Freeware setup giving malware a hard time intruding your system

Discussion in 'other anti-malware software' started by Windows_Security, Aug 7, 2015.

  1. Windows_Security
    Required skill level
    a) Knowing how to change UAC level
    b) Knowing how to configure EMET
    c) Knowing how to use notepad
    d) Knowing how to create an elevated task
    e) Knowing how to use regedit

    Works on Windows 7, 8, 10

    Required software

    1) UAC + Smartscreen
    2) StartupSentinel Free
    3) MBAE Free
    4) EMET Free
    5) SmartObjectBlocker Free

    Preparation
    1) Set UAC to full (best also set Smartscreen to UAC approval)
    2) Install StartupSentinel (warns of HKCU autorun changes)
    3) Install MBAE Free (that's all)
    4) Install EMET (when you have MBAE Premium, skip the EMET tweak)
    5) Install SmartObjectBlocker

    Basic concept of this security setup
    Lock down user space, but allow for easy update of trusted publishers (set and forget security)

    Windows Enterprise strength security
    When you implement all these tweaks, you will get NSA/SANS strength security :D at kernel level (easier and stronger than tweaking Group Policy settings with AppLocker on a Windows Enterprise version), so consider a donation to the developers who made this possible:
    - @novirusthanks (Andreas for SmartObjectBlocker)
    - @Kyle_Katarn (Kyle for StartupSentinel)

    Question: Do I need an extra sandbox and/or script blocker with this setup?

    a) Sandbox - Only when you use Firefox or FF based browser.
    b) Scriptblocker - NO, AdBlocker/AdGuard/uBlock (default) for Ads and Trackers will do
     
    Last edited: Aug 9, 2015
  2. Windows_Security
    EMET tweak

    Remove all browsers from EMET, simply because MBAE free takes care of them. When you have MBAE Premium, you don't need to install EMET.

    Have a look at all programs interpreting scripts, like PDF readers, mail clients, media players and Office applications: enable the ASR option and copy this: "flash*.ocx; vbscript.dll;j*script.dll;python*.dll"

    This blocks javascript, vbscript, python scripts and Adobe Flash embedded in (open) office documents (does anyone know the name of the Libre Office Basic DLL?). When you use Visual Basic in Office, don't include vbscript.dll.

    Scripted content (javascript, pythonscript, vbscript, powerscript) and rich content (silverlight, shockwave and flash) are nearly always used to take control of program execution. By blocking these DLLs through ASR you make these programs less vulnerable to malware and exploit attacks.

    With UAC + Smartscreen (both on Full), MBAE, EMET and StartupSentinel you will block most of the user space malware. As always, closing the last 20% takes 80% of the configuration effort.
     
    Last edited: Aug 8, 2015
  3. Windows_Security
    SmartObjectBlocker tweak

    This reduces the attack surface from user space to a few whitelisted vendors in TEMP. So increased security while still being able to update trusted software.


    Andreas has changed the defaults :thumb:, so we now only need to focus on the behavioral mode configuration files. First step is to empty the DLL, Driver and Process BLOCK RULES. Next open the EXCLUDE db in the Exclude rules folder (subfolder of the SmartObjectBlocker installation folder) and copy it from the attached Rules configuration file in plain text (Exclude.txt).

    After copying the content from the attached Exclude.txt file, your Exclude config file should look like this (save it in the SmartObjectBlocker/Exclude folder).
    [picture: upload_2015-8-7_14-39-19.png]

    Remember
    99% of all regular installs are always initiated from the TEMP folder. Malware often tries to drop code in other user space locations. Installs from other USER SPACE locations are blocked by default (at kernel level). SOB checks the publisher, which is the organization that produced the software. UAC will check whether it is a regular signed executable (different colour code), so SOB + UAC make sure the digital signature is OK for that specific publisher (so no problems with signed malware).

    When you want to add your AV or another program which updates itself, just right-click that executable and click on the digital signature tab, see picture below. Add two rules (%FILE% and %PROCESS%) for that publisher (%PUBLISHER%), by copying the text in the picture below (NoVirusThanks Company Srl) in blue, to the text in blue in the picture above (Microsoft Corporation).

    [picture: upload_2015-8-7_14-45-13.png]

    Add a %FILE% and %PROCESS% exception for every program which updates itself (all Microsoft and Google software is already allowed with the example above).
     

    Attached Files:

    Last edited: Aug 8, 2015
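An added PowerShell example, not from the thread: a function that reads the Authenticode signer of an executable and returns the organisation (O=) name you would paste into the %PUBLISHER% exclusion, so you can collect publisher names for several updaters without opening the Digital Signatures tab for each file. The sample paths are assumptions, and the Subject parsing assumes the usual comma-separated RDN form of the certificate subject.

```powershell
# Added example (not the thread's own procedure): get the publisher organisation
# of a signed executable, and refuse to report one when the signature is not valid.
function Get-ExePublisher {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, UnknownError, ...: report it, never derive a
        # publisher rule from it. A trusted-publisher rule only makes sense for
        # a binary whose signature actually verifies (this is the check UAC also does).
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; Publisher = $null; Thumbprint = $null }
    }

    # Subject looks like 'CN=NoVirusThanks Company Srl, O=NoVirusThanks Company Srl, L=..., C=IT'.
    # The O= component is the organisation name shown on the Digital Signatures tab.
    # (A subject with a quoted comma inside a component would need a real RDN parser.)
    $subject = $sig.SignerCertificate.Subject
    $org = $subject -split ',\s*' | Where-Object { $_ -like 'O=*' } | Select-Object -First 1
    if ($org) { $org = $org.Substring(2).Trim('"') }

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Publisher  = $org
        Thumbprint = $sig.SignerCertificate.Thumbprint   # pin this too if you want more than the name
    }
}

# Assumed paths: an AV updater and the Chrome binary (adjust to your own system).
@(
    'C:\Program Files\MyAV\updater.exe',
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
) | ForEach-Object { Get-ExePublisher -Path $_ } | Format-Table -AutoSize
```

The Publisher column is the string to use for the %PUBLISHER% rule; rows whose Status is not Valid should get no rule at all.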
  4. Windows_Security
    Edit block rules for SmartObjectBlocker in Behavioral mode

    Block User data and all partitions. My DVD reader is F, that is why I have excluded the F-drive from the list. The drives G, H, I, J are to lock down all four USB ports on my system (so when you have more, you might add more letters).
    I assume that seasoned security forum members won't install software outside protected folders. When you do have software running from user space, forget about this tweak (no need to harden when you open the back door yourself) :p

    For convenience I have uploaded the Block DLL/Driver/Process configuration files as text files (see attachments). Update the configuration files in the SmartObjectBlocker/Block folder.

    Change the DLL and Driver block rules as shown in the picture below
    [picture: upload_2015-8-7_14-54-42.png]


    Now change the Process block rules as shown in the picture below

    [picture: upload_2015-8-7_15-1-23.png]

    As with DLL and Driver all executions from user space are blocked (with UAC on full AppData is also protected by UAC) :D.

    The command line blocks the dangerous EVAL function in javascript, which is used in many exploit attacks. Eval will be limited in future javascript engines, so you don't need this EVAL anyway :D

    The %PARENT% option blocks the process with the name behind it from launching other processes. This is also a strong container to prevent spawning of malicious processes (I have all these processes from within by EMET) :D

    I haven't included Chrome as a process not allowed to spawn other processes. All renderer processes of Chrome are already limited by the Job Object limitation of Chrome's sandbox and MBAE Free is watching Chrome in an intelligent way (also includes blocking of downloading and starting of malicious code); for ease of use and system stability let's keep it that way (and leave it to the experts of the MalwareBytes corporation) :D
     

    Attached Files:

    Last edited: Aug 8, 2015
  5. Windows_Security
    Now test drive your software by launching SmartObjectBlocker and running all the software you have protected for a while (also to check whether the PUBLISHER holes you added for updating programs work). When you run into an error, just close SmartObjectBlocker and you are good.

    When you are sure everything runs fine, make SmartObjectBlocker start with the system. For the time being this has to be done through this trick; for the final release I think Andreas will offer a launch-with-Windows option in future (so this last step will be redundant).

    1. Create an elevated task with -hidegui

    [picture: upload_2015-8-7_15-9-19.png]


    2. Add startup to HKLM RUN with regedit
    [picture: upload_2015-8-7_15-12-52.png]



    Tested this set and forget setup (no need to disable when updating) on Windows 10
     
    Last edited: Aug 7, 2015
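The two steps above as an added PowerShell example, not the thread's own Task Scheduler/regedit clicks: an elevated task with no trigger, plus an HKLM Run value that starts that task, which is the usual way a Run entry can start a program with the full admin token without a UAC prompt (my reading of the trick; the thread does not spell out what the Run value contains). The install path and task name are assumptions, and it needs an elevated PowerShell with the ScheduledTasks module (Windows 8 and later; Windows 7 has to use the GUI or schtasks.exe).

```powershell
# Added example (not the thread's own procedure). Run from an elevated PowerShell.
$sobExe   = 'C:\Program Files\SmartObjectBlocker\SmartObjectBlocker.exe'   # assumed install path
$taskName = 'SmartObjectBlocker-hidegui'                                     # assumed task name
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

if (-not (Test-Path -LiteralPath $sobExe)) { throw "SmartObjectBlocker not found at $sobExe" }

# 1. Elevated task: RunLevel Highest gives the task the full admin token, so
#    starting it later raises no UAC prompt. No trigger: the Run value starts it.
$action    = New-ScheduledTaskAction -Execute $sobExe -Argument '-hidegui'
$principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
                 -LogonType Interactive -RunLevel Highest
# Default task settings kill a task after 3 days; a zero limit means "no limit",
# and laptops should not be left unprotected on battery.
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                 -ExecutionTimeLimit ([TimeSpan]::Zero)
Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal `
                       -Settings $settings -Force | Out-Null

# 2. HKLM Run value. A Run value cannot elevate by itself, so it does not launch
#    the exe directly; it asks the scheduler to start the elevated task instead.
New-ItemProperty -Path $runKey -Name $taskName -PropertyType String -Force `
                 -Value "schtasks.exe /run /tn `"$taskName`"" | Out-Null

# Check both halves, then start the task once to confirm it comes up hidden.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
(Get-ItemProperty -Path $runKey).$taskName
Start-ScheduledTask -TaskName $taskName
```

Because StartupSentinel watches autorun changes, expect it to flag the new Run value when UAC is off; that is the tool working as described in this thread.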
  6. Windows_Security
    @MrBrian @J_L

    Could you update Safe_Admin link in best security freeware list?

    Thanks

    Kees
     
  7. J_L
    OK, but what about old links? Will you link them here, should I keep them on list, or ignore them altogether? Currently, I'm only keeping the latest link of Safe_Admin.
     
  8. Kyle_Katarn
    Thank you for recommending my Startup Sentinel :)
     
  9. Windows_Security
    @J_L

    Thanks, I would suggest to keep the latest only (this one). It is easier to use (no need to disable software when updating programs).

    @Kyle_Katarn

    You are welcome, it is a great little application which closes the autorun risk in a smart way (HKCU when UAC is on, HKLM + HKCU when UAC is off) and it is signed and free :thumb:

    Regards Kees
     
  10. EASTER
    Hah ha. Finally got around to reading this thread. Amazing isn't it what a difference for the better just a few added tweaks can make for security.

    What a job! :thumb:
     
  11. Windows_Security
    I forgot the tips of Mr Brian (about closing Windows holes), so let's include the common blacklist rules as advised by the NSA (see page 7 of this PDF). Yes, TEMP is omitted because we want the convenience of set and forget (allow trusted updates) and YES there are a few more folders blocked (information from the SANS security org :) )

    For ease of convenience I will use the SmartObjectBlocker %WINDIR% variable so everybody can copy the text below to the Block Rules

    Text for DLL and Driver is the same, so I will add them only once, add these lines
    [%FILE%: %WINDIR%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*]
    [%FILE%: %WINDIR%\debug\*]
    [%FILE%: %WINDIR%\PCHEALTH\ERRORREP\*]
    [%FILE%: %WINDIR%\Registration\CRMLog\*]
    [%FILE%: %WINDIR%\System32\catroot2\*]
    [%FILE%: %WINDIR%\System32\com\dmp\*]
    [%FILE%: %WINDIR%\System32\FxsTmp\*]
    [%FILE%: %WINDIR%\System32\spool\drivers\color\*]
    [%FILE%: %WINDIR%\System32\spool\PRINTERS\*]
    [%FILE%: %WINDIR%\System32\Tasks\*]
    [%FILE%: %WINDIR%\SysWOW64\com\dmp\*]
    [%FILE%: %WINDIR%\SysWOW64\FxsTmp\*]
    [%FILE%: %WINDIR%\SysWOW64\Tasks\*]
    [%FILE%: %WINDIR%\Tasks\*]
    [%FILE%: %WINDIR%\tracing\*]
    [%FILE%: %WINDIR%\Web\*]


    So DLL and Driver should look like this
    [picture: upload_2015-8-8_11-3-50.png]


    Now also add (append) these entries to the Process Block Rules
    [%PROCESS%: %WINDIR%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*]
    [%PROCESS%: %WINDIR%\debug\*]
    [%PROCESS%: %WINDIR%\PCHEALTH\ERRORREP\*]
    [%PROCESS%: %WINDIR%\Registration\CRMLog\*]
    [%PROCESS%: %WINDIR%\System32\catroot2\*]
    [%PROCESS%: %WINDIR%\System32\com\dmp\*]
    [%PROCESS%: %WINDIR%\System32\FxsTmp\*]
    [%PROCESS%: %WINDIR%\System32\spool\drivers\color\*]
    [%PROCESS%: %WINDIR%\System32\spool\PRINTERS\*]
    [%PROCESS%: %WINDIR%\System32\Tasks\*]
    [%PROCESS%: %WINDIR%\SysWOW64\com\dmp\*]
    [%PROCESS%: %WINDIR%\SysWOW64\FxsTmp\*]
    [%PROCESS%: %WINDIR%\SysWOW64\Tasks\*]
    [%PROCESS%: %WINDIR%\Tasks\*]
    [%PROCESS%: %WINDIR%\tracing\*]
    [%PROCESS%: %WINDIR%\Web\*]
     
    Last edited: Aug 8, 2015
  12. Rasheed187
    This stuff is mind boggling, I will have to pass once again. :D
     
  13. Kyle_Katarn
  14. pasmal
    Thanks Windows_Security. Bookmarked for future reference :)
     
  15. Umbra
    EMET 5 on Win10, compatible?!
     
    Last edited: Aug 20, 2015
  16. WildByDesign
    Yes, using EMET 5.2 here throughout Windows 10 testing builds. Some of the very early Insider builds a year ago had trouble with EMET, but EMET and Windows 10 have been working great together for quite some time now.
     
  17. Nikos751
    Great guide, thank you!!
    Is such a setup safe for Windows updates, and other system functions & settings?
     
  18. JerryM
    If KIS and MBAM fail me then so be it. I am not capable of doing the OP, and have no desire to go through the process.
    Kudos to those who do, but not me.
    Jerry
     
  19. Windows_Security
    Yes, see post 3, it allows updates from Microsoft and Google
     
  20. Umbra
    good to know thanks
     
  21. rm22
    I am curious what MBAE is adding to the setup. Why not just use EMET for browsers as well?
     
  22. Windows_Security
    Because EMET has special ASR settings. It prevents DLLs from loading which are used for running scripts: go to the ASR option of EMET and copy this: "flash*.ocx; vbscript.dll;j*script.dll;python*.dll"

    flash*.ocx = prevents (embedded) flash to run (e.g. in office documents)
    vbscript.dll = prevents visual basic script to run
    j*script.dll = prevents java script to run
    python*.dll = prevents python script to run

    This tweak will make it nearly impossible to exploit the programs (office + media player + pdf reader + mail) protected by EMET. Adding this ASR (attack surface reduction) trick to your browser would cripple it. Using MBAE you will get full functionality of your browser and smarter (than EMET) exploit protection (designed by experts, with additional layers of protection over EMET).

    Hope this explains it.

    NB.
    Smart Object Blocker is adding some additional protections, so I will probably post an update and add the dll hardening to SOB (running EMET in default setting).
     
  23. co22
    Thank you very much for the tutorial Windows_Security
     
  24. Umbra
    Just a question: why -hidegui?

    Is it just for hiding the tray icon or does it have other purposes?

    Never mind lol, I didn't pay attention that the GUI is launched automatically :p
     
    Last edited: Aug 22, 2015
  25. treehouse786
    or just use SecureAPlus
     