Windows Home/Pro owner? Use Software Restriction Policies!
<blockquote data-quote="Andy Ful" data-source="post: 1005986" data-attributes="member: 32260"><p>Today I have repeated my tests (Windows 11 Home ver 22H2 Insider OS build 25201.1000):</p><ol> <li data-xf-list-type="ol">Turn off the Internet connection.</li> <li data-xf-list-type="ol">Start from the snapshot SAC ON.</li> <li data-xf-list-type="ol">Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged (Id=3033 and 3077). Event Log also logs that the 4 policies were refreshed and activated (Id=3099). One of these policies is <strong><span style="color: rgb(41, 105, 176)">{d2bda982-...}.cip</span></strong> (Windows Driver Policy), which is absent from the "\Active" directory.</li> <li data-xf-list-type="ol">Rename all policies in the "\Active" directory (reboot).</li> <li data-xf-list-type="ol">Run suspicious application = allowed. Check Event Log, events not logged (reboot).</li> <li data-xf-list-type="ol">Restore the names of the original policies in the "\Active" directory (reboot).</li> <li data-xf-list-type="ol">Run suspicious application = blocked with SAC alert. Check Event Log, blocked events logged.</li> </ol><p>So it is possible to enable/disable SAC without turning it OFF in the Security Center. I tested this with a disabled Internet connection. So some more tests are required.</p><p><span style="color: rgb(184, 49, 47)"><strong>I do not recommend this method on the real system, because it is not documented by anyone. </strong></span>(y)</p><p></p><p>Post updated.</p><p>When making a backup and restoring the policies (by copying them from the backup) the file permissions can be changed (lowered), so one has to do it by preserving NTFS file permissions. It is easier to rename the policies without removing them. In my test, I added the "B" letter at the front of the policy name.</p></blockquote><p></p>
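The quoted post checks SAC enforcement by hand: look at the Code Integrity event log for IDs 3033/3077 (blocked) and 3099 (policy activated), and look at which policy files sit in the "\Active" directory. The script below is an added example, not Andy Ful's code, that automates that check from the defender's side: it lists which files in the Active directory have the `{GUID}.cip` name that Code Integrity loads, flags anything with a different name (for instance a policy that was renamed with a leading "B", which would explain a silently disabled SAC), records the NTFS owner and ACL of each policy so a later restore can be compared against it, and summarises the recent 3033/3077/3099 events. The full path of the Active directory (`System32\CodeIntegrity\CiPolicies\Active`) and the seven-day lookback are my assumptions; the event IDs are the ones named in the post. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the quoted post): audit Smart App Control / WDAC
# policy state on Windows 11 from a defender's point of view.
# Assumptions: the Active policy directory path below is the standard
# CodeIntegrity location; event IDs 3033, 3077 and 3099 are those the post names.

$ActiveDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity\CiPolicies\Active'   # assumed path
$LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
$Since     = (Get-Date).AddDays(-7)   # assumed lookback window

# 1. Which policy files are actually eligible for loading?
#    Code Integrity loads files named {GUID}.cip, so anything else in the
#    directory (e.g. a policy renamed with a leading "B") is a sign of tampering.
$cipPattern = '^\{[0-9a-fA-F\-]{36}\}\.cip$'
$files    = Get-ChildItem -Path $ActiveDir -File -ErrorAction Stop
$loadable = @($files | Where-Object { $_.Name -match $cipPattern })
$suspect  = @($files | Where-Object { $_.Name -notmatch $cipPattern })

Write-Host ("Policy files in {0}: {1} total, {2} loadable" -f $ActiveDir, $files.Count, $loadable.Count)
foreach ($f in $suspect) {
    Write-Warning "Not a loadable policy name (renamed or foreign file?): $($f.Name)"
}

# 2. Record NTFS owner and ACL of each loadable policy. The post notes that
#    copying policies back from a backup can lower their permissions; keeping
#    this record lets you compare before and after a restore.
$aclReport = foreach ($f in $loadable) {
    $acl = Get-Acl -Path $f.FullName
    [pscustomobject]@{
        Policy = $f.Name
        Owner  = $acl.Owner
        Sddl   = $acl.Sddl
    }
}
$aclReport | Format-Table -AutoSize -Wrap

# 3. Recent Code Integrity events: 3099 = policy refreshed/activated,
#    3033 and 3077 = file blocked by policy.
$filter = @{ LogName = $LogName; Id = 3033, 3077, 3099; StartTime = $Since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Warning "No 3033/3077/3099 events since $Since. Either nothing was blocked or enforcement is not active."
} else {
    Write-Host "Event counts by ID since ${Since}:"
    $events | Group-Object Id | ForEach-Object { "{0,5}  x{1}" -f $_.Name, $_.Count }

    # The most recent 3099 activations show which policies the kernel actually
    # loaded, independent of what the Security Center UI reports.
    $events | Where-Object { $_.Id -eq 3099 } |
        Select-Object -First 4 TimeCreated, Message |
        Format-List
}
```

A healthy SAC-enabled machine should show only `{GUID}.cip` names in the Active directory and fresh 3099 events after each boot; a directory full of loadable-looking files but no 3099 events at all, or files whose names fail the pattern, is the condition the post describes and is worth investigating before assuming SAC is protecting the host.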