
Windows XP Home without antivirus

I recently read the articles "Windows-based computer without antiviruses" and "Configuring group policies for limited use of programs in Windows 7"... I want to share how I set up Windows XP Home Edition to run without antivirus software and still keep the chance of infection to a minimum.

It all started in an office I supported until recently, which always had problems with viruses. Management did not want to spend money on antivirus, every machine ran the Home edition (which has neither Group Policy nor Software Restriction Policies), autorun from CDs and flash drives was disabled, IE was blocked too... It did not help. In the end I got fed up with it all and took the "last step"...

Windows lets you create a "white list" or a "black list". A "black list" means the programs listed in it will not launch; a "white list" means only the programs listed in it (plus those the system needs to work) will launch.


"White list"


A good defence against malware can be built on the "white list". Creating it takes at least two steps:
  1. In the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer create a value RestrictRun of type DWORD (REG_DWORD) set to 1.
  2. Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ create a subkey RestrictRun, and in it a value named 0¹ of type STRING (REG_SZ) with the data regedit.exe.
You need to restart your computer for the changes to take effect.
IMPORTANT! If you do step 1 but NOT step 2, then after a reboot you will not be able to start any program at all. To recover, log in as another user with administrator rights, open the registry editor, select the HKEY_USERS branch, choose File -> Load Hive..., in the file dialog find NTUSER.DAT in the profile directory of the user for whom the whitelist was configured (that user must be logged off, otherwise the file is locked), and press "Open". Give the loaded hive any name, then find the RestrictRun value under <that name>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, delete it or set it to 0, select the hive and choose File -> Unload Hive..., and reboot.
Thank you xn__p2a

Later on you can add programs under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun in the same way as in step 2. In that case no reboot is needed; the changes take effect immediately.

To avoid going into the registry editor every time, I created a .reg file containing the list of programs, corrected it as needed, and ran it after each edit.
Below is a small piece of this file:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun]
"0"="regedit.exe"
"1"="notepad.exe"
"2"="wupdmgr.exe"
"3"="cleanmgr.exe"
"4"="wordpad.exe"
"5"="calc.exe"
"6"="mstsc.exe"
"7"="taskmgr.exe"
"8"="7zFM.exe"
"9"="7zG.exe"
"10"="7z.exe"
"11"="firefox.exe"
"12"="java.exe"
"13"="FlashUtil10d.exe"
"14"="NPSWF32_FlashUtil.exe"
"15"="thunderbird.exe"
"16"="soffice.exe"
"17"="soffice.bin"
"18"="python.exe"
"19"="sbase.exe"
"20"="scalc.exe"
"21"="sdraw.exe"
"22"="simpress.exe"
"23"="smath.exe"
"24"="swriter.exe"
The entire file can be downloaded here. Keep in mind, though, that my version is unlikely to suit you as-is: my files differed from computer to computer, but the first 24 programs were usually always present.


Disadvantages

  1. This method does not protect against malware that does not arrive as an executable file the user launches: worms that enter through a network exploit (for example, MSBlast), or malware that runs as a dynamic library² loaded into another process (for example, Conficker).
  2. Implementation effort. Each program has to be investigated³ to find out which executables it launches at startup and during use, so that they can be added to the "white list".
  3. Inconvenience of making changes. The user cannot write to the RestrictRun key even though it lives under HKEY_CURRENT_USER (Windows gives the Policies subtree a read-only ACL for ordinary users). So you have to log out of the user account, log in as the admin, grant the user admin rights, log in as the user, edit the registry, log out again, log in as the admin again, and take the admin rights away from the user. Or edit it from the admin account through the HKEY_USERS branch, as described above.
  4. You cannot specify a full path. Only the file name is compared, so if a virus file has the same name as any program in the "white list", the virus will launch. Likewise, the user can rename a file to an allowed name and start (almost) any program that way.

Practice


In two years of using this "trick" no viruses were observed. Each computer had ClamWin (an on-demand scanner without real-time protection), which scanned the disks in the evenings, and once a month I checked the system with an offline antivirus. The only problem was user dissatisfaction, which was quickly put down by explaining to management "what, why and how".


"Black list"


Since I mentioned the "black list" at the start, a few words about it. It is useful when you only need to forbid a handful of programs. It is created the same way as the "white list", in two steps:
  1. In the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer create a value DisallowRun of type DWORD (REG_DWORD) set to 1.
  2. Under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ create a subkey DisallowRun, and in it a value named 0¹ of type STRING (REG_SZ) whose data is the program to block, for example calc.exe to forbid the calculator.
You need to restart your computer for the changes to take effect.
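Both procedures above, the RestrictRun whitelist and the DisallowRun blacklist, produce a .reg file of the same shape, and the same two mistakes wreck it: value names that are not consecutive from 0 (footnote 1) and a whitelist without regedit.exe (the IMPORTANT note). The following Python script is an added example, not code from the original article: it builds such a .reg file from a plain list of executable names and checks a hand-written one against those rules, also rejecting entries that carry a path, since Windows compares only the bare file name. The key path and value layout are taken from the article; the function names and the BROKEN sample file are this example's own.

```python
"""Build and sanity-check a RestrictRun / DisallowRun .reg file.

Added example for the article above, not part of the original text. It
encodes the rules the article states: the policy switch is a DWORD 1 in
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer, the
program list is a subkey of the same name, and the value names in that subkey
must be consecutive numbers starting at 0. For a whitelist it also refuses to
write a file that omits regedit.exe, since that locks the account out of
every program.
"""
import re

POLICY_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows"
              r"\CurrentVersion\Policies\Explorer")
MODES = ("RestrictRun", "DisallowRun")
_SECTION = re.compile(r"^\[(.+)\]$")
_LIST_VALUE = re.compile(r'^"(\d+)"="([^"]*)"$')


def _has_path(name):
    # Windows compares only the bare file name (article, disadvantage 4),
    # so an entry like C:\Windows\calc.exe would never match anything.
    return "\\" in name or "/" in name


def build_reg(mode, programs, safety_net="regedit.exe"):
    """Return the text of a .reg file for `mode` and the given executables.

    Entries are de-duplicated case-insensitively and numbered 0..n-1 in the
    order given. `safety_net` is the program a whitelist must always keep so
    the policy can be undone from inside the account.
    """
    if mode not in MODES:
        raise ValueError("mode must be one of %r" % (MODES,))
    names, seen = [], set()
    for raw in programs:
        name = raw.strip()
        if not name or name.lower() in seen:
            continue
        if _has_path(name):
            raise ValueError("path separators are not allowed: %r" % name)
        seen.add(name.lower())
        names.append(name)
    if mode == "RestrictRun" and safety_net and safety_net.lower() not in seen:
        raise ValueError("a whitelist without %s locks the user out" % safety_net)
    lines = ["Windows Registry Editor Version 5.00", "",
             "[%s]" % POLICY_KEY,
             '"%s"=dword:00000001' % mode, "",
             "[%s\\%s]" % (POLICY_KEY, mode)]
    lines += ['"%d"="%s"' % (i, name) for i, name in enumerate(names)]
    return "\r\n".join(lines) + "\r\n"   # regedit writes .reg files with CRLF


def check_reg(text, mode):
    """Check a .reg file (hand-written or generated) against the same rules.

    Returns a list of findings; an empty list means the file is consistent.
    """
    findings, section = [], None
    policy_on, entries = False, {}
    list_key = ("%s\\%s" % (POLICY_KEY, mode)).lower()
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
        elif section == POLICY_KEY.lower():
            if line.lower() == ('"%s"=dword:00000001' % mode).lower():
                policy_on = True
        elif section == list_key and line and not line.startswith(";"):
            m = _LIST_VALUE.match(line)
            if m:
                entries[int(m.group(1))] = m.group(2)
            else:
                findings.append("unexpected line in %s list: %s" % (mode, line))
    if not policy_on:
        findings.append('"%s"=dword:00000001 is missing; the list is ignored' % mode)
    if not entries:
        findings.append("%s list is empty" % mode)
    elif sorted(entries) != list(range(len(entries))):
        findings.append("value names must run 0..%d without gaps, got %s"
                        % (len(entries) - 1, sorted(entries)))
    if mode == "RestrictRun" and "regedit.exe" not in {v.lower() for v in entries.values()}:
        findings.append("regedit.exe is missing from the whitelist: lockout risk")
    findings += ["entry %r contains a path; only file names are compared" % v
                 for v in entries.values() if _has_path(v)]
    return findings


# Constructed sample of a hand-edited whitelist with three of the mistakes
# above: no RestrictRun switch, a gap in the numbering, and no regedit.exe.
BROKEN = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\RestrictRun]
"0"="notepad.exe"
"2"="calc.exe"
"""

if __name__ == "__main__":
    print(build_reg("RestrictRun", ["regedit.exe", "notepad.exe", "calc.exe"]))
    for finding in check_reg(BROKEN, "RestrictRun"):
        print("BROKEN:", finding)
```

Save the generated text as whitelist.reg and apply it with reg import whitelist.reg (or by double-clicking it). As disadvantage 3 explains, the user's own account cannot write the Policies key, so the import has to run while that account temporarily has administrator rights, or be done from the admin account through a loaded hive.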




¹ Value names must be numbers, starting from 0 and running consecutively without gaps.
² Windows enforces the restriction because ShellExecute and ShellExecuteEx, the wrappers around CreateProcess that Explorer uses to start programs, check the RestrictRun key; CreateProcess itself does not. The method therefore protects only against the user launching unauthorized programs, and against malware that starts things through ShellExecute (which is most of it). More about ShellExecute and RestrictRun can be read here (that discussion is about LockWin, but the RestrictRun mechanism is described well there).
Thanks shiko_1st .
³ For the research I used Process Explorer and Process Monitor by Mark Russinovich.

UPD1: To restrict program launches to Program Files only, you can use the Microsoft SteadyState utility. Thanks kondorkm

UPD2: For managing access rights in the Home editions, the console utility cacls.exe is included with Windows; there are also:
xcacls.vbs - downloadable from Microsoft
xcacls.exe - included with the Windows Support Tools
subinacl.exe - included with the Windows Resource Kit Tools
Thanks xn__p2a

Source: https://habr.com/ru/post/102298/

