Nice AV find for featherlight setup

Discussion in 'other security issues & news' started by Kees1958, Oct 29, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I am running without AV in this setup https://www.wilderssecurity.com/showpost.php?p=1775211&postcount=11560

    I also have implemented this for my wife's laptop. Only she is completely PC illiterate. She will never clean trash, won't ever run defrag, won't ever run an on-demand Anti Virus scan, etc.

    So I started to craft some batch files (and got a giveaway of Ashampoo Winoptimiser 6 with auto defrag), and when searching I found something nice.

    With Chrome the Downloads directory can be fixed, with IE8 not, so all downloads are forced to the Downloads directory (does not matter what: documents, movies, all user folders are relocated to Downloads). The real data is on a second partition.

    I really like A2 Emergency, because of its small updates and it updates real fast. So I added an update shortcut in the startup folder (use /u switch for a2cmd) and added "TheSpyFolder", a freebie which watches folders, to guard the Downloads directory for creation and the temp directory for rename operations. I have also added the batch file for Spyfolder to start in the background (/b switch) and you have to add a log file.

    In the folder spy settings a2cmd is started with /d (delete infections) /a (look in archives) /f="full path\name of directory" (to check in this directory)

    Regards

    Picture explains it all

    EDIT: pity, the application SpyFolder is not suitable for this use, e.g. when you download a large file it starts the application mentioned at the first bytes written; because the download is either in use or not yet considered an executable, the AV does not check it.
     

    Last edited: Oct 31, 2010
  2. Jav

    Jav Guest

    good job Kees.

    2 questions:
    1) why detection of renamed files in temp folder? and not creation?

    2) what about USB and other portable devices?
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Jav,

    For USBs autorun is blocked through GPO and execution is blocked through SRP, so not possible to execute

    For the Temp folder it is normal to create stuff. Often installers extract executables into it. Windows has some internal protection mechanism for temp folders which limits execution sufficiently to keep for instance Software Restriction Rules applicable to dangerous file types. It is common for malware to dump tmp files and rename them afterwards. So it is a very suspicious action.

    Regards Kees
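    The folder-watch-and-scan setup from the first post, with the rename-in-Temp trigger explained above, as an added PowerShell example that is not code from the thread, from SpyFolder or from a2cmd; the scanner path, the log file and the wait-until-stable loop are my assumptions, while the /d, /a and /f= switches are the ones named in the post. It only hands a file to the scanner once it can be opened exclusively with an unchanged size, which is the partial-download problem noted in the EDIT.

```powershell
# Added example: scan new files in Downloads and renamed files in %TEMP%,
# but only after the file is no longer being written (the partial-download case).
$Scanner   = 'C:\PLACEHOLDER\a2cmd.exe'          # assumed path, adjust to your install
$LogFile   = Join-Path $env:USERPROFILE 'scanwatch.log'
$Downloads = Join-Path $env:USERPROFILE 'Downloads'
$TempDir   = $env:TEMP
$Queue     = [System.Collections.Concurrent.ConcurrentQueue[string]]::new()

function Wait-FileStable {
    param([string]$Path, [int]$TimeoutSec = 900)
    # A download in progress is held open by the browser: an exclusive open fails, or
    # the size keeps growing. Succeeds once two exclusive opens see the same size.
    $deadline = (Get-Date).AddSeconds($TimeoutSec); $lastSize = -1
    while ((Get-Date) -lt $deadline) {
        if (-not (Test-Path -LiteralPath $Path)) { return $false }   # removed or renamed away (e.g. .crdownload)
        try {
            $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
            $size = $fs.Length; $fs.Close()
            if ($size -eq $lastSize) { return $true }
            $lastSize = $size
        } catch { }                                                   # still locked by the writer; keep waiting
        Start-Sleep -Seconds 2
    }
    return $false
}

function Invoke-Scan {
    param([string]$Path)
    if (-not (Wait-FileStable -Path $Path)) { return }
    # Switches as described in the thread: /d delete infections, /a look in archives, /f= path to check
    & $Scanner /d /a "/f=$Path"
    Add-Content -Path $LogFile -Value "$(Get-Date -Format s) scanned '$Path' exit=$LASTEXITCODE"
}

# Event actions only enqueue paths; the blocking wait and the scan run in the main loop.
$enqueue = { $Event.MessageData.Enqueue($Event.SourceEventArgs.FullPath) }
$dl  = New-Object System.IO.FileSystemWatcher $Downloads; $dl.IncludeSubdirectories = $true
$tmp = New-Object System.IO.FileSystemWatcher $TempDir
Register-ObjectEvent $dl  Created -Action $enqueue -MessageData $Queue | Out-Null
Register-ObjectEvent $dl  Renamed -Action $enqueue -MessageData $Queue | Out-Null   # Chrome: .crdownload -> final name
Register-ObjectEvent $tmp Renamed -Action $enqueue -MessageData $Queue | Out-Null   # the suspicious tmp rename
$dl.EnableRaisingEvents = $true; $tmp.EnableRaisingEvents = $true

Write-Host "Watching $Downloads (create/rename) and $TempDir (rename); Ctrl+C to stop."
while ($true) {
    $p = $null
    while ($Queue.TryDequeue([ref]$p)) { if (Test-Path -LiteralPath $p -PathType Leaf) { Invoke-Scan -Path $p } }
    Start-Sleep -Seconds 3
}
```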
     
  4. Jav

    Jav Guest

    ok, I see.
    Thank you :)
     
  5. katio

    katio Guest

    One issue that caught my eye:
    c) Auto elevate only from safe places (Windows & Program Files)

    The Windows folder is not safe, it contains world writable+executable folders, see this post.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    Normally Windows should protect from intrusions. This is because some actions which touch the system are allowed by users (e.g. installing a printer). See "testing" in this post https://www.wilderssecurity.com/showpost.php?p=1775211&postcount=11559 TDSS makes use of this 'weakness', only in a very smart way.

    Regards Kees
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Within the context of a standard user account with UAC enabled, these folders aren't accessible to such a user without credentials:

    C:\Windows\Temp\*
    C:\Windows\System32\Tasks\*
    C:\windows\System32\spool\PRINTERS\*
    C:\windows\System32\com\dmp\*

    (With UAC disabled they won't get access nor be alerted to enter credentials, obviously.)

    To all others, free run.
     