configurator (Run As SmartScreen utility) covers only the (A) group. The (B) group is related to a special kind of EXE launchers (runas.exe, AdvancedRun, RunAsSystem.exe). The launcher executable can be checked by SmartScreen but the launched application cannot.
.
Going back to SRPs... one question that keep bothering me - I still don't get why SRP prevents me from opening my .bat file in User space via Run As Administrator.
This is the way how SRP Designated File Types list + Default Security Level = Disallowed, work for BAT, CMD, CPL, MSC files.
The user can Run as administrator those files when:
  • BAT, CMD, CPL, MSC extensions are removed from DFT list.
or
  • SRP Default Security Level is not set to Disallowed
The second is adopted in Hard_Configurator recommended settings (Default Security Level is set to Basic User).
In your settings, the BAT and CMD extensions can be safely removed from the DFT list, because the CMD host is under extended protection when Default Security Level = Disallowed. So, they will still be blocked as standard user, but allowed to Run as administrator. That is not true for CPL and MSC files, because there are no extended SRP protections for them.
.
And last two small questions on Hard Configuration features:
- <Disable Elevation on SUA>: would Avira, Comodo, Firefox, other apps not be able to update? Especially with background updates they auto-download?
The guide says "all new installations/updates of desktop applications, should be made on 'Administrator Account' (two accounts are required)." So if updates should be made in Admin account, does this negatively affect auto-updates too?
Security programs are not the standard desktop applications, because they run and update with higher rights. Generally, if you see the UAC prompt when the application wants to update, then such update will be stopped on SUA by <Disable Elevation on SUA>.
.
- <Shell Extension Security>: if you happen to have it - which common apps are known to not work with this? And do I need to somehow add the regular "Windows Explorer" to the "approved" list or it's always assumed to be approved?
Most applications will work with this setting. In the past, some applications had temporary issues with it (until they were patched).

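To see how the Designated File Types list and the Default Security Level discussed above combine on a given machine, here is an added audit script (not from the thread or Hard_Configurator). It only reads the SRP registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and reports, per extension, whether "Run as administrator" from the User Space is blocked by the combination Andy Ful describes; the function and object names are my own.

```powershell
# Added example: read the effective SRP policy and explain BAT/CMD/CPL/MSC behaviour.
# Read-only; policy changes still go through secpol.msc / gpedit.msc or Hard_Configurator.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# DefaultLevel values used by SRP: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    # Path rules live under <level>\Paths\{GUID} with the pattern in ItemData
    foreach ($lvl in $LevelNames.Keys) {
        $key = Join-Path $SaferKey "$lvl\Paths"
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem -Path $key | ForEach-Object {
            $r = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Level = $LevelNames[$lvl]; Path = $r.ItemData }
        }
    }
}

function Get-SrpPolicy {
    if (-not (Test-Path $SaferKey)) { return $null }   # no SRP policy defined at all
    $p = Get-ItemProperty -Path $SaferKey
    $default = if ($null -eq $p.DefaultLevel) { 'Unrestricted' } else { $LevelNames[[int]$p.DefaultLevel] }
    [pscustomobject]@{
        DefaultLevel    = $default
        AppliesToAdmins = ($p.PolicyScope -eq 0)          # PolicyScope 1 = all users except local admins
        EnforceDlls     = ($p.TransparentEnabled -eq 2)   # 1 = all software files except DLLs, 2 = all
        DesignatedTypes = @($p.ExecutableTypes)           # the DFT list (REG_MULTI_SZ)
        PathRules       = @(Get-SrpPathRules)
    }
}

function Test-RunAsAdminScripts {
    # Mirrors the explanation in the post above: with Default Security Level = Disallowed,
    # a BAT/CMD/CPL/MSC file that is on the DFT list cannot be launched from the User Space
    # even via "Run as administrator"; removing it from the DFT or using Basic User restores that.
    param([Parameter(Mandatory)][pscustomobject]$Policy)
    foreach ($ext in 'BAT', 'CMD', 'CPL', 'MSC') {
        $onDft = $Policy.DesignatedTypes -contains $ext   # -contains is case-insensitive
        [pscustomobject]@{
            Extension                    = $ext
            OnDesignatedFileTypes        = $onDft
            RunAsAdminBlockedInUserSpace = ($onDft -and $Policy.DefaultLevel -eq 'Disallowed')
        }
    }
}

$policy = Get-SrpPolicy
if ($null -eq $policy) {
    'No SRP policy is defined on this machine.'
} else {
    $policy | Select-Object DefaultLevel, AppliesToAdmins, EnforceDlls | Format-List
    $policy.PathRules | Format-Table -AutoSize
    Test-RunAsAdminScripts -Policy $policy | Format-Table -AutoSize
}
```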
softie15

The (A) and (B) are not Hard_Configurator options, but two groups of cases when SmartScreen (in Windows Explorer) will fail. Hard_Configurator (Run As SmartScreen utility) covers only the (A) group. The (B) group is related to special kind of EXE launchers (runas.exe, AdvancedRun, RunAsSystem.exe). The Launcher executable can be checked by SmartScreen but the launched application cannot.

Sorry for not being explicit enough. What I meant by (A) and (B) are these options from Hard Configurator manual under "Run As SmartScreen" section:

"
(A) Keep the 'Administrator' setting when SRP are activated. If so, the users can safely:
1. Run programs (with a mouse click or pressing ENTER button) which have been already installed in the System Space or put on the Whitelist.
2. Open the media files, documents, and other file types, which are not on the 'Designated File Types' list.
3. Safely install new programs from the User Space, using 'Run As SmartScreen' option in Explorer context menu (only EXE and MSI files). This option additionally forces the file to ask for execution with Administrative Rights.

(B) Advanced users can apply the below settings with Default Deny SRP:
Apply recommended settings, and next change <Run As SmartScreen> --> 'Standard User', <Hide 'Run As Administrator> --> 'OFF', as an alternative solution. Then, 'Run By SmartScreen' + SRP can serve as a second opinion scanner for executables located in the User Space. Files with dangerous extensions are blocked, but media, documents, photos, etc. are allowed.

In the (A) solution files (EXE and MSI) are checked by SmartScreen, and blocked when recognized as not safe, but allowed to execute with Administrative Rights, when recognized as safe.
In the (B) solution files (EXE, MSI, JSE, VBE) are checked by SmartScreen, and blocked (never executed in the User Space). Other files supported by SmartScreen filter (BAT, CMD, COM, CPL, DLL, OCX, PIF, SCR) are blocked by SRP (included in 'Designated File Types' list). Documents, photos, media files, and generally, files with not dangerous extensions, are allowed to open. One has to use 'Run as administrator' option in Explorer context menu to run the EXE and MSI files. 'Run By SmartScreen' does not block extensions supported by SmartScreen filter (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR and VBE), but blocks other dangerous extensions independently of SRP: ADP, ADE, BAS, CHM, CRT, HLP, HTA, INF, INS, ISP, JAR, JS, MDB, MDE, MSC, MSP, MST, PCD, PS1, REG, SCT, SHS, VB, VBS, WS, WSC, WSF, WSH."

So, to confirm, I think you said there is no way for me to configure Windows settings/registry to simulate the above settings, right? This is a special custom utility that is part of Hard Configurator, right?


This is the way how SRP Designated File Types list + Default Security Level = Disallowed, work for BAT, CMD, CPL, MSC files.
The user can Run as administrator those files when;
  • BAT, CMD, CPL, MSC extensions are removed from DFT list.
or
  • SRP Default Security Level is not set to Disallowed
The second is adopted in Hard_Configurator recommended settings (Default Security Level is set to Basic User).
In your settings, the BAT and CMD extensions can be safely removed from the DFT list, because the CMD host is under extended protection when Default Security Level = Disallowed. So, they will still be blocked as standard user, but allowed to Run as administrator. That is not true for CPL and MSC files, because there are no extended SRP protections for them.

If I have "Default Security Level = Disallowed" AND if I leave BAT and CMD on the DFT list, would any Windows or software upgrades run into any issues?

(I prefer leaving them in DFT if it does not hurt - only because other guides seem to be suggesting such setup, and I don't feel confident enough in this area; so would prefer more protections settings to be ON for now IF it does not cause instability)


Thank you, again!

Andy Ful

From Hard_Configurator Tools
Sorry for not being explicit enough. What I meant by (A) and (B) are these options from Hard Configurator manual under "Run As SmartScreen" section:
...
So, to confirm, I think you said there is no way for me to configure Windows settings/registry to simulate the above settings, right? This is a special custom utility that is part of Hard Configurator, right?
Right.
.
If I have "Default Security Level = Disallowed" AND if I leave BAT and CMD on the DFT list, would any Windows or software upgrades run into any issues?
(I prefer leaving them in DFT if it does not hurt - only because other guides seem to be suggesting such setup, and I don't feel confident enough in this area; so would prefer more protections settings to be ON for now IF it does not cause instability)
Thank you, again!
The difference would be only when you will try to run those files via Run as administrator. If not, then just leave BAT and CMD extensions on DFT list.

softie15

Thanks a lot @Andy Ful ! You managed to answer all my questions! :) Wow!

Just FYI, a few notes as I've been trying to configure the system:

(1) For .lnk file protection, I am trying out the configuration where LNK is on the DFT list but I explicitly allow links that I normally use, with full paths to the exact link files. There are about a dozen of them for the Desktop and QuickLaunch areas but so far so good. Interestingly, Calculator and File Explorer do not seem to need an exception - those links (and yes, I double checked that they ARE links) work without the Unrestricted rule apparently.

(2) Adobe DC got installed just fine with all the restrictions (I did not add those sponsors yet from your full list but will do so later); but 7-Zip required me to remove SRP protections temporarily and the sponsors I do have, and I had to be in the Admin account. I did not find out exactly what was blocking it but had to reinstall a few times for it to work. Works now.
I plan to use Adobe DC in a Sandbox only which I think you indicated provides good protection. I have on my TODO list to investigate more about Touch and Universal App containers.

(3) Comodo indicates there is no way to set the restriction level when opening files / applications via right-click -> Run in Comodo Sandbox; it runs things in the virtualized sandbox but there are no additional restrictions there. I have not investigated whether this means protection is lacking a lot. I do know that it's still virtualized (and even copy-paste does not work); so I guess malware would still have a hard time escaping the sandbox; but not sure what I lose without additional restriction settings.

Thanks a lot for all your help! I hope this thread will be useful to other folks wanting to know more about secure PC setup and what's behind Hard Configurator features!

I have not decided whether to install VoodooShield yet on this system. I just might skip it given the SRP Deny-by-default setup with protected Windows folders and other tweaks we talked about. I could not have done it without you! In any case, I feel like I understand this topic more now and my system will be safer and may not even have the additional attack surface of the VS software.

Andy Ful

From Hard_Configurator Tools
(3) Comodo indicates there is no way to set restriction level when opening files / applications via right-click -> Run in Comodo Sandbox runs things in virtualized sandbox but there is no additional restrictions there. I have not investigates whether this means protection is lacking a lot. I do know that it's still virtualized (and even copy-paste does not work); so I guess malware would still have hard time escaping the sandbox; but not sure what I lose without additional restriction settings.
I do not use Comodo IS. But, in Comodo Firewall it is possible to open Advanced Settings for the Sandbox, and add the application, folder, etc. to the Sandbox. Next, you can adjust the Sandbox settings for the added file, folder.