Advanced Plus Security Vitali Ortzi Dell security config (Work in progress)

Last updated
May 7, 2020
How it's used?
Operating system
Log-in security
Security updates
Check for updates and Notify
User Access Control
Notify me only when programs try to make changes to my computer
Real-time security
Symantec Endpoint Protection 14.3 managed by Symantec Endpoint Manager.
And other inbuilt security measures such as configuring Exploit Guard and enabling Core Isolation.
Firewall security
About custom security
Made an image of LTSC without many prebuilt apps/services and tools.
Replaced and removed them with secure alternatives, some from the Windows Store (better isolation in the kernel and higher support with Exploit Guard) and some with secure and faster open-source alternatives.

Changes regarding Symantec endpoint protection client installation and policies:
Disabling SONAR and Auto-Protect to reduce the attack surface and increase performance.

Only the application and device control / network and host mitigation components have been utilized on the host via the SPEM server.
I have also made policies to harden the system, such as a default-deny firewall, as well as used the application control module to minimize and isolate critical software.

Reasoning for disabling components such as SONAR and Bloodhound and even Auto-Protect (the robust AI and signature-based security components).

Read research papers and Project Zero articles that indicated how SEP is vulnerable to some forms of exploitation.
As SEP uses a filter driver that intercepts all system I/O, which makes exploitation highly effective.
One of the issues in SEP is the way Symantec implemented the emulator, as it unpacks malware at the kernel level.
Another issue with SEP is that it is known to inject hooks into Windows processes, which could compromise Windows integrity and stability.
Even worse is the usage of old, outdated open-source libraries that Symantec integrates into its products, which have already been susceptible to exploitation; one big example is the 7-year-old libraries that Google Project Zero uncovered.
So because of all the above and performance degradation, I have decided to disable the AV engine/AML and surpass it with the application and device control module.
Other tweaks I made to very critical machines are using the system lockdown policy as well as other reductions of internal processes.
Periodic malware scanners
Windows-based live boot drive, aka Windows PE.


For serious infection
Linux-based boot drive.
Hopefully replacing it with a μ-kernel / microkernel-based one once it has enough development.
Malware sample testing
Browser(s) and extensions
Firefox with tweaks from both Reddit and Privacy Tools.
Maintenance tools
PrivaZer and other inbuilt ones for now.
File and Photo backup
Image based backup.
System recovery
Linux boot drive.
Risk factors
    • Gaming
    • Logging into my bank account
    • Browsing to popular websites
    • Downloading software and files from reputable sites
    • Streaming audio/video content from shady sites
    • Downloading malware samples
    • Browsing to unknown / untrusted / shady sites
    • Working from home
Computer specs
Dell
8th gen i5
UHD 620
8 GB DDR4
NVMe 256 GB
Notable changes
Updated the explanation about disabling some Symantec components.

Vitali Ortzi

Thread author
Dec 12, 2016
Still ongoing testing different things; post your favorite software recommendations!
BTW, if anyone wants a SPEM server I have a spare unbound license.
Already deployed 2 SPEM servers in my house as I'm planning a secure connection for laptops.
Remember, if you want SPEM, PM!

LDogg

May 4, 2018
"User Access Control: Never Notify" - needs to be on Always Notify; there are no known bugs or slowdowns on Windows 10 if you have an SSD.

Do you have an active 3rd party Firewall at all? And what security program(s) do you have on this machine, it's very hard to tell what you have installed or using the native security.

Backup to me looks decent.

Some things haven't been fully addressed, while the effort has clearly been made.

~LDogg
 

Vitali Ortzi

Thread author
Dec 12, 2016
The software name, version number and type of suite need to be named, brother. Other people will be confused about this.

~LDogg
Thanks very much 😊

The software name, version number and type of suite need to be named, brother. Other people will be confused about this.

~LDogg
Hopefully it's a little better now.
 

harlan4096

Moderator
Staff Member
Apr 28, 2015
"User Access Control: Never Notify" - needs to be on Always Notify; there are no known bugs or slowdowns on Windows 10 if you have an SSD.

Do you have an active 3rd party Firewall at all? And what security program(s) do you have on this machine, it's very hard to tell what you have installed or using the native security.

Backup to me looks decent.

Some things haven't been fully addressed, while the effort has clearly been made.

~LDogg
Apart from that:

I participate by downloading malware samples on my Host PC
Please use a virtualized system, thanks!
 

Vitali Ortzi

Thread author
Dec 12, 2016
"User Access Control: Never Notify" - needs to be on Always Notify; there are no known bugs or slowdowns on Windows 10 if you have an SSD.

Do you have an active 3rd party Firewall at all? And what security program(s) do you have on this machine, it's very hard to tell what you have installed or using the native security.

Backup to me looks decent.

Some things haven't been fully addressed, while the effort has clearly been made.

~LDogg
Made my config secure status thanks to our MalwareTips community's help!

Vitali Ortzi

Thread author
Dec 12, 2016
In DataBackUp You may use some cloud services...
No cloud, thanks.
In SystemBackUp You may use Macrium Reflect Free or AOMEI Backup, both free...
In case I need to use a backup,
I can't trust anything running in my current operating system.
But thanks for the recommendation.
I love True Image and Macrium Reflect paid ones for friends and family.
 

Vitali Ortzi

Thread author
Dec 12, 2016
Minor update
1. Updated the explanation about disabling some Symantec components.
Also wanted to recommend How to Compromise the Enterprise Endpoint for further reading regarding how Symantec is vulnerable.
2. Testing Deception policies before moving to production (will take a long time to get it as secure as possible without hurting stability).
White paper: Broadcom Inc. | Connecting Everything
Deception product tour

Vitali Ortzi

Thread author
Dec 12, 2016
Hey, I didn't know that you run SEP without auto-protect and BB. Have you thought about replacing SEP with Forticlient and -optionally- MBAE?
No, it will increase my attack surface.
And I think MBAE is inferior to Symantec anti-exploit/Exploit Guard, but I haven't done any testing in that regard.
 

Nagisa

Jul 19, 2018
No, it will increase my attack surface.
And I think MBAE is inferior to Symantec anti-exploit/Exploit Guard, but I haven't done any testing in that regard.

So you think attack vectors are a more important risk for you than common malware? I found the idea interesting, but I think in practice it's not better for a home user to disable signature/behaviour detection.

Vitali Ortzi

Thread author
Dec 12, 2016
So you think attack vectors are a more important risk for you than common malware? I found the idea interesting, but I think in practice it's not better for a home user to disable signature/behaviour detection.
Malware isn't able to execute.
I used a fingerprint (hash) to exclude all programs on the system, as none will execute without it.
And system lockdown is used on some systems in my house.
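To make the hash-based default-deny policy from the post above concrete, here is an added example (not the thread author's policy export and not Symantec's code); the program names, images and hashes are constructed stand-ins:

```python
"""Hash-based application allowlist with default deny (added example, not the
thread's or Symantec's code). Models the thread's policy: a program runs only if
its SHA-256 fingerprint is on the list. Program images are constructed bytes."""
import hashlib
from typing import Dict, Tuple

def fingerprint(image: bytes) -> str:
    """SHA-256 hex digest of a program image (the 'fingerprint' in the thread)."""
    return hashlib.sha256(image).hexdigest()

def build_allowlist(trusted: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot taken at deployment time: fingerprint -> trusted program name."""
    return {fingerprint(image): name for name, image in trusted.items()}

def decide(allowlist: Dict[str, str], name: str, image: bytes) -> Tuple[bool, str]:
    """Default deny: only the hash is consulted, never the file name."""
    digest = fingerprint(image)
    if digest in allowlist:
        return True, f"ALLOW {name}: matches allowlisted {allowlist[digest]}"
    return False, f"DENY {name}: {digest[:12]}... not on allowlist"

# Constructed stand-ins for the trusted executables on the host.
TRUSTED = {
    "firefox.exe": b"MZ\x90\x00constructed-firefox-build",
    "backup.exe": b"MZ\x90\x00constructed-image-backup-tool",
}
ALLOWLIST = build_allowlist(TRUSTED)

def demo() -> Dict[str, bool]:
    """The cases a default-deny policy has to get right; returns case -> allowed."""
    cases = {
        # Unchanged trusted binary: allowed.
        "unchanged": decide(ALLOWLIST, "firefox.exe", TRUSTED["firefox.exe"]),
        # One patched byte (trojanised, or simply updated): hash changes, denied.
        "tampered": decide(ALLOWLIST, "firefox.exe", TRUSTED["firefox.exe"] + b"\x00"),
        # Renamed copy of a trusted binary: still allowed, the name is not the key.
        "renamed": decide(ALLOWLIST, "ff.exe", TRUSTED["firefox.exe"]),
        # Unknown program (a dropped sample): denied by default.
        "unknown": decide(ALLOWLIST, "update.exe", b"MZ\x90\x00constructed-unknown"),
    }
    for allowed, reason in cases.values():
        print(reason)
    return {case: allowed for case, (allowed, _) in cases.items()}
```

Every legitimate update changes a program's fingerprint, so the allowlist has to be regenerated after each update; that maintenance cost is the stability trade-off the thread mentions.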
 
