Advanced Plus Security Thales Hard Protected Setup

Last updated
Jul 31, 2019
Windows Edition
Pro
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
  • HMPA
  • F-Secure SAFE
  • syshardener
Firewall security
Microsoft Defender Firewall
About custom security
  • syshardener (Almost everything is checked)
Periodic malware scanners
  • HMPA
  • F-Secure SAFE
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chrome (Portable)
  • Adguard
  • BitWarden
Maintenance tools
Cleaners
  • Wise Cleaner (portable)
  • Cleanmgr+ (Portable)
  • CCleaner (portable)
Other
  • Bandizip (portable)
  • Geek uninstaller (portable)
File and Photo backup
  • MEGA
System recovery
  • Macrium Reflect Free
Risk factors
    • Gaming
    • Logging into my bank account
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
    • Working from home
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Acer Aspire 3 A315-41

CPU
: AMD Ryzen 3 2200U
GPU: Radeon Vega Mobile Gfx
RAM: 8GB DDR4 2400Mhz
Storage: 128GB SSD

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
E.g. driver update tools by laptop vendors. Once the user account is changed to SUA, the vendor driver update tools for my laptop only work from the admin account, not when they run elevated from SUA account.
They probably are not prepared to run from SUA and try to display some windows/alerts on the desktop of Administrator account, so they are not visible on SUA. (y)
 
  • Like
Reactions: [correlate]

notabot

Level 15
Verified
Oct 31, 2018
703
I have to admit i just have a good laugh after reading the few posts above, as @Andy Ful said most don't have a clue of what is SUA vs Admin purpose.

SUA is a restricted account made for daily use like surfing, watching videos, gaming, etc...
Admin account is for all ADMIN task: maintenance, drivers/softs/program/OS updates, etc...

the problem is that in the past decades, Microsoft stupidly set everybody to use an admin account by default, so devs of all sorts just used to program their software to be used on admin account when it was not necessary.

in enterprises, only the bad admin would use Admin account for others than himself, because admin are supposed to administrate, if they want browse, they use another computer or switch users.


those people should be fired, they are the ones why ransomware hit most companies/organizations so hard.
They are just lazy and refuse to adapt their working methodology for a safer environment.


before implementing, SRP you have to intensively test the policy. The admin was faulty because of ignorance and carelesssness, SRP isn't faulty, SRP is the best security mechanism if properly used. There is a reason why most 3rd party corporate products from kaspersky, McAffee, Symantec, Sophos all implement some kind of SRP.


If used without proper testing and implementation.


SRP isn't made for personal use, it is made for static systems like you have in corporate environment.

Notabot, i'm sorry to say that but your understanding and view of SRP is all wrong.

I'm happy that you had a good laugh, what a lot of people find even funnier is that in all other OSs you do not need to login and then logout in a different account to do administrative work, elevation to admin works fine and the UX was designed well from the get go.

Also please read more carefuly, my post was clear, I didn't not discuss non-dev corporate environments, it was dev corporate where I mentioned that SRP-like whitelisting led to people who put it getting fired and the rest of the discussion was about dev home, where it's dysfunctional and home personal where it seems to work fine and with Andy's tool it's easy to setup too.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I agree with @Umbra that SRP can be used in many enterprises, especially when they use similar software on many computers.

I agree with @notabot that SRP can fail in many enterprises, if they use different software on many computers or administrators are not trained in applying more complex SRP restrictions. It can also fail if directors do not realize that the staff cannot do anything they want, on computers at work. Furthermore, sometimes it is hard to find the right balance between security and productivity.

I think that in enterprises the best solution would be the combination of SRP and AppLocker - some SRP restrictions are not available via AppLocker. SRP restrictions should allow elevated processes but also should block the users' stupid actions (like running scripts from email attachments). Applocker should apply the restrictions for elevated processes, because the malware can attack computers via the enterprise network with admin rights.
 
Last edited:

notabot

Level 15
Verified
Oct 31, 2018
703
They probably are not prepared to run from SUA and try to display some windows/alerts on the desktop of Administrator account, so they are not visible on SUA. (y)

Could be, HP also was a good free security app that's like WDAG that also doesn't run with SUA, see .

When I find time to play with it, if I'm happy with that in terms of performance, I may scrap the SUA acc, as the security benefits of running virtualized anything exploitable are quite cool. MS wants to expand WDAG beyond Edge but I think they plan it only for office365-business for now
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Could be, HP also was a good free security app that's like WDAG that also doesn't run with SUA, ...
As many such 3rd party solutions, it will produce issues on Windows 10:

"As a solution, HP proposes to install the HP Sure Click version 4.1.0.5734 provided on the site. This means: With every update of Windows 10 you have to expect issues with HP Sure Click. Then you have to wait for an update of the software and install it. Given these issues, I’d rather uninstall HP Sure Click from the machines using the Control Panel."
 

notabot

Level 15
Verified
Oct 31, 2018
703
As many such 3rd party solutions, it will produce issues on Windows 10:

"As a solution, HP proposes to install the HP Sure Click version 4.1.0.5734 provided on the site. This means: With every update of Windows 10 you have to expect issues with HP Sure Click. Then you have to wait for an update of the software and install it. Given these issues, I’d rather uninstall HP Sure Click from the machines using the Control Panel."

Shame, though to be expected, oh well, someday MS may release WDAG for Office Home users
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Side note Firejail works flawlesly wit MANJARO but when you check protections, Firejail only adds some folder protection when using Chromium (COMPARED TO DEFAULT PROTECTIONS)

SORRY: EDIT IN CAPS
 
Last edited:

notabot

Level 15
Verified
Oct 31, 2018
703
Side note Firejail works flawlesly wit Firejail, but when you chrck protections, Firejail only adds some folder protection when using Chromium.

It's a bit out of context so I'll reply shortly, if you're using Ubuntu, chromium is available as a snap app, which are containerised and come with their own AppArmor profile, so there's no need to install it via apt and containerize it with firejail. If you want to add folder restrictions, you can edit the AppArmor profile, the trouble with that is that you'll need to maintain your edits with updates
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
On Manjaro Chromium is also availble as snap app, but my point was that Firejail does not add much protection (anymore) on Manjaro (on most distro's with build-in AppArmor profiles, I am told). Thanks for your answer, some time ago I asked whether form members used snapapps on Manjaro and what the added value was of using SnapApps. I shoudl have not restricted that question to Manjaro. You sort of answered my old questions thanks @notabot (y)
 

notabot

Level 15
Verified
Oct 31, 2018
703
On Manjaro Chromium is also availble as snap app, but my point was that Firejail does not add much protection (anymore) on Manjaro (on most distro's with build-in AppArmor profiles, I am told). Thanks for your answer, some time ago I asked whether form members used snapapps on Manjaro and what the added value was of using SnapApps. I shoudl have not restricted that question to Manjaro. You sort of answered my old questions thanks @notabot (y)

you are welcome but probably this is the wrong thread, this is Thales' computer thread :)
 
F

ForgottenSeer 823865

To resume, in most "serious" corporate environment, most employee workstations are locked via Windows SRP + Applocker or 3rd party SRP like SEP Managed.
That is a fact, that SRP is a well-known and solid mechanism for corporate environment, but is has to be properly used which require training, reason you don't see SRP on Home user products, the only case I heard is Kaspersky which use a comparable but simplified mechanism in SystemWatcher.
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
I tried to slim down the system a little bit. I missed the 1,6 GB of RAM usage.
After the boot my system used 3GB RAM. :( I had to do something.

Removed
  • Windows Defender is disabled completely in ConfigureDefender and in O&O ShutUp10
This made the biggest change. Slimmed down the memory usage by 1GB.

Installed
  • HMPA
This is my 2nd license. Love this program very much.
  • Eset Nod32 Antivirus only
Very light and I have free 30 days licence from magazine in every month.
  • O&O ShutUp10
Because I don't use any 3rd party firewall anymore I need to disable telemetry somehow.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Thales,
It is strange. Usually, WD has similar RAM usage to Eset and smaller than most AVs. I disabled WD to see the difference (no AV at all) and the RAM usage dropped by 100 MB. I do not think that skipping WD was the cause of 1GB free space.
Anyway, Eset is a good choice, too. (y) :)
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
@Thales,
It is strange. Usually, WD has similar RAM usage to Eset and smaller than most AVs. I disabled WD to see the difference (no AV at all) and the RAM usage dropped by 100 MB. I do not think that skipping WD was the cause of 1GB free space.
Anyway, Eset is a good choice, too. (y) :)

Yeah probably something else. The "antimalware service executable" was still active (but consumed only 150 MB) after I installed Eset. Had to disable all WD features I could in ConfigureDefender and in O&O ShutUp10 too.
I don't know what was the main issue but disabling WD solved the problem :D
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
... Had to disable all WD features I could in ConfigureDefender and in O&O ShutUp10 too.
I don't know what was the main issue but disabling WD solved the problem :D
When you installed Eset, then WD is disabled automatically, no need to use any software for that. I think that O&O Shutup (or something else) slimmed your system with or without disabling WD.
O&O Shutup disables many services and tasks that are loaded to memory with Windows start. But, be careful with slimming down the system. Windows Updates are not tested by M$ on slimmed systems and this usually can cause hidden problems. I had a few such problems on my slimmed system a few years ago. Finally (after some months), it turned out that one unnecessary service should be enabled to finish the cumulative update.:)(y)
Eset + H_C is a very strong setup. Eset will be also more comfortable (fewer false positives) as compared to WD MAX or HIGH Protection Level.
 
Last edited:

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
I made a completely new config from scratch.
The main goal was to make a system that uses minimal RAM as possible and don't lose the performance.
Portable apps are an integral part of this configuration.

1. Remove bloats,
- Windows Privacy Dashboard
- O&O ShutUp10
- Easy service optimizer
I removed everything unnecessary after the clean install. Also, made a backup image for the future.
Fresh Windows (2).png

2. Hardening Windows
- syshardener did the job
I've skipped the srp for now to test this config.
Windows after hardenning (2).png

3. Security
- Installed WiseVector and HMPA
I think HMPA and Wisevector is a light and very powerful combo.

4. Portable system apps
- CCleaner, Wise Disk Cleaner, Cleanmgr+

No 3rd party firewall, chrome is portable, no VPN just proxy extension.

This is the final result after browsing for a while.
It is more than I expected. Previously the system used 2,5 - 3 GB, now it is 1.5 GB.
After running.png

And another one :D
another.png
 
F

ForgottenSeer 823865

You know that considering having a lot of free RAM as beneficial is a erroneous concept.

RAM is supposed to be used, reason why some programs when detecting lot of available RAM increase their RAM usage to gain more responsiveness and efficiency.
Having lot of RAM is only needed when you use heavy softwares (Movie/Sound/Photo editors, VMs, etc...).
Even Windows adapts its RAM usage depending on the active softwares.

WD doesn't make the system slow because it uses lot of RAM, it does because it keep real-time scanning the system over and over.
 

Thales

Level 15
Thread author
Verified
Top Poster
Well-known
Nov 26, 2017
708
You know that considering having a lot of free RAM as beneficial is a erroneous concept.

RAM is supposed to be used, reason why some programs when detecting lot of available RAM increase their RAM usage to gain more responsiveness and efficiency.
Having lot of RAM is only needed when you use heavy softwares (Movie/Sound/Photo editors, VMs, etc...).
Even Windows adapts its RAM usage depending on the active softwares.

Yes, I forget to mention I have a special program that uses a lot of RAM and I need it everyday.
My laptop has only 8 GB of RAM and the APU uses 1 GB, so I had to do something because sometimes my program couldn't finish the task because of the low RAM issue.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top