Freeware setup giving malware a hardtime to intrude your system

Discussion in 'other anti-malware software' started by Windows_Security, Aug 7, 2015.

  1. Required skill level
    a) Knowing how to change UAC level
    b) Knowing how to configure EMET
    c) Knowing how to use notepad
    d) Knowing how to create an elevated task
    e) Knowing how to use regedit

    Works on Windows 7, 8, 10

    Required software

    1) UAC + Smartscreen
    2) StartupSentinel Free
    3) MBAE Free
    4) EMET Free
    5) SmartObjectBlocker Free

    1) Set UAC to full (best also set Smartscreen to UAC approval)
    1) Install StartupSentinel (warns for HKCU autorun changes)
    2) Install MBAE Free (that's all)
    3) Install EMET (when you have MBAE Premium, skip EMET tweak)
    4) Install SmartObjectBlocker

    Basic concept of this security setup
    Lock down user space, but allow for easy update of trusted publishers (set and forget security)

    Windows Enterprise strength security
    When you implement all these tweaks, you will get NSA/SANS strenght security :D at kernel level (easier and stronger as tweaking Group Policy settings with Applocker on a Windows Enterprise version), so consider a donation to the developers which made this possible:
    - @novirusthanks (Andreas for SmartObjectBlocker)
    - @Kyle_Katarn (Kyle for StartupSentinel)

    Question: Do I need an extra sandbox and or Scriptblocker with this setup?

    a) Sandbox - Only when you use Firefox or FF based browser.
    b) Scriptblocker - NO, AdBlocker/AdGuard/uBlock (default) for Ads and Trackers will do
    Last edited by a moderator: Aug 9, 2015
  2. EMET tweak

    Remove all browsers from EMET, simply because MBAE free takes care of them. When you have MBAE Premium, you don't need to install EMET.

    Have a look at all programs interpreting scripts like PDF Readers, Mail, Media Players and Office applications: enable ASR option and copy this "flash*.ocx; vbscript.dll;j*script.dll;python*.dll"

    This blocks javascript, vbscript, python scripts and Adobe Flash embedded in (open) office documents (does anyone knows the name of Libre Office Basic DLL?) When you use Visual Basic in Office, don't include vbscript.dll

    Scripted content (javascript, pythonscript, vbscript, powerscript) and rich content (silverlight, shockwave and flash) are nearly always used to take control of program execution. By blocking these DLL's through ASR you made these programs less vulnarable to malware and exploits attacks.

    WIth UAC + Smartscreen (both onFull), MBAE, EMET and StartupSintenel you wil block most of the user space malware. As always closing the last 20% takes 80% percent of the configuration effort.
    Last edited by a moderator: Aug 8, 2015
  3. SmartObjectBlocker tweak

    This reduces attack surface from from user space to a few whitelisted vendors in TEMP. So increased security while still being able to update trusted.

    Andreas has changed defaults :thumb:, so we now only need to focus on behavioral mode configuration files. First step is to empty the DLL, Driver and Process BLOCK RULES. Next open EXCLUDE db in Exclude rules folder (subfolder of SmartObjectBlocker installation folder) and copy tit from the attached Rules configuration file in plain text (Exclude.txt).

    After copying the content from the attached Exclude.txt file, you Exclude config file should look like (save it in SmartObjectBlocker/Exclude folder).

    99% of all regular installs are always initiated from TEMP folder. Malware often tries to drop code in other user space locations. Installs from other USER SPACE locations are blocked by default (at kernel level). SOB checks the publisher which is the organization who produced the software. UAC will check whether it is a regular signed executable (different colour code), so SOB + UAC make sure the digital signature is OK for that specific publisher (so no problems with signed malware)

    When you want to add your AV or on other program which updates itself, just richt click that executable and click on the digital signature tab, see picture below. Add two rules (%FILE% and %PROCESS%) for that publisher (%PUBLISHER%), by copying text in picture below (NoVirusThanks Company Srl) in blue, to the tekst in blue in above picture (Microsoft Corporation).


    Add a %FILE% and %PROCESS% exception for every program which updates (All Microsoftware and Google software is allready allowed with example above).

    Attached Files:

    Last edited by a moderator: Aug 8, 2015
  4. Edit block rules for SmartObjectBlocker in Behavioral mode

    Block User data and all partitions. My DVD reader is F, that is why I have EXcluded F-drive from the list. The drives G, H, I, J are to lock down all four USB ports on my system (so when you have more, you might add more letters).
    I assume that seasoned security forum members won't install software outside protected folders. When you do have software running from user space, forget about this weak (no need to harden when you open the back door yourself) :p

    For convienance I have uploaded the Block DLL/Driver/Process configuration files as text file (see attachements). Update the configuration files in SmartObjectBlocker/Block folder.

    Change DLL and Driver block rules as shown in picture below

    Now change Process block rules as shown in picture below


    As with DLL and Driver all executions from user space are blocked (with UAC on full AppData is also protected by UAC) :D.

    The command line blocks the dangereous EVAL function in javascript, which is used in many exploit attacks. Eval will be limited in future javascript engines, so you don't need this EVAL anyway :D

    The %PARENT% option blocks the process with the name behind it to launch other processes. This is also a strong container to prevent spawning of malicious processes (I have all these processes from within by EMET) :D

    I don't have included Chrome as an process not allowing to spawn other processes. All renderer processes of Chrome are already limited with the Job Object limitation of Chrome's sandbox and MBAE Free is watching Chrome in an intelligent way (also includes blocking of downloading and starting of malicious code), for ease of usage and system stability let's keep it that way (and leave it to the experts of MalwareBytes corporation) :D

    Attached Files:

    Last edited by a moderator: Aug 8, 2015
  5. Now test drive your software by launching SmartObjectBlocker, run all the software you have protected for a while (also to check whether PUBLISHER holes you added for updating programs work). When you run into an error, just close SMartObjectBlocker and you are good.

    When you are sure everything run's fine, make SmartObjectBlocker start with system. For time being this has to be done throug this trick, for final release I think Andreas will offer a launch with windows option in future (so this last step will be redundant).

    1. Creat an elevated task with -hidegui


    2. Add startup to HKLM RUN with regedit

    Tested this set and forget setup (no need to disable when updating) on Windows 10
    Last edited by a moderator: Aug 7, 2015
  6. @MrBrian @J_L

    Could you update Safe_Admin link in best security freeware list?


  7. J_L

    J_L Registered Member

    Nov 6, 2009
    OK, but what about old links? Will you link them here, should I keep them on list, or ignore them altogether? Currently, I'm only keeping the latest link of Safe_Admin.
  8. Kyle_Katarn

    Kyle_Katarn Developer

    Dec 20, 2007
    Thank you for recommending my Startup Sentinel :)
  9. @J_L

    Thanks, I would suggest to keep the latest only (this one). It is easier to use (no need to disable software when updating programs).


    You are welcome, it is a great little application which closes autorun risk in a smart way (HKCU when UAC on, HKLM + HKCU when uAC off)) and it is signed and free :thumb:

    Regards Kees
  10. EASTER

    EASTER Registered Member

    Jul 28, 2007
    U.S.A. (South)
    Hah ha. Finally got around to reading this thread. Amazing isn't it what a difference for the better just a few added tweaks can make for security.

    What a job! :thumb:
  11. I forgot the tips of Mr Brian (about closing Windows holes), so let's include the common blacklist rules as advices by NSA (see page 7 of this PDF). Yes TEMP is omitted because we want convienance of set and forget (allow trusted updates) and YES there are a few more folders blocked (information from SANS security org :) )

    For ease of convienance I will use SmartObjectBlocker %WINDOWS% variable so everybody can copy this text below to Block Rules

    Text for DLL and Driver is the same, so I will add them only once, add these lines
    [%FILE%: %WINDIR%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*]
    [%FILE%: %WINDIR%\debug\*]
    [%FILE%: %WINDIR%\Registration\CRMLog\*]
    [%FILE%: %WINDIR%\System32\catroot2\*]
    [%FILE%: %WINDIR%\System32\com\dmp\*]
    [%FILE%: %WINDIR%\System32\FxsTmp\*]
    [%FILE%: %WINDIR%\System32\spool\drivers\color\*]
    [%FILE%: %WINDIR%\System32\spool\PRINTERS\*]
    [%FILE%: %WINDIR%\System32\Tasks\*]
    [%FILE%: %WINDIR%\SysWOW64\com\dmp\*]
    [%FILE%: %WINDIR%\SysWOW64\FxsTmp\*]
    [%FILE%: %WINDIR%\SysWOW64\Tasks\*]
    [%FILE%: %WINDIR%\Tasks\*]
    [%FILE%: %WINDIR%\tracing\*]
    [%FILE%: %WINDIR%\Web\*]

    So DLL and Driver should look like this

    No also add (append) these entries to Process Block Rules
    [%PROCESS%: %WINDIR%\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*]
    [%PROCESS%: %WINDIR%\debug\*]
    [%PROCESS%: %WINDIR%\Registration\CRMLog\*]
    [%PROCESS%: %WINDIR%\System32\catroot2\*]
    [%PROCESS%: %WINDIR%\System32\com\dmp\*]
    [%PROCESS%: %WINDIR%\System32\FxsTmp\*]
    [%PROCESS%: %WINDIR%\System32\spool\drivers\color\*]
    [%PROCESS%: %WINDIR%\System32\spool\PRINTERS\*]
    [%PROCESS%: %WINDIR%\System32\Tasks\*]
    [%PROCESS%: %WINDIR%\SysWOW64\com\dmp\*]
    [%PROCESS%: %WINDIR%\SysWOW64\FxsTmp\*]
    [%PROCESS%: %WINDIR%\SysWOW64\Tasks\*]
    [%PROCESS%: %WINDIR%\Tasks\*]
    [%PROCESS%: %WINDIR%\tracing\*]
    [%PROCESS%: %WINDIR%\Web\*]
    Last edited by a moderator: Aug 8, 2015
  12. Rasheed187

    Rasheed187 Registered Member

    Jul 10, 2004
    The Netherlands
    This stuff is mind boggling, I will have to pass once again. :D
  13. Kyle_Katarn

    Kyle_Katarn Developer

    Dec 20, 2007
  14. pasmal

    pasmal Registered Member

    Jan 25, 2015
    Thanks Windows_Security. Bookmarked for future reference :)
  15. guest

    guest Guest

    EMET 5 on Win10 , compatible ?!
    Last edited by a moderator: Aug 20, 2015
  16. WildByDesign

    WildByDesign Registered Member

    Sep 24, 2013
    Toronto, Canada
    Yes, using EMET 5.2 here throughout Windows 10 testing builds. Some of the very early Insider builds a year ago had trouble with EMET, but EMET and Windows 10 have been working great together for quite some time now.
  17. Nikos751

    Nikos751 Registered Member

    Jul 28, 2015
    Great guide, thank you!!
    Is such setup safe for Windows updates, and other system functions & settings;
  18. JerryM

    JerryM Registered Member

    Aug 31, 2003
    If KIS and MBAM fail me then so be it. I am not capable of doing the OP, and have no desire to go through the process.
    Kudos to those who do, but not me.
  19. Yes see post 3, it allows updates from Microsoft and Google
  20. guest

    guest Guest

    good to know thanks
  21. rm22

    rm22 Registered Member

    Oct 26, 2014
    i am curious what MBAE is adding to the setup - why not just use EMET for browsers as well?
  22. Because EMET has special ASR settings. It prevents DLLs to load which are used for running scripts: goto ASR option of EMET and copy this "flash*.ocx; vbscript.dll;j*script.dll;python*.dll"

    flash*.ocx = prevents (embedded) flash to run (e.g. in office documents)
    vbscript.dll = prevents visual basic script to run
    j*script.dll = prevents java script to run
    python*.dll = prevents python script to run

    This tweak will make it nearly impossible to exploit the programs (office+mediaplayer+pdfreader+mail) protected by EMET. Adding this ASR (attack surface reduction) trick to your browser would cripple it. Using MBAE you will get full functionality of your browser and smarter (than EMET) exploit protection (designed by experts, with addtional layers of protection over EMET).

    Hope this explains it.

    Smart Object Blocker is adding some additional protections, so I will probably post an update and add the dll hardening to SOB (running EMET in default setting).
  23. co22

    co22 Registered Member

    Nov 22, 2011
    thank you very much for tutorial Windows_Security
  24. guest

    guest Guest

    just a question why -hidegui?

    Is it just for hiding the tray icon or it has other purposes?

    nevermind lol, i didn't paid attention that the gui is launched automatically :p
    Last edited by a moderator: Aug 22, 2015
  25. treehouse786

    treehouse786 Registered Member

    Jun 6, 2010
    or just use SecureAPlus
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.