SRP method

Discussion in 'other software & services' started by Rilla927, Sep 19, 2010.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    Actually yes. I answered this question already here. Another aspect would be that an already installed application executed as a limited user wants to change autostarts without asking you (although it may be a legitimate request). kafu would prevent that, so you have better control over what such an app is doing. The downside is that apps that you want to start automatically (like a local spam proxy) have to be started once with SuRun (not with runas!) to make this possible. And: Since you had to install this app with admin rights before, it would have been able to manipulate any autostart locations during the installation process anyhow. To sum up: kafu doesn't serve any useful purpose with LUA & SRP.

    It all comes down to a very simple rule: Only install trustworthy applications from trustworthy sources. If you follow this rule, a LUA/SRP combo is an excellent protection against nearly all threats.
     
  2. SAustn2

    SAustn2 Registered Member

    Joined:
    Oct 12, 2010
    Posts:
    72
    Location:
    Northeast Texas
    @Rilla No, I only use the Windows XP firewall. It doesn't ever seem to give me problems. I just looked under its Exceptions tab and none of the security apps are listed. The only one that's strange is Windows Media Player Network Sharing Service, which is listed 6 times for some reason. The only ones enabled with checkmarks are Network Diagnostics for Windows XP and Yahoo! Messenger. Seems like I read somewhere that the firewall in XP only blocks unsolicited inbound connections and not outbound, so I'm guessing the security apps wouldn't have a problem with retrieving updates since they're solicited.
     
  3. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    OK, thanks. In the future I can skip this part. Undoing it now would probably be a pita.
     
  4. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, I thought all d/l's went to the "Downloads" folder in my doc's only. I can create anything in notepad and save it to my desktop or my doc's and click open and it opens. Is this supposed to do that?

    My av is Emsisoft AntiMalware. At first I had put it in SuRun with elevated privileges and then took it out. When I click on the program it doesn't ask me if I want to run it elevated or not, it just opens. The circle doesn't change colors, it stays green.
     
  5. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Okay, XP has inbound only. It would be a good idea to use a firewall for outbound connections. Last I remember (someone can correct me if I'm wrong) WMP, Yahoo shouldn't need inbound connections.

    In fact I have all inbound blocked no exceptions. Then all my rules for outbound connections.
     

  6. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    Yes, that's fine. You have created a .txt file, which of course isn't executable. When you double-click it, it opens with Notepad, which itself is located in a place where you are allowed to execute executable files.

    This is also OK. The GUI is not running as system, so it stays green. The important part runs as a service, but you don't see it. Nothing to worry about. Avira does things a bit differently. The updater and the Luke Filewalker scan thing have their own GUIs, which is why the smiley turns to the red stop sign w/exclamation point when they run.

    BTW, with EAM you can set in the configuration what each user is allowed to do, you have probably seen that.
     
  7. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Referring to EAM, no I didn't see anything like that. It's probably right in front of me. Ever since this last escapade of malware on my system I don't let anyone use my computer.

    I told hubby and family they can use a Live CD, no exceptions cuz they don't listen.
     
  8. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    It's in the configuration, in German the tab says Berechtigungen (Privileges) I believe. For each user you can check off different boxes of things they are allowed or not allowed to do.

    LOL, I guess that's one way of dealing with it. OTOH, you could make them a separate limited account. That way they can only hose their own account. If they screw something up you just delete their account and it's all gone.
     
  9. SAustn2

    SAustn2 Registered Member

    Joined:
    Oct 12, 2010
    Posts:
    72
    Location:
    Northeast Texas
    @Rilla, But wouldn't Windows Media Player need inbound to retrieve missing album info, and doesn't Yahoo Messenger need inbound for when my friends talk to me or when I listen to the Yahoo radio plugin? Or if I block those, will those features still work?
     
  10. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    WMP (last I remember) connects out for that information. Here's a quick little test: uncheck both from inbound and reboot, and they should still work since you have no block rules in place for outbound. You can always recheck them if needed.
     
    Last edited: Oct 30, 2010
  11. SAustn2

    SAustn2 Registered Member

    Joined:
    Oct 12, 2010
    Posts:
    72
    Location:
    Northeast Texas
    Re: SRP method - Event Viewer Error

    Finally I found a couple of the errors caused by Software Restriction Policy. If anyone knows how I can make exceptions for these in SRP I'd be really happy to know, but if it's impossible then it's no biggie, since you guys have helped me already by telling me to use the Run As option, which isn't hard to do. Here are the errors:

    Date: 10/30/2010
    Source: Software Restriction Policy
    Time: 7:10:00 PM
    Category: None
    Type: Warning
    Event ID: 865
    User: N/A
    Computer: (my computer's name)
    Description: Access to C:\DOCUME~1\(MyUsername)\LOCALS~1\Temp\SSUPDATE.EXE has been restricted by your Administrator by the default software restriction policy level.

    That one's for when I try to update SuperAntiSpyware from my limited account. The program SuperAntiSpyware let me install it for all users. This other one's from Yahoo Messenger:

    Date: 10/30/2010
    Source: Software Restriction Policy
    Time: 7:35:46 PM
    Category: None
    Type: Warning
    Event ID: 865
    User: N/A
    Computer: (my computer's name)
    Description: Access to C:\Documents and Settings\All Users\Application Data\Yahoo!\YUPDATER\YUPDATER.EXE has been restricted by your Administrator by the default software restriction policy level.

    I'm not really sure what YUPDATER.EXE does, but it doesn't seem to stop the Yahoo Messenger program from working.

    @Rilla I'm fixing to go back into my administrator's account and try what you said about the little test, but I'm assuming you mean to uncheck the exceptions for the programs. WMP network sharing is already unchecked but I'll try unchecking Yahoo Messenger and see if it still works, thanks. PS HAPPY HALLOWEEN ALL!!
     
  12. wat0114

    wat0114 Guest

    Re: SRP method - Event Viewer Error

    You should be able to add those paths to Additional Rules. Just open the folder, right click and choose New Path rule... then add the paths to the executable that were blocked.
     
  13. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Used SRP for quite some time, became more annoying than a HIPS :D, and sometimes rules would work and sometimes not :thumbd:
    So I got rid of it :D
     
  14. tlu

    tlu Guest

    I've been using SRP for years, and I've never had this problem. If the New Path Rule addresses the correct executable it works. Period.
    Quite obviously, you did something wrong. SRP is much easier and much less troublesome than any HIPS.
     
  15. wat0114

    wat0114 Guest

    Absolutely, unequivocally right.

    It seems like people are having difficulties with SRP, and AppLocker for that matter, with executables that need to run under the "less conventional" directories such as user\john-jane doe\Appdata or user-john\jane doe\Application data. An example of one I've got for AppLocker:

    %OSDRIVE%\Users\myson\AppData\LocalLow\Panda3D\hosts\ToontownOnline\*

    A few of these type are going to be necessary for everything to work right. It's up to the user to do a little digging, then create the rules needed.
     
  16. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    You obviously fudged up somewhere. Read this guide, SRP made simple.

    BTW, if you aren't using a limited account I don't see much point in setting up a SRP.
     
  17. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Re: SRP method - Event Viewer Error

    Are you using SuRun? If not, it would address these problems.

    Yes, uncheck WMP and Yahoo for inbound connection and see.
     
    Last edited: Nov 1, 2010
  18. SAustn2

    SAustn2 Registered Member

    Joined:
    Oct 12, 2010
    Posts:
    72
    Location:
    Northeast Texas
    So would my New Path Rules look like this: C:\DOCUME~1\(MyUsername)\LOCALS~1\Temp\SSUPDATE.EXE as written in the Event Viewer, or C:\Documents and Settings\(MyUsername)\Local Settings\Temp\SSUPDATE.EXE as it's listed on the address bar in Windows Explorer?

    And then for YUPDATER I'm guessing to make the rule the same as it looks in Event Viewer, like this? C:\Documents and Settings\All Users\Application Data\Yahoo!\YUPDATER\YUPDATER.EXE Oh, and I have a question: if I make these rules for these parts of Documents and Settings, will SRP still keep executables from running from there, besides these 2 exceptions? Thank you all very much for your input. Hopefully this won't be too hard lol.

    Hey Rilla, all my exceptions in Windows Firewall are unchecked and I haven't come across any problems so far. Yahoo Messenger is still working fine; do you think that exception is only for file transfers in the messenger program? Also, I haven't put a check mark in the "Don't allow exceptions" box under the General tab like you've done, except on yours it says "Block all incoming connections". Would you check that also if you were me? I like how it shows all the additional information behind your Windows Firewall dialog box; is that Vista? Oh, I almost forgot: no, I'm not using SuRun. It sounds like it would be very helpful though. I guess I was afraid it would add an extra process; I guess I'm kind of a TweakFreak o_O lol.
    Thanks again everyone!
     
  19. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
     
    Last edited: Nov 2, 2010
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    OMGGG HAHAHAHA, I felt everyone was against me :D J/K :thumb:

    Yeah, I actually set up SRP and it DID work for quite some time (1 month) without any flaws, then everything started to get boring and I started playing with apps, and every single time I played with new apps I had to create rules "DUH" (while in a HIPS I just set it to learn mode and then check the rules) :thumb: :thumb:
    Then came the appcrash with the Flash Player files in System32. I allowed every single damn thing from Flash Player (I knew which files were affected each time, Event Manager :thumb: ) and for some reason it wouldn't work.
    So I just got annoyed and deactivated it :D

    And installed MD over it :D
     
  21. tlu

    tlu Guest

    No offense meant - but if this was really necessary it seems that you simply don't understand the basics behind SRP, or something is misconfigured. You should really carefully read http://www.mechbgon.com/srp/

    Any application that complies with Windows standards should install itself into a subfolder of c:\Program Files. New Path rules are only necessary for applications that want to be installed (and executed) outside of the c:\Program Files folder in a new folder under c:\ (but you usually have the chance to correct this during the installation process) and for a few applications that save an executable in the Documents and Settings/Users folder. But these are exceptions - it should definitely not apply to "every single time" you played with new apps.

    And if you happen to install an app that wants to save/modify settings or data in its installation folder (rather than in Documents and Settings/Users as it should), this has nothing to do with SRP - it's simply due to the fact that its programmer is incompetent or still living in the age of Win 9X (since a limited user or a user working under UAC has no write permission for c:\Program Files).
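
The two Event ID 865 records quoted earlier in the thread, and the question of whether a New Path rule should use the short (DOCUME~1) or the long form of the path, lend themselves to a small worked check. The following is an added example, not code from the thread or from SRP, SuRun or any other tool discussed here. It parses SRP warning entries in the run-together one-line form they were pasted in, normalises the blocked path, and tests candidate path rules against it, so you can see which rule is the narrowest one that unblocks the updater and which would re-open a whole folder. The sample events (user "alice", computer "PC1"), the 8.3 short-name table and the environment values are constructed for this example; on a real machine they would come from the file system and the user's environment.

```python
"""
Added example (not code from the thread or any project it discusses): parse
SRP "Event ID 865" warnings and check whether a proposed New Path rule would
cover the blocked executable, so the narrowest exception can be chosen.
"""
import re
from dataclasses import dataclass

# Constructed sample entries, in the run-together one-line form the thread
# quotes them in. Username "alice" and computer "PC1" are placeholders.
SAMPLE_EVENTS = [
    r"Date: 10/30/2010 Source: Software Restriction Policy Time: 7:10:00 PM "
    r"Category: None Type: Warning Event ID: 865 User: N/A Computer: PC1 "
    r"Description: Access to C:\DOCUME~1\alice\LOCALS~1\Temp\SSUPDATE.EXE "
    r"has been restricted by your Administrator by the default software "
    r"restriction policy level.",
    r"Date: 10/30/2010 Source: Software Restriction Policy Time: 7:35:46 PM "
    r"Category: None Type: Warning Event ID: 865 User: N/A Computer: PC1 "
    r"Description: Access to C:\Documents and Settings\All Users\Application Data"
    r"\Yahoo!\YUPDATER\YUPDATER.EXE has been restricted by your Administrator "
    r"by the default software restriction policy level.",
    # An unrelated (constructed) event that the parser must ignore.
    r"Date: 10/30/2010 Source: Service Control Manager Event ID: 7036 "
    r"Description: The Windows Firewall service entered the running state.",
]

# Constructed 8.3 -> long-name table for this sample machine (assumption:
# on a real system these come from the file system and may differ).
SHORT_NAMES = {
    "DOCUME~1": "Documents and Settings",
    "LOCALS~1": "Local Settings",
}

# Constructed environment of the limited user: what %TEMP% and friends would
# expand to in a path rule for this sample user (assumption for the example).
SAMPLE_ENV = {
    "USERPROFILE": r"C:\Documents and Settings\alice",
    "TEMP": r"C:\Documents and Settings\alice\Local Settings\Temp",
    "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users",
    "PROGRAMFILES": r"C:\Program Files",
}

EVENT_RE = re.compile(
    r"Event ID: (?P<id>\d+).*?Access to (?P<path>.+?) has been restricted"
)


@dataclass
class BlockedExec:
    time: str
    path: str  # normalised: long names, lower case


def normalise(path: str) -> str:
    """Expand 8.3 components from the constructed table and lower-case the
    path, so a rule written in either form compares equal to the event path."""
    parts = [SHORT_NAMES.get(p.upper(), p) for p in path.split("\\")]
    return "\\".join(parts).lower()


def parse_events(lines):
    """Return one BlockedExec per Event ID 865 record; other events are skipped."""
    blocked = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m.group("id") != "865":
            continue
        t = re.search(r"Time: (\S+ [AP]M)", line)
        blocked.append(BlockedExec(t.group(1) if t else "", normalise(m.group("path"))))
    return blocked


def expand_rule(rule: str, env=None) -> str:
    """Substitute %VAR% tokens from the (sample) environment, then normalise."""
    env = SAMPLE_ENV if env is None else env
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), rule)
    return normalise(expanded)


def is_folder_rule(rule: str) -> bool:
    """Heuristic: a rule ending in '\\' or '*', or whose last component has no
    extension, names a folder and therefore covers everything beneath it."""
    stripped = rule.rstrip("*\\")
    return rule != stripped or "." not in stripped.rsplit("\\", 1)[-1]


def rule_covers(rule: str, path: str) -> bool:
    """Path-rule matching as modelled here: case-insensitive; a file rule
    matches that file, a folder rule matches the folder and all its contents."""
    r = expand_rule(rule).rstrip("*\\")
    return path == r or path.startswith(r + "\\")


def evaluate_rule(rule: str, blocked):
    """Which blocked executables a candidate rule would unblock, and whether it
    is a folder rule (which re-opens the whole folder, not just one file)."""
    covered = [b.path for b in blocked if rule_covers(rule, b.path)]
    return covered, is_folder_rule(rule)


if __name__ == "__main__":
    blocked = parse_events(SAMPLE_EVENTS)
    for b in blocked:
        print(f"{b.time}: {b.path}")
    for candidate in [
        r"%TEMP%\SSUPDATE.EXE",                           # narrowest: one file
        r"C:\DOCUME~1\alice\LOCALS~1\Temp\SSUPDATE.EXE",  # same file, 8.3 form
        r"%TEMP%\*",                                      # whole Temp folder
        r"%ALLUSERSPROFILE%\Application Data\Yahoo!\YUPDATER\YUPDATER.EXE",
    ]:
        covered, folder = evaluate_rule(candidate, blocked)
        print(f"{candidate!r}: unblocks {len(covered)}; folder rule: {folder}")
```

Run as a script it lists the two blocked executables and shows that a rule naming the single file (in either path form, once normalised) unblocks only that updater, whereas a rule on the Temp folder unblocks it too but reports as a folder rule, which answers the "will SRP still keep other executables from running from there" question in the negative for that folder. The example only treats the 8.3 and long forms as the same file for comparison; it does not decide which form SRP itself requires, so confirm the chosen rule against the Event Viewer on the machine. Microsoft's SRP documentation also notes that rules written with environment variables are expanded in the user's own environment, so a literal path (or a hash or certificate rule) is the stronger choice where the user can influence those variables; the expansion here is only for comparing forms.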
     
  22. SAustn2

    SAustn2 Registered Member

    Joined:
    Oct 12, 2010
    Posts:
    72
    Location:
    Northeast Texas
    Ok thanks guys, I'm fixing to go check out the tutorial that tlu posted earlier: SuRun tutorial and also the link from Rilla: http://www.dedoimedo.com/computers/surun.html. Hey no problem Noob, I appreciate everyone's advice. Just like the other day I tried to configure tighter security zones in IE8 but had all kinds of problems trying to get to my Hotmail, and then when I finally got it to load by adding *.live.com to Trusted I was not able to click on any of my email folders; it felt like JavaScript wasn't working. So I had to put IE8 back to its defaults and re-enable SpywareBlaster.
     
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    @SAustn2

    How many users do you have on your computer?

    Just some info in regards to SuRun: Right before you're ready to install it you need to create another Admin account (this will be your Limited account you will use all the time). I named mine SuRunner so I didn't forget. And then install SuRun from your original Admin account (the one before SuRun) and log off and log into your new account and configure SuRun. The very first thing you must do is add the SuRun account (whatever name it is) to the SuRunners group. This will take away admin rights from that account, and that's what you want it to do so you end up with a limited user account.

    If you want me to go further I can post some screen shots for you, just let me know.
     
  24. SAustn2

    SAustn2 Registered Member

    Joined:
    Oct 12, 2010
    Posts:
    72
    Location:
    Northeast Texas
    Hi Rilla, sorry it took me a while to post on here; we've been painting the outside of the house, and in my free time I've been reading a lot of the articles at dedoimedo. It's very interesting reading (that would be neat if a user could get away with not having to use antivirus programs, but I'm not sure what all it takes to do that). Thank y'all for the link.
    I have 4 user accounts: the hidden built-in administrator, my administrator, my regular user and the guest account, which is disabled.
    Would I need to get rid of my old accounts or will SuRun run inside those also? And since I have disabled some Windows services I'm not sure which ones are needed for SuRun to work properly. I didn't notice service requirements at either dedoimedo or at Kay's site but I may have overlooked it somewhere. I guess I could always download the registry file from BlackViper's site to set all my services back to default, or else I could run back through them with the tweak guide I used, since he has both the default and tweaked settings listed. Also I don't know if it's a good idea to disable the SRP before installing SuRun and then enable it again afterward. Thanks :)
    I guess the main reason I started trying to secure my computer is sorta like yours, KIDS lol, except in my case it's my young nephews and niece when they come to visit; they always seem to get a computer infected with mywebsearch from playing some game called Zwinky. So now I try to ask what site they're gonna go to, then use Norton Safe Web to check to see what they say about the site.
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Install Shadow Defender, then go into shadow mode when others use your computer. Reboot, bye bye problems. Very easy fix for such a problem. Learning SRP is good too. Sometimes there is more than one right tool for the job.

    Sul.
     