Advanced Security TairikuOkami's Configuration 202x

[TairikuOkami]

Is Canary build very buggy? Do you use this on your test pc only?

On normal PC, I never had any serious problems, maybe a flashing explorer or a bad task manager, but usually fixed within a week. I have not had BSOD since Vista, except caused by me.

 

[Parkinsond]

I have decided to remove WFC, it was giving me too much headache. Windows Firewall with outbound allowed still honors block rules, so I am just going to block bad ports by default like:

netsh advfirewall firewall delete rule name=all
netsh advfirewall firewall add rule name="TCP Block" dir=out action=block protocol=TCP remoteport=1-79,81-442,444-852,854-1024
netsh advfirewall firewall add rule name="UDP Block" dir=out action=block protocol=UDP remoteport=1-442,444-1024
netsh advfirewall firewall add rule name="Brave TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Users\Tairi\AppData\Local\BraveSoftware\Brave-Browser\Application\brave.exe"
netsh advfirewall firewall add rule name="Edge TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
netsh advfirewall firewall add rule name="Edge UDP" dir=out action=block protocol=UDP remoteport=443 program="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
netsh advfirewall firewall add rule name="LibreWolf TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Program Files\LibreWolf\librewolf.exe"
netsh advfirewall firewall add rule name="LibreWolf UDP" dir=out action=block protocol=UDP remoteport=443 program="C:\Program Files\LibreWolf\librewolf.exe"
netsh advfirewall firewall add rule name="OneDrive TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Program Files\Microsoft OneDrive\OneDrive.exe"
netsh advfirewall firewall add rule name="IceDrive TCP" dir=out action=block protocol=TCP remoteport=1-442,444-65535 program="C:\Users\Tairi\AppData\Local\Temp\IcedrivePortable\Icedrive.exe"

Is it necessary to apply such rules if using a 3rd party firewall aksing for permission before any connection?

 

[Andy Ful]

I have restricted some exes (lolbins) like mshta.exe via Disallow policy. Port 80 aka http is not allowed. To partially prevent malware using legitimate processes, I have allowed only trusted IP ranges for the most vulnerable apps like svchost or discord. Process Hacker checks running processes in VirusTotal.

Hi,

It is always interesting to discuss the No-AV setup.
Many attacks will be blocked, but some popular attack vectors are still possible. Therefore, the user must be cautious and have extensive knowledge and experience in using Process Hacker (System Informer).

In your case, the problem may be related to game mods or game updates. For example, when the gaming server is compromised, the malicious content will be installed. In such cases, the protection provided by NextDNS is often slowed.
Unfortunately, the installed malware often uses trusted IP ranges and HTTPS.
ProcessHacker with VT integration is a good protection layer, but may be insufficient nowadays. Many malware use DLLs (no integration with VT) for persistence.

It would be interesting to use SAC or a specially adjusted WDAC policy to periodically audit non-system DLLs and drivers. The audit starts when enabling SAC in Evaluate mode or copying the WDAC policy to the appropriate folder.

 

[piquiteco]

Thanks, it would be actually interesting to see, how would this AV-less setup hold against real a malware/ransomware, but that would require someone more skilled than me. I once tested wannacry real life and it failed to do anything, since ransomware requires SYSTEM permissions and I pretty much denied that on important partitions and folders.

No need to worry, friend. What a coincidence, I also tested a WannaCry sample back in 2017. I had BDTS with folder protection similar to what MD has today. WannaCry also did not encrypt protected folders because I was using the SUA account and still had the C:\Users\Public folders protected. The process remained running but was unable to elevate system or administrator privileges on the SUA account to encrypt my files. Then I ran the test without folder protection, and it only encrypted the files of the standard account users. The admin account files remained untouched. Since I was using RBX at the time, I just reverted to a previous snapshot and I was back, just for peace of mind, but Wannacry did not spread to other machines. Coincidence or not, you think similarly to me, you like to configure and harden the operating system without relying too much on AVs. In your settings, theoretically, ransomware and malware would not be able to do much, I presume, precisely because of the configuration restrictions you imposed on your OS. For example, the malware would not be able to communicate with C2 due to your DNS and the blocking of ports commonly used and abused by malware. Here we will also consider LOLBins. If your system is applied, blocked by the firewall, the malware would also not be able to download the payload, so the malware would remain inactive. Very interesting configuration @TairikuOkami. I liked your approach. Sorry for the delay in answering your question, I'm as slow as a turtle when it comes to typing.

 

[piquiteco]

Is it necessary to apply such rules if using a 3rd party firewall aksing for permission before any connection?

Of course not, these rules only apply to the Windows firewall. But you can still apply them if you uninstall the third-party firewall or disable it for testing purposes.

 

[piquiteco]

What ports should be allowed?

Same as @TairikuOkami's post number #33. I won't post here anymore, otherwise it will clutter up @TairikuOkami's thread, which is about his computer settings. Let's respect him.

 

[Parkinsond]

Same as @TairikuOkami's post number #33. I won't post here anymore, otherwise it will clutter up @TairikuOkami's thread, which is about his computer settings. Let's respect him.

Yes, I have noticed the settings after asking you; apologies.