Hi @ll,

more than 20 years ago Microsoft introduced the NTFS filesystem (supporting ACLs) and "user profiles" to separate user data (with emphasis on "data") from the OS and from each other.

More than 13 years ago Microsoft introduced "software restriction policies" alias SAFER.

JFTR:
| At least 85% of the targeted cyber intrusions that the Australian
                      ~~~~~~~~
| Signals Directorate (ASD) responds to could be prevented by
| following the Top 4 mitigation strategies listed in our Strategies
| to Mitigate Targeted Cyber Intrusions:
| #1 use application whitelisting to help prevent malicious software
|    and unapproved programs from running
...

More than 10 years ago Microsoft introduced "data execution prevention" alias DEP and enabled it by default.

JFTR:

Where is Windows' "self protection" right now?

Even today all (data) files created in the users' profiles, in the "%ProgramData%" directory as well as in almost all other "data" directories are still "executable": the NTFS-ACLs of all these directories, which are inherited by files and subdirectories created within them, include "execution" permission! And SAFER is still not enabled by default.

The immediate benefit of an NTFS-ACL without "execution" permission or of the default SAFER ruleset is: no (unintended) execution of files like invoice.pdf.exe etc. stored in "data" directories, so spreading malware to Windows would become utterly useless.

If you want to try "DEP in the filesystem" for yourself:

* add an NTFS-ACE (D;OIIO;WP;;;WD), meaning "Deny execution of files for everyone, inheritable to all files in all subdirectories", to your own %USERPROFILE% directory (or to all of them plus %ProgramData% if you have administrative rights).
  JFTR: "Deny" ACEs take precedence over "Allow" ACEs.

* enable the default SAFER ruleset, which allows execution (of *.exe) only in %SystemRoot%\ and %SystemRoot%\System32\, and of any executable file in %ProgramFiles%\ and below.
  For x64 you'll have to add rules for %SystemRoot%\SysWoW64\*.exe and %SystemRoot%\Sysnative\*.exe as well as %ProgramFiles(x86)%\.
  Cf. for instructions, or use the scripts for Windows XP (including embedded versions) and Server 2003, resp. for Windows Vista, 7 and 8 as well as Server 2008 [R2].

Then open the SPAM folder of your mail client, get one of the many "invoice.pdf.exe" your anti-virus fails to detect and "open" it.

regards
Stefan Kanthak

# Iranian Exploit DataBase = http://IeDb.Ir [2014-11-30]
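The first step of the procedure above (the ACE (D;OIIO;WP;;;WD)) as an added PowerShell example that is not part of the original post; the $Target and -Undo parameters are my own additions, and it assumes a Windows PowerShell session that may change the ACL of the directory (your own %USERPROFILE%, or an elevated session for other profiles and %ProgramData%):

```powershell
# Added example, not from the original post: apply the "deny execute" ACE
# (D;OIIO;WP;;;WD) to a directory, verify it in the resulting SDDL, and
# optionally remove it again with -Undo.
param(
    [string]$Target = $env:USERPROFILE,   # directory to protect (assumed default)
    [switch]$Undo                          # remove the ACE instead of adding it
)

# SDDL (D;OIIO;WP;;;WD) decoded:
#   D  = Deny ACE (Deny ACEs are evaluated before Allow ACEs)
#   OI = object inherit: propagates to files created below the directory,
#        and through subdirectories as an inherit-only ACE
#   IO = inherit only: not effective on the directory itself, so traversal
#        of the directory is not denied
#   WP = 0x20 = FILE_EXECUTE on files (FILE_TRAVERSE on directories)
#   WD = Everyone, i.e. the well-known SID S-1-1-0
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Deny
)

$acl = Get-Acl -Path $Target
if ($Undo) {
    $null = $acl.RemoveAccessRule($rule)
} else {
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Target -AclObject $acl

# Verify: the ACE must show up in the SDDL exactly as written in the post.
$sddl    = (Get-Acl -Path $Target).Sddl
$present = $sddl -match '\(D;OIIO;WP;;;WD\)'
if ($Undo) {
    if ($present) { throw "deny-execute ACE still present on $Target" }
    "deny-execute ACE removed from $Target"
} else {
    if (-not $present) { throw "deny-execute ACE not found on $Target" }
    "deny-execute ACE applied to $Target: files below it can no longer be executed"
}
```

The same ACE can be set from a command prompt with icacls, where X is execute/traverse and (OI)(IO) restricts it to files: icacls "%USERPROFILE%" /deny *S-1-1-0:(OI)(IO)(X). Programs that legitimately live in a profile (per-user installers, portable tools) will stop running too, which is exactly the point of the post, so test before rolling this out to all profiles.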