Safe_Admin finally it is there

Discussion in 'other anti-malware software' started by Windows_Security, Apr 21, 2015.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Dear all, with Sully I tried to configure an easy way to use Windows mechanisms like ACL (Access Control Lists) and Software Restriction Policies. Thanks to SecureFolders, Bouncer this can be realised for free.

    First install SecureFolders and Bouncer

    Before Windows update or Chrome update, you have to disable both Bouncer and SecureFolders
     
    Last edited: Apr 21, 2015
  2. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Bouncer setup

    Provide kernel level ant-executable protection like AppLocker for FREE.

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELIST]
    C:\Windows\*
    C:\Program Files\*
    C:\Program Files (x86)\*
    [BLACKLIST]
    C:\windows\debug\WIA\*
    C:\windows\Registration\CRMLog\*
    C:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\*
    C:\windows\System32\com\dmp\*
    C:\windows\System32\FxsTmp\*
    C:\windows\System32\spool\drivers\color\*
    C:\windows\System32\spool\PRINTERS\*
    C:\windows\System32\Tasks\*
    C:\windows\Tasks\*
    C:\windows\Temp\*
    C:\windows\tracing\*
    [EOF]
    
    See instructive post of Wildbydesign for Bouncer and Wat0114 and MrBrian for explanation on how to close write holes for basic users in Windows Folders. In the Blacklist I have added the folders to which a normal user has write access to.
     
    Last edited: Apr 21, 2015
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    SecureFolder setup

    Add LUA container (DropMyRights like) to programs for FREE, so they can't touch UAC protected folders

    SecureFolders sets an ACL (AccessControlList) like permission on folders and sets exceptions (the trusted applications) on files. The DENY file execution option is set for EVERYONE when no-execution option is chosen for a folder. SecureFolders driver uses its own user (shown as 'unknown user') to allow trusted programs to execute/access folders protected by SecureFolders.

    Thinking out of the box: when you assign NO-EXECUTION permission to Chrome's folder AND add Windows Explorer AND Chrome as trusted programs. Chrome runs in a BASIC USER/LUA/MEDIUM IL container (simular to old drop my rights)! See this post

    You have to enable UAC (or at least set it to elevate silently) to benefit from the LUA-container set by SecureFolders on user applications

    upload_2015-4-21_13-6-18.png
    Not all trusted programs are shown above, just add all executables of the folders you set a no-execution on.


    upload_2015-4-21_13-6-46.png

    The (unsigned) GUI application of SecureFolders does not have to run, the (signed) driver of SecureFolders enforces the rules set by the GUI application.
     
    Last edited: Apr 21, 2015
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    That is one heck of a combination, Kees. They seem to compliment eachother well and lock the system down really tight. Actually, this is quite impressive.
     
  5. powerpack

    powerpack Registered Member

    Joined:
    Mar 23, 2010
    Posts:
    42
    Location:
    Now-here or NO-WHERE
    Thanks kees, as usual superb post. I have got cleared out all doubts about the combinations.
    I have one question though, how to install new program, by disable both programs? I guess yes!
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Add protection against ransonware malware

    I have My documents relocated to the D:\ partition (d for documents) and I have My Music, My Videos and My Pictures relocated to M:\ (m for media files). So either add your user folders (My documents, My music, My video's, My Pictures) and/or the letter of your Data Partition(s) to the list of proctected folders (see picture below).

    Untitled.png
    Setting it to read-only will prevent ransomware to encrypt your personal data folders. When you want them really to be private, you have to choose the option LOCKED or HIDDEN.

    upload_2015-4-21_16-22-26.png

    Added all my user programs (including mspaint, to have write acces to private folders
     
    Last edited: Apr 21, 2015
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    I just wanted to confirm, is the comma after C:\windows\System32\com\dmp\*, just a typo?

    Also, you could add the following rule for Chrome's internal updater:
    Code:
    [WHITELIST]
    C:\Users\*\AppData\Local\Temp\??_?????.tmp\setup.exe
    That way you wont have to disable Bouncer for Chrome updates. But you would still need to disable SecureFolders.

    Yes, that is correct. But if you don't want to have to disable two programs to install programs, Kees previously posted/shared another method of using Bouncer together with SRP in which you only had to disable Bouncer, yet utilize SRP feature of "Run as Admin" or something like that. That was also an excellent combination suggestion by Kees that is quite secure and handy. Kees would have to elaborate more on that, though.
     
  8. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Yes corrected, thanks

    True, but both these programs provide protection at kernel/driver level, so disabling two programs is the usability price you pay for this strong free protection. When you want simular protection, with one click comfort, then you need to buy AppGuard.

    Disable both Bouncer and SecureFolders when you want to install programs
     
    Last edited: Apr 21, 2015
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Do you happen to know if Secure Folder uses a KMD, appcertdll, hooking, etc.?
     
  10. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    136
    Let me see if I understand this correctly (probably not ;) )... If you run as LUA, you would only need Bouncer, not SecureFolders, right?
     
  11. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Correct, but you could still use it for the read-only ransomware protection (skip the no-exection entries).
     
  12. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Contact the developers, they respond quickly on questions
     
  13. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    @MrBrian

    Could you replace the links of OLD safe admin with this thread?

    Thanks

    Kees

    Untitled.png
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I'll try to do so today.
     
  15. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Thx, much appreciated
     
  16. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Major props... I'm implementing this into my setup as well.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Implemented this very pair just today and i really must say that i am equally impressed!
     
  18. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    @EASTER,

    New NVT-ERP beta becomes donation ware, so you could add an anti-exec layer to your setup (allowing trusted vendors of your signed programs and hashes of the unsigned programs). In XP-times you used to have everything covered twice at least when I remember correctly.

    Regards Kees
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    You are oh so right Kees. My XP hard drives (i have plenty of them in storage) each and every one is mega-tight with various hair trigger monitors etc. Windows 8 64 bit is been a major pain in comparison. I'm kinda between universes now. I intend to (maybe) run Windows 10 but i'm gonna revert back to XP Pro as soon as i can visit the computer shop and have them put me a framework box together with a strong processor etc. I'm using pretty much all the techniques available for 64 bit Windows 8 in bits and pieces.

    EDIT: I almost forgot to mention. SD is been the bread basket for this Windows 8 box in the interim as well as anything.
     
    Last edited: May 25, 2015
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    EXERadar_Pro_x86_x64_v3.1_22042015_BUILD1.exe

    Thanks again. Lot of catching up to do :)
     
  21. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi Kees

    "New NVT-ERP beta becomes donation ware, so you could add an anti-exec layer to your setup"

    Where can I download the new beta, could not find it on their site?

    Thanks

    Terry
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
  24. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Startup Sentinel is now a signed program :thumb: to warn when autorun entries are changed in real time http://www.kcsoftwares.com/?sus
    (to protect HKCU autoruns which are accessible by LUA/medium level processes).
     
  25. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Hi Kees,

    I have been using Simple Software-Restriction Policy on Windows XP. I recall reading that the latest version of Bouncer won't run on Windows XP. Would I lose any protection if I were to continue using SSRP instead of Bouncer?

    Phil
     
    Last edited: Nov 29, 2015