Easy security for anti-exploit & anti-ransomware

Discussion in 'other anti-malware software' started by Windows_Security, Apr 5, 2015.

  1. The developers mailed me that SecureFolders also stops DLL's (when no-execution is selected), so the safe-DLL Search mode tweak I posted in earlier thread with Securefolders is not nessecary.
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,614
    Location:
    Italy
    Hi.
    May explain why it is necessary to disable "Certificate trust pinning"?
    TH.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,904
    Location:
    U.S.A.
    Ditto. I was curious about the same comment.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,904
    Location:
    U.S.A.
    I also have a better security solution for your e-mail client. Just set it to only accept e-mail in plain text format. That is what I do.:)
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    Mark Loman has already replied to this. The thing is, file and folder protection tools do not monitor for code injection, and they also don't monitor parent-child process relationships, so what if a malicious app starts a trusted app (process hollowing), then it's also game over.

    Of course you can stop ransomware attacks via anti-exploit, that's no surprise, if it can't launch it can't do any damage, but that's not the point of this thread I think. So basically, it's not a bad idea to use SecureFolders, but it needs back up from a HIPS, like the one in HMPA.
     
  6. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,944
    Yeah, I always do this too.
    SecureAPlus will cope with it (and more threats) by another approach IN THE FUTURE version, i.e. process protector and application binding. PP is code injection blocker which protects specified processes from injection. AB determine what file types can be opened by what program so that only specified program can access corresponding file types. e.g. Only Adobe Reader should access .pdf, etc.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    I saw your quite detailed overview in the SecureAPlus thread, it's interesting but I just don't like the app because of several reasons.
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,944
    That's okay, everyone have his preference and I basically don't push certain product to others.;)
    Maybe one of your reasons is its massive cloud usage, right?
     
  9. usrname

    usrname Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    9
    Location:
    Romagna, ITALY
    so, with MBAE Premium I don't need EMET, or it's limited to office documents?

    should I change anything in my MBAE configuration to get your EMET setup?

    http://i.imgur.com/HZJnhgH.png
    http://i.imgur.com/lk8e7OC.png
    http://i.imgur.com/2AReFcv.png
    http://i.imgur.com/zOfFQyJ.png
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,480
    Location:
    The Netherlands
    That is one of the reasons, but I also like EXE Radar's simpler approach.
     
  11. Yes with MBAE premium, you don't need EMET. Add your mail program to the protected programs (use template Office).
     
  12. Not nessecary, most people don't know how to use this and I had read that the dll is now also injected into Chrome and gave some problems.
     
  13. To start SecureFolders in silent mode add the following command line parameter

    -autotask
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,614
    Location:
    Italy
    It is true.
     
  15. usrname

    usrname Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    9
    Location:
    Romagna, ITALY
    thanks :thumb:
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,904
    Location:
    U.S.A.
    It's necessary if you want protection against man-in-the-middle activity on your secure financial web sites. Also, unlike other products that claim to provide MITM protection, you can verify that EMET's protection is working.

    On x86 systems, EMET's cert protection works fine. On x64 systems when using IE with EPM set on, there are some issues. I have developed a work around for these; see my postings in the EMET thread. And yes, it does require updating when a pinned web site cert expires.
     
  17. @itman

    The question was is it necessary to DISABLE cert pinning, I intended to make clear that it is not necessary to disable it. Please post the links in this thread also, so people who want to use cert pinning know how to tackle these x64 issues.

    Thx in advance

    Kees
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,904
    Location:
    U.S.A.
    Here's the post.

     
  19. Some background info on disabling dynamic content in office programs https://zeltser.com/malicious-code-inside-office-documents/
     
  20. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    Why put windows explorer as trusted? it works for me and I don't have it as trusted
     
  21. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    Here's my settings, currently no trusted apps
    Do I need to whitelist any apps in the program data and users folders?

    screenshot.4.png
    screenshot.5.png
    screenshot.6.png
     
    Last edited: Sep 28, 2015
  22. @Overkill

    I will look at it next week.

    Regards kees
     
  23. No-execution (ProgramData & Users)
    Most programs update using temp. When you disable SecureFolders before updating it is no problem, otherwise yuu should add windows update and chrome update to the trusted applications

    Read-only (D:\ probably your data partition)
    You should whitelist your user applications (explorer, notepad, mspaint, photoviewer, word, powerpoint, spreadsheet) to the trusted applications to allow themn to write to this partition
     
  24. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    Thanks :)
     
  25. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    Nice info here as well, wonderful!
     
Loading...
Similar Threads
  1. lucd
    Replies:
    2
    Views:
    559
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.