Default deny for all programs

[mojo]

Is there any way to set Windows to by default deny execution of all programs, until the user confirms each one?

 

When you download a program with IE, the first time you run it you get a message box with publisher information and it asks you if you really want to run the program. There is a tick box to remember your choice.

 

If you could make this action the default for all programs, installed via CD, via downloads in Firefox or whatever, it would make it much harder for viruses and spyware to get in.

 

I search on Google and in the MS knowledge base but there does not seem to be a way of doing it. IE must do something special to the files it downloads.

[Andavari]

I don't know how it could be done as of yet, however a different approach is to use a Sandbox program sort of like Sandbox IE, but for every executible if such a thing even exists -- you'd probably have to write such an application.

 

Whatsmore there'd have to be some sort of allowed/protected/expected defaults built-in such as those for Explorer.exe and other OS related files that must work without interruption. In the meantime Sunbelt Kerio Personal Firewall 4 - fully functional 30 day trial and paid version has some application protection built in, however it's not even close to what you've described.

[Eldmannen]

Sounds cool, even though it could be an inconvience. But sometimes for security you have to sacriface some convience.

 

You can auto-scan downloads for viruses, you can also configure your computer not to automatically run files on CD when inserted.

 

And if you're serious about security, try a different operating system...

[Andavari]

There is one way of "increasing" security on XP, it's called Data Execution Prevention. You can make sure it's enabled by doing the following:

1. Right click My Computer and select Properties.

2. Click the Advanced tab.

3. Under Performance click the Settings button.

4. In Performance Options click the Data Execution Prevention tab.

5. Select a type of DEP depending upon your processor.

 

Screenshot:

[mojo]

Thanks for the responses, guys.

 

Looks like there is no way to enable this feature for all executables, which is a shame. It would be very handy, to say the least.

 

Some good tips though. DEP isn`t a bad idea and having a firewall really helps keep on top of what programs are accessing the internet. One other handy tool is Port Explorer, which shows you active network connections.

[Eldmannen]

Never knew about that DEP feature...

[Andavari]

Never knew about that DEP feature...

 

25051[/snapback]

 

 

 

I can't remember for sure but I think Windows XP Service Pack 2 installs it. It's enabled by default, which makes me believe some downloads such as MS AntiSpyware have a warning dialog about the .exe being from another computer, etc.

[lokoike]

I can't remember for sure but I think Windows XP Service Pack 2 installs it.

Yes, DEP is part of SP2. However, you can't fully take advantage of DEP unless your processor supports it. New processors do, but procs that are 2 or more years old most likely don't. For example, I have an AMD Athlon XP-M 2200+ (new at one time ) and it does not support DEP.

 

As far as choosing if an app should run or not, I use ZoneAlarm Pro 6.1.737 with Program Control set to High and SmartDefense Advisor set to Manual, and it prompts me for just about anything. Of course, after you make the initial decisions about which programs should run, you can have it perform the same action every time, but it is all up to you. That is why I like it so much. And I never get viruses, and rarely get spyware. If you want full control over your computer, you may want to give ZoneAlarm a try. They also offer a free version.

[Andavari]

Sunbelt Kerio Personal Firewall has something similiar I think; application execution protection or something along those lines, however I don't really think it's necessary for a firewall and should be more of an anti-virus like task.