Freeware setup giving malware a hardtime to intrude your system

Required skill level
a) Knowing how to change UAC level
b) Knowing how to configure EMET
c) Knowing how to use notepad
d) Knowing how to create an elevated task
e) Knowing how to use regedit

Works on Windows 7, 8, 10

Required software
1) UAC + Smartscreen
2) StartupSentinel Free
3) MBAE Free
4) EMET Free
5) SmartObjectBlocker Free

Preperation
1) Set UAC to full (best also set Smartscreen to UAC approval)
1) Install StartupSentinel (warns for HKCU autorun changes)
2) Install MBAE Free (that's all)
3) Install EMET (when you have MBAE Premium, skip EMET tweak)
4) Install SmartObjectBlocker

Basic concept of this security setup
Lock down user space, but allow for easy update of trusted publishers (set and forget security)

Windows Enterprise strength security
When you implement all these tweaks, you will get NSA/SANS strenght security at kernel level (easier and stronger as tweaking Group Policy settings with Applocker on a Windows Enterprise version), so consider a donation to the developers which made this possible:
- @novirusthanks (Andreas for SmartObjectBlocker)
- @Kyle_Katarn (Kyle for StartupSentinel)

Question: Do I need an extra sandbox and or Scriptblocker with this setup?
a) Sandbox - Only when you use Firefox or FF based browser.
b) Scriptblocker - NO, AdBlocker/AdGuard/uBlock (default) for Ads and Trackers will do

 

EMET tweak

Remove all browsers from EMET, simply because MBAE free takes care of them. When you have MBAE Premium, you don't need to install EMET.

Have a look at all programs interpreting scripts like PDF Readers, Mail, Media Players and Office applications: enable ASR option and copy this "flash*.ocx; vbscript.dll;j*script.dll;python*.dll"

This blocks javascript, vbscript, python scripts and Adobe Flash embedded in (open) office documents (does anyone knows the name of Libre Office Basic DLL?) When you use Visual Basic in Office, don't include vbscript.dll

Scripted content (javascript, pythonscript, vbscript, powerscript) and rich content (silverlight, shockwave and flash) are nearly always used to take control of program execution. By blocking these DLL's through ASR you made these programs less vulnarable to malware and exploits attacks.

WIth UAC + Smartscreen (both onFull), MBAE, EMET and StartupSintenel you wil block most of the user space malware. As always closing the last 20% takes 80% percent of the configuration effort.

 

SmartObjectBlocker tweak

This reduces attack surface from from user space to a few whitelisted vendors in TEMP. So increased security while still being able to update trusted.

Andreas has changed defaults , so we now only need to focus on behavioral mode configuration files. First step is to empty the DLL, Driver and Process BLOCK RULES. Next open EXCLUDE db in Exclude rules folder (subfolder of SmartObjectBlocker installation folder) and copy tit from the attached Rules configuration file in plain text (Exclude.txt).

After copying the content from the attached Exclude.txt file, you Exclude config file should look like (save it in SmartObjectBlocker/Exclude folder).


Remember
99% of all regular installs are always initiated from TEMP folder. Malware often tries to drop code in other user space locations. Installs from other USER SPACE locations are blocked by default (at kernel level). SOB checks the publisher which is the organization who produced the software. UAC will check whether it is a regular signed executable (different colour code), so SOB + UAC make sure the digital signature is OK for that specific publisher (so no problems with signed malware)

When you want to add your AV or on other program which updates itself, just richt click that executable and click on the digital signature tab, see picture below. Add two rules (%FILE% and %PROCESS%) for that publisher (%PUBLISHER%), by copying text in picture below (NoVirusThanks Company Srl) in blue, to the tekst in blue in above picture (Microsoft Corporation).



Add a %FILE% and %PROCESS% exception for every program which updates (All Microsoftware and Google software is allready allowed with example above).

 

Edit block rules for SmartObjectBlocker in Behavioral mode

Block User data and all partitions. My DVD reader is F, that is why I have EXcluded F-drive from the list. The drives G, H, I, J are to lock down all four USB ports on my system (so when you have more, you might add more letters).
I assume that seasoned security forum members won't install software outside protected folders. When you do have software running from user space, forget about this weak (no need to harden when you open the back door yourself)

For convienance I have uploaded the Block DLL/Driver/Process configuration files as text file (see attachements). Update the configuration files in SmartObjectBlocker/Block folder.

Change DLL and Driver block rules as shown in picture below



Now change Process block rules as shown in picture below



As with DLL and Driver all executions from user space are blocked (with UAC on full AppData is also protected by UAC) .

The command line blocks the dangereous EVAL function in javascript, which is used in many exploit attacks. Eval will be limited in future javascript engines, so you don't need this EVAL anyway

The %PARENT% option blocks the process with the name behind it to launch other processes. This is also a strong container to prevent spawning of malicious processes (I have all these processes from within by EMET)

I don't have included Chrome as an process not allowing to spawn other processes. All renderer processes of Chrome are already limited with the Job Object limitation of Chrome's sandbox and MBAE Free is watching Chrome in an intelligent way (also includes blocking of downloading and starting of malicious code), for ease of usage and system stability let's keep it that way (and leave it to the experts of MalwareBytes corporation)

 

Now test drive your software by launching SmartObjectBlocker, run all the software you have protected for a while (also to check whether PUBLISHER holes you added for updating programs work). When you run into an error, just close SMartObjectBlocker and you are good.

When you are sure everything run's fine, make SmartObjectBlocker start with system. For time being this has to be done throug this trick, for final release I think Andreas will offer a launch with windows option in future (so this last step will be redundant).

1. Creat an elevated task with -hidegui




2. Add startup to HKLM RUN with regedit




Tested this set and forget setup (no need to disable when updating) on Windows 10

 

@MrBrian @J_L

Could you update Safe_Admin link in best security freeware list?

Thanks

Kees

 

OK, but what about old links? Will you link them here, should I keep them on list, or ignore them altogether? Currently, I'm only keeping the latest link of Safe_Admin.

 

Thank you for recommending my Startup Sentinel

 

@J_L

Thanks, I would suggest to keep the latest only (this one). It is easier to use (no need to disable software when updating programs).

@Kyle_Katarn

You are welcome, it is a great little application which closes autorun risk in a smart way (HKCU when UAC on, HKLM + HKCU when uAC off)) and it is signed and free

Regards Kees

 

Hah ha. Finally got around to reading this thread. Amazing isn't it what a difference for the better just a few added tweaks can make for security.

What a job!

 

I forgot the tips of Mr Brian (about closing Windows holes), so let's include the common blacklist rules as advices by NSA (see page 7 of this PDF). Yes TEMP is omitted because we want convienance of set and forget (allow trusted updates) and YES there are a few more folders blocked (information from SANS security org )

For ease of convienance I will use SmartObjectBlocker %WINDOWS% variable so everybody can copy this text below to Block Rules

Text for DLL and Driver is the same, so I will add them only once, add these lines
[%FILE%: %WINDIR%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*]
[%FILE%: %WINDIR%\debug\*]
[%FILE%: %WINDIR%\PCHEALTH\ERRORREP\*]
[%FILE%: %WINDIR%\Registration\CRMLog\*]
[%FILE%: %WINDIR%\System32\catroot2\*]
[%FILE%: %WINDIR%\System32\com\dmp\*]
[%FILE%: %WINDIR%\System32\FxsTmp\*]
[%FILE%: %WINDIR%\System32\spool\drivers\color\*]
[%FILE%: %WINDIR%\System32\spool\PRINTERS\*]
[%FILE%: %WINDIR%\System32\Tasks\*]
[%FILE%: %WINDIR%\SysWOW64\com\dmp\*]
[%FILE%: %WINDIR%\SysWOW64\FxsTmp\*]
[%FILE%: %WINDIR%\SysWOW64\Tasks\*]
[%FILE%: %WINDIR%\Tasks\*]
[%FILE%: %WINDIR%\tracing\*]
[%FILE%: %WINDIR%\Web\*]


So DLL and Driver should look like this



No also add (append) these entries to Process Block Rules
[%PROCESS%: %WINDIR%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*]
[%PROCESS%: %WINDIR%\debug\*]
[%PROCESS%: %WINDIR%\PCHEALTH\ERRORREP\*]
[%PROCESS%: %WINDIR%\Registration\CRMLog\*]
[%PROCESS%: %WINDIR%\System32\catroot2\*]
[%PROCESS%: %WINDIR%\System32\com\dmp\*]
[%PROCESS%: %WINDIR%\System32\FxsTmp\*]
[%PROCESS%: %WINDIR%\System32\spool\drivers\color\*]
[%PROCESS%: %WINDIR%\System32\spool\PRINTERS\*]
[%PROCESS%: %WINDIR%\System32\Tasks\*]
[%PROCESS%: %WINDIR%\SysWOW64\com\dmp\*]
[%PROCESS%: %WINDIR%\SysWOW64\FxsTmp\*]
[%PROCESS%: %WINDIR%\SysWOW64\Tasks\*]
[%PROCESS%: %WINDIR%\Tasks\*]
[%PROCESS%: %WINDIR%\tracing\*]
[%PROCESS%: %WINDIR%\Web\*]

 

This stuff is mind boggling, I will have to pass once again.

 

For info :
- dedicated thread here : https://www.wilderssecurity.com/threads/startup-sentinel-fast-secure-startup.350167/
- new version out today ! (v1.6)

 

Thanks Windows_Security. Bookmarked for future reference

 

EMET 5 on Win10 , compatible ?!

 

Yes, using EMET 5.2 here throughout Windows 10 testing builds. Some of the very early Insider builds a year ago had trouble with EMET, but EMET and Windows 10 have been working great together for quite some time now.

 

Great guide, thank you!!
Is such setup safe for Windows updates, and other system functions & settings;

 

If KIS and MBAM fail me then so be it. I am not capable of doing the OP, and have no desire to go through the process.
Kudos to those who do, but not me.
Jerry

 

Yes see post 3, it allows updates from Microsoft and Google

 

good to know thanks

 

i am curious what MBAE is adding to the setup - why not just use EMET for browsers as well?

 

Because EMET has special ASR settings. It prevents DLLs to load which are used for running scripts: goto ASR option of EMET and copy this "flash*.ocx; vbscript.dll;j*script.dll;python*.dll"

flash*.ocx = prevents (embedded) flash to run (e.g. in office documents)
vbscript.dll = prevents visual basic script to run
j*script.dll = prevents java script to run
python*.dll = prevents python script to run

This tweak will make it nearly impossible to exploit the programs (office+mediaplayer+pdfreader+mail) protected by EMET. Adding this ASR (attack surface reduction) trick to your browser would cripple it. Using MBAE you will get full functionality of your browser and smarter (than EMET) exploit protection (designed by experts, with addtional layers of protection over EMET).

Hope this explains it.

NB.
Smart Object Blocker is adding some additional protections, so I will probably post an update and add the dll hardening to SOB (running EMET in default setting).

 

thank you very much for tutorial Windows_Security

 

just a question why -hidegui?

Is it just for hiding the tray icon or it has other purposes?

nevermind lol, i didn't paid attention that the gui is launched automatically

 

or just use SecureAPlus