Best protection against malware?

I came across this article that demonstrates how extremely effective a feature like AppLocker is. It becomes very reliable when applied to 500 Windows 7 computers over 3 years as in this case. The result: Not a single malware infection compared to several a week prior to applying AppLocker! Amazing :)

Free, almost perfect, malware protection with GPO App Locker - Spiceworks

Windows 7 versions:

• For Enterprise and Ultimate AppLocker is built-in: AppLocker - Create New Rules
• Professional has SRP(Software Restriction Policy): Preventing computer malware by using Software Restriction Policies. | Peter Gubarevich
• For Home versions there are similar products available like AppGuard(pay software): AppGuard Review | MalwareTips.com
  or Simple Software-restriction Policy: Wilders Security Forums (written by a well known Wilders member)

Personal experience
I'm using SRP and have configured it to only allow executable files to start from the Windows and Program Files folder, folders that require admin permissions to write to. Executable files include exe, com, bat, vbs, dll and more. This basically mean that only installed programs and those part of Windows can start. Any downloaded executable files or files from other drives including USB ones will not be allowed to execute.
Many automatic program updates(including Windows Update) will still work, but apps using files in user folders or in temp folders won't, for example Firefox. So to update such a program or install a new program you'll have to temporarily turn SRP off. It only takes a few seconds extra once you've set it up the way you want to, a small price to pay for a great protection. You might have to add additional exceptions for programs that for example run from AppData instead of Program Files.

Example if you copy the Windows Calculator(calc.exe) to the desktop and try to run it. (your desktop should only contain links/shortcuts to executables)


Stay safe!

Hi,
Sounds like pretty extreme measures
I suppose that last popup message needs a "Mother may I" if I promise to eat all my veg's

I don't think so, it once again proves how anti-virus and anti-malware products fails to protect you. The article mentions prior to AppLocker dealing with 3-5 infections a week, some in need of a complete reimaging. And note that they weren't even using admin accounts.
Monitoring 500 computers over 3 years is not something a home users can do and that's why I think this is an excellent article.

Over time, I've become more aware of "whitelisting" with my security programs, whether it be Classic HIPS, anti-exes, firewalls and so on. APPlocker, among others, are very solid programs, but require a bit of learning and patience, but once you get the hang of things, I think you'll be surprised of how effective they can be. My current set up is almost entirely based on that principal, even while web browsing as I don't allow anything in the page to load, unless its a trusted page, or I go through and manually allow objects.

For the most part, everything that needs to connect to the internet, or have access to certain folders has been white listed in my setup, so that if anything, even if its a non-threat attempts to run, such as the calculator, it will be blocked once, then I can allow it for future use. I like to know what's trying to run and even if sometimes it can be a hassle (forget to temporarily white list objects of decrease protection levels for installs and what not) it's better than getting caught off guard.

Of course, common sense is your best anti-malware tool, but even the best of us slip up now and again, but I've been malware free for years, even in the days of using Anti-viruses, but I prefer prevention over reaction or detection, since I would do a image restore if I became infected anyhow, so removal of malware for me is to nuke it

Berkey, we think the same you and I. I would say prevention is the ONLY true defense :)

I see you have both ERP and AppGuard. In case you didn't know: SRP is built-in and free in Win 7 Pro.

About UAC and Standard vs Admin account I recommend reading this if you haven't seen it already:
Best Practices for User Account Type and UAC?

If there's one thing you could add in your arsenal of protection it's an anti-exploit like EMET or MBAE.

The above are only my thoughts to your list of protection apps. But not many have such a good security setup as you have so I'm not sure any of my "tips" come as news to you

Tookeri said:

Berkey, we think the same you and I. I would say prevention is the ONLY true defense :)

I see you have both ERP and AppGuard. In case you didn't know: SRP is built-in and free in Win 7 Pro.

About UAC and Standard vs Admin account I recommend reading this if you haven't seen it already:
Best Practices for User Account Type and UAC?

If there's one thing you could add in your arsenal of protection it's an anti-exploit like EMET or MBAE.

The above are only my thoughts to your list of protection apps. But not many have such a good security setup as you have so I'm not sure any of my "tips" come as news to you

Indeed. Prevention will save a lot of headaches.

I've used SRP, with great success, but once I started to test applications such as Appguard and NVT, I just got hooked on them, so I've been a user ever since.

The UAC isn't so much as a security setup as much as it is a "are you sure you want to do this" setup, as I learned a hard and valuable lesson a few years ago about being too hasty with decision making, which essentially led to a clean re-install, so more of a double checker if you will.

I've been testing Hitman Pro Alert 3 as my anti-exploit, which has been pretty light weight and seems to be getting stronger and stronger with each build release. Has a nice keystroke encryption, which can be applied to programs like Word and Notepad.

Umatirx I feel is one of the best defenses above all, since when you tweak it the way I have it, nothing will load in a webpage unless whitelisted, which can completely prevent a page from showing anything, or if a particular domain is un-trusted, wont' even all you the chance to whitelist, unless you override it.

Then again, good ol sandboxie always has my back for the "how in the world", but I haven't had any malware detection in ages and that was before I had really anything in this setup, because as we all know, common sense is the best tool for prevention

Thanks for the input!

Thank you too! I've been close myself a few times to install additional security products but I've managed to stop myself in time and realize I don't need more. But it's always interesting to at least read about them :)

I don't use Chrome but I recognize the concept which sounds like NoScript for Firefox. An excellent extension for the more advanced users.

I've been following the development for Alert 3 for the last year and I'm very impressed. It's no doubt better than MBAE and EMET. I must have read your signature wrong and missed "Alert" so I only saw "Hitman Pro". You had it already covered!

I agree Sandboxie is a product you can count on. Seen this? https://www.sevenforums.com/security-...ml#post2981906
A nice proof how good it is when ransomware quits if it detects it's running. For two reasons I believe: they know it's hard to break out from it, and they don't want to leave traces of the malware in a sandbox since it's easier to trace it there.

About UAC I get the feeling maybe you didn't check out the link. A malware only needs standard user access to be able to get around UAC if the user is logged in as an administrator (or Protected Admin as it's called). The link shows one way how this can be done.
Bottom line: You can and should only trust UAC in a standard user account. Not in an admin account.

I've read the link. I use a standard account, as one of the reasons I started to get more into security was way back in college with XP, I always use to create my standard account as the ADMIN, then I'd keep getting infested, until one of the IT guys in the lab sat me down and showed me a few simple "duh" things to do and help your cause.

I like running as standard, with UAC, it allows me to elevate whenever I need to from within a standard user account. Like last week on my VM I was playing with pre made reg files and had them side to side on my desktop, which I boneheadly clicked the wrong on and when the UAC popped up, I read that it was the wrong file, so it saved me from granted the permission. Then again, I read when those boxes pop up, most average users do not, so they generally disable it.

I would hope MS would enhance the meaning behind UAC, as most people are annoyed with it (if they dont' disable it) and just click yes anyhow, so they might as well disable it. However, if the warning box said something like; "Do you want to grant XYZ administrator rights? If yes, you understand that then viruses and malware can be more dangerous if it is contained within the file as they will have the most permission" or something along those lines.


Great input on that thread and your post in particular! I remember reading a very in depth study on UAC and the difference between Standard and ADMIN account. I'll see if I can dig it up and send it to you as it was a fun read.

Berkey said:

I've been testing Hitman Pro Alert 3 as my anti-exploit, which has been pretty light weight and seems to be getting stronger and stronger with each build release. Has a nice keystroke encryption, which can be applied to programs like Word and Notepad.

I tried HitmanPro.Alert3 beta and more recently HitmanPro.Alert3 RC but it didn't want to protect any non standard browsers or non standard internet facing apps and also blocked VLC and Thunderbird. I suspect that's because i've got EMET installed. Do you have EMET or did you need to remove it before installing HitmanPro.Alert3 ?

Thanks!

Callender said:

Berkey said:

I've been testing Hitman Pro Alert 3 as my anti-exploit, which has been pretty light weight and seems to be getting stronger and stronger with each build release. Has a nice keystroke encryption, which can be applied to programs like Word and Notepad.

I tried HitmanPro.Alert3 beta and more recently HitmanPro.Alert3 RC but it didn't want to protect any non standard browsers or non standard internet facing apps and also blocked VLC and Thunderbird. I suspect that's because i've got EMET installed. Do you have EMET or did you need to remove it before installing HitmanPro.Alert3 ?

Thanks!

Hi Callender,

EMET and MHPAshould be compatible but I don't see much use of running both EMET and Alert with Exploit Mitigations, since they are rooted in similar backgrounds. Obviously different software, but it's how I would view running multiple Anti-viruses at the same time (although you might be able to do that now, but I haven;t used an AV in so long I'm not sure)


This should do the trick for adding custom apps

1. If you haven't done so put the GUI in advanced mode. Click on the little gear in upper right hand corner and select advanced GUI
2. Start the app you want to add
3. In the gui click on the big blue box exploit mitigations
4. Select running applications
5. You should see your app as unprotected.
6. Click on it, and then select the protection type that best fits the applications

Then you restart the application and you are good to go.

Let me know how it works out for you