Secure Folders to protect folders (and use as anti-executable)

Discussion in 'other anti-malware software' started by Windows_Security, Oct 21, 2014.

  1. @Deckard

    I noticed the PumperNickel delay with AppTimer only on Office programs also (so edited the post)

    Thx Kees
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Somehow I don't consider a 0.2 sec delay significant. Did that include programs you exclude?
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    Hmmm... interesting settings, but what about if a trusted app, e.g. PowerPoint, wants to save a slideshow as ppt/pptx? I don't remember how priority levels work - which is higher: application or extension?
     
  4. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Can you post a picture of your AppTimer settings?
    Is it OK like this:

    (attachment: primjer.jpg)
     
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Interesting to note, the Secure Folders kernel-mode driver starts just as early as Bouncer and FIDES as far as kernel load order goes. That is most definitely a good thing to see. So those developers are doing something right, indeed. (In case anyone asks, this is a screenshot of NoVirusThanks' Kernel-Mode Drivers Manager tool).

    (attachment: temp-securefolders.png)

    I would not worry so much over 0.2 second application delay personally. Particularly after seeing EMET's EAF/EAF+ mitigations in the past causing delays of anywhere from 1-3 seconds or more to application startup. Bouncer also is around 0.2 second for application startup or somewhere around there. For whatever reason I don't know, but MemProtect has zero delay in comparison to FIDES or Bouncer.

    I've got no rules set for Secure Folders right now but protection enabled, and it's causing a very noticeable slowdown across all programs on my system right now so it's got to go. Even simple analyzing/cleaning with CCleaner is drastically delayed. Though it has been interesting to test and seeing how they use a randomly created name for the kernel-mode driver is quite interesting. I like the way that their UI is designed as well.

    EDIT: Actually prior to uninstalling Secure Folders, I just decided to use the slider within the UI to disable protection and I've got my original perf back.
     
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    And a nice GUI

    The only burp! that shows for me with SF is when applying/adding settings = activating a new addition/changing settings. Sort of a REFRESH type pause, then all is well.

    Of course I don't use either FIDES or the PUMPER drivers. Am a gui geek
     
  7. You have to enable Visible (window detection) and WM_Close (window close method) also, the rest is fine (you need to have the Windows name right)
     
  8. Yes, it only applies to programs you allow (write access). I compared it with AppTimer (Secure Folders versus Fides/Pumpernickel).

    For me the most important reason to prefer Secure Folders over Fides/PumperNickel is that by combining file extensions (read-only ACL) with folders (no-execute ACL), I have a double deny execute on D (SRP and Secure Folders). When I run Windows Image Backup AND have defined a deny execute for Everyone through ACL (manually), then Windows Image Backup won't run. Windows Image Backup does not seem to mind Secure Folders setting a similar ACL.
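    The two ACL layers Kees describes (a no-execute ACL on a folder, a read-only ACL on document extensions) can be applied by hand with built-in Windows cmdlets. The block below is an added example written for this thread; it is not code from the thread, from Secure Folders or from its developers, and it does not reproduce Secure Folders' per-application trust (a plain ACL applies to every process, including the editors you trust). `D:\Data` and the extension list are assumed placeholders; try it on a scratch folder first, as admin, and audit the result with `Get-DenyAces` before pointing it at real data.

```powershell
# Added example, not code from this thread or from Secure Folders: the two ACL
# layers described above (no-execute on a folder, read-only on document
# extensions) applied by hand with built-in cmdlets so they can be inspected
# and reverted. $DataFolder and the extension list are assumed placeholders.

$DataFolder         = 'D:\Data'                      # assumed test folder
$ReadOnlyExtensions = @('*.docx', '*.xlsx', '*.pdf') # assumed extension list

# Build one Deny ACE for $Identity. Inheritance/propagation take the usual
# System.Security.AccessControl flag names ('None', 'ObjectInherit', ...).
function New-DenyRule {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [string]$Identity    = 'Everyone',   # localized Windows uses another name
        [string]$Inheritance = 'None',
        [string]$Propagation = 'None'
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, 'Deny'
}

# Append a rule to a path's DACL. AddAccessRule keeps canonical order, so the
# Deny ACE is placed ahead of the existing Allow ACEs.
function Add-DenyRule {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Rule)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Layer 1 (no-execute): deny ExecuteFile on every file below the folder.
# ObjectInherit + InheritOnly keeps the ACE off the folders themselves, where
# the same access bit means Traverse; files at any depth still receive it.
# If a backup or indexing tool starts failing, this Deny is the first thing to check.
function Protect-NoExecute {
    param([Parameter(Mandatory)][string]$Path)
    Add-DenyRule -Path $Path -Rule (New-DenyRule -Rights ExecuteFile -Inheritance ObjectInherit -Propagation InheritOnly)
}

# Layer 2 (read-only): Windows allows delete/rename when EITHER the file grants
# Delete OR its parent grants DeleteSubdirectoriesAndFiles, so both are denied.
# Read stays allowed, so the document still opens; ChangePermissions is left
# alone so the owner can revert the rule later.
function Protect-ReadOnly {
    param([Parameter(Mandatory)][string]$Path, [string[]]$Include)
    Add-DenyRule -Path $Path -Rule (New-DenyRule -Rights DeleteSubdirectoriesAndFiles -Inheritance ContainerInherit)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Include $Include | ForEach-Object {
        Add-DenyRule -Path $_.FullName -Rule (New-DenyRule -Rights 'Write,Delete')
    }
}

# Audit: list the Deny entries on a path (inherited ones included).
function Get-DenyAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited
}

# Revert: remove every explicit (non-inherited) Deny ACE for $Identity on a path.
# Run it on the folder and then on each protected file to undo both layers.
function Remove-DenyAces {
    param([Parameter(Mandatory)][string]$Path, [string]$Identity = 'Everyone')
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage against the assumed test folder:
Protect-NoExecute -Path $DataFolder
Protect-ReadOnly  -Path $DataFolder -Include $ReadOnlyExtensions
Get-DenyAces -Path $DataFolder | Format-Table -AutoSize
```

    Because the Deny is for Everyone it also binds administrators, which is the point of the no-execute layer but also why a backup tool that needs to read files as executables can trip over it; removing the rule with `Remove-DenyAces` (or simply not inheriting it onto the folder the tool uses) is the check to make before blaming the tool.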
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Kees - this is the single area that I prefer to apply to my own system, but I would like to learn the best way to proceed.

    I'm speaking of SRP for the 8.1 Windees lol

    Would YOU suggest (because you do approve of it for simplicity) the app Software Restriction Tool? Or another easy-for-me method to drop admin except where needed (for apps that require privilege at that level)?

    I always run Admin and have not any issues doing so for a very long time now, however, an SRP in addition would be ideal I think if only there is bare minimum interaction from switching on/off etc.

    PGS has been mentioned before and did well on 32-bit XP for me. It's certain there are multiple methods available now for x64 and more specifically W 8.1.

    What works best in your opinion (for SRP) to also complement the same, like you, with Secure Folders extensions/folders protection?
     
  10. Easter,

    I have not used Simple Restriction Policy lately, but it seemed to do the trick well. I always hack the registry manually (see Malware Tips).

    To be honest you are using NVT ERP and you are liking it (and it is a great application). May I suggest something totally different? Why not keep NVT-ERPO and install AVAST in default deny (hardened mode) using its huge cloud based whitelist, see Malware Tips setup for AVAST 2016.

    Avast 2017 has the IPS module of AVG (which used to be Primary Response Safe Connect a behavioral blocker like Mamutu and ThreatFire). I would install this module also and enjoy the comfort of GUI based applications.

    Regards Kees
     
  11. Deckard

    Deckard Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    46
    Location:
    France
    To come back to the delay. I tested 12 programs on my 7-year-old laptop:
    a Sony Vaio Core i3, Win10 x64, HD 5400 rpm.
    Superfetch/Prefetch off. WD off.
    I do not get the same behavior compared to my main PC (i7, NVMe):
    with Bouncer and Pumpernickel -> delay for each application tested. From +11% (for a small program like IrfanView) up to +23% for LibreOffice Writer.

    with Bouncer but Pumpernickel uninstalled -> no delay; nothing
    +0,006s for IrfanView
    -0,004s for Typora
    +0,025s for LibreOffice Writer
    -0,055s for WordPerfect
    -0,012s for Vivaldi
    etc.

    AppTimer. 4 executions. 2 Times.

    Off topic: I am always surprised by the lightness of WordPerfect Office. Around 10MB only in RAM compared to <90MB for LibreOffice, launched 2.5x faster; works great and without instability.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    For Bouncer, was [SHA256] enabled or [#SHA256] disabled? That would make a noticeable difference.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Appreciate the AVAST mention and I have had some good results with it in the past but with stubbornness these AV's have not won me over sufficiently enough to continue to experiment with them. In spite of the fact that they have much improved over the ages.

    However is there a favorable opinion of this? https://github.com/AndyFul/Hard_Configurator
     
  14. Andy Ful is active on Malware Tips; he has put a lot of work into assembling hardening tweaks in a script with a GUI and an explanation. It is a really good alternative when you don't want to hack the registry manually.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks Kees and keep up the good work. Really useful
     
  16. Deckard

    Deckard Registered Member

    Joined:
    Dec 13, 2016
    Posts:
    46
    Location:
    France
    It was disabled.
    I used the following config:
    [#INSTALLMODE] / [LETHAL] / [LOGGING] / [#SHA256] / [PARENTCHECK] / [#CMDCHECK]
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Compared FIDES to Secure Folders, did you find anything which can actually break SF?
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I haven't tried. Once I got my mind wrapped around FIDES, I've never looked back. It has been flawless and isn't all that difficult. Just very manual.
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks anyway Peter.
     
  20. Tarantula

    Tarantula Guest

    I used to dislike SF, but it actually became my favorite soft because of its hiding capabilities. Using the portable version to install it in a dir different than "program files". Then use it to hide its own executable. It can only be launched by a key combo. And it's hiding everything I need. Too bad it's not developed anymore.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Why did you dislike it? I think it can be useful against data-stealers. It won't protect against ransomware that is using explorer.exe to encrypt files, unless it's not a trusted process, but then you won't be able to access data yourself without having to keep disabling protection.
     
  22. jks52

    jks52 Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    12
    Actually, you can access a protected document and change it using Word as a trusted application without turning protection on and off while having explorer.exe as untrusted. You just can't delete, rename, move or encrypt the file without turning the protection off which is the protection you want. You can't even rename or delete a protected file using a .cmd prompt while Read Only protection is on. You can copy a file and paste a file, then change it but your original is still protected.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Secure Folders (as indicated still in my siggy to this very day) is a Gold Standard complement which is installed on any system employed. For this user it's a set-and-absolutely-forget application/program that just simply works, and works perfectly whichever preference is selected for you to cover.

    Agree with the above poster on its discontinued development, but thank goodness that it did reach a good enough level that the thing is as useful as ever.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, so what you're saying is that it's not necessary to make explorer.exe a trusted app? But that also means you can not manage files, or perhaps you will need to use a third party file manager and make it trusted.
     
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    This is exactly what I do. I believe a third party explorer has less chances of being compromised.
     