Software Policy: use Software Restriction Policies on any Windows edition (free)

Discussion in 'other anti-malware software' started by MrBrian, Jan 26, 2014.

  1. zagmarfish

    zagmarfish Registered Member

    Joined:
    Feb 27, 2017
    Posts:
    10
    Location:
    europe
    SRP seems designed to prevent execution, mostly.

    Is it possible to use SRP to make a folder or a group of folders (like every startup folder for every user) unwritable?
     
  2. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    That is the whole point. Block execution in the first place and there is no need to depend upon unreliable signature detection, heuristics, HIPS, behavior blocking, sandboxes, etc. While such protections have been refined over the years to fairly good levels, their protections still remain less than ideal.

    SRP is just one protection model among many. Using it comes down to personal choice.

    Yes. There are softs that will do this.
     
    Last edited: Mar 20, 2017
  3. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,904
    You can do it "manually" by right-clicking on the folder and changing the access rights in the Security tab, or you can use NTFS Permission Tools:
    https://www.wilderssecurity.com/threads/ntfs-permissions-tools.390219/
    Or other 3rd-party-tools:
     
  4. zagmarfish

    zagmarfish Registered Member

    Joined:
    Feb 27, 2017
    Posts:
    10
    Location:
    europe
    Yes I know how to do that but then I have to set the permissions of the "\Start Menu\programs\Startup" folders as many times as I have user accounts.
    I'm lazy and I was looking for a way to do it with a line like "%userprofile%\appdata\[...]\programs\Startup" in srp.ini
    Too bad.
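
The per-account repetition described above can be scripted with NTFS permissions instead of SRP. This is an added example, not part of the original posts and not a feature of Simple Software Restriction Policy; it assumes an elevated PowerShell session and the standard per-user Startup location, and the `-Remove` switch is this example's own parameter.

```powershell
#Requires -RunAsAdministrator
# Added example: put a deny-write entry on every user's Startup folder.
param([switch]$Remove)   # -Remove takes the deny entry off again

# Standard location of the per-user Startup folder inside a profile.
$relStartup = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

# Deny creating, changing and deleting items; inherit to existing and new children.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$deny    = [System.Security.AccessControl.AccessControlType]::Deny

# Win32_UserProfile lists every profile on the machine with its SID and path;
# Special marks the service profiles (SYSTEM, LocalService, NetworkService).
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |
    ForEach-Object {
        $folder = Join-Path $_.LocalPath $relStartup
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "No Startup folder for $($_.SID): $folder"
            return   # skip to the next profile
        }
        # The deny entry targets the profile's own account, not Everyone,
        # so administrators and installers are not affected.
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $sid, $rights, $inherit, $prop, $deny)
        $acl = Get-Acl -LiteralPath $folder
        if ($Remove) { $acl.RemoveAccessRuleSpecific($rule) }
        else         { $acl.AddAccessRule($rule) }
        Set-Acl -LiteralPath $folder -AclObject $acl
        [pscustomobject]@{ Sid = $_.SID; Folder = $folder; DenyWrite = -not $Remove }
    }
```

Each user normally owns their own profile folders, and an owner can always rewrite the permissions, so this stops ordinary writes to the Startup folder but not a process that first resets the ACL. Profiles created later need the script run again.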
     
  5. Turing Doenitz

    Turing Doenitz Registered Member

    Joined:
    Oct 23, 2013
    Posts:
    26
    Location:
    Australia
    I am fairly new to this program, but all good on Windows Creators Update. Replacing CryptoPrevent v7 for the moment.
     
  6. Turing Doenitz

    Turing Doenitz Registered Member

    Joined:
    Oct 23, 2013
    Posts:
    26
    Location:
    Australia
    I have come across a strange issue with trying to add cscript.exe and wscript.exe to disallowed apps:
    If I do the following...

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.
    ; Note that this list is ignored unless DisallowSpecificFolders is non-zero
    C:\windows\*\vssadmin.exe=0
    C:\windows\*\cipher.exe=0
    C:\windows\*\syskey.exe=0
    C:\windows\*\bcdedit.exe=0
    C:\windows\*\wscript.exe=0
    C:\windows\*\cscript.exe=0


    ...
    then running PowerShell cscript.exe will be blocked while wscript will run OK.

    Now reversing the order like this...

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.
    ; Note that this list is ignored unless DisallowSpecificFolders is non-zero
    C:\windows\*\vssadmin.exe=0
    C:\windows\*\cipher.exe=0
    C:\windows\*\syskey.exe=0
    C:\windows\*\bcdedit.exe=0
    C:\windows\*\cscript.exe=0
    C:\windows\*\wscript.exe=0


    ...
    then running PowerShell wscript.exe will be blocked by SRP and cscript will run OK.

    I can't work out why this is happening. It might be something obvious that I am missing.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,378
    Location:
    EU • SLO
  8. Turing Doenitz

    Turing Doenitz Registered Member

    Joined:
    Oct 23, 2013
    Posts:
    26
    Location:
    Australia
    Thanks Minimalist. Your idea put me on the right track. I played around with the path names for both and discovered that if they are different to some degree then SRP will work.
    Anyway, here's what I came up with:

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.
    ; Note that this list is ignored unless DisallowSpecificFolders is non-zero
    vssadmin.exe=0
    cipher.exe=0
    syskey.exe=0
    bcdedit.exe=0

    wscript.exe=0
    C:\Windows\*\cscript.exe=0


    Working now..

     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,378
    Location:
    EU • SLO
    Great to hear that you've found a working solution :thumb:
     
  10. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296
    Question: how do I whitelist a program I want to always run? System administrator has blocked it from running.

    I figured it out - it may help others. Under custom policies, don't put the semi-colon in front of the executable to be whitelisted; just put in the executable path, save it and when the SRP asks to set the new policy active, click yes.

    Then you can test to see if the executable is now allowed after having been previously blocked by the system administrator popup.

    Worked for me! :)
     
    Last edited: Jun 13, 2017
  11. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,060
    Location:
    South Texas, USA
    Anyone have insight on how the default protection of Simple Software Restriction Policy compares to the default of CryptoPrevent?
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,535
    Location:
    The etherlands
    Also interested :). Have only tried the latter.
     