What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,954
    mounting is irreversible.
    maybe you should consider some type of access restrictions based on Windows. Sandboxie can't do this.
     
  2. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,357
    Location:
    Location Unknown
    I know it is, that's why I'm asking here for any exe not in sandboxie.
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,954
    you may start a new thread for this.
    prequel questions: how do you mount, what do you mount?
     
  4. acid king

    acid king Registered Member

    Joined:
    Jan 19, 2019
    Posts:
    105
    Location:
    europe
    Last edited by a moderator: Sep 2, 2023
  5. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    658
    Location:
    Milan, Italia
    Indeed, he makes some nice lists and his GitHub page is a good resource, especially for noobs, plus some sensible suggestions.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    I just saw in another video review on YouTube, that with CIS 2024 you can disable the components like AV and firewall and choose to use only the HIPS or sandbox for example, pretty cool.

    KAR sounds pretty cool, I also saw that it can protect against memory reading.

    About Harmony, I assumed that it can only work together with the EDR component, I didn't see any consumer GUI. And ZoneAlarm Anti-Ransomware looks way too bloated and isn't even that good apparently.

    BTW, I also saw your newest Raccoon Stealer test, I assume this stuff can be stopped by TinyWall, Secure Folders and you might want to test HMPA against it, which claims to protect against info stealers.
     
  7. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,653
    Location:
    Paris
    As a stealer MUST be able both to package stolen data AND transmit it out to succeed, stopping the malware at either point is optimal. Any outbound-alerting FW will certainly stop the transmission, so it really doesn't matter what data is harvested if it can't be sent out.

    As for HMPA, it can be bypassed quite easily as I've shown in the past, and there has been no significant coding upgrade for it recently that changes things in any way. Bad thing is, it may give the user a false sense of security, kinda like Microsoft's WD, WF and UAC.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    Yes, Secure Folders will simply block info stealers from getting access to the browser password file on disk, and TinyWall will block the malicious processes from connecting out. BTW, can CIS 2024 be configured in a way to auto-block outbound connections? Because the alerts would drive me crazy, that's why I switched to TinyWall.

    Yes, but it would be nice to test HMPA against info stealers. I believe it claims to block them from connecting out and getting access to browser memory. Now that I think of it, do these info stealers try to grab browser passwords only from disk or also memory?
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    Looks like it's possible:

    https://help.comodo.com/topic-72-1-451-4770-Firewall-Behavior-Settings.html
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,653
    Location:
    Paris
    In about a week I'll be publishing a rather quick (3 min) video about just that. All Protection, No Popups.
     
  11. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,954
    have been loaded to the system before. fail anyway. and if it was well programmed, nothing can stop it.
    as you wrote HMPA could be bypassed, defender also, maybe not with ease, but it can happen.

    question: prevent intrusion, or defend intrusion?

    good marketing always sells defense, not prevention. guess why.
     
  12. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,785
    Sphinx Firewall Plus
    AppGuard Solo
    Spyshelter Silent
    DeepFreeze

    Mullvad VPN
    AdGuard
    Raxco InstantRecovery

    Process Lasso
    1Password


    Emsisoft Emergency Kit
    Eset Online Scanner
     
    Last edited: Sep 14, 2023
  13. acid king

    acid king Registered Member

    Joined:
    Jan 19, 2019
    Posts:
    105
    Location:
    europe
    Win11 22H2
    DefenderUI
    SysHardener
    OSArmor
    NextDNS (HaGeZi - Multi NORMAL)
    Macrium Reflect 8
    Firefox Betterfox (DarkReader, uBlockOrigin)
    + Brave (DarkReader, Rabby)
    + KeePass 2.54
    + Process Lasso
    + privacy.sexy Standard
    + 2nd opinion scanner Malwarebytes/NPE
    + privaZer
    + sync.com
     
    Last edited: Sep 11, 2023
  14. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Long time since logging in. :) Lot of catching up to do...

    Webroot Secure Anywhere
    Emsisoft emergency kit - backup scanner
    ShadowDefender for the odd times - still working on Windows 11.
    Opera/chrome browser - adblock and adguard
    VPN.AC

    Giving HitmanPro.Alert a go as well.
     
    Last edited: Sep 14, 2023
  15. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    440
    Location:
    romania
    comodo firewall with @cruelsister's (thanks CS) settings.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    Yes I saw it. But I'm rather surprised that most info-stealers don't make use of code injection, because you would think they would try to bypass the firewall. Is this correct? What I'm trying to say is that any default-deny firewall will easily block them. BTW, have you ever tried HP Wolf Security? It also uses virtualization, but I assume it's micro-virtualization since they bought Bromium years ago.

    https://www.hpwolf.com/en/

    OK cool thanks, will check it out.
     
  17. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,653
    Location:
    Paris
    Hi R! Yes, a stealer absolutely needs to connect out to Malware Command to be effective, and any good outbound Alerting Firewall will prevent such transmission.

    About Wolf, it's a dumbed down HP version of DeepInstinct. I don't have a HP machine (God Forbid!) which it is tied to, and although a White Label version of it exists, the feedback that I've seen isn't positive as to system sluggishness. I haven't tested either myself. But I did give DeepInstinct a quick whirl and found it lacking. Although it did very well for exe malware, it did less well for malware of other types (a JS Carbanak as well as a custom coded VBS worm and RAT; script-based, all).

    Although rules can be created to stop these, that is more of a reactive type protection rather than proactive (which I think is sub-optimal).
     
    Last edited: Sep 16, 2023
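    The default-deny outbound idea discussed in the posts above (TinyWall, Comodo's no-popup auto-block, or the built-in firewall) can be reproduced with Windows Firewall alone. This is an added illustration, not any poster's setup: it blocks all outbound traffic by default, allows only named programs and services, pins DNS to one resolver, and turns on drop logging so a blocked call-out is visible. The browser path and the set of allowed services are assumptions; more rules will be needed on a real system.

```powershell
# Added example: default-deny outbound with the built-in Windows Firewall.
# Run from an elevated PowerShell. Paths and service names below are assumptions.

# 1. Block everything outbound by default on all three profiles.
#    Windows' own "Core Networking" outbound rules (DHCP, DNS client, etc.) stay active.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow only programs that legitimately need the network (assumed browser path).
New-NetFirewallRule -DisplayName 'Allow out: Browser (Edge)' -Direction Outbound `
    -Program 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe' `
    -Action Allow -Profile Any

# 3. Allow Windows Update by service rather than by a broad svchost.exe rule,
#    so other services hosted in svchost do not inherit the allowance.
New-NetFirewallRule -DisplayName 'Allow out: Windows Update' -Direction Outbound `
    -Program '%SystemRoot%\System32\svchost.exe' -Service wuauserv `
    -Action Allow -Profile Any

# 4. Let any process reach only the chosen resolver on UDP 53 (Quad9, as in one
#    setup in this thread); DNS to any other address falls under the default block.
New-NetFirewallRule -DisplayName 'Allow out: DNS to Quad9' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress 9.9.9.9,149.112.112.112 `
    -Action Allow -Profile Any

# 5. Log dropped connections; a stealer's blocked transmission attempt shows up here.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 6. Verify the profile state and the allow rules just created.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction, LogBlocked
Get-NetFirewallRule -DisplayName 'Allow out:*' | Select-Object DisplayName, Enabled, Action
```

    Expect breakage at first: anything not listed (updaters, cloud sync, VPN client) is silently dropped until you add a rule for it, which is the same trade-off the thread describes for TinyWall and Comodo's auto-block mode.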
  18. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,175
    Comodo
     
  19. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    Kaspersky antivirus free
     
  20. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    OS: Windows 11 22H2
    Antimalware: Eset Nod32 Antivirus
    Backup: Macrium Reflect Home
    Updates: Sumo
    Content blocker: uBlock Origin
    Privacy: Mullvad VPN
    Encryption: Veracrypt
    Passwords: KeePass
    On demand scanners: HitmanPro, Norton Power Eraser
     
  21. acid king

    acid king Registered Member

    Joined:
    Jan 19, 2019
    Posts:
    105
    Location:
    europe
    Win11 22H2
    DefenderUI (Recommended Profile)
    SysHardener (Home User)
    OSArmor (Basic Protection)
    ExpressVPN (Threat Manager)
    Macrium Reflect 8
    GlassWire Elite
    Firefox Betterfox (DarkReader, uBlockOrigin - filterlists yokoffing - Pro)
    + Brave (DarkReader, Rabby)
    + KeePass 2.54
    + Process Lasso
    + privacy.sexy Standard
    + 2nd opinion scanner Malwarebytes/NPE
    + privaZer
    + sync.com
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    Thanks for the feedback. But I wondered if you know about info-stealers that actively try to bypass firewalls with code injection or stuff like process hollowing? And I believe that DeepInstinct is another company focused on this AI hype. So it's not like Wolf, which is more focused on virtualization and isolation, similar to Sandboxie and Comodo IS. It's a bit shocking if you could bypass DeepInstinct though, since it's meant to be the "crème de la crème" of endpoint security LOL.
     
  23. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    ReviOS (debloated windows 10 22h2)
    Hard_Configurator (Recommended settings)
    • ConfigureDefender (Max setting)
    • FirewallHardening ( Recommended & LOLBins blacklist enabled)
    Process Lasso FREE
    Secure Folders
    Keyscrambler FREE
    Brave Browser

    • JShelter extension
    • Mullvad DNS
    • NoScript
    • disable non-proxied UDP
    Kaspersky Anti-Ransomware Tool FREE
     
    Last edited: Oct 17, 2023
  24. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    Hey guys, I'm Back! Hope you all have been well. Nice to see my thread is still going after all these years.

    FRESH START - DESKTOP

    Oct. 18, 2023- Updated, Added, Removed

    Network
    • Netgear Orbi AC2200 Tri-Band Mesh Wi-Fi System (3-pack)
    • Netgear Armor (Bitdefender) - Enabled
    • WiFi WPA2-PSK AES Encryption - Enabled
    • SPI & NAT Firewalls Built-In
    • Quad9 DNS Configured
    Computers
    • LOCAL ACCOUNTS - Administrator Password Protected
    • DESKTOP (Custom Built) - Windows 11 Pro x64 Ver. 22H2 Build 22621.2428
    Built-In Security
    • USER ACCOUNT CONTROL: HIGHEST SETTING
    • WINDOWS DEFENDER SECURITY CENTER: ALL ENABLED
    • WINDOWS FIREWALL: ENABLED
    • WINDOWS RANSOMWARE PROTECTION: ENABLED
    • WINDOWS CORE ISOLATION: ENABLED
    Resident
    • Malwarebytes WFC v6.9.6.0 - Medium Filtering, Display Notifications: Outbound
    • KeyScrambler 3.17.0.0 - Keystroke Profiling Enabled
    • Adguard Premium 7.15 build 4385 (Paid) - Beta Update Channel, Custom Settings, Additional Filters Enabled
    On-Demand
    • Macrium Reflect Free Edition 8.0.7690 - Backup Template: Full \ Differential
    • Adguard VPN 2.18 build 1033 (Paid) - On Demand
    • VMware Workstation 17 Pro 17.0.2 build-21581411 (Paid) - Software Testing
    • Emergency Toolkit 2023.10.0.12134 - Beta Update Channel
    Browsers, Immunization, Tweaks
    • Microsoft Edge 118.0.2088.46 Official build (64-bit) - Lastpass, Emsisoft Browser Security & HTTPS Everywhere
    • Homepage and Search Providers set to Startpage
    • ConfigureDefender 3.1.1.1 - Defender MAX Settings
    • Additional Group Policy Defender Settings - Manually Applied.
    • Spyware Blaster 6.0 - All Protection Enabled
    • Windows & User Temp Folders set to RAMDisk - Cleared on Reboot
    • Windows & Documents - Separate NVMe SSD Drives
     
    Last edited: Oct 18, 2023
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,602
    Location:
    The Netherlands
    Good to see you, and I see you're using less security tools than in the past, if I recall correctly. :p
     