tried SRP/Applocker and am impressed

Discussion in 'other anti-malware software' started by ncage1974, May 20, 2011.

Thread Status:
Not open for further replies.
  1. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    Overall very impressed with the technology. I went to the MDR and tried to attack the heck out of a machine that only had XP SP2 with no other patches (IE6). After it was all said and done, the malware didn't get outside of the temp directories: both %userprofile%\temp and %windir%\temp. I wish I could have investigated this before, because I almost think it's a perfect solution. I can say the only thing I wasn't happy with is this. To be able to install a lot of programs you need to open up the temp directories, because the installer extracts everything into the temp directories. What's bad about opening your temp directories is that it would also allow malware that got downloaded by the browser to run. Don't know if there is a way around this one...

    The only way I can think of to get around this problem is to create one and only one account that you install software under (and don't browse under this account). At least with AppLocker you could say only this account has access to run stuff in the temp directories. Sure, if you run under a user rather than an administrator it would solve the problem, but there are still a lot of people that can't run under limited privileges. I'm a programmer and it's just way too hard to run Visual Studio, IIS, SQL Server, etc. under limited user credentials.

    Edit: The other disappointing thing is that it should be made a part of home versions of Windows instead of just Professional/Enterprise/Ultimate. This technology can be used for a lot more than just an enterprise locking down what software a user can run.
     
    Last edited: May 20, 2011
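The "one install-only account that may run from temp" idea from the post above, written out as an AppLocker policy. This is an added example, not code from the thread or from Microsoft; it assumes a local account named `installer` (assumed name), an elevated PowerShell session on a Windows edition that ships AppLocker, and the default-style "Everyone runs Program Files and Windows, Administrators run everything" allow rules. AppLocker has no `%TEMP%` variable, so the user temp path is spelled out under `%OSDRIVE%`, and because `%WINDIR%\*` already covers `%WINDIR%\Temp`, the Everyone rule carries an exception for it so that only the install account's explicit rule opens that directory.

```powershell
# Added example (not from the thread): AppLocker EXE rules that open the temp
# directories for a dedicated install-only account and nobody else.
# Assumptions: local account 'installer' exists (assumed name), the session is
# elevated, and AppLocker is available on this edition. Try it on a test box.

Import-Module AppLocker

$installAccount = 'installer'   # assumed name of the install-only account

# AppLocker rules are scoped by SID, not by account name.
$account = New-Object System.Security.Principal.NTAccount($installAccount)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Default-style rules: Everyone may run from Program Files and Windows,
         except Windows\Temp, which is handled by the install-account rule below. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone - Program Files"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Everyone - Windows (not Temp)"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\Temp\*" /></Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators - everything"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- The point of the thread: temp is runnable for the install account only.
         AppLocker has no %TEMP% variable, so the user temp path is spelled out. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="User temp for $installAccount"
        Description="" UserOrGroupSid="$sid" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\$installAccount\AppData\Local\Temp\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows temp for $installAccount"
        Description="" UserOrGroupSid="$sid" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-install-account.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run before enforcing anything: stand in for an installer that extracted
# itself into Windows\Temp (notepad.exe is copied there purely as a probe file;
# Test-AppLockerPolicy needs a real file to evaluate).
$probe = Join-Path $env:WINDIR 'Temp\setup-probe.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User $sid      # as the install account
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User 'S-1-1-0' # as Everyone
Remove-Item $probe -Force

# Enforcement only happens while the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Replace the local policy with the one above (use -Merge to keep existing rules).
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Two caveats a practitioner would want: first, this only covers the Exe collection, so an .msi installer is governed by the Msi collection and scripts and DLLs by theirs; second, the policy is only as strong as the account separation it relies on, since anything the install account downloads into its own temp is runnable by it, which is exactly why the post says not to browse under that account.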
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
  3. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    For SRP the simplest method is to switch off the protection, install and then switch it back on.

    That way you do not have to open up temp directories and you do not have the hassle of having to log in and out of different accounts.
     
  4. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    For some strange reason with AppLocker, even if you turn the "Application Identity" service off, AppLocker is still active. You have to reboot first. Makes it a little hard to do with AppLocker but still doable.
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Ah, I did not realise this because I have not had a chance to play with AppLocker. In that case a log in/out would be preferable to a reboot.

    On my machine, when I switch SRP on/off, there is an approximate delay of 20-30 seconds before the computer registers my change. I am curious if there is a similar delay with AppLocker.
     
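The "switch SRP off, install, switch it back on" routine from the replies above, scripted so that the policy is restored even if the installer fails. This is an added example, not code posted in the thread; it assumes SRP is configured as a local policy (secpol.msc), which stores its settings under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, that the script runs elevated, and that the installer path is supplied by the caller. The settle delay is taken from the 20-30 second lag reported above and is a tunable assumption, not a documented value.

```powershell
# Added example (not from the thread): turn SRP off, run an installer, turn SRP
# back on, restoring the original setting in a finally block.
# Assumptions: local SRP policy (HKLM\...\Safer\CodeIdentifiers), elevated session.
param(
    [Parameter(Mandatory = $true)][string]$Installer,
    [string[]]$InstallerArgs = @(),
    # Grace period for the change to register; the thread reports 20-30 s (assumed figure).
    [int]$SettleSeconds = 30
)

$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# DefaultLevel values: 0x0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
$Unrestricted = 0x40000

if (-not (Test-Path $saferKey)) { throw "No local SRP policy found at $saferKey" }

# Remember what was there (normally Disallowed) so it can be put back exactly.
$original = (Get-ItemProperty -Path $saferKey -Name DefaultLevel).DefaultLevel
Write-Host ("Current DefaultLevel: 0x{0:X}" -f $original)

try {
    Set-ItemProperty -Path $saferKey -Name DefaultLevel -Value $Unrestricted -Type DWord
    Write-Host "SRP switched off; waiting $SettleSeconds s for the change to register..."
    Start-Sleep -Seconds $SettleSeconds

    # Start-Process rejects an empty -ArgumentList, so only pass it when there are arguments.
    $startArgs = @{ FilePath = $Installer; Wait = $true; PassThru = $true }
    if ($InstallerArgs.Count -gt 0) { $startArgs.ArgumentList = $InstallerArgs }
    $proc = Start-Process @startArgs
    Write-Host "Installer exited with code $($proc.ExitCode)"
}
finally {
    # Runs whether the installer succeeded, failed, or threw: SRP never stays off.
    Set-ItemProperty -Path $saferKey -Name DefaultLevel -Value $original -Type DWord
    Write-Host ("DefaultLevel restored to 0x{0:X}" -f $original)
}
```

Usage: `.\Install-WithSrpOff.ps1 -Installer C:\Downloads\setup.exe -InstallerArgs '/S'` (file name and arguments are illustrative). While the window is open, anything already sitting in a temp directory is runnable for every account, so the machine should not be used for browsing until the finally block has run. This script does not apply to AppLocker: as noted above, stopping the Application Identity service does not lift AppLocker enforcement until a reboot, so the AppLocker equivalent is to change the policy itself (for instance `EnforcementMode="AuditOnly"` in the rule collection, applied with `Set-AppLockerPolicy`) rather than to touch the service.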