Easy security for anti-exploit & anti-ransomware

The developers mailed me that SecureFolders also stops DLL's (when no-execution is selected), so the safe-DLL Search mode tweak I posted in earlier thread with Securefolders is not nessecary.

 

Hi.
May explain why it is necessary to disable "Certificate trust pinning"?
TH.

 

Ditto. I was curious about the same comment.

 

I also have a better security solution for your e-mail client. Just set it to only accept e-mail in plain text format. That is what I do.

 

Mark Loman has already replied to this. The thing is, file and folder protection tools do not monitor for code injection, and they also don't monitor parent-child process relationships, so what if a malicious app starts a trusted app (process hollowing), then it's also game over.

Of course you can stop ransomware attacks via anti-exploit, that's no surprise, if it can't launch it can't do any damage, but that's not the point of this thread I think. So basically, it's not a bad idea to use SecureFolders, but it needs back up from a HIPS, like the one in HMPA.

 

Yeah, I always do this too.

SecureAPlus will cope with it (and more threats) by another approach IN THE FUTURE version, i.e. process protector and application binding. PP is code injection blocker which protects specified processes from injection. AB determine what file types can be opened by what program so that only specified program can access corresponding file types. e.g. Only Adobe Reader should access .pdf, etc.

 

I saw your quite detailed overview in the SecureAPlus thread, it's interesting but I just don't like the app because of several reasons.

 

That's okay, everyone have his preference and I basically don't push certain product to others.
Maybe one of your reasons is its massive cloud usage, right?

 

so, with MBAE Premium I don't need EMET, or it's limited to office documents?

should I change anything in my MBAE configuration to get your EMET setup?

http://i.imgur.com/HZJnhgH.png
http://i.imgur.com/lk8e7OC.png
http://i.imgur.com/2AReFcv.png
http://i.imgur.com/zOfFQyJ.png

 

That is one of the reasons, but I also like EXE Radar's simpler approach.

 

Yes with MBAE premium, you don't need EMET. Add your mail program to the protected programs (use template Office).

 

Not nessecary, most people don't know how to use this and I had read that the dll is now also injected into Chrome and gave some problems.

 

To start SecureFolders in silent mode add the following command line parameter

-autotask

 

It is true.

 

thanks

 

It's necessary if you want protection against man-in-the-middle activity on your secure financial web sites. Also, unlike other products that claim to provide MITM protection, you can verify that EMET's protection is working.

On x86 systems, EMET's cert protection works fine. On x64 systems when using IE with EPM set on, there are some issues. I have developed a work around for these; see my postings in the EMET thread. And yes, it does require updating when a pinned web site cert expires.

 

@itman

The question was is it necessary to DISABLE cert pinning, I intended to make clear that it is not necessary to disable it. Please post the links in this thread also, so people who want to use cert pinning know how to tackle these x64 issues.

Thx in advance

Kees

 

Here's the post.

 

Some background info on disabling dynamic content in office programs https://zeltser.com/malicious-code-inside-office-documents/

 

Why put windows explorer as trusted? it works for me and I don't have it as trusted

 

Here's my settings, currently no trusted apps
Do I need to whitelist any apps in the program data and users folders?

 

@Overkill

I will look at it next week.

Regards kees

 

No-execution (ProgramData & Users)
Most programs update using temp. When you disable SecureFolders before updating it is no problem, otherwise yuu should add windows update and chrome update to the trusted applications

Read-only (D:\ probably your data partition)
You should whitelist your user applications (explorer, notepad, mspaint, photoviewer, word, powerpoint, spreadsheet) to the trusted applications to allow themn to write to this partition

 

Thanks

 

Nice info here as well, wonderful!