Unblock Files on Windows WITHOUT compromising global system security

Discussion in 'Windows OS and Software' started by S.K, Jul 17, 2019.

  1. S.K

    S.K Batch 80286

    I have seen a number of posts on this forum that are borderline ill-advised, telling novice end users to globally unblock files that are being blocked by Windows as a security feature. (Rant ahead: if you want to skip it, scroll down to the steps below to see how to do it securely.) Being in cyber security research, I couldn't stay silent without posting a caution that this is the age of cyber attacks. The days when the internet used to be a safe place are long gone, and a petty thing such as opening a news website and reading your news can unleash a drive-by attack on your computer without you even realising what just happened. In the worst case scenario, you could end up becoming part of a global botnet, or be served ransomware that could ruin your entire machine and even render your hardware useless by infecting the boot sector of your mechanical hard disk. If you do this on your work machine and end up compromising your corporate network unknowingly, you could potentially have to kiss your job goodbye, along with a hefty fine (depending on your contract). I'm hereby advising you NOT to listen to anybody who tells you that it is totally safe to disable the file blocking feature globally on your machine. What you can do, however, in a relatively safer way, is to create an exclusion path for your known-good files, which is a way to tell Windows Defender not to touch the files in that location. Here is a step-by-step guide on how to do it (the process should be VERY similar even if you have a third-party anti-virus solution running instead of Defender).

    1. Type "Windows Defender Settings" in the Start menu search and click it to open.
    2. Click "Open Windows Defender Security Center".
    3. Click "Virus & Threat Protection".
    4. Click "Virus & Threat Protection Settings".
    5. Now scroll down and click "Add or remove exclusions".
    6. Click the "Add an exclusion" dropdown menu button.
    7. Click "Folder" in the dropdown menu.
    8. Now give the path to an existing directory, or create a new directory, which you want to exclude from Windows Defender's live monitoring. For this example, I've selected the default "Downloads" folder.
    9. The "Downloads" folder has now been added to Windows Defender's exclusions. Whatever files I download or place locally inside this directory, Windows Defender will NOT touch them.
    10. If you want to go one step further and whitelist a particular file locally, you can do the same thing for individual executables or any other files, following the same procedure. Just click the dropdown menu again and this time select "File".
    Once again, I cannot stress it enough: DO NOT unblock files globally on your machine if you don't want to run into unwanted trouble. The cyber threat factor is a real thing, and it's good to take things seriously and handle your computer responsibly so that you don't end up ruining your machine and potentially becoming part of a botnet that helps ruin other machines.
     
    Last edited: Jul 17, 2019
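The same procedure as the ten GUI steps above, done from an elevated PowerShell prompt with the Defender cmdlets, plus the checks a practitioner would want before and after. This is an added example, not code from the original post; the folder and file paths are assumptions for illustration, and a dedicated folder is used instead of "Downloads" because an exclusion on the folder where every untrusted download lands is the widest exclusion you can make short of turning scanning off.

```powershell
# Added example (not from the original post): scope Defender changes to known-good
# paths instead of disabling real-time protection globally.
# Run in an elevated PowerShell on Windows 10/11 with Microsoft Defender Antivirus.
# The two paths below are assumptions; point them at your own known-good location.

$KnownGood = 'C:\Tools\KnownGood'              # assumed: dedicated folder, not Downloads
$OneTool   = 'C:\Tools\KnownGood\mytool.exe'   # assumed: one vetted executable

# What the thread warns against: the "global unblock". Left commented out on purpose.
# Set-MpPreference -DisableRealtimeMonitoring $true

# 0. Scan the file on demand BEFORE excluding it; an exclusion is a promise to stop looking.
Start-MpScan -ScanType CustomScan -ScanPath $OneTool

# 1. Narrow exclusions: one folder (GUI step 7) and one file (GUI step 10).
New-Item -ItemType Directory -Path $KnownGood -Force | Out-Null
Add-MpPreference -ExclusionPath $KnownGood
Add-MpPreference -ExclusionPath $OneTool

# 2. Verify what is actually excluded, and that real-time protection is still on.
#    The exclusion list is readable on the box, so keep it short and review it.
$prefs = Get-MpPreference
$prefs.ExclusionPath                 # expect the two paths above
$prefs.DisableRealtimeMonitoring     # expect False

# 3. If the file was downloaded, Windows tagged it with a Zone.Identifier stream
#    (the "blocked" mark). Inspect it, then clear it for this one file only.
Get-Item -Path $OneTool -Stream Zone.Identifier -ErrorAction SilentlyContinue
Unblock-File -Path $OneTool

# 4. Remove a specific exclusion once the file is no longer needed.
Remove-MpPreference -ExclusionPath $OneTool
```

`Add-MpPreference` appends to the exclusion list and `Remove-MpPreference` takes one entry out; `Set-MpPreference -ExclusionPath` would replace the whole list, so avoid it unless that is the intent. Step 3 is the per-file equivalent of the "Unblock" checkbox in a file's Properties dialog and touches only that file.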
  2. Vasudev

    Vasudev Notebook Nobel Laureate

  3. Charles P. Jefferies

    Charles P. Jefferies TG Lead Moderator Super Moderator

    I deleted a number of posts in this thread. Some contained useful information, but there were personal remarks that made many of them un-editable. If your post has been deleted, you know who you are; you're welcome to repost, but filter out the personal remarks and argue only the facts. Thanks.

    Charles
     
  4. S.K

    S.K Batch 80286

    The software that you mentioned is not ideal because it restricts Windows Defender to checking only a limited number of possible attack vectors, the latest being macro code stored inside Office files or within Adobe Reader documents. However, these are just a few out of dozens of possible attack vectors that need coverage. The most predominant ones are VBS, PowerShell scripts, Silverlight, Java, Flash, HTML-embedded shellcode that executes directly in your command prompt from inside your browser window (yes, that's true, believe it or not), image files carrying executable code, malicious icon files and a whole lot more. The worst thing is, your "antivirus" will NOT have a single clue once any of your known "good" plugins / software gets compromised. This is the primary reason the antivirus/firewall model became obsolete in the mid 2000s. MS actively sends suspicious data to cloud services that have partnered with it, which actually reproduce the user scenario in a dynamic virtual environment and let things "play" until it's either clear or there is a malicious hint. MS has partnered with a whole bunch of security vendors to safeguard its platform (ours being at the top of the list, btw). It's optional at the end of the day because it is your machine. But being responsible and not risking your hard-earned money and your reputation / job by taking care of your OS is a no-brainer. I've seen and met people who got fired because they unknowingly became a link in the breach chain for their employer because they were not using best security practices. Plus, I'd totally not want my family data (including pictures) to end up on an unwanted website without me even knowing. That's a real business with a huge black market running for it.
     
    Last edited: Jul 17, 2019
  5. 6.|THE|1|BOSS|.9

    6.|THE|1|BOSS|.9 Notebook Evangelist

    Well... I don't use any kind of anti-virus or security... just using uBlock and patching the hosts file to block anything at system level... it has been 3 years... never encountered an issue... You Are The Security... not those so-called stupid [AI] anti-virus programs :D just saying... knowing what you are doing is pretty much enough to live with peace of mind... :rolleyes:
     
    Vasudev, S.K and Spartan like this.
  6. S.K

    S.K Batch 80286

    It is partially true, but not always. It can't save you from drive-by attacks with an exploit kit dropping a passive payload which activates after 2 weeks of staying passive, using a clean domain. Just an example. If you want max performance, you can turn the anti-virus off when not browsing and only gaming, but once connected to the internet, that's a different ballgame. Personally, I'd always use a virtual machine with hyper-threading disabled to connect to the internet if I intend to browse around websites that serve ads, simply because the website owners can only safeguard their own websites. They can't safeguard the ad servers that serve ads to their pages, and those are usually the target of these campaigns. Even bbc.com is not safe (historically speaking).

    P.S. Here is one out of the hundreds of recent examples: https://arstechnica.com/information...-the-worst-drive-by-attacks-in-recent-memory/

    I go through a lot of this stuff daily (it's my bread and butter) and it's ugly to say the least, and you don't want any of it on your machine, trust me.
     
    Last edited: Jul 18, 2019
  7. Vasudev

    Vasudev Notebook Nobel Laureate

    You can configure it to block everything in Child or Max mode, including macros and every other piece of crap. For now, the WD engine is too aggressive in paranoid mode and blocks my custom cmd or PS scripts, so I have it disabled. You can see Andy has appended "!!" just to hint that it can be problematic.
    It's a harsh reality that typical non-tech-savvy family members have the most dangerous malware on their PCs and devices even though you're a cyber security researcher. Happens to me every time I clean up my sister's laptop's weird slow-response issues caused by tons of drive-by downloads and PUPs. So, I installed KSC Free and have now switched to WD max containment mode using ConfigureDefender 2.x.
    If you want still more protection, try the SysHardener scripts.
     
    S.K likes this.
  8. S.K

    S.K Batch 80286

    Yes, the paranoid approach is needed for average users because they usually have little to no idea what they are dealing with. Drive-by downloads, however, have really changed the game for the worse these days, which is a big problem. Have you tried moving your scripts to an excluded directory? That should probably take care of it if you run them in administrative mode.
    I have a Snort engine instance running on my home gateway that consumes signatures from a lot of sources, including signatures from Emerging Threats and a lot of my proprietary signatures that I copy from my work activity, and I get an SMS as soon as there is a malicious hit so I can immediately take a look at the victim machine, which is mostly my wife's phone/computer, or one of the guests is carrying around a nice stack of malware lol!
    One thing that is very important for people to understand is that you cannot protect your network / devices by simply relying on a "hosts file based blacklist" from X/Y/Z sources, because drive-by attacks don't really need a malicious domain. Plus, self-modifying campaigns that usually target ad service providers mostly generate a unique URL / domain dynamically every time they are loaded (the response is usually encrypted and generates the GET requests), so it goes right through the hosts file based blacklist in most cases.
     
    Last edited: Jul 19, 2019
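Before moving scripts into an excluded directory or switching the engine off, it is worth finding out which Defender rule is actually blocking them, because the attack surface reduction (ASR) rules that a "max" profile turns on have their own exclusion list, separate from the scan exclusions in the first post, and real-time scanning of the script folder can stay on. This is an added example, not code from any of the posts; the script folder path is an assumption, and the rule GUID is Microsoft's documented ID for the "Block execution of potentially obfuscated scripts" ASR rule, used here only as an illustration of which rule to loosen.

```powershell
# Added example (not from the original posts): diagnose which ASR rule blocks your
# own cmd/PS scripts, then loosen only that, from an elevated PowerShell.
# $ScriptDir is an assumption; the GUID is the documented "potentially obfuscated
# scripts" rule and is only an illustration of targeting one rule.

$ScriptDir = 'C:\Scripts'   # assumed: where your own scripts live

# 1. Which ASR rules are enforced right now, and how?
#    Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$p = Get-MpPreference
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $p.AttackSurfaceReductionRules_Ids[$i],
                         $p.AttackSurfaceReductionRules_Actions[$i]
}

# 2. ASR writes event 1121 (blocked) and 1122 (audited) to the Defender log;
#    the message names the rule ID and the file that tripped it.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 3a. Narrow fix: exempt only the script folder from ASR rules. Real-time scanning
#     of that folder is unaffected (that is what -ExclusionPath would change).
Add-MpPreference -AttackSurfaceReductionOnlyExclusions $ScriptDir

# 3b. Or put the one offending rule into audit mode while you test, instead of
#     turning protection off. Add-MpPreference updates just this rule;
#     Set-MpPreference with the same parameters would replace the whole rule set.
$ObfuscatedScriptsRule = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
Add-MpPreference -AttackSurfaceReductionRules_Ids $ObfuscatedScriptsRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 4. Confirm the result.
(Get-MpPreference).AttackSurfaceReductionOnlyExclusions
```

Run step 2 right after a script gets blocked so the relevant 1121 event is at the top of the list; once you know the rule, step 3a is the smaller change and step 3b is the one to undo (set the action back to `Enabled`) when testing is done.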
  9. Vasudev

    Vasudev Notebook Nobel Laureate

    Scripts refuse to work properly and I always get blocked by Admin due to the ruleset.
    Even admin mode only works partially if I enable the No-script execution ruleset in ConfigureDefender.
     
    S.K likes this.
  10. S.K

    S.K Batch 80286

    There is no smooth fix for doing advanced stuff on Windows in a secure way (unfortunately). The only easy workaround that is relatively secure is to disable live protection when you want to run one of your scripts and then turn it back on when done. If it's running as a task in the background, then that's where the pain begins. AppLocker can help, though. But still, I feel hesitant to use the internet on my host Windows machine. It's just not safe enough, no matter what MS or any security vendor says.
     
    Last edited: Jul 19, 2019
    Vasudev likes this.