Advanced Plus Security Thales Hard Protected Setup

Last updated
Jul 31, 2019
Windows Edition
Pro
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
  • HMPA
  • F-Secure SAFE
  • syshardener
Firewall security
Microsoft Defender Firewall
About custom security
  • syshardener (Almost everything is checked)
Periodic malware scanners
  • HMPA
  • F-Secure SAFE
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chrome (Portable)
  • Adguard
  • BitWarden
Maintenance tools
Cleaners
  • Wise Cleaner (portable)
  • Cleanmgr+ (Portable)
  • CCleaner (portable)
Other
  • Bandizip (portable)
  • Geek uninstaller (portable)
File and Photo backup
  • MEGA
System recovery
  • Macrium Reflect Free
Risk factors
    • Gaming
    • Logging into my bank account
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
    • Working from home
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Acer Aspire 3 A315-41

CPU: AMD Ryzen 3 2200U
GPU: Radeon Vega Mobile Gfx
RAM: 8GB DDR4 2400Mhz
Storage: 128GB SSD
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Thales said:
Feel free to give me some advice to improve my system I you feel i need to.
Click to expand...
@Andy Ful put out a FirewallHardener tool, it is an easy way and effective way to add block rules to Windows firewall for LOL bins that can be dangerous if they have internet access. It is a natural complement to Windows SRP for those who are into system hardening. Just mentioning it as a suggestion.
 
  • Like
Reactions: DeepWeb, Thales, oldschool and 2 others
Thales

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
shmu26 said:
@Andy Ful put out a FirewallHardener tool, it is an easy way and effective way to add block rules to Windows firewall for LOL bins that can be dangerous if they have internet access. It is a natural complement to Windows SRP for those who are into system hardening. Just mentioning it as a suggestion.
Click to expand...

Is it a standalone program or part of the H_C?
 
  • Like
Reactions: oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,113
Hi,
What Default Security Level did you apply in SRP?
What is your setting under the SRP Enforcement option “Apply software restriction policies to the following users”?
How do you protect shortcuts?
Did you harden Windows subfolders?
:giggle:(y)
 
  • Like
Reactions: floalma, Thales, oldschool and 2 others
Thales

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Andy Ful said:
Hi,
What Default Security Level did you apply in SRP?
What is your setting under the SRP Enforcement option “Apply software restriction policies to the following users”?
How do you protect shortcuts?
Did you harden Windows subfolders?
:giggle:(y)
Click to expand...
Default Security Level is Disallowed.
All Software files except libraries.
I enabled shortcuts because I need them. (Is it too bad?)
Windows folder is disallowed. I didn't put them in the exception list.
 
  • Like
Reactions: floalma, Andy Ful and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,113
Thales said:
Default Security Level is Disallowed.
All Software files except libraries.
I enabled shortcuts because I need them. (Is it too bad?)
Windows folder is disallowed. I didn't put them in the exception list.
Click to expand...
There are additional options in Enforcement Window. One of them is “Apply software restriction policies to the following users”. Did you chose settings: 'All users' or 'All users except local administrators'?

If you have enabled shortcuts, then you have to be very cautious, because shortcuts can run command lines with script Interpreters or LOLBins (known SRP bypass).:(

What do you mean by "Windows folder is disallowed"?:unsure:
Did not you allow even the folder "C:\Windows\system32" ?
 
Last edited:
  • Like
Reactions: floalma, Thales, shmu26 and 2 others
Thales

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Thanks @Andy Ful I didn't know about that shortcut issue. Shortcuts have been disabled.
Here it is my settings.
215066

215067
 
  • Like
Reactions: floalma, Gandalf_The_Grey, Andy Ful and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,113
Thales said:
Thanks @Andy Ful I didn't know about that shortcut issue. Shortcuts have been disabled.
Here it is my settings.
View attachment 215066
View attachment 215067
Click to expand...
Can you run regedit.exe without SRP block?
In fact, you whitelisted all Windows folder via the Unrestricted rule:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
This is OK, but allows bypassing SRP via writable subfolders of the Windows folder. (y)
 
Last edited:
  • Like
  • Thanks
Reactions: floalma, Thales, oldschool and 3 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,113
The below paths (sometimes only its sub-paths) are usually writable in WIndows (some are actually blocked in Windows 10):
C:\windows\debug\WIA
C:\windows\Registration\CRMLog
C:\windows\servicing\Packages
C:\windows\servicing\Sessions
C:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
C:\windows\System32\com\dmp
C:\windows\System32\FxsTmp
C:\windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\windows\System32\spool\drivers\color
C:\windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\windows\System32\Tasks
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\Com\dmp
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\Tasks
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing

I am not sure if you can blacklist the path c:\Windows\Temp, because it can be used by some Windows processes. If you would have SRP set to allow processes with admin rights, then this folder can be safely blacklisted. But you have Enforcement setting "All users", so SRP can block also processes run with admin rights.
 
Last edited:
  • Like
  • Thanks
Reactions: floalma, Thales, oldschool and 2 others
Thales

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Andy Ful said:
Can you run regedit.exe without SRP block?
In fact, you whitelisted all Windows folder via the Unrestricted rule:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
This is OK, but allows bypassing SRP via writable subfolders of the Windows folder. (y)
Click to expand...
I can't run regedit in my currrent settings. To do that I need to change the security level to Unrestricted temporally.
The %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% is there in default I think, so I didn't want to delete.

Andy Ful said:
The below paths (sometimes only its sub-paths) are usually writable in WIndows (some are actually blocked in Windows 10):
C:\windows\debug\WIA
C:\windows\Registration\CRMLog
C:\windows\servicing\Packages
C:\windows\servicing\Sessions
C:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
C:\windows\System32\com\dmp
C:\windows\System32\FxsTmp
C:\windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\windows\System32\spool\drivers\color
C:\windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\windows\System32\Tasks
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\Com\dmp
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\Tasks
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing

I am not sure if you can blacklist the path c:\Windows\Temp, because it can be used by some Windows processes. If you would have SRP set to allow processes with admin rights, then this folder can be safely blacklisted. But you have Enforcement setting "All users", so SRP can block also processes run with admin rights.
Click to expand...
In the past I used most of these rules however I got tons of error messages (maybe the C:\Windows\Temp or the WD). I switched to linux after that for 1 year and then I totally forgot those rules :emoji_cold_sweat:.
The only reason I don't use 3rd party app for SRP is because I love it in it's current form and I want to know what folders and programs allowed to run and the SRP gives me the safe feeling that an antivirus can't. Added these rules again and I hope not using WD will avoid error messages.
Thank you :emoji_pray:
 
  • Like
Reactions: floalma and shmu26
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,113
Thales said:
I can't run regedit in my currrent settings. To do that I need to change the security level to Unrestricted temporally.
The %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% is there in default I think, so I didn't want to delete.


In the past I used most of these rules however I got tons of error messages (maybe the C:\Windows\Temp or the WD). I switched to linux after that for 1 year and then I totally forgot those rules :emoji_cold_sweat:.
The only reason I don't use 3rd party app for SRP is because I love it in it's current form and I want to know what folders and programs allowed to run and the SRP gives me the safe feeling that an antivirus can't. Added these rules again and I hope not using WD will avoid error messages.
Thank you :emoji_pray:
Click to expand...
You have the SRP setup similar to that suited to enterprises. It is not especially useful in the home environment. Anyway, your actual setup is OK. It can be bypassed, but first, something has to be exploited. (y)
I hope that you do not use MS Office or Adobe Acrobat Reader. To make SRP working with WD, you can add Unrestricted rule for:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath%
 
  • Like
  • Thanks
Reactions: shmu26, harlan4096, ZeroDay and 2 others
Thales

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
Removed
  • Kapsersky cloud free

Added
  • H_C
  • WD with High settings by H_C
  • Switched to SRP using H_C
I started to use H_C because I found it very cool. Thanks @Andy Ful

I'm thinking about to replace BitLocker with something else but Veracrypt is not offering encryption on used disk space only. I have a 120GB SSD and I don't really want to do a full disk encryption on every 2-3 weeks ( too slow) when I restore the system with Macrium. Disk encryption is crucial to me because I don't live alone and I don't trust anyone.
 
  • Like
Reactions: Andy Ful, shmu26 and harlan4096
Thales

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
shmu26 said:
I also just switched back from KSCF to WD. :)
Click to expand...
The reason you switched back?
I had issues with the update service. I got "database is corrupted" error message and nothing could fix it. Also the windows startup was kinda slow (compared to HMPA or WD) on SSD. Removing KSCF has fixed the problem
 
  • Like
Reactions: Andy Ful and shmu26
You must log in or register to reply here.

Similar threads

BigWrench
    • Like
Unlimited Giveaway Wise Care 365 PRO - free license (fresh update 6.6.5) ✌️
Replies
0
Views
425
Giveaways, Promotions and Contests
BigWrench
BigWrench
R
  • Locked
No Reply PUA:Win32/AutoKMS
Replies
3
Views
434
Windows Malware Removal Help & Support
icotonev
icotonev
BigWrench
    • Thanks
    • Like
Unlimited Giveaway Wise Care 365 PRO - Free License 6.6.2.632 (latest update)
Replies
0
Views
1,179
Giveaways, Promotions and Contests
BigWrench
BigWrench

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top