For those having some whitelisting or sandboxing in place, considering to go without

Discussion in 'other anti-virus software' started by Kees1958, Apr 23, 2012.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I got a few questions of people considering to drop their antivirus, because they have an anti-executable or some other form of default deny policy in place or run LUA/SUA with some sandboxing program.

    To ease up your mind and get acquainted to the idea of surfing 'naked' this might be a good alternative from good old Microsoft.

    Download MSE and install, in the SETTINGS tab select
    A) Real-time protection
    In the screen on the right only select "Turn on real time protection" and "Scan all downloads" options, deselect all others.

    B) Advanced
    Select the "Scan removable drives" option in the screen on the right.

    Now you have your internet downloads (at least from IE and Chrome) covered and when an USB is inserted it will be scanned. Onlything else to cover are incoming emails. Copy and paste the text below into notepad and save as ANSI file/any file with .REG extension (e.g. attachment.reg). Now your AV will be started when you download an attachment with Outlook Express, Vista Mail, Windows Live Mail and Outlook (yeah all M$ programs).


    -------------
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments]
    "ScanWithAntiVirus"=dword:00000003


    -------------
    In this mode MSE will still check incoming executables, but will only read 11MB at startup and uses less than 1 second CPU time. So you still have an AV in real time, but with near zero system impact, because it only looks at downloads, USB insertions and mail attachments. It does NOT check programs you start (or a started by a program allready running).

    Regards
     

    Attached Files:

    Last edited: Apr 23, 2012
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    this is changed in version 4 beta.
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    So beta 4 does not have these options anymore? Did the interface become more '"essential"? :gack:

    Well that sort of boxes the time one has to get used to going naked :D

    Only installed MSE to check whether it still worked this way, now on whitelist mode only again.
     
    Last edited: Apr 23, 2012
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, did a test:

    1) You are right the controls are gone see pic, after update to 4 Beta

    BUT I WAS COUNTING ON GOOD OLD MICROSOFT INFAMOUS BACKWARD COMPABILITY OBSESSION AND YES :D :D :D
     

    Attached Files:

    Last edited: Apr 24, 2012
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    ALLTHOUGH CONTROLS ARE GONE, THE SETTINGS ARE MAINTAINED (UNVISIBLE TO THE USER), :D :D :D

    2) Did a check and yes the download is checked, allthough status screen tells me I am not protected (like MSE 2.1)), but read count (I/O) of process explorer shows that downloaded winrar is checked by the AV, :argh: :argh: :argh:

    So when you like these settings, make sure to set it in MSE 2.1 before upgrading to 4.0 ;)
     

    Attached Files:

    Last edited: Apr 24, 2012
  6. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yes they removed the options to monitor incoming files only,Its dumbed down.A Nice idea if I decide to use a Av again.
     
  7. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    525
    Location:
    Arizona
    I miss the option to monitor incoming files only also, but have settled for adding explorer.exe to the list of excluded processes. That definitely helps when parsing a folder full of exe files. I also uncheck Scan archive files.
     
  8. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I miss it as well,it's really to bad they removed it.
     
  9. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Go to MS Answers and tell them that. They need feedback.

    But be ready for pushback from the "loyals". :D
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Found the registry keys which control the "old" settings :D

    Scan downloaded files
    Key: HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
    Value: DisableOnAccessProtection (REG_DWORD)
    Data: 0 (Scan Enabled)
    Data: 1 (Scan Disabled

    Behavioral Monitoring
    Key: HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
    Value: DisableBehaviorMonitoring (REG_DWORD)
    Data: 0 (Scan Enabled)
    Data: 1 (Scan Disabled

    Scan network traffic through WFW on Vista and Win7
    Key: HKLM\Software\Microsoft\Microsoft Antimalware\Real-Time Protection
    Value: DisableIntrusionPreventionSystem (REG_DWORD)
    Data: 0 (Scan Enabled)
    Data: 1 (Scan Disabled

    Scan Removable Drives
    Key: HKLM\Software\Microsoft\Microsoft Antimalware\Scan
    Value: DisableRemovableDriveScanning (REG_DWORD)
    Data: 0 (Scan Enabled)
    Data: 1 (Scan Disabled)
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    @ Kees, you truly have a gift with computer's and software.I would have hosed my system playing with registry keys and changing values.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Is it me or the option to scan removable drives is still there, under Advanced settings? o_O

    But, it will only check them when performing a full scan. I believe this was always the option; not when USB devices are inserted. That's what the explanation says in the Advanced settings. :D
     
  13. FrankPU

    FrankPU Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    9
    Monitor Incoming Files ONLY can be enabled through the registry with this key:

    Key: HKLM \ Software \ Microsoft \ Microsoft Antimalware \ Real-Time Protection

    Value: RealtimeScanDirection (REG_DWORD)
    Data: 0 (Enabled Incoming and Outgoing Files)
    Data: 1 (Enabled Incoming Files Only)

    Greetings
     
  14. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    Nice share ;)
     
  15. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    does the MSE interface and tray icon show that you're not protected(realtime protection is turned off) when you modify the registry entry to let it scan only incoming files?
     
  16. KelvinW4

    KelvinW4 Registered Member

    Joined:
    Oct 11, 2011
    Posts:
    1,199
    Location:
    Los Angeles, California
    Nope. still green :)
     
  17. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    I only see an entry saying 'disablerealtimemonitoring', none saying 'RealtimeScanDirection', is it supposed to be there or do you create a reg entry saying RealtimeScanDirection and give it a value of 1?
     
  18. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    I can't even write to the registry entries regarding MSE. Writing to entries that do not effect MSE is allowed so I guess MSE blocks registry write access.

    So am I right? In order to get MSE scan only incoming files you have to install MSE, then uninstall, do your registry changes and install againo_O
     
  19. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    just ditched MSE because I couldn't tweak it to scan only imcoming files. I just don't want an antivirus that scans random files on your harddrive all the time. It's pointless to me because most files are clean anyway. Tried modifying the registry but apparently MSE blocked write access and it removes all registry entries after uninstallation...
     
  20. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    Hmm. Now I wonder if WSA can be modified to work this way. It's already lighter than pretty much anything, and they already scan more intelligently than pretty much anything out there.

    Of course a file that is clean now may be modified to become unclean if all goes wrong, but it should be trivial to hash the file and find out, and that's what WSA does. Only doesn't meet the free spec. Yet. They say they are working on a free version too.

    *Goes off to poke WSA some and see*
     
  21. Arcanez

    Arcanez Registered Member

    Joined:
    Oct 5, 2011
    Posts:
    396
    Location:
    Event Horizon
    So tried it once again and added all those DWORD entries to the RealtimeProtection folder in the registry. I needed root permissions to do so...changing registry entries didn't have any major impact on MSE performance and memory usage.
     
    Last edited: Jun 9, 2012
  22. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    377
    Thanks for posting this tweak. If I understand well, to scan only the incoming (write) files, I should:

    1. create the 5 registry keys as they don't exist [Win 7 x64]
    2. disable BehavioralMonitoring, IntrusionPreventionSystem, IOAVProtection

    3. enable OnAccessProtection

    4. set ScanDirection to incoming only

    can somebody confirm?
     
    Last edited: Jul 12, 2012
  23. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    You should enable the intrusion prevention system also
     
  24. newbino

    newbino Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    377
    thanks for replying toxinon.
    can I ask you why the intrusion prevention system?
     
  25. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Normally all should be enabled, for people only requiring a downloaded file scan and USB connect scan the settings newbino mentioned are sufficient
     
Loading...
Thread Status:
Not open for further replies.