How much would I shoot myself in my own foot by doing this? At least for 2015's standard. Thank you for the help.
I'm not a Comodo user, but it appears you're using all kinds of block rules to control what specific applications can do, which tends to make things cumbersome when using an anti-executable. Is it possible to use a default-deny approach, and just allow what applications can do, then the rest will be denied by default? Your rules could be: allow execution in Program Files and Windows (except user-writable directories), and that's it. The rest will be "default-denied". BTW, I see no reason to feel insecure about allowing whatever you need in user-space, so long as you create fairly granular rules for them, even if they're Path rules.
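
The default-deny path policy suggested in the post above, sketched as an added example (it is not part of the thread and not Comodo's rule engine). The allowed roots, the writable-exception list and the function names are assumptions chosen for illustration.

```python
import ntpath

# Assumed policy values (illustrative, not taken from the thread or from Comodo).
ALLOW_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows"]
# Constructed sample of user-writable subfolders; build the real list by auditing ACLs.
WRITABLE_EXCEPTIONS = [r"C:\Windows\Temp", r"C:\Windows\Tasks"]


def _norm(path):
    """Collapse '..' and '.', unify separators and case before any comparison."""
    return ntpath.normcase(ntpath.normpath(path))


def _is_under(path, root):
    """True when path is root itself or lies below it (whole components, not a string prefix)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def decide(exe_path):
    """Return (verdict, reason) for an execution request under a default-deny path policy."""
    if not ntpath.isabs(exe_path):
        return "deny", "relative path"
    # Exceptions are checked first so a writable folder inside an allowed root stays denied.
    for exc in WRITABLE_EXCEPTIONS:
        if _is_under(exe_path, exc):
            return "deny", "user-writable exception " + exc
    for root in ALLOW_ROOTS:
        if _is_under(exe_path, root):
            return "allow", "under " + root
    return "deny", "default deny"


if __name__ == "__main__":
    # Constructed execution requests, not real log entries.
    for request in [
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
        r"C:\Users\bob\Downloads\setup.exe",
        r"C:\WINDOWS\Temp\dropped.exe",
        r"C:\Program Files\..\Users\bob\tool.exe",
        r"C:\Program Files Evil\tool.exe",
    ]:
        print(request, "->", decide(request))
```

String normalization does not resolve 8.3 short names or junctions, so an enforcing product has to compare the resolved real path. The policy is also only as strong as the ACLs that keep standard users from writing into the allowed roots.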
Maybe this might help? Using Comodo Internet Security as an anti-executable http://forums.comodo.com/guides-cis-b130.0/-t60303.0.html
@wat0114 I've turned D+ into some kind of a default-deny policy-restriction HIPS. The rest are basically done but the execution control is the one that still bothers me. I can just make specific rulesets for each app, but that would make it a little harder for me to monitor. Giving a default-permit execute policy of apps to UAC-protected folders can be a way, but I am not certain if this would be a good idea or not. This seems to be heavily reliant upon UAC, which I'm starting to dislike. @safeguy Thanks, but I've already configured it as default-deny. Only thing is I do not know whether or not creating a default-permit execute policy for user-space apps in UAC-protected folders would be a stupid idea.
Eh screw it. I still deny permission to create child processes for apps that don't need it, and I create specific rulesets for specific apps that need to launch other executables, of course only to the specific executables that need to be accessed. No whole-folder allow permission for you. The log surely does help a lot. Windows 8.1 Pro 64-bit.
Why not contain a few applications from Program Files by D+ (the usual suspects), block all from user space, except a few installer programs and let UAC/IL-levels handle the rest? Here is my take on it: What are the currently available anti-executable options? worded by RMUS
I did. However, I was wondering if giving an allow-execute permission to UAC-protected folders would be a safe thing to do. And after much thought, I've now decided against that idea. If I need to create specific rulesets for all the apps I have installed in my system, so be it. I can't help but keep worrying if the app would get hijacked to create an executable in the program's folder and execute it to launch an intrusion. Oh no, I'm more paranoid than that. Not allowing that to happen.
If you have UAC enabled, that program would have to elevate to be able to write to the Program Files folder.
True, but I consider UAC to be a piece of crap these days, for whatever purpose it was intended for. I can't trust it anymore.
I still trust it and believe that it will notify me when a program tries to elevate its rights. OTOH I don't expect it to do anything more.