Trialing Locked Admin

All those nice free programs, just ask to be combined into a layered setup. I am trailing this combination for just a few hours, so please make an image backup before trying out. I am using a Windows 7 32 bits OS.

MalwareBytes Anti-Exploit as easy and free anti-exploit
Crypto Prevent PORTABLE which is based ONLY on SRP and makes it harder for ransomware to run from user folders.
SecureFolders, to protect my data partitions (drives D, E and F) against illegal write access (e.g. ransomware).
ToolwizTimeFreeze, just updated for protection my system drive C (against changes)


Download malware bytes antie-exploit from https://www.malwarebytes.org/antiexploit/
Download Crypto Prevent PORTABLE from http://www.softpedia.com/get/PORTABLE-SOFTWARE/Security/Portable-CryptoPrevent.shtml#download
Download SecureFolders from http://securefoldersfree.com/ (it is clean, checked at VT)
ToolwizeTimeFreeze from http://www.toolwiz.com/en/products/toolwiz-time-freeze/

Install/run them in that order

Disable automatic update (upgrade) of MBAE, because TTF will remove that after re-boot. No notification is just my personal preference, leave it on when you want to.



Cryptoprevent portable ONLY applies SOFTWARE RESTRICTION POLICIES, no execution filter with fingerprint blacklist, according to Q&A

 

Secondly install SecureFolders (SF), set it up completely before installing ToowizTimeFreeze (TTF)

First add the applications which you want to allow access to the protected drives

 

Second add the user folders to protect.
- first set a no-execution on folders which are often used for drive by infections.
- second protect your data folders with read-only (dis allows other programs to read for ease of use)




Desktop is the name of the computer. I have also password protected Secure Folders

 

Install TTF and make sure to exclude your Chrome User, Internet favourites and Outlook Mail folders for ease of use (SF has set a no-execute on those folders anayway). Now start TTF (reboot) and browse with peace of mind.


P.S.
When you add an exclusion folder e.g. Your C:\Users\[user name]\Desktop, don't forget to add it as a NO-EXECUTION folder in Secure Folders also.

 

Before updating windows or other programs, you only have to stop TTF (see pic).

 

1+3+4 combo is running on my system(s) for months. Not a conflict yet. Before SecureFolders i used the TimeFreeze+EasyFileLocker combo for protecting System+DATA, respectively.

Mind if i ask what more does 2 bring on the table in comparison to (your favorite) Whitelisting/Anti-Execution approach? (ease of updating?)

 

@CGuard

Thanks for confirming it runs well on your computer for months, so I should have named this setup Guarded Admin , maybe a mod is willing to change the title of this thread.

Indeed, primary reason for choosing BD anti-ransomware was to lower user interaction and required knowledge of user.

Second reason is, because they use different security mechanisms:
- CryptoPrevent Portable is ONLY using Window's Software Restrictions Policies (internal mechanism)
- Secure Folders is problably using Window's Access Control List (internal mechanism) forced through an installed driver
- Malware bytes anti-exploit filters running processes and injects its own-dll to monitor actions from within the process
- Toolwiz Time Freeze virtualizes system drive, by filtering disk access

Third reason, in the Safe Admin thread the new Beta of ERP is also mentioned.

regards Kees

 

Do you make any changes to the advanced settings? Any of the four tabs there? In MAlwarbytes Anti-Exploit?

 

No they are good as they are, see first post for MBAE. Idea was to configure a layered defense which was easy to use, with little tweaking and facilitating people who like to try out programs (safe admin is more for people with 'steady' setups).

 

@Windows_Security

If it wasn't for your introductory-to-SF thread (BTW and OT: CrowdInspect is another recent discovery of yours, which i've added to my security toolbox) and/or your ability to utilize apps/approaches to the max ("UAC+SF=LUA effect on a admin account" being your latest contribution), that setup wouldn't be possible. So, my confirmation comes far second, here.

Just to clarify something: BD-AR blacklists the entire Appdata and StartUp folders or only the abovementioned 1st levels?

BTW and OT #2: TimeFreeze+HMPA (auto-updating)=complete nightmare (@anyone interested).

 

Quick Q. On #2 Wouldn't CryptoPrevent also be an alternative?

 

Yeah. Just wanted to ask the same question
What is the advantage of Bitdefender CryptoWall compared to CP or HMP.A (or even combination of both)?

 

It's free

 

Hi All

I was using BitDefender Cryptowall yesterday, on reboot I found it was not remembering settings. Even when it first installs you have to manually set the Immunisation to on.
Anybody any idea why the settings are not remembered?

Thanks

Terry

 

@pablozi, @EASTER, @TerryWood

Because of the issue Terry reported, I checked the tip posted by Easter in detail.

HMPA is not free as explained by ROPchain and overlaps to much with MBAE-free

I thought CryptoPrevent was not free anymore . Also it was not based on Software Restriction Policy solely anymore. This extra feature is a disadvantage in this setup (because it adds another execution filter). Luckiliy I discovered that it is possible to download CryptoPrevent Portable without providing your email address and even better, read that CP Portable (CPP) is ONLY based on Software Restriction Policies. Also CPP has a broader SRP coverage as BD-AR, so dropped Bitdefender Anti-Ransomware for CryptoPreventPortable

@TerryWood
Please stop TTF protection, de-install Bitdefender AR, run CryptoPrevent Portable, reboot and try to run an executable from your user's startup folder. Also that note I made a small adjustment to TTF exclusion and no-execution folder of SF (Chrome User data), see first posts



Regards Kees

 

@Windows_Security
But MBAE is very limited in free version. Maybe it would be better to replace it with EMET which can cover more software than only browsers and JAVA?

 

You can always use EMET on software that is not protected by MBAE. Although I would not bother about the Java protection, the last vulnerabilities that have been targeted by EKs are from june 2013 iirc and you can just disable java in your browser.

 

MBAE is easier to use. But when you know how to, just add EMET for the other applications as ropchain explained. The real value of EMET is to use ASR and block scripting dll's in Office programs. I have explained that in this post I wanted this configuration to be easier to set up (also the other three protections will reduce risk of exploits in other programs).

 

I could never get EMET to work on my machine even with all security software disabled. Tried many configs but always had a problem with one and can't remember now which one it was. That was a few months ago. Is there a newer build I could try now?

Thanks

 

What I wonder is if not using timefreeze or a program like Quietzone and using other software to lock down your pc is using more or less resources.
Why not just use a paid antiexploit and good Av and a Reboot all gone setup? All I know is EMET don't work on my pc and the setup I have now does with little resources.

 

Wonderful simple security arrangements as always Kees

With Windows 8 as my only Live box for awhile now, it is become increasingly more important than ever to make the absolute MOST with the absolute LEAST of what is currently free and available. I already tried the routine all-in-one AV route and it (as always for me) proved once again woefully inadequate. And that was clearly evidenced by having fell victim to an earlier brand of Mr Crypto this year. In essence, another vital lesson learned yet again. Stick with Layered Defense just like this and more and there is much less risk as well as less resource useage to have to deal with.

 

@Windows Security - Cool tools but is there any reason you don't use the built-in SRP, ACL settings? Is it just a matter of convenience?

* Obviously Toolwiztimefreeze doesn't count in above

 

Just curious what advantage there is in using Cryptoprevent portable, over Software Policy (SSRP)?

 

One advantage of CryptoPrevent is it implements SRP on versions of Windows that don't include the Group Policy Editor. It also implements restrictions on many more locations than Bitdefender Cryptowall Vaccine (which only locks %appdata% and %startup%). See the screenshot of CryptoPrevent default settings.

Note also that Kees is suggesting using the default protection level in CryptoPrevent.

 

Yes you are completely right, that is where I gor the idea from.

A family member has two kids 14 and 12 and got tired of restoring an image when his kids had installed all kind of ****. So he asked how those internet café's protected their PC's against changes (because he asumed that they would have simular problems).

I use to trail a setup for a week or two, before I install it on the PC of someone else.

I am now back on my normal setup using OS (WFW, SRP, ACL, UAC, 1806) and application hardening (mail in text format, disable macro's, plug-ins in office etc).

Regards Kees