Can configure AppGuard to block vulnerable processes and file execution completely in Lock Down mode. Some malware, even in SUA can bypass UAC - and infect your system.
Sorry what is SUA ? I feel stupid. Also where can I download the trial version of AppGuard to try it ?
SUA = standard user account LUA = limited user account http://www.appguardus.com/support/products/AG44/AppGuardSetup-4-4-6-1.exe After July 1st, version 4.X will no longer be available; version 5.X will be offered.
I know and agree. There has been many years since I dropped LUAs/SUAs, better off with superb specialized extra protection.
Well I can confirm SUA with UAC deny elevation of unsigned and parental control with Smartscreen require admin consent works really well. Advantage of parental control is the option to allow programs on the fly (asks whether parent is around to grant access)
Yes, together with deny execute / traverse folder ACL for most vulnarable folders since parental control (as far as I know) only checks on executables (not dll etc).
Since Windows 8.1 you can use Windows Aps for skype, pdf, music, video and pictures stuff. So every program facing the internet can run in AppContainer (disabled IE and WMP). This reduces the vulnability of medium IL processes, hence increasing the strength of standard user. When you use Office, the TrustCenter has a lot of options to harden Office (e.g. disable Macro's, Active-X, Plug-ins, external content, etc). Documents folder is the only trusted location and it has deny execute/traverse folder ACL for Everyone. The other user folders are only protected by Parental Control. Because they are not in the my Documents trusted location, Office opens them in protected view as if they were from the internet. I have upped the Internet Settings to high, protect system DLL's, safe search DLL order and block DLL's from network to make parental control stronger (it only guards executables). All these precautions makes it pretty hard to misuse Office applications.
i also disabled them with SMB and XPS things. For internet-faced 3rd party apps , i have them portable for most (VLC, etc.) , HMPA-ized and sandboxed