How to "Virus-Proof" Your Computer With Windows AppLocker (Ultimate Guide)

  • Published 1 Aug 2024
  • Well, at least as close to virus-proof as you can get... 🤔
    • Download the policies and filters I mentioned here: drive.google.com/file/d/1RwZJ...
    (Current resource pack version = 6, Updated 2/14/2024)
    📝Additional Notes:
    • To get AppLocker policies to actually work, you might have to enable the "Application Identity" service and set it to start automatically if it isn't already. This requires a special command because it is a protected process (as opposed to just opening the services menu). To do this, run the command in command prompt as admin:
    sc.exe config appidsvc start= auto
    • It turns out you CAN actually add the Group Policy settings for PowerShell core without having to install PowerShell Core. I've added instructions to the ReadMe file in the resource pack in the description, but basically you download the latest zip release from Microsoft's PowerShell GitHub, and copy the files "PowerShellCoreExecutionPolicy.admx" and "PowerShellCoreExecutionPolicy.adml" into the directories "C:\Windows\PolicyDefinitions" and "C:\Windows\PolicyDefinitions\en-US" respectively.
    • I figured this went without saying, but obviously if you download something malicious and add a rule to allow it, you will be infected. You still must ALWAYS be vigilant. And you should still also use an Antivirus, it’s not a replacement for that.
    ▼ Time Stamps: ▼
    0:00 - Intro
    2:21 - Video Chapters Outline
    3:37 - Creating a Shortcut to AppLocker
    5:17 - AppLocker Initial Setup
    6:17 - Creating AppLocker Log in Event Viewer
    9:02 - AppLocker Default Rules
    10:44 - File Types For Different Rule "Collections"
    12:26 - Adding Rules & How They Work
    26:10 - Deny Rules
    27:22 - More Rules I Added
    31:17 - Allowing Specific Signed Files
    32:30 - Why Add Rules Blocking PowerShell?
    35:27 - Importing the Policy
    36:10 - Note About "Policy Test" Files
    36:52 - Note If You Don't Have PowerShell 7
    37:41 - AppLocker With Powershell (IMPORTANT)
    40:33 - Disabling PowerShell 2.0
    40:59 - Setting PowerShell Execution Policy
    43:54 - Blocking Bypass of Execution Policy
    46:05 - PowerShell Script Block Logging
    46:57 - PowerShell 7 Has Separate Execution Policies
    47:36 - Setting Up PowerShell 7 Execution Policies
    49:46 - Which PowerShell MachinePolicy Should You Use?
    50:30 - How to Determine if a File is Signed
    51:38 - Wrapping Up
    Corrections:
    @ 47:52 - If you don't have PowerShell 7 installed, you actually still can add the settings to Group Policy Editor. See instructions in the 'ReadMe' file in the resource pack in the description.
  • Science & Technology
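
A read-only check for the setup notes above (the Application Identity service, the PowerShell Core policy templates, and the AppLocker event log), added here as an example; it is not part of the video's resource pack. `Test-AppLockerReadiness` is a hypothetical name, and the script assumes an elevated Windows PowerShell session on a Windows edition that includes the AppLocker cmdlets.

```powershell
# Added example; Test-AppLockerReadiness is a hypothetical helper name.
# Read-only: it reports state and changes nothing. Run it elevated.
function Test-AppLockerReadiness {
    [CmdletBinding()]
    param(
        # Directory named in the note about the PowerShell Core templates.
        [string]$PolicyDefinitions = 'C:\Windows\PolicyDefinitions',
        [string]$Language = 'en-US'
    )

    # 1. Application Identity service (AppIDSvc): AppLocker depends on it.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'"
    [pscustomobject]@{
        Check  = 'AppIDSvc starts automatically'
        Pass   = ($svc.StartMode -eq 'Auto')
        Detail = "StartMode=$($svc.StartMode); fix: sc.exe config appidsvc start= auto"
    }
    [pscustomobject]@{
        Check  = 'AppIDSvc is running'
        Pass   = ($svc.State -eq 'Running')
        Detail = "State=$($svc.State)"
    }

    # 2. Effective policy: list each rule collection, its mode and rule count.
    #    A collection with no rules places no restriction on that file type.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        $ruleCount = @($rc.ChildNodes).Count
        $mode = $rc.GetAttribute('EnforcementMode')
        [pscustomobject]@{
            Check  = "Rule collection '$($rc.GetAttribute('Type'))' has rules"
            Pass   = ($ruleCount -gt 0)
            Detail = "EnforcementMode=$mode; rules=$ruleCount"
        }
    }

    # 3. PowerShell Core Group Policy templates copied as the note describes.
    $templates = @(
        Join-Path $PolicyDefinitions 'PowerShellCoreExecutionPolicy.admx'
        Join-Path (Join-Path $PolicyDefinitions $Language) 'PowerShellCoreExecutionPolicy.adml'
    )
    foreach ($path in $templates) {
        [pscustomobject]@{
            Check  = "Template present: $(Split-Path $path -Leaf)"
            Pass   = (Test-Path -LiteralPath $path)
            Detail = $path
        }
    }

    # 4. AppLocker event log: audit and block events for executables land here
    #    once the service runs and a policy is applied.
    $logName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    $last = Get-WinEvent -LogName $logName -MaxEvents 1 -ErrorAction SilentlyContinue
    $detail = 'no events recorded yet'
    if ($last) { $detail = "latest: Id=$($last.Id) at $($last.TimeCreated)" }
    [pscustomobject]@{
        Check  = "Events present in '$logName'"
        Pass   = [bool]$last
        Detail = $detail
    }
}

Test-AppLockerReadiness | Format-Table -AutoSize -Wrap
```

A stopped or manual-start AppIDSvc combined with an empty event log matches the "rules and audit events do nothing" symptom several commenters describe below.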

COMMENTS • 322

  • @ThioJoe 11 months ago +136

    I knew the video would be longer than average but not this long 😩
    📝Notes:
    • Also I figured this went without saying, but obviously if you download something malicious and add a rule to allow it, you will be infected. You still must ALWAYS be vigilant. And you should still also use an Antivirus, it’s not a replacement for that.
    • To get AppLocker policies to actually work, you might have to enable the "Application Identity" service and set it to start automatically if it isn't already. This requires a special command because it is a protected process (as opposed to just opening the services menu). To do this, run the command in command prompt as admin:
    sc.exe config appidsvc start= auto
    • Turns out you CAN actually add the Group Policy settings for PowerShell core without having to install PowerShell Core. I've added instructions to the ReadMe file in the resource pack in the description, but basically you download the latest zip release from Microsoft's PowerShell GitHub, and copy the files "PowerShellCoreExecutionPolicy.admx" and "PowerShellCoreExecutionPolicy.adml" into the directories "C:\Windows\PolicyDefinitions" and "C:\Windows\PolicyDefinitions\en-US" respectively.

    • @faelixy5 11 months ago

      it’s 52 minutes but ok-

    • @_SJ 11 months ago

      Looooonnngggg 😊

    • @ethimself5064 11 months ago

      🤣🤣

    • @CosmicCitiZenOfficial 11 months ago +3

      You made a Documentary....😄👏

    • @pyp2205 11 months ago

      Woah, I didn't realize how long this video is until I saw this comment.

  • @nikolamilasevic2176 11 months ago +105

    I don't know why everybody is emphasizing the duration of this video - for me - it was like watching a super interesting, informative and well-written documentary - the time just flew by! Excellent work, thank you so much for your effort! Greetings from Croatia :)

    • @-_lIl_- 11 months ago +4

      is it just me or did this 52 minute tutorial feel like a 10 minute tutorial?
      "Good tutorials feel like they took a fraction of the actual time it took to complete it. Bad tutorials are the same, except the reason is because of leaving early due to how bad it is instead of being due to how good it is."

    • @GamerTheMK 3 months ago +1

      Same !

  • @aaaaaaaaaaaaaaaaaaaaaaa935
    @aaaaaaaaaaaaaaaaaaaaaaa935 11 місяців тому +152

    let's appreciate how much effort this guy spent to help us virus-proof our computers

    • @yashprogamer647 11 months ago +1

      Yes

    • @ppanigrahi 11 months ago +1

      Fully Agree

    • @gabe_0x 11 months ago +6

      As useful as these tools are, the single best anti-virus you can have is your own common sense.

    • @OGuiBlindao 11 months ago

      @@gabe_0x Not when a trusted program randomly downloads malware to your pc

    • @Splarkszter 3 months ago

      @@gabe_0x Everyone knows that but the human factor will ALWAYS fail. Social Engineering is too powerful because they exploit people in all ways imaginable.
      Hardening our systems will help as an early warning system, and if you actually put attention to the video, AppLocker is the single best tool ever for this kind of thing.
      Now I wish to know a HID whitelist system.

  • @M0VIE 11 months ago +110

    The hero we didn't know we deserved

    • @ziphhy 11 months ago +11

      He used to be the villain, happy he has become the hero.

    • @random_person618 11 months ago +1

      @@ziphhy Me too.

    • @chipproductions1510 11 months ago +2

      Who says we deserve him?

    • @alphainfinityX 11 months ago +2

      NGL I used to love the villain side of him back in the day

    • @SamuelViagus 11 months ago +1

      Yes

  • @hoffer_moment 11 months ago +10

    Here's what I did for my grandma's PC, very simple:
    - Require my own password for Administrative privileges so she can't do that
    - Set up a single browser so she has no access to other browsers, with downloads always dropping into the Downloads folder
    - Wrote a script to instantly delete any executables that enter the Downloads folder
    My beloved virus addict is now sober :)

  • @FladeTV 11 months ago +35

    Hey ThioJoe! I appreciate you making this more detailed and longer! 🎉

  • @Mikesco3 10 months ago

    You know @ThioJoe has a gift for teaching and explaining when the whole 50 minute video felt like 10 and you remember fairly well most of the process!
    Totally appreciate this video.

  • @DavidKing 11 months ago +20

    This is amazing, thanks so much for taking the time and putting so much effort into this. You're a legend!

  • @Galactum 11 months ago +3

    I swear this video is so informative and useful it’s something you could probably charge for and make thousands off of but you were nice enough to give it to everyone for free, what a guy

  • @nicholashoi3155 11 months ago +8

    Best 50 minutes of my time, thanks a lot TJ, definitely learned a lot.

  • @orangecat2287 11 months ago +2

    We've been waiting! Thank you Thio!! 🎉🎉🎉

  • @prince_julius 11 months ago

    This is one of those videos that I've saved up to watch, as you were asking in a recent poll. Thanks for the detailed explanation!

  • @qazx-mp5rv 11 months ago

    THANK YOU SO MUCH! I've been waiting for a tutorial on how to set this up.
    Great video as always!

  • @craz7644 11 months ago +5

    Congrats on 3M subscribers! Well deserved!

  • @schapman167 5 months ago

    @thiojoe, this was one of the best mapped out videos covering a relatively complex topic and one with lots of settings. We are implementing this, and your video has been shared to the team as the best tutorial about it.

  • @S-axle 11 months ago +4

    Awesome video ThioJoe! Structured well like a course. 👍

  • @ionamygdalon2263 11 months ago +2

    Exactly what I was waiting for 🎉 Many, many thanks Thio ✌️

  • @friendlybutfire2556 11 months ago +2

    This might be the best video on your channel! I wanted to thank you for your effort doing this!

  • @homerw0rld 11 months ago +8

    one of the best tutorials for applocker, even one of the most in-depth well explained tutorial in general

  • @GianniLeonhart 11 months ago +12

    I have no intention to do any of this myself but I watched it all
    You made it very engaging and informative, I didn't notice the length until it was almost done
    I won't mind more "complex" tutorials like this one in the future

    • @MRCREEP-gj3xr 10 months ago +1

      that's why you blush the whole time

  • @glendubie 11 months ago +1

    Thank you for this very comprehensive tutorial, ThioJoe. It is much appreciated.

  • @liammullen3284 8 months ago +1

    Thank you for thinking of us and sharing this knowledge! You are the BEST!! I made the changes on my PC and hopefully the random file explorer windows opening will stop.

  • @rootdevelopment 11 months ago

    Love the content you have been putting out, really made me understand this underused feature!

  • @_SJ 11 months ago +7

    I think this is your second longest video. Nothing beats that 2 hour one

  • @aItaccount 11 months ago +1

    Thank you for putting so much time into this

  • @Manavetri 9 months ago

    This video structure is great and you explain it very well.
    Thanks for taking the time

  • @gunchag 9 months ago

    This video seems exactly what I was looking for. You saved me a lot of reading and studying time! Thank you very much!!!

  • @Sonic_X_Freddy_Lover001 11 months ago

    Thank you so much for this detailed guide. I was able to follow all of your instructions easily. I understood each and every step depicted in your video.
    By the way, I'm a big fan of your UA-cam Channel. You make great videos. It's always a great time whenever I watch any of your videos. 😁

  • @Klusio19 11 months ago +2

    Holy moly this guy is insane! Take so much time and effort to make us safer

  • @jim9463 11 months ago

    Just what I was looking for! Great vid

  • @MasterChiefSpartan 10 months ago

    Just did it ! Enjoyed the entire video.

  • @Imran_FBD 7 months ago

    I appreciate the effort for this. Thank you Joe.

  • @boydfields 11 months ago

    Very informative. Great job! Much appreciated.

  • @nickdowse 11 months ago

    Thanks so much! Glad I was patient :)

  • @cheplays2482 11 months ago +4

    "Comprehensive tutorial" is an understatement!

  • @KryzysX 11 months ago

    An hour video... thanks man!

  • @TheStoff1975 11 months ago +1

    Awesome!! Unfortunately we wouldn't get rid of those pesky refund scammers with this but at least we'd get away from ransomware and so on. Really great video, thanks!! Since I regularly reinstall my Windows I'm gonna have to delve deeper into how to transfer the settings to another computer, didn't know it was that easy!

  • @paulatreides9709 10 months ago

    best time spent on windows security, thank you for sharing!

  • @patrickarmstrong8908 11 months ago

    Another excellent how to video!! Many thanks. Had to enable “Application Identity” service to get AppLocker to work. However to get it to auto start.. Had to regedit and set its start to 2.

  • @AndrasBolgar 11 months ago

    I finished. Thank you for the great video and the detailed guide.

  • @pinoconte 4 months ago

    Hi ThioJoe, I just wanted to say thank you, although I'll never do any of what you've shown here. Just not Tech savvy enough. I do realize how much time you have spent on video. Thanks

  • @demodandy1 11 months ago +1

    Awesome Video 😀

  • @peternrdstrm 11 months ago +3

    I'm really fascinated by this *type* of security. Antiviruses don't excite me, but this idea of reducing attack surface and plugging security holes is suuper amazing to me. I'd love to see more similar stuff

    • @Lofote 11 months ago +3

      Yes, whitelisting is so much more powerful than blacklisting, in fact antivirus solutions are not able to defeat the 100.000 of new attacks nowadays. Plus it doesn't slow the machine down anymore like AV solutions :)

  • @6644guilherme 11 months ago

    May god bless you thio. Have a great day

  • @yashprogamer647 11 months ago

    One of my favorite youtubers

  • @axq3837 11 months ago

    Well done, Thio! Another suggestion for a video would be about Azure Information Protection and DLP (Data Loss Prevention). What files are protected, what can be managed, tracking files on disk and in transit etc.

  • @DS-nu7kx 11 months ago

    Thanks for the long and detailed video, will be testing this out... I'm curious how this is implemented on a domain (as far as scripts go, what has priority.. still local machine?) Keep up the great work!

  • @yy928 11 months ago

    Thank you for your hard work. Much appreciated.

  • @_SJ 11 months ago +6

    52 minute ThioJoe video?
    Yes please! 🙂

    • @froggygaming84 11 months ago

      yes

    • @_SJ 11 months ago +1

      @doubleWmemes Yes, a few hours ago

    • @faelixy5 11 months ago

      wait what it’s published since 3 minutes but it says you posted this comment 12 hours ago

    • @CanDoesGames 11 months ago

      @@_SJ how did you even watch it before it was posted

    • @fundominant 11 months ago

      paid member @@CanDoesGames

  • @winnerd6772 7 months ago

    Superb❤

  • @tazguy371 11 months ago

    Great section on allow and deny rules also 👍

  • @KurszakGruby 10 months ago

    Great job, thanks!

  • @klocugh12 11 months ago

    Gotta commend you on the effort!

  • @suhaibanisansari 2 months ago

    Excellent!

  • @This_Appear 11 months ago

    Thank you so much!!!

  • @JosephReidNZ 11 months ago

    You're excellent, Joe! I would love to share with you my motivational presentation about my life with Cerebral Palsy, and how tech has enabled me to lead a normal life online.

  • @liameyles1450 4 months ago

    thank you for this been wanting to know how this is set up

  • @andljoy 11 months ago +13

    Top tip: if you are ever applying AppLocker policy in an AD domain, NEVER, and I mean NEVER, edit a live policy; always export the rules, edit them locally and then re-import. If something goes wrong (and it can) you can corrupt the policy and brick machines. I learned that the hard way, bricked about 20 machines. The best way to fix this is to switch to editing rules via configuration manager.

    • @Lofote 11 months ago

      With admin rights you can unbrick the machines, in the last instance you can boot from windows cd, shift f10, regedit, mount the local registry hives and remove the applocker rules :)

    • @Lofote 11 months ago

      Oh and to prevent this happening: allow everything for admins, like the default templates suggest. I mean admins can do whatever they want anyway, effectively delete rules, that's why there is little sense in deleting the admincandoall rule :)

  • @Thiccum069 11 months ago

    Thankss !❤

  • @alleeadl289 11 months ago

    perfect video thanks a lot
    i didn't even know what this tool do even after using windows for 15 years already 🤣

  • @chrisw.1090 11 months ago +1

    Wow, awesome work! This is very technical but also very thorough. One thing I found was my Application Identity service was not running for some reason. Even though I'm logged in as admin I could not set it to run automatically. But found a PS script that was able to set it. :) This whole process seems a little "quirky" though. The audit event log doesn't seem to work for me. But when I change it to Enforce, then the events start showing. Microsoft is also so "fun" to try to figure out. :D

    • @TechHowYT 11 months ago

      Do you mind sharing that PS script? I'm having the same issue. I can get it to run on Windows 11 Pro, but not Windows 10 Pro. Very strange...

    • @Whitemike63 10 months ago

      You are logged as root. You are a hackers perfect target man. Linux does it right only when you need root, install a program and punch password
      you get 15 mins of root running. This is very dangerous having it 24/.

    • @sandalwood4271 8 months ago

      @@Whitemike63 In Windows, it works a bit differently. As far as I can tell, most users have admin-level control of the system by default (without editing group policy settings, of course), which isn't too dangerous because admin accounts, despite the implications in the name, don't actually have full system access, like the Linux root account. In fact, it's supposed to be extremely difficult to scale a user's system-wide authority to root-level in the first place.

  • @Alexus00712 11 months ago +1

    "28 second" old, never been this early for a TJ video before, and a very interesting and informative video too! =D

    • @yashprogamer647 11 months ago

      Did you watch it

    • @Proferk 11 months ago +1

      ago*

    • @Alexus00712 11 months ago +1

      @@yashprogamer647 I have now, it was very interesting and informative

  • @satchguitar84 4 months ago

    Love this, suggestion/question for the import files you have (thanks btw), any reason you can't replace all of the WHATEVERUSERNAME placeholders with %USERNAME%

  • @CanDoesGames 11 months ago +1

    YO ALMOST ONE HOUR OF CONTENT???? I CANT WAIT

  • @OGuiBlindao 11 months ago +1

    Thanks for the super paranoid virus guide, will be installing in my pc

  • @MiC-YT 11 months ago

    i going around powershell execution policies with the classic command prompt (cmd).
    can it restrict it, too? or it is still a legacy security problem, which cannot be regulated other than turning it off completely?

  • @jonathan1683 1 month ago

    I noticed there are tons of DLLs that are not signed so they will be blocked. I also noticed that regedit the file you are using as a sample is also not signed? Will this cause a problem?

  • @666KoXz666 11 months ago +1

    Ok, I watched every second and did that all. Now I'm afraid to restart pc :D

  • @GauravKumar-qe7iu 11 months ago

    Is it feasible to devise a script that establishes an 'allow' rule for executing a specific application, alongside another script to subsequently revoke this 'allow' rule? This would enable me to proactively enable and disable applock rules for a particular application, both prior to and following its execution. Additionally, I'm interested in maintaining a default state of denying the execution of all applications and scripts.????
    I'm just curious 🧐.

  • @terriblegamer6975 2 months ago

    Is an allow for executable installer or other installer for example make it so a uac prompt doesn't show up when it normally would if no applocker was configured

  • @BASSNETIC-MUSIC 9 months ago

    Super helpful video! Thank you very much.
    One thing I noticed is that some malware use a Microsoft certificate that is used to encrypt. Is AppLocker smart enough to not fall for that?
    Edit: There is a right-click option to "Automatically generate" also. How well does that work and what does it do?

  • @faelixy5 11 months ago +2

    I heard if you say your favorite youtuber 3 times you will get a hearted comment
    ThioJoe
    ThioJoe
    ThioJoe
    👌

  • @WolfManCer 10 months ago

    Hi, I don't have new window option when I right click on applocker. Is there a reason why or did I do something wrong in the steps? thanks.

  • @janmillerty4528 11 months ago

    Awesome

  • @Kalamolng 10 months ago

    The " sc.exe config appidsvc start= auto" gives me this error "[SC] OpenService FAILED 5: Access is denied." How do I fix this?

  • @filipetrujeira3359 11 months ago

    I'm really proud lol, I have made a Powershell script which I added to the context menu which allows me to on right clicking the file, instantly whitelisting it.

  • @amandeeproy5881 11 months ago

    I have a problem in windows whenever I try to open icon it automatically opens the first icon besides this I can't scroll down it automatically scrolls up please help me this problem I have executed so many commands but can't get of it

  • @jonathan1683 1 month ago

    every time I try to save the updated directory path for my username I get an error policy could not be saved error unspecified error violates pattern constraint

  • @estebanod 11 months ago

    You’re literally a legend

  • @judeleon8485 11 months ago +1

    Thanks ThioJoe for this great content. For me the length of the video is very OK, considering the content. However, following this tutorial is a challenge. It's difficult to know how you arrived at certain point by the clicks of the mouse due to the speed and rate of zooming in and out. The movement of the mouse pointer on the screen is almost at the "speed of light". Maybe it's just me seeing it that way

    • @ThioJoe 11 months ago +2

      Yea I realized afterwards I wasn’t really explaining everything I was doing so I tried to add on-screen explanations at some point. Some parts might be helped by putting the video on 0.5x speed

  • @FairwellNoob 11 months ago

    I have noticed an error at Creating a Shortcut to AppLocker at 3:43. The path you listed is correct, but you forgot to list "Windows Settings" after computer configuration in the red text box path

  • @MrSmithToday 7 months ago

    Best video

  • @ShiroColdkeyesTheHedgehog 10 months ago

    So can you make it so games and clients for steam to name a few? But lock everything else down?

  • @Chewbucksa 11 months ago

    Super helpful. The only problem is my Event Viewer isn't showing the audit logs at all. It's as if nothing is run.

  • @-_lIl_- 11 months ago

    I wasn't so paranoid until my avast antivirus was not protecting me, and the UI was bugged so I couldn't access it but in the UI it said that it was protecting me, but in the tray icon it said I wasn't. A restart showed that my firewall was disabled and I IMMEDIATELY activated it and did a full virus scan. Now here I am, doing this regardless of the inconvenience of it. A few menu navigation clicks as an inconvenience is nothing compared to trying to remove dangerous malware from your computer and possibly spend hundreds to get it repaired if you're not good with tech, and possibly even thousands if it cannot be removed and you have to buy a new pc.
    "Paranoia is not an inconvenience, it is your body's natural safeguard when it senses danger"

  • @Trinitrophenylmethylnitramines 10 months ago

    If I want only Google Chrome access the Chrome's cookie folder what rule should I make?

  • @UmVtCg 11 months ago +1

    Why create 2 MMC files when Event viewer and GPO AppLocker can be added in a single Console. From there just add some windows. I've got a console with a whole bunch of tools even some custom scripts that I can launch from the MMC.

  • @eggroll121 10 months ago

    I am not able to see app locker from the event viewer under custom view. You lost me at 6:35 in your video. Furthermore, I don't see the events under app locker in custom view. My events are found under administrative events.

  • @Yellomellowil 11 months ago

    Only tech creator as an indian i see from us❤❤❤ . Love you bro from India.

  • @Praxss 11 months ago

    Adding more application those can be use pro-actively: Simplewall or Portmaster
    Excellent firewall application

  • @TheBoostedDoge 11 months ago

    Thank you for once again scratching my cybersecurity paranoia itch

  • @Wikinger18 11 months ago

    It gives me an error when I use a "*" as version any fix?

  • @terriblegamer6975 2 months ago

    Also when checking event viewer events in these custom views that just happened disappear even though other older events in other logs are still there.

  • @MeariBamu 11 months ago

    did 7-zip or bandzip have same Vulnerability with cve-2023-40477
    being the winrar Vulnerability was find

  • @daffawiradanu2260 11 months ago +1

    Cool

  • @N.... 11 months ago +1

    Doesn't Steam set the permissions on some folders in its install directory to be modifiable without elevation? I imagine it would be difficult to configure rules properly to allow games to run but disallow malware from copying executables into the same directories as the games...

    • @futuza 11 months ago

      That's what the file hash exceptions are for. That said, very few malwares are going to try the trick of copying themselves into a game's directory to attempt to use that as a staging ground, so the possibility of that happening is pretty remote. Most malware authors are not going to be writing it to tailor to your specific security policies/install setup, but hitting broader targets and going for typically unprotected areas like the Windows directory or Program Files directory etc. since most malware is just trying to find as many vulnerable victims as possible and ignore hardened systems. It's certainly possible malware could be written to do that though. Real dangerous malware, like the kind the NSA or other state sponsored hacking organizations create, and not just script kiddie stuff, are going to use previously unknown zero-day vulnerabilities to get around security policies (such as the Windows AppLocker) rendering all of this useless against them. If you're being targeted specifically by the NSA though you're kinda just screwed at that point.

  • @gigiduru125 11 months ago

    straight fire

  • @666KoXz666 11 months ago

    Is there some discussion topic for this video? I have troubles with this. Few moments applocker was working for me, but now refuse to block anything.. even with deny rule.. I can't figure out why

    • @666KoXz666 11 months ago +2

      Solved. Problem was in AppIDSvc service. It had been set to "manual" but not starting.. Can't set it to automatic (access deny). Must force it from cmd "sc config AppIDSvc start=auto". Now it's ok

  • @DimitarQvorov 11 months ago

    Hi, I want to ask you something before setuping this applocker. Will it have any problems with my antivirus-BitDefender? Since bitdefender is already protecting the whole computer and runs its files in the background, I wanna ask if this tool will mess up and block BitDefender from properly working and doing its job? Since I have BitDefender Total I have a Firewall

    • @ThioJoe 11 months ago

      I had no problems using it with Bitdefender

    • @AaronSiegel001 3 months ago

      Same

  • @murphybrown32216 3 months ago

    how did you get to local group policy editor