I am evaluating CIS for deployment to several home machines. Some of them run home versions of Windows, and don’t have the SRP feature (which I found very effective against malware). Now I’m trying to figure out whether I can achieve the same or partial functionality with Defense+. Please help me understand if it is possible and how.
My minimum requirements are:
Default policy is DENY. Any program not explicitly allowed to run is blocked, generating no user alerts.
Looks like I can achieve this by suppressing Defense+ alerts in Misc. / Settings / Parental Control. (Is this correct?)
Path rules. Any program started from a specified folder or its subfolders (e.g. C:\Windows or C:\Program Files) is allowed to run. This should not require enumerating all executable files in a folder, otherwise the rules become unmaintainable.
I didn’t find a way to add a whole folder with subfolders to My Own Safe List. Did I miss something?
Hash rules. Executable file with specified hash is allowed to run. I use hash rules to run some portable utilities and diagnostic tools from USB Flash drives.
I didn’t find a way to allow a program by hash. But the documentation says that D+ verifies executables against the COMODO Safe List by hash, therefore hash-checking is implemented internally. So it looks strange why I can’t add hashes to My Own Safe List. Was this possibility disabled intentionally?
Vendor certificate rules. This seems to be implemented, but I rarely use them.
Another common requirement: a rule’s behaviour should not depend on how a program is started, that is, which parent process loads the executable file.
This is something I would like as well. I have experimented in a limited way.
I create two groups in defence+: Safe applications and Safe DLLs. Safe applications would contain:
Safe DLLs would be:
You can allow safe applications to run safe applications and safe DLLs. These global rules should be at the top of the computer security policy in defence+. You also need to change explorer.exe and maybe cmd.exe to only be able to run safe applications. If you then always run as limited user and use the parental control in defence+ then any other applications will be blocked.
Take care setting it up as any mistakes could lock up your computer completely. The way out of any problems is to boot into safe mode where the restrictions do not apply.
This is not as good as a real software restriction policy. It will not restrict anything when booting Windows in safe mode. It would be nice if there was an easy way to restrict limited users from booting into safe mode. It will also reduce protection for an administrator a little as you will get no pop-up when running any program saved to the Windows directory. You will still get pop-ups if an unsafe program from a safe location tries to do anything.
I believe you could use CIS in the manner you requested by doing the following (do a system backup first please):
a) Place ‘All Applications’ D+ policy at the top of the D+ policies list.
b) In the D+ policy for ‘All Applications’, for ‘Run an executable’, select ‘Block’, with folders to allow execution from listed in ‘Allowed Applications’.
This does work but you need to do something when installing/updating software. Installs often create temporary directories off the root or similar which would be disallowed. I switch to a different configuration when installing with less strict rules.
Or perhaps a D+ policy for a file group consisting of all files in the folder C:\Downloads (or whatever directory you usually install programs from, if there is one) could be created. The D+ policy for this file group could be the predefined policy ‘Installer or Updater’. This policy would need to be placed first in the D+ policy list.
If I understand right there is a problem with this. If the install program creates a temp folder c:\suehdtrg and runs c:\suehdtrg\setup.exe then this setup.exe would not be able to run c:\suehdtrg\setup2.exe. Some installers do things like this.
I think they only inherit rights if in installation mode.
Also, the rights come from the position in the rule list not the install or updater status so they might not be inherited anyway.
I have sometimes noticed programs added at the top of defence+ security rules. I am not sure if this is a bug or an attempt to allow this sort of thing. I have only noticed it after the event but it may have been associated with installation.
The other downside of this is if you allow all applications under c:\windows and are an administrator you no longer get a pop-up for running a new application under c:\windows which could be malware. More secure as limited user but less secure as administrator.