Settings for running Steam [Draft] [v6] [v7]

Cannot at the moment work out what does the updating of the Steam program. No obvious updater. Maybe the service does it.

Steam service needs admin privs according to this thread, and is used for tasks needing higher privs. I’m guessing it acts as the Steam installer as well as game installer.

For installing games, setting Steam.exe as Installer/Updater in HIPS should be enough; for installing Steam updates, the relevant files are already signed and in the TVL so nothing is needed there.

I do not know how the BB works with excluding child processes; I’d imagine all that is needed is Steam.exe as an exclusion with the child process thing ticked. I’ll give it a try.
Edit: I set up BB with Steam.exe in exclusions and ticked to also exclude child processes, and was able to install and play an unrecognized game without it getting sandboxed. Worth noting is that you need to restart Steam.exe for the changes to come into effect (for example, if you have Steam running and then make the exclusion rules, unrecognized games will still be sandboxed, but after you restart Steam they will no longer be sandboxed).

Sorry missed the thread from the above: Steam Community :: Discussions

So I think the service needs to be an installer/updater if HIPS is active in relation to them.

Not sure exactly what CIS does regarding services. It does not BB them, but maybe it BBs files run by them.

The big problem is what happens if some Steam executables are unsigned. In CIS 6/7 the steam updater (probably steam service) cannot be made a trusted installer by policy application, AFAIK. Adding updaters to exclusions merely disables the s/b. Making them installer/updaters in HIPS has no effect on the BB now. So the files cannot be automatically made trusted by the BB. Even MS keeps on issuing non-trusted files in in-place updates. FF has caused lots of problems that way. In FS mode you just don’t know there’s a problem.

Do people normally run the main Steam executable in FS mode would you think?

Maybe so long as games are allowed to run we could say that any Steam executable trust problems are Steam’s fault.

Best wishes

Mike
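
As an added example (not part of Mike’s post or anything from the thread), here is a PowerShell script that lists which of Steam’s own executables and DLLs are unsigned, which is the concern raised above about unsigned Steam executables. It assumes a standard install: Steam records its install directory in the registry value HKCU:\Software\Valve\Steam\SteamPath, with a fallback to Program Files (x86) on 64-bit Windows or Program Files on 32-bit. Whether a validly signed file is actually trusted by CIS also depends on the signer being in the TVL, which the script does not check.

```powershell
# Added example (not from the thread): audit Authenticode signatures on the
# executables inside the Steam install directory, to see which files CIS would
# see as unsigned. Assumption: Steam records its install directory in
# HKCU:\Software\Valve\Steam\SteamPath; Program Files is the fallback.

function Get-SteamInstallPath {
    $regPath = 'HKCU:\Software\Valve\Steam'
    $p = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).SteamPath
    if ($p -and (Test-Path $p)) { return (Resolve-Path $p).Path }
    # Fallback: Program Files (x86) on 64-bit Windows, Program Files on 32-bit
    $candidates = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    foreach ($base in $candidates) {
        $dir = Join-Path $base 'Steam'
        if (Test-Path $dir) { return $dir }
    }
    throw 'Steam install directory not found'
}

function Get-SteamSignatureReport {
    param([string]$Root = (Get-SteamInstallPath))
    # Only Steam's own binaries: skip steamapps so game directories are not scanned
    Get-ChildItem -Path $Root -Recurse -Include *.exe,*.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notmatch '\\steamapps\\' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

$report = Get-SteamSignatureReport

# NotSigned (and HashMismatch) files are the ones the thread worries about.
# A Valid status is not by itself enough for CIS: the signer must also be on
# the TVL, which this script does not check.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count
```

Run it again after a Steam client update to see whether the updater has dropped in any new unsigned files, which is the situation the post above describes for in-place updates.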

There’s something called Big Picture mode. What is that for? No menus, so it seems to be a sort of FS mode in which alerts would not be seen.

???

FS? ???

FS=Full Screen :slight_smile:

Does it matter if they run Steam in full screen? (Assuming it’s possible, haven’t seen any such option except Big Picture Mode) ???

Yes (see above), that’s one key issue. You cannot see alerts. If there is no such mode then I think the risk of unsigned Steam executables causing problems is low; I guess they would most likely be opened when games were not full screen. So probably installer/updater for Steam and Steam service should do re HIPS, and recursive exemption for the same re BB, despite the risk of the occasional updater mistake. Unfortunately BO and AV exclusions are not so simple; we’ll need to exclude the games directories for those. So two groups maybe… Steam and Games. Will think tomorrow.

But maybe ‘big picture’ also suppresses alerts?

Full Screen doesn’t suppress alerts; the alerts simply show below the window. By default the user should hear the alert sound and can then tab out (Alt+Tab) to answer the alert; sometimes the full screen application is minimized automatically, and if neither of those is possible then Ctrl+Alt+Del should work. However, in some situations that won’t work either, mainly for games that actively try to stay in full screen (for example won’t let you tab out), and this is in my opinion border-line malicious behavior on the developer’s side, and honestly I would personally boycott such games… Although if you have KillSwitch set to replace the task manager then you can, as a last resort, press Ctrl+Shift+Esc or whatever the combo is and make sure to keep pressing Shift; this will kill most processes and most likely the game as well.

Steam.exe as Installer/Updater policy should never give you any HIPS alerts regarding the game or Steam, or at least that is my experience. I haven’t had the need to set the Steam Service as installer/updater, perhaps because KillSwitch lists it as “Trusted (Installer)” even though I’ve made no such HIPS settings; perhaps Steam.exe initiates SteamService, in which case the installer/updater policy of Steam.exe carries over to SteamService? Or perhaps the file is simply set as Installer in the TVL or whatever? Either way I’ve been using only Steam.exe as installer/updater for months now and not a single HIPS alert for any Steam process nor game process.

I do not know how this works for BB though, for example if I set Steam.exe as excluded and also tick to exclude child processes, then the processes that Steam.exe launches will be excluded from the Sandbox, but will processes created by those processes also be excluded? If yes then Steam.exe is the only needed exception, If no then the directory needs to be added.

Now firewall alerts are the real issue here. You can set up HIPS and BB to allow Steam and all games fairly easily with the power of child processes, but the firewall doesn’t have any such options and hence you have to do it on an application per application basis or, you know, make a group. Personally I just deal with it on an application per application basis.

Thanks Sanya. Sorry, was guilty of imprecise language. Yes, it’s about the alerts being hidden and games preventing Alt+Tab.

I’m trying to get a set of settings which will allow Steam and absolutely all Steam Games to run without alerts or other adverse effects for that reason, and for user convenience.

Partly also to choke off the ‘bugs’ and help issues which have been reported re Steam and CIS from v4 onwards.

Settings that will be suitable for the average user to use without problems. So the security-usability tension is acute. Maybe there need to be multiple sets of settings from more to less secure, dunno.

Best wishes

Mike

Another problem. Steam, the company, say these should be excluded from FW, but I cannot find them in my 8.1 installation. Maybe they come from unpacked update executables. Anyway I have no path for them:

steaminstall.exe (installer, clearly)
hl.exe (?)
hl2.exe (?)
steamTmp.exe (install temp file?)

Iunno, this may refer to the installer for Steam but I’m not sure; it could also be the installer for games… If my first guess is true then it’s obsolete since it’s now called SteamSetup.exe, and if the latter is true then I don’t know where to find it.

If the latter, then setting Steam.exe to Installer/Updater should be enough from a HIPS perspective since it would be Steam.exe that initializes Steaminstall.exe; for BB, setting Steam.exe to exclude and exclude child processes should also be enough (I think; depends if “Steam > Steaminstall > Unrecognized install executable” means the unrecognized install executable is sandboxed or not).

hl.exe refers to the executable for Half-Life or otherwise games that build on Half-Life (mods of Half-Life) and I guess perhaps certain games built on the GoldSrc engine.

For HIPS setting Steam.exe as installer/updater is enough since hl.exe is launched by steam.exe
For BB setting Steam.exe as excluded and exclude child processes should be enough since Steam.exe launches hl.exe

hl2.exe refers to the executable for Half-Life 2 (including Episode 1 and 2) or otherwise games that build on Half-Life 2 (including Episode 1 and 2) and perhaps certain games built on the Source engine.

For HIPS setting Steam.exe as installer/updater is enough since hl2.exe is launched by steam.exe
For BB setting Steam.exe as excluded and exclude child processes should be enough since Steam.exe launches hl2.exe

Iunno and I don’t know where to find it but for HIPS setting Steam.exe as installer/updater is most likely enough since most likely Steam.exe is the one to launch steamTmp.exe, for BB setting Steam.exe as exclusion and exclude child processes is probably enough too.

I just tested it and setting Steam.exe as exclusion in BB and excluding child processes means that if Steam.exe launches launcher.exe then launcher.exe will start outside of the sandbox BUT ALSO if launcher.exe launches for example Starbound.exe then Starbound.exe is launched outside of the sandbox. (launcher.exe and Starbound.exe are both unrecognized)

Video proof/example: Desktop 05 10 2014 12 43 28 02 - YouTube
Edit: Sure in the video I show it in the wrong order, I go Exception first then no exception then HIPS… Should have gone no exception first, then exception and then HIPS… Would make more sense but the video is still accurate.

So literally all that is needed on the HIPS front is setting Steam.exe to Installer/updater and for BB set Steam.exe as excluded and tick to exclude child processes. Now the only issue is AV and Firewall. I have personally never had any issues with plain AV on any games I have played, for this I’d suggest a per application approach when it is needed (which is rarely in my experience) and for Firewall I would personally suggest to do it on a per application basis but I can understand if that might not be good enough for this guide.
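
As an added example (not Sanya’s code or anything from the thread), this PowerShell snippet takes a snapshot of the running processes and reports every process that descends from Steam.exe at any depth, which is the process tree the “exclude child processes” option is being tested against above (Steam.exe > launcher.exe > Starbound.exe). It assumes the main Steam process is named Steam.exe. Parent PIDs reported by Windows can be stale when the parent has exited and its PID was reused, so the walk compares creation times and stops when the chain breaks.

```powershell
# Added example, not from the thread: which running processes descend from
# Steam.exe at any depth (the tree the BB "exclude child processes" option
# acts on). Assumption: the Steam main process is named Steam.exe.

function Get-ProcessSnapshot {
    # PID -> @{ Name; Parent; Created }, taken once so the walk is consistent
    $snap = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $snap[[int]$_.ProcessId] = @{
            Name    = $_.Name
            Parent  = [int]$_.ParentProcessId
            Created = $_.CreationDate
        }
    }
    return $snap
}

function Test-DescendsFrom {
    param([hashtable]$Snapshot, [int]$ProcessId, [string]$AncestorName, [int]$MaxDepth = 64)
    # Walk the parent chain upward. Stop at PID 0, at a parent that is no
    # longer running, or at a parent "younger" than its child (PID reuse:
    # the real parent exited and a new process was given the same PID).
    $cur = $ProcessId
    for ($i = 0; $i -lt $MaxDepth; $i++) {
        if (-not $Snapshot.ContainsKey($cur)) { return $false }
        $parent = $Snapshot[$cur].Parent
        if ($parent -eq 0 -or -not $Snapshot.ContainsKey($parent)) { return $false }
        $pc = $Snapshot[$parent].Created
        $cc = $Snapshot[$cur].Created
        if ($pc -and $cc -and ($pc -gt $cc)) { return $false }
        if ($Snapshot[$parent].Name -eq $AncestorName) { return $true }
        $cur = $parent
    }
    return $false
}

function Get-SteamDescendants {
    param([string]$RootName = 'Steam.exe')
    $snap = Get-ProcessSnapshot
    foreach ($id in @($snap.Keys)) {
        if (Test-DescendsFrom -Snapshot $snap -ProcessId $id -AncestorName $RootName) {
            [pscustomobject]@{
                PID        = $id
                Name       = $snap[$id].Name
                ParentPID  = $snap[$id].Parent
                ParentName = $snap[$snap[$id].Parent].Name
            }
        }
    }
}

# Run while Steam and a game are open: a launcher started by Steam and the
# game it starts should both be listed, the game with the launcher as ParentName.
Get-SteamDescendants | Sort-Object ParentPID, PID | Format-Table -AutoSize
```

Anything in this list is a candidate for the recursive exclusion; a game process that does not appear (for example one started by a service or by a scheduled task rather than by Steam) would not be covered by the Steam.exe child-process rule and would need its own entry.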

That’s the spec as I understand it.

Yes, I think for general users an AV exemption is needed. Steam service is so critical that I will exclude that as well; if you check the Steam site there have been quite a lot of problems with Steam Service permissions. Maybe it does not always get trusted/admin as it needs. May depend on OS, or signing problems. No real loss from doing this I think, though I accept in principle it should not be needed. BO exemption and FW allowed/stealth ask status is needed too, as there are some incoming connections (see above). I'll redraft.

Ok here’s a proposal before we change

  • If BB is on, Steam and Steam Service should be excluded from BB with child exclusion
  • If HIPS is on, Steam and Steam Service should be installer/updaters, and if in Paranoid the other executables should be at least allowed apps
  • Program Files (x86)\Steam* should be excluded from AV and made allowed for FW (there are various reports of Steam executables as well as games being detected by AV, probably heuristics, and in such a rich environment one could never know when another .exe might be added)
  • for BO exclusions, which cannot be recursive, maybe we just exclude Steam\SteamApps\Common and Steam\Steam\games, or maybe we just make it Program Files (x86)\steam* for simplicity

I guess on 32 bit Steam would be in Program Files not Program Files (x86)
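
As an added example (not part of the proposal above or anything from the thread), this PowerShell script builds the list of directories the AV, BO and firewall exclusions would have to cover: the Steam install directory plus steamapps\common in every Steam library. Games installed into a second library on another drive sit outside Program Files (x86)\Steam*, so an exclusion written only against that path would not cover them. It assumes Steam records its install path in HKCU:\Software\Valve\Steam\SteamPath (with the Program Files / Program Files (x86) fallback for 32-/64-bit Windows mentioned above) and that extra libraries are listed in steamapps\libraryfolders.vdf as "path" "<dir>" entries (newer layout) or "<n>" "<dir>" entries (older layout); the sample vdf text in the script is constructed, not a real file.

```powershell
# Added example, not from the thread: the directories that AV / BO / firewall
# exclusions need to cover: the Steam install directory plus steamapps\common
# in every Steam library (which may live on other drives).
# Assumptions: install path in HKCU:\Software\Valve\Steam\SteamPath, and
# libraryfolders.vdf lists libraries as "path" "<dir>" or "<n>" "<dir>".

function Get-SteamLibraryPaths {
    param([string]$VdfText)
    # Match  "path"  "D:\\SteamLibrary"  (newer) or  "1"  "D:\\SteamLibrary"  (older).
    # Requiring a drive letter keeps the numeric app-id/size pairs in the
    # newer file's "apps" block from being mistaken for paths.
    $paths = [regex]::Matches($VdfText, '"(?:path|\d+)"\s+"([A-Za-z]:[^"]+)"') |
        ForEach-Object { ($_.Groups[1].Value -replace '\\\\', '\').TrimEnd('\') }
    return @($paths | Select-Object -Unique)
}

function Get-SteamExclusionDirs {
    param([string]$SteamRoot)
    # The registry value uses forward slashes; normalise before joining
    $SteamRoot = ($SteamRoot -replace '/', '\').TrimEnd('\')
    $dirs = @($SteamRoot, (Join-Path $SteamRoot 'steamapps\common'))
    $vdf = Join-Path $SteamRoot 'steamapps\libraryfolders.vdf'
    if (Test-Path $vdf) {
        foreach ($lib in Get-SteamLibraryPaths (Get-Content -Path $vdf -Raw)) {
            $dirs += Join-Path $lib 'steamapps\common'
        }
    }
    return @($dirs | Select-Object -Unique)
}

# Constructed sample of the newer libraryfolders.vdf layout (not a real file)
$sampleVdf = @'
"libraryfolders"
{
    "0"
    {
        "path"        "C:\\Program Files (x86)\\Steam"
        "apps"        { "440" "26843545" }
    }
    "1"
    {
        "path"        "D:\\SteamLibrary"
    }
}
'@
Get-SteamLibraryPaths $sampleVdf    # C:\Program Files (x86)\Steam  and  D:\SteamLibrary

# Real run against this machine
$root = (Get-ItemProperty -Path 'HKCU:\Software\Valve\Steam' -ErrorAction SilentlyContinue).SteamPath
if (-not $root) {
    # 64-bit Windows: Program Files (x86); 32-bit: Program Files
    $base = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    $root = Join-Path $base 'Steam'
}
Get-SteamExclusionDirs -SteamRoot $root
```

The output is the set of paths to enter as AV and BO exclusions (BO exclusions are not recursive, so each steamapps\common has to be listed rather than relying on a Steam* wildcard); firewall rules still need the per-application entries discussed earlier, since the firewall has no child-process option.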

So your HIPS settings assume the user still has BB enabled? Otherwise I don’t see the relevance with excluding in BB (and you already mentioned it one line above so it’s probably redundant to type it out once again since if the user has both HIPS and BB enabled they should already have done the step above and if the user doesn’t have BB enabled then the BB instructions are irrelevant… ???)

Sorry cut and paste mistake, amended

Oh sorry didn’t realize >_<

I didn’t know you could run the Steam executable in full screen mode. You can maximize it but that’s not the same thing.