Supposing you choose to white/black list, what do you choose?

Discussion in 'other security issues & news' started by Sully, May 19, 2011.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If you use Sandboxie or SRP or EMET, or any other security/hardening tool, and you don't apply a system wide setting, but rather pick and choose what to add to your list, what is it?

    As an example, a thread recently on a new version of EMET had a few folks discussing the merit of applying EMET to specific things or everything. I personally apply EMET only to specific items, like browsers.

    As well, I have Sandboxie forced to open specific applications only, such as browsers.

    I wonder, for the sake of comparing and getting new ideas, what do you specifically choose to add to your list (whatever you may be doing with whatever application/tool, whether user or admin).

    I like to apply settings (whatever that might be) to all browsers, media players, rich text document apps, pdf viewers and any internet app that might need it such as a torrent client or instant messaging application.

    For most other apps, such as text editors, cd burners, tools like fraps/rivatuner/speedfan, audio editors, photo/video tools, etc etc, I don't worry too much about and really have no protection on them at all unless I feel they might open a file that is questionable or something of that nature.

    What do you do?

    Sul.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    In EMET's case it isn't one or the other. When you configure it for specific apps you can force them to "run with EMET" which means that emet.dll is injected into the process. This is different than simply changing how applications opt into EMET.

    So, to answer your question, I do both. I have all internet-facing applications running with emet.dll and I have it set to "maximum security" for system wide preferences.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Whitelist for Sandboxie and SRP, because it's far more secure. Blacklist for EMET, because of compatibility issues.

    Generally, I would choose whitelist over blacklist any day.
     
  4. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    I've added net apps to EMET. In SRP, I deny all including Admin. I have a few white listed hash rules for portable apps that reside on external storage. I also have not excluded .lnk extension which means I have added rules for All Programs shortcuts in the start menu. <--- That one may not even be needed since the .lnk security hotfix but I have not removed the .lnk extension nor the rules for start menu shortcuts.
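An added example (not from this thread or any poster): a PowerShell audit that reads the Software Restriction Policies registry settings and checks them against the posture Greg S describes, a Disallowed default that also binds administrators, .LNK still among the designated file types, and explicit hash or path rules as the only allow-list. It assumes the standard SRP key layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.

```powershell
# Added example (not from the thread): audit a Windows machine's Software Restriction
# Policies against a deny-all, admins-included, .LNK-checked, hash-rule allow-list posture.
# Assumes SRP's standard registry layout under HKLM\...\Safer\CodeIdentifiers.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPosture {
    if (-not (Test-Path $base)) { return [pscustomobject]@{ Present = $false } }
    $ci = Get-ItemProperty -Path $base
    # An absent DefaultLevel means SRP falls back to Unrestricted, so do not read it as 0.
    $level = if ($null -eq $ci.DefaultLevel) { 'Unrestricted (value absent)' } else { $levelNames[[int]$ci.DefaultLevel] }
    [pscustomobject]@{
        Present       = $true
        DefaultLevel  = $level
        AdminsExempt  = ([int]$ci.PolicyScope -eq 1)        # 1 = all users except local admins
        LnkDesignated = (@($ci.ExecutableTypes) -contains 'LNK')
        DllsEnforced  = ([int]$ci.TransparentEnabled -eq 2) # 2 = all software files, incl. DLLs
    }
}

function Get-SrpRules {
    # Each level (0, 131072, 262144) keeps its own Hashes\ and Paths\ subkeys, one GUID per rule.
    foreach ($lvl in $levelNames.Keys) {
        foreach ($kind in 'Hashes', 'Paths') {
            $key = Join-Path $base "$lvl\$kind"
            if (-not (Test-Path $key)) { continue }
            foreach ($rule in Get-ChildItem $key) {
                $p = Get-ItemProperty $rule.PSPath
                # Hash rules store the digest as REG_BINARY; path rules store the path as a string.
                $data = if ($kind -eq 'Hashes') { ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' } else { $p.ItemData }
                [pscustomobject]@{ Level = $levelNames[$lvl]; Kind = $kind; Name = $p.FriendlyName; Data = $data; Note = $p.Description }
            }
        }
    }
}

$posture = Get-SrpPosture
if (-not $posture.Present) { Write-Warning 'No SRP policy is configured on this machine.'; return }
$posture | Format-List
if ($posture.DefaultLevel -ne 'Disallowed') { Write-Warning 'Default level is not Disallowed: this is a blacklist, not a whitelist.' }
if ($posture.AdminsExempt) { Write-Warning 'Local administrators are exempt (PolicyScope=1); the deny-all default does not bind them.' }
if (-not $posture.LnkDesignated) { Write-Warning '.LNK is not a designated file type, so Start Menu shortcuts are never checked.' }
Get-SrpRules | Sort-Object Level, Kind | Format-Table Level, Kind, Name, Data, Note -AutoSize
```

Run it from an elevated prompt on the machine being audited; the rule listing is the place to spot stale hash rules for portable apps that have since been updated.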
     
  5. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,279
    Location:
    UK
    Hi Sully,

    I have a similar approach to you. I use Sandboxie only for browsing and opening email attachments that I'm not sure about. I also believe in the concept of applying different levels of policy restriction to applications, depending on their trust level.

    The main difference with the way you do it is that you have the technical knowledge, experience, and interest to do it yourself using the inbuilt features of the OS. I read your posts with interest and never fail to be impressed by the depth of your technical knowledge regarding the inner workings of Windows. I don't have the time or inclination to follow that route so I rely on third-party applications to do it for me.

    For some time now, it's seemed to me that a mixture of virtualisation and predefined policy restriction provides a good level of security, without having to ask the user to make decisions that they may not have the knowledge, experience, or inclination to handle correctly. For the majority of users, I think it's better if security software sits quietly in the background and makes its own decisions without involving the user, as far as possible.

    A big plus for Sandboxie of course is that it combines both application virtualisation and policy restriction features within a single program, although obviously only for those programs that run inside the sandbox.

    For system-wide protection, I mostly use Shadow Defender in combination with AppGuard. I also have Comodo Firewall 5 installed with Defense+ enabled. Now that it has an extensive whitelist and cloud security for blacklisting purposes, Comodo makes nearly all of its decisions itself without reference to the user. I've hardly seen any alerts since it was installed.

    Regards
     