This one is for the select few. Advanced users who like:
- version 3 over the rest
- AEs over HIPS
- to tweak things
- to be clean freaks
If you don’t belong to any of those and hold no interest in this topic, please don’t participate.
The goal is to make Defense+ the lightest it can be while maintaining its role as an anti-executable by disabling most security settings. As an added bonus effect, there are fewer Defense+ app rules created. This is something I’ve recently come up with. It’s still as secure as before, except obviously during installations and uninstallations, but that’s the idea: either trust the software I’m about to install or don’t install it at all. I’ve been “around the block” long enough to know the associated risks and conveniences. Should the worst happen, I re-image my PC. Even I have grown tired of HIPS alerts, regardless of whether I know how to answer them or not and regardless of Installation Mode (which ultimately creates rules for temporary files and requires maintenance later). There has never been a malicious application or executable in my Defense+ rules. I have also in the past confirmed my PC’s cleanliness by checking with various scanners from time to time, with nothing but false positives. Of course, all this fits my own needs based on my usage patterns, so it won’t apply to others.
So with all that mumbo jumbo background out of the way, here are my imperfect settings in no particular order:
My Protected Files & My File Groups
I remove everything in My Protected Files. I do the same in My File Groups but leave those 3 just for clarity in my Computer Security Policy screen (although I could easily remove them if I wished).
My Blocked Files
Obviously nothing here, because all my programs are used and “trusted” by me.
My Pending Files
While I’m in Clean PC Mode, this will start to populate new executables, and of course will be purged once I’m done installing them.
My Own Safe Files
Nothing here.
My Blocked Files
All cleared out. Even the two default Comodo ones.
My Protected Registry Keys
All cleared.
My Protected COM Interfaces
Nothing.
Predefined Security Policies
Windows System Applications is the only one left. Again, I could remove this too but I leave it there for clarity’s sake to separate my app rules into groups.
Defense+ Settings
General Settings tab - Always in Clean PC Mode, except when I’m (un)installing, when it’s Disabled.
Disable the three options.
Monitor Settings tab - All disabled.
Image Execution Control Settings - The plot thickens ;D.
General tab - Leave them at defaults - Normal Image Execution Control Level and Detect shellcode injections. Buffer Overflow protection I believe is a separate nasty entity on its own, but my worries could be for naught if I’m setting Defense+ as an AE. Let me know if I’m wrong on this.
Files to Check tab - Removed all. At first, I misunderstood that this is the list Defense+ checks on all executables. Wrong. I added *.msi and tested by installing an MSI file without any prevention at all. Reading through old posts by Egemen and another forum, this is something that Defense+ checks after those files are launched (probably tied in with the shellcode injections check - again, correct me if I’m mistaken).
Predefined Security Policies - The main dish :).
Pic # 1 is basically all the applications I ever use and need for Windows to operate. I’ve tried to launch everything and every setting I could remember to build this list while in Clean PC mode.
Pic # 2 is from the * application / process rule (basically, the “every file” rule), which is used to accommodate potential applications and processes that Windows might launch or that I might have missed in the future. I set all the sub-options to Allow, except the first one to Ask on launch. Now, of course, being in Clean PC Mode, instead of asking, Defense+ will automatically and silently create the necessary rules. It saved me time when I was first rebuilding my rules because they all adopt the same structure.
After all that, I access each individual app from pic # 1 and set the “Run an executable” option to Block. This should cover any possible exploit. I’ll give a more complicated example and the relationship between two applications (Pic # 3): My Opera browser is allowed to launch/execute only certain programs (e.g. I sometimes click on the downloaded or transfer window to launch instead of minimizing Opera and then double-clicking on the file on my desktop). Using MS PowerPoint Viewer 2003 as a specific example, Opera is allowed to launch .pps, .ppt and similar file extensions. Conversely, MS PowerPoint Viewer is allowed to launch Opera (e.g. sometimes a .ppt file has a URL embedded that I want to launch as a shortcut). You might wonder, “what happens if that .ppt file contains malware and therefore PowerPoint Viewer, as a trusted app, can inadvertently cause harm?!”. Remember what I mentioned earlier: after launching and operating all my usable programs, I go back to each rule and set the “Run an executable” option from Ask to Block. That means in this example, Opera is only allowed to launch said programs, while PowerPoint Viewer is only allowed to launch Opera, nothing else. This explains why I put the * rule at the bottom, as shown in pic # 2.
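To show why the per-app “Run an executable = Block” rules with their explicit exceptions have to sit above the * rule, here is an added Python model of that first-match rule evaluation (my own illustration, not Comodo code and not from the original post). The paths are constructed placeholders, and Clean PC Mode is modelled the way the post describes it: an Ask on a program already on disk turns into a silent Allow.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AppRule:
    app: str                 # application path, or "*" for the catch-all rule
    run_executable: str      # "Allow", "Block" or "Ask"
    may_launch: tuple = ()   # children explicitly allowed despite "Block"


def match(pattern, path):
    # Windows paths compare case-insensitively; "*" matches anything
    return fnmatchcase(path.lower(), pattern.lower())


def decide_launch(rules, parent, child, clean_pc_mode=True):
    """Decide whether 'parent' may run 'child'.

    The first rule whose app pattern matches the parent wins, which is
    why the "*" rule must be the last entry of the policy.
    """
    for rule in rules:
        if not match(rule.app, parent):
            continue
        if any(match(p, child) for p in rule.may_launch):
            return "Allow"                       # explicit exception
        if rule.run_executable == "Ask" and clean_pc_mode:
            # Clean PC Mode (as described in the post): instead of an
            # alert, Defense+ silently creates an Allow rule
            return "Allow"
        return rule.run_executable
    return "Block"                               # no rule at all


# constructed example paths, not real install locations
OPERA = r"C:\Program Files\Opera\opera.exe"
PPTVIEW = r"C:\Program Files\PowerPoint Viewer\pptview.exe"
CMD = r"C:\Windows\System32\cmd.exe"

RULES = (
    AppRule(OPERA, "Block", may_launch=(PPTVIEW,)),   # Opera -> viewer only
    AppRule(PPTVIEW, "Block", may_launch=(OPERA,)),   # viewer -> Opera only
    AppRule("*", "Ask"),                              # catch-all, kept last
)

if __name__ == "__main__":
    for parent, child in ((OPERA, PPTVIEW), (PPTVIEW, OPERA), (PPTVIEW, CMD)):
        print(parent.rsplit("\\", 1)[-1], "->", child.rsplit("\\", 1)[-1],
              decide_launch(RULES, parent, child))
```

Reversing the tuple so that "*" comes first lets the viewer launch anything, which is exactly the ordering mistake the post warns about.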
The only flaw I can see that I haven’t covered is script executable files. I’m not as familiar with these. Feel free to jump in if you have an idea. Sure it’s a pain to configure at first, but like before, once it’s done it is “set and forget”.
PS: I forgot to include that I enable Parental Mode with all alerts suppressed. And again, each time I’m about to install or uninstall something, I disable Defense+.