Defence+(protection settings)

Good day to all,

I would just like to bring up the topic of the “Protection Settings” part of Defence+/computer security policy.
On a default installation it seems that of the options given, only 2 are checked yes for CFP v3, these being “Interprocess Memory Access” and “Process Terminations”, which is fine.
The “protection settings”, as far as I can tell, are turned off for everything else, including Trusted Application, Windows System Application or Custom.
Does anyone have any settings they use regarding these when it comes to certain applications, e.g. your AV?
Also, would it be beneficial to turn on these protection settings for all applications which are set to “Trusted” or for “Windows System Applications”?

Any advice on what you think is the best configuration?
Have you changed any of these settings, and why?
Are they worth it, or is it best just to leave them off?

Regards Matty

PS I have read the help section, am just throwing this out for ideas :-TU

Hi Matty

If you mark your apps as trusted you will not be able to change the protection settings. I expect it is because they are all allowed under trusted. The same applies to Windows System Applications. You can change those marked custom only. I personally have not changed any to allow more permissions. CFP allows as default and is the only one that I know of with extra permissions at default.

John

Hi John et al.,
I've been doing some tinkering around today, basically trying a few things out.

I manually edited the protection settings for “Trusted Application” to include protection for process terminations. After this I modified it to allow the “Windows System Applications” group as exceptions.
This seems to be going OK (trusted apps unable to be killed via Task Manager), but after they run an exe they seem to change back to “Custom” but keep the same settings as “Trusted” ???
I think it may have something to do with which setting you have D+ in (currently Clean PC), but I have yet to establish this.
Am also trying to add to the predefined list with some new policies (AV policy etc.), but it still needs some work.

Regards,

Matty

Matty

I will do some more tests and see if I can get the same results that you do. I was checking the settings of the application itself rather than changing the settings of the predefined security policy. Will get back to you.

John

I can confirm your findings for trusted application- John

Have managed to get a policy for my AV (Avira AntiVir) up and running fine with the same protection settings as CFP v3.
I suppose this will work for any application.

1. Made a new group for the application: Defence+/My Protected Files/Groups. Click Add/Select From/Browse.
Find the folder you're after (C:\Program Files …), highlight it and transfer it across to Selected Items, then Apply. The new group is now created.

2. Create a new Predefined Policy for the application: Defence+/Advanced/Predefined Security Policies/Add

Give a name to the new group and click on Access Rights. I allowed all but Run an Executable (same as Trusted). On Run an Executable choose “Modify”/Add/File Groups/Add the new group you just made/Apply to all windows. (This should allow interaction within the application, e.g. sched.exe runs update.exe etc.)

3. Create protection for the Policy: Defence+/Advanced/Predefined Security Policies
Click on your new Policy and choose Edit/Protection Settings/Check yes for “Process Terminations” and “Interprocess Memory Accesses”.
Now on each of these click on Modify/Add/File Groups and add “Windows System Applications”. Apply to close all windows. (This makes WSA an exception.)

4. Give all files in Computer Security Policy the Policy: Defence+/Advanced/Computer Security Policy
[You can move the files together by holding down the left mouse button on a file (a red line appears) and moving up or down with the mouse to group them together.]
Right click/Edit/Choose a predefined policy/choose your new policy/Apply to all windows

This should now give your new policy the same protection as CFP v3.

Regards

Matty

PS This is only my choice, it may be different for you; also, any other ways you have used Defence+ to further protect your system I would be grateful for.


Here is what I did regarding Protection Settings:
a) Create a file group called ‘Interprocess Memory Access Allowed’. Within this group add those programs that should be allowed to access the memory of protected programs. For security program processes only, add this file group to the exceptions list of ‘Interprocess Memory Access’. You could also add other programs if you wish, but I didn’t. Look at the Defense+ logs to see candidate processes to add to this file group.
b) Create a file group called ‘Hooking Allowed’. Within this group add those programs that should be allowed to hook protected programs. For security program processes only, add this file group to the exceptions list of ‘Windows/WinEvent Hooks’. You could also add other programs if you wish, but I didn’t. Look at the Defense+ logs to see candidate processes to add to this file group.

You could do the same for the other 2 types of protection settings if necessary.