NT6_SAFER.INF(for Windows Vista and newer versions) and
XP_SAFER.INF(for Windows XP and Windows Server 2003) configure Software Restriction Policies alias SAFER with a proven and well-tested ruleset on all (including Embedded, Home and Starter) editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2 and Windows 10.
This technique is known as Application Whitelisting; its implementation here is but rather loose: it allows execution of all applications which are properly installed by an administrator.
C:\Windows\) and its subdirectories, in the directory
"C:\Program Files\") and its subdirectories, on systems with AMD64 alias x64 processor architecture also in the directory
"C:\Program Files (x86)\") and its subdirectories; execution in all other directories and their subdirectories is denied.
Unlike unreliable, unsafe and vulnerable antivirus
programs which almost always fail to detect new or unknown
horses, viruses, worms, …), known as
or misdetect legitimate clean software as
malware, known as
false positive, this method effectively stops all kinds of
known as well as new or unknown
malware and all other
unwanted or unauthorized software that uses executable files to
infest Windows installations, while allowing all
legitimate software to run!
ERROR_ACCESS_DISABLED_BY_POLICY, while Windows' module loader yields
(Unprivileged) users who are subject to Software Restriction Policies
Note: the exemption of privileged users from
Software Restriction Policies
leaves no loophole!
Privileged users can write files in the directories where execution is allowed, can disable or remove Software Restriction Policies and can thus execute any file.
If you want or need to restrict
use the setup scripts
(for all editions of
Windows Vista and newer versions) and
(for all editions of Windows XP and
Windows Server 2003).
Note: the (predefined) privileged user accounts
NT AUTHORITY\LocalService and
NT AUTHORITY\NetworkService are always exempt
Software Restriction Policies!
Note: user accounts created during
Windows® setup are but privileged
Change their account type to Standard User (Windows Vista and newer versions) or Limited User (Windows XP and Windows Server 2003) respectively if you use them for your routine work!
Change a user's account type:
When you set up Windows, you were required to create a user account. This account is an administrator account that allows you to set up your computer and install any programs that you'd like to use. Once you finish setting up your computer, we recommend that you create a standard account and use it for your everyday computing. If you create new user accounts, you should also make them standard accounts. Using standard accounts will help keep your computer more secure.
Note: the dumb
control panel applet denies to demote the last or only privileged
user account even if the builtin (real)
account has been activated!
Use the real User Accounts control panel applet instead: to start it, run the command line
Caveat: don't forget to
Run the command line
"%SystemRoot%\System32\Net.Exe" User Administrator /Active:Yeswith administrative privileges to enable it.
access rights of the directories
%SystemRoot%\System32\LogFiles\ allow only
privileged users (
NT AUTHORITY\SYSTEM and
BUILTIN\Administrators) to create the file
The file's inherited access rights also allow only privileged users to write, but unprivileged users (
On Windows Vista and newer versions, file operations
of 32-bit applications run by unprivileged users which fail due to
missing access rights in
%SystemRoot%\ and below as
"%ProgramFiles%\" and below, on
64-bit editions also
and below, are redirected to the directory
"%LOCALAPPDATA%\VirtualStore\", resulting in
Caveat: the file
SAFER.Log can grow
The screenshot of a message box on the right shows an antivirus program that has been disabled by malware (ab)using Software Restriction Policies, i.e. this antivirus program was even unable to protect itself!
Self-Protection for Antivirus Software
gives an overview!
Trend Micro: Antivirus industry lied for 20 years:
In the antivirus business, we have been lying to customers for 20 years. People thought that virus protection protected them, but we can never block all viruses. Antivirus refresh used to be every 24 hours. People would usually get infected in that time and the industry would clean them up with a new pattern file.Securing That XP Desktop, Part 1:
In the last 20 years, we have been misrepresenting ourselves. No-one is able to detect five and a half million viruses. Nowadays there are no mass virus outbreaks; [malware] is targeted. But, if there are no virus samples submitted, there's no way to detect them.
The best kind of desktop is a secure desktop. As you all know, hackers are a tricky bunch. You have to go beyond Symantec Antivirus and actually lock Windows down if you want to make sure your computing environment is actually secure.Cyber Resilience And Spear Phishing:
For example, application whitelisting on end-user devices stops advanced and zero day attacks from infecting the system by preventing unauthorized code execution, protecting memory, and blocking attempts to exploit a whitelisted app before it gains a foothold and impacts the business. Application whitelisting is listed as a Quick Win in the SANS Critical Security Controls list and the Australian Government Top 4 Mitigating Controls cybersecurity guidance. According to Australian Signals Directorate Deputy Director Steve Day, attackers have not stolen any sensitive data from government networks because of their adoption of the Top 4 mitigating controls.How to Mitigate Against Targeted Cyber Intrusion:
But there are very effective protections that you can put in place, and they need not require new investment in technology or personnel. The Australian Defence Signals Directorate (DSD) has published guidance on the top 35 strategies to mitigate against targeted cyber intrusion and concluded that at least 85 % of the intrusions they responded to in 2011 and 2012 would have been prevented if only the top four of these mitigations had been in place.
These top four mitigations only require organizations to employ application whitelisting technology, maintain current, patched applications and operating systems and effectively restrict the use of administrative accounts.
and Device Guard are available only on
Ultimate and Enterprise editions of
Windows 7 and newer versions or
Windows 10 respectively.
Unlike antivirus or other so-called
which often are vulnerable themself,
Software Restriction Policies introduce no additional
code which allows to leverage successful attacks in the first place!
Some, but not all (now fixed) vulnerabilities in Microsoft®'s anti-malware products for consumers are documented in the MSKB articles 932135, 952044, 2823482, 2847927, and 3074162, the Security Advisories 2491888, 2846338, 2974294 and 3074162, plus the Security Bulletins MS07-010, MS08-029, MS13-058 and MS13-034.
The additional updates to harden the anti-malware products for consumers are documented in the MSKB articles 2781197, 2856373, 2883200, 2894853, 2939153, 2976536 and 3025417.
Security products of other vendors
are equally bad or even worse!
Analysis and Exploitation of an ESET Vulnerability:
Do we understand the risk vs. benefit trade-offs of security software?Kaspersky: Mo Unpackers, Mo Problems:
Tavis Ormandy, June 2015
Attackers can cause I/O via Web Browsers, Email, IM, file sharing, network storage, USB, or hundreds of other vectors. Whenever a message, file, image or other data is received, it's likely some untrusted data passes through the disk. Because it's so easy for attackers to trigger emulation of untrusted code, it's critically important that the emulator is robust and isolated.
Unfortunately, analysis of ESET emulation reveals that is not the case and it can be trivially compromised.
Because antivirus products typically intercept filesystem and network traffic, simply visiting a website or receiving an email is sufficient for exploitation. It is not necessary to open or read the email, as the filesystem I/O from receiving the email is sufficient to trigger the exploitable condition.How to Compromise the Enterprise Endpoint:
Product Design Flaws
I've also reported some major design flaws in various other components of Kaspersky Antivirus and Kaspersky Internet Security. The patches for the remote network attacks I had planned to discuss here were delayed, and so I'll talk about them in a second post on this topic once the fixes are live.
Security Software Considered Harmful?
We have strong evidence that an active black market trade in antivirus exploits exists. Research shows that it's an easily accessible attack surface that dramatically increases exposure to targeted attacks.
Today we're publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.
These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.
One of the common misconceptions about UAC and about Same-desktop Elevation in particular is that it prevents malware from being installed or from gaining administrative rights. First, malware can be written not to require administrative rights, and malware can be written to write just to areas in the user's profile. More important, Same-desktop Elevation in UAC is not a security boundary and can be hijacked by unprivileged software that runs on the same desktop. Same-desktop Elevation should be considered a convenience feature, and from a security perspective, "Protected Administrator" should be considered the equivalent of "Administrator." By contrast, using Fast User Switching to log on to a different session by using an administrator account involves a security boundary between the administrator account and the standard user session.Update on UAC:
One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, […]Inside Windows 7 User Account Control:
The most effective way to secure a system against malware is to run with standard user privileges.
[…] the primary purpose of elevation is not security, though, it's convenience: […]The Long-Term Impact of User Account Control:
[…] this is also where we run into some of the limitations of UAC. Remember, there is no effective isolation; there is no security boundary that isolates processes on the same desktop.Inside Windows Vista User Account Control:
It's important to be aware that UAC elevations are conveniences and not security boundaries. A security boundary requires that security policy dictates what can pass through the boundary. User accounts are an example of a security boundary in Windows because one user can't access the data belonging to another user without having that user's permission.
Note: in Windows 7 and newer versions UAC performs with default settings silent (automatic) elevation for programs that
autoElevateproperty set in their
%SystemRoot%\and its subdirectories.
protected administratorsto write arbitrary files to write-protected and therefore
%SystemRoot%\and its subdirectories and thus bypass NTFS ACLs and Software Restriction Policies!
To prevent this bypass set
UAC to its highest
Always notify or (better and safer) use a
Standard User account and disable elevation requests
Both settings are documented in the TechNet article UAC Group Policy Settings and Registry Key Settings.
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] "ConsentPromptBehaviorAdmin"=dword:00000000 ; Prompt for consent on the secure desktop "ConsentPromptBehaviorUser"=dword:00000000 ; Automatically deny elevation requests
Note: according to numbers published by Microsoft in their Security Intelligence Reports about ½ to ¾ of all (some 600 million) Windows installations engaged in their malware telemetry reported only a single active user account.
Google's Project Zero reported several bugs which allow to bypass UAC that Microsoft wont fix: Issue 156 and Issue 220.
Also note that Windows Explorer in combination with
surprising and dangerous behaviour (documented in the
which generally impairs security and safety!
To detect directories with additional NTFS ACL entries created by Windows Explorer as well as writable files eventually created in these directories from your user account, start a Command Prompt, run the following command lines and inspect their output, then remove the additional NTFS ACL entries:
"%SystemRoot%\System32\ICACLs.Exe" "%SystemRoot%\*" /FindSID "%USERNAME%" /C /T "%SystemRoot%\System32\ICACLs.Exe" "%ProgramFiles%\*" /FindSID "%USERNAME%" /C /T "%SystemRoot%\System32\ICACLs.Exe" "%ProgramFiles(x86)%\*" /FindSID "%USERNAME%" /C /T "%SystemRoot%\System32\ICACLs.Exe" "%ProgramData%\*" /FindSID "%USERNAME%" /C /T
On Windows Vista and Windows Server 2008 the optional update 969972 or one of the optional updates 2257986, 2414106 or 2812950 respectively which contain a newer version of the file replaced by 969972 should be installed!
On Windows Server 2003 the optional update 973825 should be installed!
On systems with AMD64 alias x64 processor
architecture running Windows XP or
Windows Server 2003 the optional update
must be installed to enable the special directory
Note: an attacker must be able to call the
LoadLibrary*() to exercise this bypass.
Since Software Restriction Policies block the direct execution of Win32 applications an attacker has to find a way to run code inside one of the trusted Win32 applications installed on a victims computer, which typically means to (ab)use a vulnerability in these applications and compromise them.
WinExec(), independent of their file extension,
LoadLibraryEx(), independent of their file extension,
ShellExecuteEx(), dependent of their file extension,
Unless disabled with the registry entry
Software Restriction Policies control the execution of scripts interpreted and run by the Windows Script Host.
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings] "UseWINSAFER"="0"
Software Restriction Policies control the installation of Windows Installer packages and patches.
To disable the NTVDM and the WOWEXEC subsystem set the registry entry
as described in the Security Advisory 979682 and the Security Bulletin MS13-063 plus the registry entry
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat] "VDMDisallowed"=dword:00000001
as described in the Security Bulletin MS10-098.
REGEDIT4 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WoW] "DisallowedPolicyDefault"=dword:00000001
Software Restriction Policies don't control the
applications: these run inside their own optional and separate
(available for Windows XP and
Windows Server 2003) or
(available for or included as
Optional Component in
Windows Server 2003 R2, Windows Vista,
Windows Server 2008, Windows 7,
Windows Server 2008 R2, Windows 8 and
Windows Server 2012, but deprecated).
Caveat: the Local Security Policy
snapin reads the additional SAFER rules only from the
not from the registry: additional SAFER
rules written directly or only to the registry
therefore don't show in the Local Security Policy
If this file exists modifications of the SAFER settings or rules written directly or only to the registry will (periodically) be overwritten with the SAFER settings and rules from the file!
If this file contains neither SAFER settings nor rules
(or does not exist) the Local Security Policy snapin
(creates it and) writes the default SAFER settings and
rules to the file and to the
registry, thereby overwriting existing
SAFER settings and rules in the registry!
To avoid this either run the program
once to export all SAFER settings and
rules from the registry to the file
or download the (
that contains the (missing) setting
which enables all SAFER levels and save it as
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers] "Levels"=dword:00071000
data) from each other as well as from the operating system.
More than 14 years ago Microsoft introduced
Software Restriction Policies
and published the
Using Software Restriction Policies to Protect Against Unauthorized Software,
How Software Restriction Policies Work and
Using Software Restriction Policies to Protect Against Unauthorized Software. �
Note: � � � �: �
From Strategies to Mitigate Targeted Cyber Intrusions:
At least 85 % of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions:� �
#1 use application whitelisting to help prevent malicious software and unapproved programs from running
More than 11 years ago Microsoft introduced DEP alias W^X and enabled it by default.
But even today all (data) files created in the
user profiles, the
%ProgramData%\ and almost all other
directories too are still executable: although not
needed the (inheritable)
ACLs of all these
Execution permission for files!
And Software Restriction Policies are still not enabled by default! � �
The immediate benefit of an
Execution permission or the default SAFER
ruleset is: no (unintended) execution of files like
invoice.pdf.exe etc. stored in
directories, so spreading
Windows systems becomes utterly useless.
If you want to try
DEP in the
filesystem for yourself choose one of the following:
deny execution of files in this directory for everyone, inheritable to all files in all subdirectoriesfor your own
%USERPROFILE%directory (or all of them plus
%PUBLIC%if you have administrative privileges).
ACL entries have
*.exe) only in the directories
%SystemRoot%\System32\and all executable files in the directory
For systems with AMD64 alias x64
processor architecture you'll have to add rules for
%SystemRoot%\Sysnative\*.exe as well as
Follow the step-by-step instructions presented on How to make a disallowed-by-default Software Restriction Policy.
Download and install the setup scripts
(for Windows XP, including embedded editions, and
Windows Server 2003) or
(for Windows Vista, Windows 7,
Windows 8 Windows 8.1 and
Windows 10 as well as
Windows Server 2008,
Windows Server 2008 R2
Windows Server 2012 and
Windows Server 2012 R2) respectively.
invoice.pdf.exeyour anti-virus fails to detect and
XP_SUPER.INFuses a belt & suspenders approach: although the
Defaultrule denies execution, additional
Denyrules are defined for almost all paths and directories except
"%ProgramFiles(x86)%\", i.e. all local drives, all network paths,
SRP2LGPO.EXE, the program to export SAFER
settings and rules from the registry to the file
is a pure Win32 binary, written in
without the use of the
libraries, built with the platform
Windows Server 2003 R2 for use on
Windows 2000 and newer versions of
SRP2LGPO.EXE is available for the I386
alias x86, AMD64 alias x64
and IA64 processor architectures of
SRP2LGPO.EXEare digitally signed using an X.509 certificate issued by WEB.DE.
XP_SAFER.INFare packaged in the digitally signed (compressed) cabinet file
SAFER.CABand verify its digital signature, then open it in Windows Explorer, extract its contents, right-click the extracted setup script
XP_SAFER.INFrespectively to display its context menu and click
Installto run the installation.
Updates, select the entry
Softwarebeschränkungsrichtlinien für 'Windows XP/2003 [R2]'underneath
Systemkonfigurationand click the
On Windows Vista and newer versions open the
Control Panel and click the entry
View installed updates underneath the
Programs and Features or Programs
In Installed Updates select the entry
Softwarebeschränkungsrichtlinien für 'Windows Vista/2008 [R2]/7'
Systemkonfiguration and click the
Uninstall menu entry.
Notes: I dislike
even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely to be discarded.
I abhor top posts and expect inline quotes in replies.
as iswithout any warranty, neither express nor implied.