Tuesday, September 15, 2020

Make Windows 10 64-bit, ver. 1903 and later versions of Windows resilient to crypto ransomware




This guide is a free gift for everyone, for everyone's benefit, and it is not limited by money, prices, charges, fees, licenses or in any other way. Enjoy. Good luck!
 
We all know the heartbreaking feeling of seeing all of our files encrypted by a malicious piece of ransomware that extorts us for money. This will not pass away on its own. It is here to stay, because there is money involved: as long as there is profit in it for malware authors, they will keep doing it and will be relentless in extorting us. How to stop it? Well, you can. Starting with 5th generation Core i3, i5, i7, i9, Xeon X series and Xeon W series processors and their respective generation of motherboards, a new set of security features appears, all of them based on advanced virtualization and memory management features meant to support new virtualization capabilities. These features allow reinforced memory integrity, reinforced protection of system memory areas and reinforced core isolation, basically improving security against one program borrowing a thread or jumping into someone else's memory space for further mischief. We will use this to reinforce the main protection against crypto ransomware, and to make defeating or circumventing it far more difficult.

This guide is made of 3 parts:

part 1 – prerequisite conditions to make it work without a visible performance penalty

part 2 – actually securing the files

part 3 – reinforcing the security measures that have been taken, to further increase resilience. Keep in mind that the more obstacles you throw in the crypto malware's path, the better for you: you slow it down more and more, because it has to deal with more things in its way.

part 1 – prerequisite conditions to make it work without a visible performance penalty:

1. Windows 10 x64, ver. 1903 or later. In ver. 1903 this feature is introduced; in later versions it only gets stronger and more resilient.

2. A 5th generation or later Core i5 or higher CPU, for performance reasons, so that it works without a visible performance penalty. The newer the generation and the higher the series of the CPU, the higher the performance and the lower the performance penalty.

part 2 – actually securing the files. Enable the following 2 features in Windows 10 as follows:

First and foremost, activate Windows protected folders, which is basically the essence of the whole thing. In essence, protected folders give the protection of the files; everything else that follows serves to reinforce and fortify this feature, to make it more difficult to circumvent and more resilient against attacks and sabotage. It also serves to reinforce the OS in general against the wide variety of trouble you can find on the internet.




In this window the feature we need is Microsoft Windows Defender Application Guard. This makes Windows Defender stay sharply on guard, especially under browsing conditions. Keep in mind that unsafe browsing is a well known attack vector for infection with whatever malware is crawling the internet, crypto ransomware included. When you set the other options like Guarded Host and all the virtualization options, you actually prime and prepare for use Windows' own memory protection routines and features, which greatly reduce the chance of an app being able to escape its own memory space and enter the memory space of other programs. On the specified processors there are routines and instructions in hardware which accelerate this and reinforce the protective effect: even if the OS misses a memory tampering attempt, the processor will catch it, see that one program is trying to tamper with the memory space of another, and throw an exception, because the processor does not like what is happening. You may never use the sandbox itself, but enabling it sets up the environment and variables for memory protection. We are going to use these later, to reinforce our defense.

The next step is to activate protected folders. This is a selection of folders that we want to give special protection. Windows has its own default folders selected, but you can add any folder of your choosing.

To activate it, open Windows Security, then Virus & threat protection, then enable the following options:



Real-time protection - needed to make it work at all.

Cloud protection - makes it recognize threats better by using additional threat data from the Microsoft cloud, so it is more aware of real malware and raises fewer false positive alarms.

Tamper protection - this one is very important. It makes Windows watch strictly what is happening and whether one program is trying to sabotage or mislead another. This is part of reinforcing the protected folders feature to be stronger and more resilient.

Next, enable the most important of all the reinforcing options: memory integrity and core isolation. This means the malware cannot borrow threads or sabotage memory space with fake data in order to fake access where it should not have any.


Go to Device security, open it, and find the Core isolation option. Click on Core isolation details:


and activate the Memory integrity option:


This uses the processor's memory management routines in hardware, so even if the program or Windows misses some attempt at mischief, the processor itself will catch it and stop it by throwing a memory violation exception at whatever address it is happening. So if the malware tries to make mischief, the processor will be annoyed and will react to stop it. Now reboot, and let all these options come into effect. If you are on an older generation Core i processor, or one weaker than a Core i5, you may experience some performance penalty.

So here we are after the reboot. The computer is now working with greatly hardened memory management and resilience against memory mischief attempts. As we said, these memory options are needed to harden the protected folders feature against sabotage or circumvention attempts.

Now return to Virus & threat protection:


and click on Manage controlled folder access:

Windows will take you to the Ransomware protection section. There is an option, Controlled folder access, which is disabled by default. Enable it. This option is the point and the heart of the whole exercise.



Great, now it works, but you need to say which folders you want protected, so click on Protected folders and begin to specify them. Choose the folders which contain your important files. Keep in mind that Windows also has its own set of default folders that will be protected. It is fully OK to add your folders to the default set from Windows. Add them.



After you finish adding your important folders, it is time to specify which programs are allowed to write in these folders. Click "Add an allowed app" and point Windows to an app you want on the allowed list, i.e. one that will be allowed to make changes.


I would allow programs like Word, Excel, PowerPoint and the other programs in the Microsoft Office suite; IrfanView or another program for managing images; Windows Media Player (I use it to manage my multimedia content, and it can do a lot for security if you know how); Media Player Classic to manage my movies; Adobe Audition, Free Audio Converter, Creative WaveLab and Audacity for music recording and editing; and misc programs like WinRAR, Notepad++, SumatraPDF, qBittorrent and the browser. Most importantly, the Windows shell, explorer.exe, must also be allowed. Keep an eye on "Recently blocked" programs: it may be blocking a program you want to be allowed.
 
This is a whitelist filter: only the programs and applications you allow will be able to write there. If a program is not allowed, it will not write. Because the crypto ransomware will not be allowed, it will not be able to make mischief. All the reinforcements protect against various kinds of mischief and make this feature more hardened and more resilient to attempts at sabotage; this is why they are important and why I have placed them first. On top of all that, as the final finishing touch, work with an explicitly set standard user. This takes access further away from the crypto ransomware and further limits the crypto malware in terms of access and its ability to do damage.
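The whole of Part 2 can also be applied and checked from an elevated PowerShell prompt instead of clicking through Windows Security. The script below is an added example and is not part of the original guide; the folder and application paths in it are placeholders you replace with your own, and the `Win32_DeviceGuard` query and Defender event ID 1123 are the standard Windows interfaces for checking memory integrity and for the "Recently blocked" list, not anything the guide itself mentions. Tamper protection is deliberately left to the GUI, because Microsoft exposes no cmdlet to switch it on.

```powershell
# Added example (not from the original post): Part 2 of the guide applied and
# checked from an elevated PowerShell prompt instead of the Windows Security GUI.
# Folder and application paths below are placeholders; adjust them to your own.
# Tamper protection intentionally has no cmdlet and must be enabled in the GUI.
#Requires -RunAsAdministrator

# 1. Real-time and cloud-delivered protection (Virus & threat protection settings)
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced             # cloud protection
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# 2. Check that memory integrity (HVCI) is actually running after the reboot.
#    SecurityServicesRunning contains 2 when hypervisor-enforced code integrity is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 2) {
    Write-Host 'Memory integrity (HVCI) is running.'
} else {
    Write-Warning 'Memory integrity is not running; enable it under Core isolation and reboot.'
}

# 3. Controlled folder access: the heart of the whole exercise.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 4. Extra protected folders on top of the Windows defaults (placeholder paths).
$myFolders = @('D:\Work', 'D:\Photos', 'D:\Music')
Add-MpPreference -ControlledFolderAccessProtectedFolders $myFolders

# 5. Allowed apps (the whitelist). Only these may write inside protected folders.
#    explorer.exe is listed because the guide says the Windows shell must be allowed.
$allowedApps = @(
    'C:\Windows\explorer.exe',
    'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',   # placeholder path
    'C:\Program Files\Notepad++\notepad++.exe'                        # placeholder path
)
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedApps

# 6. Review what is now configured.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# 7. Harmless self-check: powershell.exe is not on the allowed list, so this write
#    should normally be refused with "access denied" while the protection is working.
try {
    Set-Content -Path (Join-Path $myFolders[0] 'cfa-selftest.txt') -Value 'test' -ErrorAction Stop
    Write-Warning 'Write succeeded: either powershell.exe is allowed or controlled folder access is off.'
} catch {
    Write-Host "Write blocked as expected: $($_.Exception.Message)"
}

# 8. The "Recently blocked" list: programs that controlled folder access has stopped
#    (event ID 1123), so you can spot a legitimate app that still needs whitelisting.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it after the reboot that follows enabling memory integrity, so step 2 reports the real state. Step 7 is a quick way to confirm the whitelist is in force without any malware involved: a refused write from an unlisted program is exactly the behaviour the guide relies on. If you ever need to find out why a trusted program stopped saving files, step 8 is the place to look before adding it to the allowed list.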

The final hardening piece that makes it really strong is the standard, non-admin account. Convert your current account into a standard user by creating another, password-protected admin account. Log in to the new admin account and use it to demote your default account to a standard user. The standard, non-admin account helps by denying access to shadow copies. Shadow copies are another way to recover after a ransomware attack; if you are attacked while running as administrator, the ransomware can attack the shadow copies too. When you are a standard user, the ransomware will be denied access to the shadow copies, and all the other memory hardening settings we made will pose big challenges and a big problem for a ransomware trying to use exploits to promote itself to admin, basically because it will not be able to get out of its own memory region to manipulate and sabotage other processes.
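The same account change can be scripted with the built-in LocalAccounts cmdlets. This is an added example rather than part of the original guide; the account names are placeholders, the password is prompted for rather than written into the script, and the script refuses to demote the everyday account if no other administrator would be left, which is the one mistake that locks you out of your own machine.

```powershell
# Added example (not from the original post): create a separate password-protected
# administrator account, then demote the everyday account to a standard user.
# Account names are placeholders. Run step 1 from your current admin account,
# then sign out, sign in as the new admin account and run steps 2-4, as the guide describes.
#Requires -RunAsAdministrator

$newAdmin  = 'AdminAccount'   # placeholder: the new, rarely used admin account
$dailyUser = 'Alice'          # placeholder: your everyday account to be demoted

# 1. Create the new administrator account (password prompted, never hard-coded).
if (-not (Get-LocalUser -Name $newAdmin -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $newAdmin"
    New-LocalUser -Name $newAdmin -Password $pw -AccountNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $newAdmin
}

# 2. Sanity check: never demote the last remaining administrator.
$otherAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -notlike "*\$dailyUser" }
if (-not $otherAdmins) {
    throw 'Refusing to demote: no other administrator account would remain.'
}

# 3. Demote the everyday account: leave Administrators, make sure it is in Users.
Remove-LocalGroupMember -Group 'Administrators' -Member $dailyUser -ErrorAction SilentlyContinue
Add-LocalGroupMember    -Group 'Users'          -Member $dailyUser -ErrorAction SilentlyContinue

# 4. Verify who is left in the Administrators group.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

After step 3, the everyday account can no longer run `vssadmin` or other tools that delete shadow copies without a UAC prompt answered with the admin account's password, which is the protection the paragraph above is after.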

That's all. Enjoy a much stronger and much more hardened Windows 10 ver. 1903 or later, against many types of malware, crypto ransomware included. Good luck!

Preliminary tests were made on my computer at home, a dual Xeon X5660 CPU workstation equipped with Windows 10 Pro for Workstations 64-bit, ver. 2004. Results on this professional grade equipment with the professional grade version of Windows were solid as concrete. All files OUTSIDE protected folders fell victim, as expected. All files INSIDE protected folders were safe, unaffected, perfectly readable and perfectly editable, as expected. I was also able to open the files INSIDE the protected folders with their own apps, view their original content undamaged, edit them and save them, and they remained intact with their original content undamaged through all subsequent opens and edits, while the computer was infected with ransomware. The result is as expected. This result gives me high hopes for my little project.

What is the main goal of this research? 
The main goal of this research is to stop the initial damage to your files during infection and give you time to clean and restore your computer to a good, healthy state.

When should these be applied?
These settings should be applied immediately after the computer is installed, drivers are in place and users are set up, so that they are working and in effect as soon as possible, before infection comes. If they are already up and running when infection comes, they will work, help you and protect your files INSIDE protected folders. If you apply them too late - after infection - it is too late. Your files are lost. Forever.

What is the main goal of this?
The goal is to prevent the initial damage and give you time to clean and restore computers to a good state.

What can it really do?
If applied in time, it will prevent damage to files INSIDE protected folders and give you time to clean and recover computers to a good state.

What can it not do?
It cannot recover files which are already damaged. These are already beyond repair. These are lost. Forever. It will not protect any files OUTSIDE protected folders.

Which are the protected folders?
Any folder you want. Windows defines a few folders as protected by default. Beyond these, you can define any folder you want, for any reason you want.

Is all this valid only for protected folders?
Yes. It is valid for protected folders only and it does not affect any other folder or file outside protected folders.

How to make the best out of this?
Choose your protected folders wisely, and make sure you have added all folders you know you will use, plus any folders you are unsure whether you will use or not. Move all your files of value there, save only in protected folders, and never save anything outside protected folders.

Who can benefit from this research?
Everyone who has a new enough and at least mid-range computer can benefit from all this, one way or another, depending on their current environment and situation.

Does this research involve installing more programs? 
No. It is done by managing Windows' factory built-in options and features only.

Will this make my computer slow? 
No performance penalty will be felt on any decent computer.

Will this make my computer unstable? 
If all drivers are installed correctly, and you have chosen high quality, WHQL signed drivers - no. No negative impact will be felt.

If your drivers are a mess, then yes: a wide variety of negative side effects can happen.

Are my programs going to be affected?
Yes. Any and all programs which are not explicitly whitelisted will not be allowed to write in protected folders. Please make sure you have added all programs related to your activities to the whitelist.

How do I add programs to the whitelist?
Detailed instructions on how to add programs to the whitelist are provided in the research itself. Please read it carefully before proceeding.

How do I add folders to the protected folders?
Detailed instructions on how to add folders to the protected folders are provided in the research itself. Please read it carefully before proceeding.

Does this negate the need for a decent backup?
No. Nothing removes the need for a decent backup. A decent backup is the most important best practice and the best protection against data loss.

What is the cost of this research?
The price is: 0.00 $

This research is free. It is a free gift for everybody, for everybody's benefit.
