- November 28, 2019 at 7:41 am
Dan: … we will also have to figure out what to do about temp folders. As we all know, malware loves to hide in these folders, and the problem is that so do legitimate apps, and a lot of these legitimate apps do not have a Safe file reputation.
Unfortunately there is no simple answer for temp folders, especially %appdata\local\temp%. We won’t go into the reasons here, there are too many of them, all bad. The most useful idea I have seen is to alter the permissions on all %user\temp% so nothing can execute from them and only ever use the Admin account to do Admin-type stuff. My own ruleset uses the “Block Silently”, but given that so many people have …legitimate (?) softs that operate from %user\temp%, it would be better to force decision-making with a non-silent “Block” action.
It is important to also include c:\Program Data\ in the ruleset, as nothing should ever execute from this location. Again, lazy devs.
I reiterate my policy of feedback to the publishers involved, criticising their poor security practices, also letting them know I have deleted their products from my box in favour of better-behaved programs.
Talking about restricting oneself to your LUA, I use and recommend SuRun, an adaptation of the *nix Sudo. This securely elevates privileges in the LUA context rather than the Admin context. It means I only need the Admin account for system-wide operations.
_________________________________
Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
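Added example, not code from the post above or from any product it names: the permissions change the poster describes (a Deny "Execute File" entry on the per-user Temp folder and on C:\ProgramData so nothing can run from there) written as a PowerShell function with a matching -Remove switch to undo it, plus a check that lists the deny entries actually present. Assumptions not stated in the post: the deny is applied to the built-in Users group, the folders are taken from $env:LOCALAPPDATA and $env:ProgramData, and the ProgramData change needs an elevated prompt. The function and parameter names are made up here.

```powershell
# Added example (not from the original post). Applies or removes a Deny
# ExecuteFile ACE, inherited by subfolders and files, on the given paths.
# Assumption: denying BUILTIN\Users is enough, because Authenticated Users
# is a member of Users on a default install; change -Identity if not.

function Set-DenyExecute {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $Identity = 'BUILTIN\Users',
        [switch] $Remove
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Skipping missing path: $p"
            continue
        }
        $acl  = Get-Acl -LiteralPath $p
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity,
            [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Deny)

        if ($Remove) {
            # RemoveAccessRule matches on identity, rights and Deny type.
            $null = $acl.RemoveAccessRule($rule)
            $verb = 'Remove'
        } else {
            $acl.AddAccessRule($rule)
            $verb = 'Add'
        }
        if ($PSCmdlet.ShouldProcess($p, "$verb Deny ExecuteFile for $Identity")) {
            Set-Acl -LiteralPath $p -AclObject $acl
        }
    }
}

# Lists every explicit (non-inherited) Deny entry that includes ExecuteFile,
# so you can confirm the rule landed where you expect.
function Get-DenyExecute {
    param([Parameter(Mandatory)] [string[]] $Path)
    foreach ($p in $Path) {
        (Get-Acl -LiteralPath $p).Access |
            Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                -not $_.IsInherited -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
            } |
            Select-Object @{n='Path';e={$p}}, IdentityReference, FileSystemRights, InheritanceFlags
    }
}

# Usage (constructed): per-user Temp as a normal user, ProgramData elevated.
$userTemp = Join-Path $env:LOCALAPPDATA 'Temp'
Set-DenyExecute -Path $userTemp -WhatIf            # dry run first
Set-DenyExecute -Path $userTemp
Set-DenyExecute -Path $env:ProgramData             # requires an elevated prompt
Get-DenyExecute -Path $userTemp, $env:ProgramData | Format-Table -AutoSize

# To undo:  Set-DenyExecute -Path $userTemp, $env:ProgramData -Remove
```

Two things to check before leaving this in place. Windows evaluates Deny entries before Allow, so this blocks CreateProcess and LoadLibrary on .exe and .dll files under the tree for everyone in the denied group, including an installer that has just extracted itself into Temp; that is the same breakage the post expects from legitimate software, so use the -WhatIf run and Get-DenyExecute to see exactly what is affected. It does not stop interpreted content (a .ps1, .vbs or .js file is read, not executed, so powershell.exe or wscript.exe will still run it from Temp), which is why the post pairs the ACL change with a non-silent Block rule in the HIPS rather than relying on permissions alone.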