- November 29, 2019 at 4:21 am
Dan: … we will also have to figure out what to do about temp folders. As we all know, malware loves to hide in these folders, and the problem is so do legitimate apps, and a lot of these legitimate apps do not have a Safe file reputation.
Unfortunately there is no simple answer for temp folders, especially %appdata\local\temp%. We won’t go into the reasons here; there are too many of them, all bad. The most useful idea I have seen is to alter the permissions on all %user\temp% so nothing can execute from them and only ever use the Admin account to do Admin-type stuff. My own ruleset uses the “Block Silently” action, but given that so many people have …legitimate (?) softs that operate from %user\temp%, it would be better to force decision-making with a non-silent “Block” action.
It is important to also include c:\Program Data\ in the ruleset, as nothing should ever execute from this location. Again, lazy devs.
I reiterate my policy of feedback to the publishers involved, criticising their poor security practices, also letting them know I have deleted their products from my box in favour of better-behaved programs.
Talking about restricting oneself to your LUA, I use and recommend SuRun, an adaptation of the *nix Sudo. This securely elevates privileges in the LUA context rather than the Admin context. It means I only need the Admin account for system-wide operations.
I hear you on this one, you should see the medical and tax software that are on our client machines, they break every security rule in the book and do not even bother signing their binaries. And these are not small software companies; some of them are multi-billion-dollar companies and they completely ignore sound security practices. And then everyone wonders why hospitals are smashed with ransomware. Cybersecurity should be a community effort and everyone needs to do their part. Until this happens, there will always be breaches.
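The two posts above make a pair of practical points: find out what actually executes from the per-user temp folders and ProgramData (and whether it is signed), then restrict execution there. The script below is an added example, not code from either poster. It assumes PowerShell 5.1 or later on Windows; the function and parameter names (`Get-TempExecutableReport`, `Add-DenyExecuteAce`, `-Principal`) and the extension list are my own choices. The report runs as the current user; applying the deny ACE to ProgramData needs an elevated prompt.

```powershell
$ErrorActionPreference = 'Stop'

# Extensions treated as executable content for the audit (constructed list, extend as needed).
$ExecExtensions = @('.exe', '.dll', '.scr', '.com', '.msi', '.ps1', '.vbs', '.js', '.bat', '.cmd')

# Walk each folder, pick out executable files and record their Authenticode status,
# so unsigned or tampered binaries living in temp/ProgramData stand out.
function Get-TempExecutableReport {
    param([string[]]$Paths)
    foreach ($root in ($Paths | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $ExecExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    Modified  = $_.LastWriteTime
                    SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

# Add a Deny-ExecuteFile ACE for a principal on a folder. ObjectInherit + InheritOnly
# means the deny lands on files under the folder, not on the folder itself, so
# directory traversal keeps working while "run from temp" is refused.
function Add-DenyExecuteAce {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$Principal = 'BUILTIN\Users'   # hypothetical default; pick the group you want blocked
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny)
    if ($PSCmdlet.ShouldProcess($Folder, "Deny ExecuteFile for $Principal on files")) {
        $acl = Get-Acl -LiteralPath $Folder
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Folder -AclObject $acl
    }
}

# Usage: audit first, decide second. Unsigned entries are the "legitimate (?) softs"
# the thread is talking about; expect installers and updaters to show up here.
$targets = @("$env:LOCALAPPDATA\Temp", "$env:ProgramData")
Get-TempExecutableReport -Paths $targets |
    Sort-Object SigStatus, Path |
    Format-Table -AutoSize

# Dry run of the hardening step; drop -WhatIf once the report shows nothing you depend on.
Add-DenyExecuteAce -Folder "$env:LOCALAPPDATA\Temp" -WhatIf
```

The deny ACE is the blunt equivalent of the "Block" rule discussed above: because it is an NTFS deny rather than a per-program decision, anything that unpacks and runs from the user temp folder (many installers do) will fail until it is moved or exempted, which is exactly why the report step comes first and why the first poster prefers a non-silent block over a silent one.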