Trialing Locked Admin

Discussion in 'other anti-malware software' started by Windows_Security, May 30, 2015.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    All those nice free programs just ask to be combined into a layered setup. I am trialing this combination for just a few hours, so please make an image backup before trying it out. I am using a Windows 7 32-bit OS.

    MalwareBytes Anti-Exploit as easy and free anti-exploit
    Crypto Prevent PORTABLE which is based ONLY on SRP and makes it harder for ransomware to run from user folders.
    SecureFolders, to protect my data partitions (drives D, E and F) against illegal write access (e.g. ransomware).
    ToolwizTimeFreeze, just updated, for protecting my system drive C (against changes)


    Download Malwarebytes Anti-Exploit from https://www.malwarebytes.org/antiexploit/
    Download Crypto Prevent PORTABLE from http://www.softpedia.com/get/PORTABLE-SOFTWARE/Security/Portable-CryptoPrevent.shtml#download
    Download SecureFolders from http://securefoldersfree.com/ (it is clean, checked at VT)
    Download ToolwizTimeFreeze from http://www.toolwiz.com/en/products/toolwiz-time-freeze/

    Install/run them in that order

    Disable automatic update (upgrade) of MBAE, because TTF will remove that after re-boot. No notification is just my personal preference, leave it on when you want to.


    Cryptoprevent portable ONLY applies SOFTWARE RESTRICTION POLICIES, no execution filter with fingerprint blacklist, according to Q&A

     
    Last edited: May 31, 2015
  2. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    Secondly, install SecureFolders (SF) and set it up completely before installing ToolwizTimeFreeze (TTF).

    First add the applications which you want to allow access to the protected drives

     
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    Second add the user folders to protect.
    - first set a no-execution on folders which are often used for drive-by infections.
    - second protect your data folders with read-only (this allows other programs to read, for ease of use)



    Desktop is the name of the computer. I have also password protected Secure Folders
     
    Last edited: May 31, 2015
  4. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    Install TTF and make sure to exclude your Chrome User, Internet favourites and Outlook Mail folders for ease of use (SF has set a no-execute on those folders anyway). Now start TTF (reboot) and browse with peace of mind.

    P.S.
    When you add an exclusion folder e.g. Your C:\Users\[user name]\Desktop, don't forget to add it as a NO-EXECUTION folder in Secure Folders also.
     
    Last edited: May 31, 2015
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    Before updating windows or other programs, you only have to stop TTF (see pic).

     
    Last edited: May 30, 2015
  6. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    :thumb:

    1+3+4 combo is running on my system(s) for months. Not a conflict yet. Before SecureFolders I used the TimeFreeze+EasyFileLocker combo for protecting System+DATA, respectively.

    Mind if I ask what more 2 brings to the table in comparison to (your favorite) Whitelisting/Anti-Execution approach? (ease of updating?)
     
  7. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    @CGuard

    Thanks for confirming it runs well on your computer for months, so I should have named this setup Guarded Admin :thumb:, maybe a mod is willing to change the title of this thread.

    Indeed, primary reason for choosing BD anti-ransomware was to lower user interaction and required knowledge of user.

    Second reason is, because they use different security mechanisms:
    - CryptoPrevent Portable is ONLY using Windows' Software Restriction Policies (internal mechanism)
    - Secure Folders is probably using Windows' Access Control Lists (internal mechanism) forced through an installed driver
    - Malwarebytes Anti-Exploit filters running processes and injects its own DLL to monitor actions from within the process
    - Toolwiz Time Freeze virtualizes the system drive by filtering disk access

    Third reason, in the Safe Admin thread the new Beta of ERP is also mentioned.

    regards Kees
     
    Last edited: May 31, 2015
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,166
    Do you make any changes to the advanced settings? Any of the four tabs there? In Malwarebytes Anti-Exploit?
     
  9. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    No they are good as they are, see first post for MBAE. Idea was to configure a layered defense which was easy to use, with little tweaking and facilitating people who like to try out programs (safe admin is more for people with 'steady' setups).
     
  10. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
    @Windows_Security

    If it wasn't for your introductory-to-SF thread (BTW and OT: CrowdInspect is another recent discovery of yours, which I've added to my security toolbox) and/or your ability to utilize apps/approaches to the max ("UAC+SF=LUA effect on an admin account" being your latest contribution), that setup wouldn't be possible. So, my confirmation comes far second, here. :)

    Just to clarify something: BD-AR blacklists the entire Appdata and StartUp folders or only the abovementioned 1st levels?

    BTW and OT #2: TimeFreeze+HMPA (auto-updating)=complete nightmare (@anyone interested).
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Quick Q. On #2 Wouldn't CryptoPrevent also be an alternative?
     
  12. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    190
    Location:
    Oudenbosch
    Yeah. Just wanted to ask the same question ;)
    What is the advantage of Bitdefender CryptoWall compared to CP or HMP.A (or even combination of both)?
     
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    331
    It's free
     
  14. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi All

    I was using BitDefender Cryptowall yesterday, on reboot I found it was not remembering settings. Even when it first installs you have to manually set the Immunisation to on.
    Anybody any idea why the settings are not remembered?

    Thanks

    Terry
     
  15. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    @pablozi, @EASTER, @TerryWood

    Because of the issue Terry reported, I checked the tip posted by Easter in detail.

    HMPA is not free, as explained by ropchain, and overlaps too much with MBAE-free

    I thought CryptoPrevent was not free anymore. Also it was not based on Software Restriction Policy solely anymore. This extra feature is a disadvantage in this setup (because it adds another execution filter). Luckily I discovered that it is possible to download CryptoPrevent Portable without providing your email address and, even better, read that CP Portable (CPP) is ONLY based on Software Restriction Policies. Also CPP has broader SRP coverage than BD-AR, so I dropped Bitdefender Anti-Ransomware for CryptoPrevent Portable.

    @TerryWood
    Please stop TTF protection, de-install Bitdefender AR, run CryptoPrevent Portable, reboot and try to run an executable from your user's startup folder. Also note that I made a small adjustment to the TTF exclusion and no-execution folder of SF (Chrome User data), see first posts.


    Regards Kees
     
    Last edited: May 31, 2015
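    The check Kees suggests above (run an executable from the user's Startup folder after CryptoPrevent Portable has applied its rules), together with a listing of which Software Restriction Policy rules are actually in force, as an added example that is not part of the thread and not code from CryptoPrevent or any other tool named here. It assumes the standard SRP registry layout Windows uses (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with one sub-key per security level and a Paths sub-key holding the rules), uses notepad.exe as a harmless probe binary, and the probe file name is constructed. Because SRP is read from the registry, the listing works on Home editions without gpedit too, whichever tool or hand edit put the rules there. Run it in an elevated PowerShell on Windows 7/8 (PowerShell 2.0 syntax, so no [PSCustomObject]).

```powershell
# Added example (not from the thread, CryptoPrevent or SecureFolders):
# 1) list the SRP path rules currently applied, 2) probe whether an .exe in the
# per-user Startup folder is refused by the OS, as post 15 suggests checking.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security-level sub-keys (assumed standard layout):
# 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
$levelNames = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

function Get-SrpPathRules {
    if (-not (Test-Path $saferRoot)) {
        Write-Warning "No SRP policy under $saferRoot - nothing has applied Software Restriction Policies here."
        return @()
    }
    $defaultLevel = (Get-ItemProperty -Path $saferRoot).DefaultLevel
    if ($defaultLevel -eq $null) { $defaultText = 'Unrestricted (DefaultLevel not set)' }
    else { $defaultText = $levelNames["$defaultLevel"] }
    Write-Host "Default security level: $defaultText"

    $rules = @()
    foreach ($levelKey in Get-ChildItem -Path $saferRoot) {
        $level = $levelNames[$levelKey.PSChildName]
        if (-not $level) { continue }                      # not a security-level key
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }       # level has no path rules
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $props = Get-ItemProperty -Path $rule.PSPath
            $rules += New-Object PSObject -Property @{
                Level       = $level
                Path        = $props.ItemData               # REG_EXPAND_SZ, e.g. %AppData%\*.exe
                Description = $props.Description
            }
        }
    }
    return $rules
}

function Test-StartupFolderExecution {
    # Copy a harmless Windows binary into the Startup folder and try to run it.
    # With a Disallowed rule covering that folder, the launch is refused by Windows
    # (the SRP error is reported as "blocked by group policy").
    $startup = [Environment]::GetFolderPath('Startup')
    $probe   = Join-Path $startup 'srp-probe-notepad.exe'   # constructed probe file name
    try {
        Copy-Item -Path "$env:windir\System32\notepad.exe" -Destination $probe -Force -ErrorAction Stop
    } catch {
        return "Could not place probe in $startup (write blocked?): $($_.Exception.Message)"
    }
    try {
        $p = Start-Process -FilePath $probe -PassThru -ErrorAction Stop
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        return "NOT blocked: an executable in $startup was allowed to run"
    } catch {
        return "Blocked: $($_.Exception.Message)"
    } finally {
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
    }
}

Get-SrpPathRules | Sort-Object Level, Path | Format-Table Level, Path, Description -AutoSize
Test-StartupFolderExecution
```

    If the table is empty or the probe runs, the rules have not taken effect (a reboot or log-off is usually needed after SRP changes); if the probe is refused, the Startup folder rule is live. Run the probe while TTF protection is stopped, as the post says, so the result is not undone or masked by the disk virtualization.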
  16. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    190
    Location:
    Oudenbosch
    @Windows_Security
    But MBAE is very limited in free version. Maybe it would be better to replace it with EMET which can cover more software than only browsers and JAVA?
     
  17. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    331
    You can always use EMET on software that is not protected by MBAE. Although I would not bother about the Java protection, the last vulnerabilities that have been targeted by EKs are from June 2013 iirc and you can just disable Java in your browser.
     
  18. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    MBAE is easier to use. But when you know how to, just add EMET for the other applications as ropchain explained. The real value of EMET is to use ASR and block scripting DLLs in Office programs. I have explained that in this post. I wanted this configuration to be easier to set up (also the other three protections will reduce the risk of exploits in other programs).
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,166
    I could never get EMET to work on my machine even with all security software disabled. Tried many configs but always had a problem with one and can't remember now which one it was. That was a few months ago. Is there a newer build I could try now?

    Thanks
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,166
    What I wonder is if not using timefreeze or a program like Quietzone and using other software to lock down your pc is using more or less resources.
    Why not just use a paid anti-exploit and a good AV and a Reboot-all-gone setup? All I know is EMET doesn't work on my PC and the setup I have now does, with little resources.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Wonderful simple security arrangements as always Kees :thumb:

    With Windows 8 as my only Live box for a while now, it has become increasingly more important than ever to make the absolute MOST with the absolute LEAST of what is currently free and available. I already tried the routine all-in-one AV route and it (as always for me) proved once again woefully inadequate. And that was clearly evidenced by having fallen victim to an earlier brand of Mr Crypto this year. In essence, another vital lesson learned yet again. Stick with Layered Defense just like this and more and there is much less risk as well as less resource usage to have to deal with.
     
  22. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    @Windows Security - Cool tools but is there any reason you don't use the built-in SRP, ACL settings? Is it just a matter of convenience?

    * Obviously Toolwiztimefreeze doesn't count in above :)
     
  23. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    854
    Just curious what advantage there is in using Cryptoprevent portable, over Software Policy (SSRP)?
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,121
    Location:
    USA
    One advantage of CryptoPrevent is it implements SRP on versions of Windows that don't include the Group Policy Editor. It also implements restrictions on many more locations than Bitdefender Cryptowall Vaccine (which only locks %appdata% and %startup%). See the screenshot of CryptoPrevent default settings.

    Note also that Kees is suggesting using the default protection level in CryptoPrevent.
     


    Last edited: Jun 13, 2015
  25. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    Yes you are completely right, :thumb: that is where I got the idea from.

    A family member has two kids, 14 and 12, and got tired of restoring an image when his kids had installed all kinds of ****. So he asked how those internet cafés protected their PCs against changes (because he assumed that they would have similar problems).

    I usually trial a setup for a week or two before I install it on the PC of someone else.

    I am now back on my normal setup using OS (WFW, SRP, ACL, UAC, 1806) and application hardening (mail in text format, disable macros, plug-ins in Office etc).

    Regards Kees
     