Jump to content

How can I prevent malware execution in specified folder ? ICACLS ?


Recommended Posts

I reserve for "unknown" files the folder E:\Guest-2-Host\

The contents of which I may wish to use after ensuring freedom from infection.

I have used CACLS on XP Home to relax access control in my favour.

I am not familiar with ICACLS in Windows 7 Ultimate and would like advice on restricting danger by malware within E:\Guest-2-Host\

I envisage applying access restrictions to the folder that will be inherited by all its contents whilst they reside inside.


My desktop uses Windows 7 Ultimate x64 and is running VirtualBox

The Guest contained by VirtualBox could be identical to the Host if based on yesterday's Macrium image backup,

or a non-identical Windows 7 or Windows XP


The Guest will be given "FULL" access to the shared folder V:\ so that it can place files in E:\Guest-2-Host\, subject to Desktop creation of V:\ by

SUBST V: E:\Guest-2-Host

Normally I will NOT create V:\ and "what happens in Guest stays in Guest" and never gets home to Host.

When I want to use the Guest to provide files for the Host I will first create V:\, and that opens the door for Guest Malware to enter the Host.


Access Controls are to be applied by the Desktop/Host and should prevent execution,

both by the Guest/malware and also by Host/me having a clicking accident.

Both Guest and Host should have Write and Delete access.

The Host must have read and copy access, but the Guest has no such need.

There seem to be several dozen flavours of access and rights and grants/denials and Explicit\Inherited.

I would appreciate advice on how to "lock down" potential malware as tightly as possible.


N.B. If the Desktop/Host needs "execute" or some other blocked access I expect to :-

confirm freedom from infection whilst within E:\Guest-2-Host\,

and then move/copy the file to a different folder with full inherited permissions.




Link to comment
Share on other sites

Thanks but I was hoping to have my ICACLS homework done for me :)


That article starts with RUNASIL and CMD.EXE gave no help with the DOS command "Runasil /?"

So I googled and found I have to download and install it - it is not part of Windows 7 installation.

It also appears to regulate WHAT a process or application can do, but not WHERE,

whilst I require both the Guest Operating System and the Host O.S. to have standard capabilities within their own boundaries,

BUT for both to be totally disarmed from all offensive capability in the "shared folder",

which is my "border zone quarantine area" where neither may activate or launch any executable or cause any damage.


I do not mind if the Guest gets infected whilst I use it for things I will not risk on my real Desktop,

and I do not mind if the Guest should deposit malware in the "Shared Folder",

but whatever enters must never be launched/activated/armed whilst in there.

After closing down the Guest then the Desktop can do a malware scan on the shared folder,

and then I can either copy or move selected files to another folder or drive which does permit execution.


The other tool I saw was CHML - something else to download. There was this link


That seems to be applicable to Folders and possibly my needs. It had several references to

No execute up: disabled

but never explained that phrase - is it the opposite of "Yes execute Down" ! !


I Googled "No Execute" and found that can be a nono with VMWare



I guess it could also be a problem with VirtualBox


That search also gave me



Since by default Windows launches processes under the Medium integrity level, user-mode malware running on the victim’s host will be prevented from accessing the file that was assigned the High integrity level.

That leaves me concerned that malware can elevate itself (I can read even what I do not understand B) )

so can malware get launched with High Integrity Level ?


CACLS I have used and can probably protect the shared folder.

ICACLS has more options to confuse me

I think both have explicit grant and explicit deny capability.


CHML seems to be very much simpler to configure

but I am concerned about whether some extra "explicit denials" would make me safer.




Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.