Weaver I agree but the core windows design is oblivious to that.
You have 3 wrappers on the windows OS as an example
rundll32
svchost
runonce
Malware can choose to access the internet via say rundll32 and bypass whitelist mitigations. This flaw has stayed in place from windows 95 to today I assume for backward compatibility reasons. Its very old legacy vulnerable code, to show how old it is, Microsoft still have to keep MS-DOS 8.3 filename support enabled on C: by default because rundll32 needs it.
Microsoft windows has an excellent whitelisting tool built in called applocker, its absolutely amazing. But only works on enterprise versions of windows as microsoft consider it a "corporate" feature. It was also enabled in windows 7 ultimate, but there is no ultimate for win8 and win10. SRP does the same (remember cryptolocker which uses it?) but SRP is no longer supported by microsoft, has some unresolved bugs and is less user friendlly to use. Applocker has a wizard which will scan your app directories and auto whitelist whats there.
I personally use all of the following, I currently have no a/v installed as I consider that very obsolete and ineffective practice. Although a/v that scans emails I still consider useful so it may get reinstalled at some point (my laptop still has a/v on top of what I list here).
Registry tweaks that do the following.
Disable SMBv1
Disable NTFS encryption (anti ransomware)
Disable powershell, vb scripts etc.
Prevent dll's from non system folders overiding system dll's.
DEP default on for 32bit processes (stock is default off, DEP is enforced on all 64bit processes regardless, so yes 64bit browsers are natively more secure than 32bit browsers)
ASLR, SEHOP enabled.
Also
Secure boot enabled
Anti exploit software currently I use hitman pro alert for this.
SRP whitelisted binaries policy as well as whitelised dll's this took a fair amount of time to configure, but it makes things very difficult for attackers.
Filter outbound traffic (windows default is to allow all silently).
My network via pfsense blocks traffic to known malware control ip's, compromised domains etc.
My network via pfsense enforces DNS queries via trusted DNS servers.
Whitelisting of binaries, dlls is clearly the way forward, but the industry will resist it as the security software market is huge, if the OS becomes secure, then the likes of ESET and kaspersky go out of business.
Even with whitelisting memory exploiting is becoming a bigger issue with every passing year, thats what exploit protection is for, the likes of DEP etc. are designed to mitigate the risk. These cpu exploits fall into this category.
Windows 10 has made some strides, Windows Defender (or whatever its called now), now implements exploit protection (based on what is in EMET), but has no proper whitelisting, which microsoft still see as a corporate only feature.
HIPS aiso an effective form of security (behaviour blocking), this is similar to what selinux does in linux. Currently windows has no native HIPS.
