Thanks Pedro, I had already read the Wilders stuff but the one link to the person that has tested AE pretty thoroughly was very interesting. According to his tests AE does a pretty good job of blocking stuff. He has proven to me that AE does the job. I see no point in testing AE further as he has proven to me that it works.
As far as testing DeepFreeze, I did try all of the pertinent leak tests at testmypcsecurity and I was able to return the OS to its original state after a reboot each time, including after running DeleteVolume. DF is kinda quirky at releasing the OS for changes, and LowWaterMark had mentioned that previously in the posts at Wilders. So I think it does its job fairly well also.
Now to my original intent in posting this thread. What intrigued me was AE. It seems to have the ability to stop anything off of the internet, including zero-day threats. I had been wanting to test running without an AV/AS by using Comodo firewall\D+ for some time, and this got my peanut brain thinking (not always good). Do you think Defense+ could be set up to protect a person like AE does, or is it already there with the default settings? Has it ever been tested anywhere thoroughly like the AE test? I am talking real world drive-bys, zero-day attacks, and the like. I have really never dug deep into D+ yet, as I have been too lazy with an attitude that if they say it works and it isn’t causing me any problems then it must be working.
Another thing that I noticed, from the Matousec tests, he is testing the firewalls without an AV present and is basically testing D+ to stop viruses, malware, and the like. What I want to do is to be able to stop a rogue program dead in its tracks at the first sign of something not right and D+ would stop all of the other processes from running too with just one popup telling me that something tried to mess with my system and that it was stopped. The rest of this thread hopefully will be, what is the least I can do to achieve this.
Ok, here is what I found so far to block them with D+ of v3:
One can have wscript.exe and cmd.exe as trusted under Computer Security Policy. The trick is that when someone tries to execute a .vbs or .bat file, an alert is shown: “explorer.exe tries to execute wscript.exe” or “explorer.exe tries to execute cmd.exe”. So at this stage you can allow a known script and block any other.
Please correct me if I’m wrong and there is a way to pass commands from a .vbs or .bat file directly to wscript.exe or cmd.exe in such a way that D+ cannot intercept them.
@Ragwing,
I have been fiddling with stopping wscript since you posted, and I was not ignoring you but waiting to get to this point of trying to set up D+ before I commented. I did put wscript in the My Protected Files section and made it an Isolated Application, without modifying anything else. This was after I had already rebooted, so it did stop it from running, with a pop-up saying I didn’t have rights to run the file, and stopped it dead. I also tried to run it from a command prompt and I got “access denied”. This is what I am wanting: no other prompts, just kill it and keep anything else from the process from running. But when I rebooted this morning I found that explorer.exe and svchost both were trying to access wscript.exe and were being blocked in the D+ log. Nothing out of the ordinary happened on bootup, as I was able to get a connection to the internet and everything seemed to be normal. Blocking access to wscript this way I think could be done, but then I think I might try going into wscript and allowing access to it by listing all of the files that can have access to it, using the instructions in the screenshot below and the D+ log as a guide. What I hope to find out by allowing these files access to wscript is whether these files having access to wscript compromises the protection. I am trying to dig through the help file on D+ to see how it works so I can get a better understanding of it and how the chain works.
Looking forward to comments from all. I am looking for cold hard facts here. If you have a way to stop something and can prove it from having tested it, or an idea on how it might be done, then please post your idea so all of us can either try it or learn from it. My goal is to stop anything that is not on my clean system from the beginning dead in its tracks, with a popup saying it has been stopped and no other processes can run. Nothing to clean up (Not wishing for much, am I?). TIA
One warning I should probably give to people following this thread is that if you don’t have a way of restoring your system then please don’t try anything suggested until the changes can be proven to be safe and reliable. Even changes that are determined to be working OK on my system may not work on yours, so keep that in mind and be prepared to lose your OS and have to restore it from scratch if something goes haywire.
later
jasper
[attachment deleted by admin]
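Both approaches above (trusting wscript.exe/cmd.exe and deciding per-alert which parent may launch them, and walking the D+ log to list every file that needs access to wscript) come down to the same job: enumerate which parent processes actually try to start a script host, and decide each one before writing the rule. The script below is an added example, not part of this thread and not Comodo's own code or log format. It assumes a constructed, space-separated line layout (`date time ACTION parent -> child`) purely for illustration; the sample log lines are made up to mirror the boot-time explorer.exe/svchost.exe hits described above, and `TRUSTED_PARENTS`, `USER_WRITABLE_MARKERS` and `LINE_RE` are all assumptions you would adapt to whatever your HIPS exports.

```python
"""Added example: triage HIPS-style execution events to draft a parent-process
allowlist for script hosts (wscript.exe, cscript.exe, cmd.exe).

Assumption: the line layout parsed here is constructed for this example; it is
NOT the real Comodo Defense+ log format. Adapt LINE_RE to your own export.
"""
import re

# Constructed sample events (paths and times are made up), roughly matching the
# situation in the thread: explorer.exe and svchost.exe hitting wscript.exe at
# boot, plus a few other launches and one malformed line.
SAMPLE_LOG = """\
2008-03-01 08:12:03 BLOCK C:\\Windows\\explorer.exe -> C:\\Windows\\system32\\wscript.exe
2008-03-01 08:12:05 BLOCK C:\\Windows\\system32\\svchost.exe -> C:\\Windows\\system32\\wscript.exe
2008-03-01 09:40:11 ALLOW C:\\Windows\\explorer.exe -> C:\\Windows\\system32\\cmd.exe
2008-03-01 10:02:44 BLOCK C:\\Documents and Settings\\jasper\\Local Settings\\Temp\\setup.exe -> C:\\Windows\\system32\\cmd.exe
2008-03-01 10:02:45 BLOCK C:\\Program Files\\Internet Explorer\\iexplore.exe -> C:\\Windows\\system32\\wscript.exe
2008-03-01 10:05:00 ALLOW C:\\Windows\\explorer.exe -> C:\\Program Files\\Mozilla Firefox\\firefox.exe
this line is deliberately malformed and must be skipped
"""

# Script hosts whose parents we want to enumerate before writing D+ rules.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}

# Parents already decided as known-good (assumed). HIPS rules key on the full
# path, so the allowlist is matched on the full path, not just the file name.
TRUSTED_PARENTS = {"C:\\Windows\\explorer.exe"}

# Directory fragments a non-admin process (or a drive-by download) can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\appdata\\")

# Constructed layout: "<date> <time> <ALLOW|BLOCK> <parent path> -> <child path>"
LINE_RE = re.compile(r"^(\S+ \S+) (ALLOW|BLOCK) (.+?) -> (.+)$")


def parse_events(text):
    """Turn raw log text into event dicts; lines that don't fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when, action, parent, child = m.groups()
        events.append({"when": when, "action": action,
                       "parent": parent.strip(), "child": child.strip()})
    return events


def basename(path):
    """Last component of a Windows-style path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    """Heuristic: does the parent live somewhere an ordinary user can write?"""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def summarize(events, trusted_parents=TRUSTED_PARENTS):
    """For each script host, bucket the parents that tried to launch it.

    trusted    - already on the allowlist, rule can stay as is
    review     - seen in the log but not yet decided; check before allowing
    suspicious - subset of 'review' that launched from a user-writable location
    """
    trusted = {p.lower() for p in trusted_parents}
    summary = {}
    for ev in events:
        host = basename(ev["child"])
        if host not in SCRIPT_HOSTS:
            continue
        entry = summary.setdefault(host, {"trusted": set(), "review": set(), "suspicious": set()})
        parent = ev["parent"]
        if parent.lower() in trusted:
            entry["trusted"].add(parent)
        else:
            entry["review"].add(parent)
            if is_user_writable(parent):
                entry["suspicious"].add(parent)
    return summary


if __name__ == "__main__":
    for host, buckets in sorted(summarize(parse_events(SAMPLE_LOG)).items()):
        print(host)
        for name in ("trusted", "review", "suspicious"):
            for parent in sorted(buckets[name]):
                print(f"  {name:10s} {parent}")
```

Run it over an exported log and the `review` bucket is the list to work through one parent at a time; anything in `suspicious` (a launcher sitting in Temp or a profile directory) is exactly the case the thread wants stopped dead rather than allowed, and the boot-time explorer.exe/svchost.exe entries show up as candidates to decide on deliberately instead of clicking through an alert.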