7Zip exploit protection settings recommendation

[Nikos751]

Hello, are there any recommended 7Zip exploit protection settings for the program's executables in Windows 10 Fall Update? The only thing I can find is about EAF protection in EMET which is not compatible with Windows 10 anymore and I 'm seeking to find how to configure it in Exploit Protection Settings.
Thanks

 

[Deleted member 65228]

Try the following.

1. Force Control Flow Guard (CFG)
2. Force Data Execution Prevention (DEP)
3. Force Address Space Layout Randomisation (ASLR) -> enable for image randomisation and memory allocation randomisation
4. Disable system calls (Win32k)

Try it out for 7Zip only and if everything works well then it should be fine to leave it at that, I doubt you need to adjust anything else. In fact, #1 and #4 isn't really necessary at all and 7Zip already has DEP enabled (from compilation). There must be a reason as to why 7Zip doesn't have ASLR enabled by default (not the version I'm using at-least) so it may cause a problem.

Despite me mentioning all of the above, I highly recommend you don't touch the Exploit Protection Settings at all unless you really know what you are doing (and since you asked what to change for 7Zip I doubt you are familiar with these settings - what the features are for and how they actually work - knowledge on the topics) because it can be very easy to break software by messing with the settings and if you don't know what you are doing then you won't necessarily know the cause/solution.

I hope you manage to figure out how to do what you are trying to do, be cautious with it.

 

[Nikos751]

Try the following.

1. Force Control Flow Guard (CFG)
2. Force Data Execution Prevention (DEP)
3. Force Address Space Layout Randomisation (ASLR) -> enable for image randomisation and memory allocation randomisation
4. Disable system calls (Win32k)

Try it out for 7Zip only and if everything works well then it should be fine to leave it at that, I doubt you need to adjust anything else. In fact, #1 and #4 isn't really necessary at all and 7Zip already has DEP enabled (from compilation). There must be a reason as to why 7Zip doesn't have ASLR enabled by default (not the version I'm using at-least) so it may cause a problem.

Despite me mentioning all of the above, I highly recommend you don't touch the Exploit Protection Settings at all unless you really know what you are doing (and since you asked what to change for 7Zip I doubt you are familiar with these settings - what the features are for and how they actually work - knowledge on the topics) because it can be very easy to break software by messing with the settings and if you don't know what you are doing then you won't necessarily know the cause/solution.

I hope you manage to figure out how to do what you are trying to do, be cautious with it.

Thanks for the analytical answer! Is there any way to check what are the default protections enabled for the 7zip exe's? I don't see them in the program settings list, this was a reason I seeked for custom settings.

 

[Deleted member 65228]

Thanks for the analytical answer! Is there any way to check what are the default protections enabled for the 7zip exe's? I don't see them in the program settings list, this was a reason I seeked for custom settings.

Use Process Hacker -> Properties of the process -> General tab -> Mitigation policies.

E.g.

Notice how there are mitigation policies enforced which can be forced by the new Windows Exploit Protection; I am not on the latest Creators Update yet though. I used Google Chrome as the example, its sandbox is responsible for enabling those mitigation policies.

 

[Andy Ful]

Hello, are there any recommended 7Zip exploit protection settings for the program's executables in Windows 10 Fall Update? The only thing I can find is about EAF protection in EMET which is not compatible with Windows 10 anymore and I 'm seeking to find how to configure it in Exploit Protection Settings.
Thanks

Three mitigations did not work for me: Arbitrary code guard (ACG), Code integrity guard, Disable Win32k system calls.
.
You can allow 7zFM.exe and 7zG.exe:
Block low integrity images, Block remote images, Block untrusted fonts, Control flow guard (CFG but not strict CFG), Data Execution Prevention + ATL (DEP), Disable extension points, Do not allow child processes (but then no execution from archive), Export address filtering (EAF), Import address filtering (IAF), Force randomization for images (Mandatory ASLR), Force randomization for images (Mandatory ASLR, do not tick the checkbox below), Randomize memory allocations (Bottom-Up ASLR with high entropy, do not tick the checkbox below in 64-bit Windows), Simulate execution (SimExec), Validate API invocation (CallerCheck), Validate exception chains (SEHOP), Validate handle usage, Validate heap integrity, Validate image dependency integrity, Validate stack integrity (StackPivot).
.
That was a quick test - if something will cause problems then let me know.
.
Edit1
The above mitigations work well in Explorer right-click context menu for 7-zip options, when opening archiwe to view the file list (but not file content), creating archive, adding new files, delete files from it, or decompressing it. If someone wants to do more (viewing the contents of files, viewing/editing the contents of files, running files) then the mitigation 'Do not allow child processes' should be set to OFF.
.
Edit2
If someone uses external File Manager (for example Total Commander) then it will not probably use 7zFM.exe to open archives but 7zG.exe or one of 7-Zip DLLs (7zip.dll, 7-zip.dll or 7-zip32.dll).

 

[Lzx32]

If i'm not wrong, CFG cannot be forced (on) if binary is not properly compiled to support such mitigation...

Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled.
CFG can be built into applications [...] using Visual Studio 2015

An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled.
Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled...

So how does CFG work?
In simplistic terms, at compile time there is a bit map table built of all the legitimate target locations the code can jump too...

To sum up:
binary A is NOT compiled with CFG in mind = NO bitmap table = NO CFG on (for that process despite a system-aware OS)

 

[Andy Ful]

If i'm not wrong, CFG cannot be forced (on) if binary is not properly compiled to support such mitigation...

You are not wrong.

 

[Nikos751]

Three mitigations did not work for me: Arbitrary code guard (ACG), Code integrity guard, Disable Win32k system calls.
.
You can allow 7zFM.exe and 7zG.exe:
Block low integrity images, Block remote images, Block untrusted fonts, Control flow guard (CFG but not strict CFG), Data Execution Prevention + ATL (DEP), Disable extension points, Do not allow child processes (but then no execution from archive), Export address filtering (EAF), Import address filtering (IAF), Force randomization for images (Mandatory ASLR), Force randomization for images (Mandatory ASLR, do not tick the checkbox below), Randomize memory allocations (Bottom-Up ASLR with high entropy, do not tick the checkbox below in 64-bit Windows), Simulate execution (SimExec), Validate API invocation (CallerCheck), Validate exception chains (SEHOP), Validate handle usage, Validate heap integrity, Validate image dependency integrity, Validate stack integrity (StackPivot).
.
That was a quick test - if something will cause problems then let me know.
.
Edit1
The above mitigations work well in Explorer right-click context menu for 7-zip options, when opening archiwe to view the file list (but not file content), creating archive, adding new files, delete files from it, or decompressing it. If someone wants to do more (viewing the contents of files, viewing/editing the contents of files, running files) then the mitigation 'Do not allow child processes' should be set to OFF.
.
Edit2
If someone uses external File Manager (for example Total Commander) then it will not probably use 7zFM.exe to open archives but 7zG.exe or one of 7-Zip DLLs (7zip.dll, 7-zip.dll or 7-zip32.dll).

I enabled only the two ASLR options for an optimal solution. Thank you.

 

[Andy Ful]

I enabled only the two ASLR options for an optimal solution. Thank you.

I did not analyze the 7-Zip vulnerabilities, so I can not advise you what is the optimal solution. With all mitigations mentioned by me, 7-Zip worked without slowdown or crashes. Personally, I also ticked the mitigation 'Do not allow child processes' because I do not use the editing/viewing/running from the archive. We will see how it will work.
Anyway, if you are using the updated version of 7-Zip, then you probably do not have to do anything special, because in Windows 10 some important mitigations are turned on by default and the 7-Zip developer removed the known bugs. Also, ESET has some anti-exploit capabilities.

 

[Nikos751]

I did not analyze the 7-Zip vulnerabilities, so I can not advise you what is the optimal solution. With all mitigations mentioned by me, 7-Zip worked without slowdown or crashes. Personally, I also ticked the mitigation 'Do not allow child processes' because I do not use the editing/viewing/running from the archive. We will see how it will work.
Anyway, if you are using the updated version of 7-Zip, then you probably do not have to do anything special, because in Windows 10 some important mitigations are turned on by default and the 7-Zip developer removed the known bugs. Also, ESET has some anti-exploit capabilities.

I used the word "optimal" in a more loose way. Thanks for sharing your knowledge!

 

[Av Gurus]

Three mitigations did not work for me: Arbitrary code guard (ACG), Code integrity guard, Disable Win32k system calls.
.
You can allow 7zFM.exe and 7zG.exe:
Block low integrity images, Block remote images, Block untrusted fonts, Control flow guard (CFG but not strict CFG), Data Execution Prevention + ATL (DEP), Disable extension points, Do not allow child processes (but then no execution from archive), Export address filtering (EAF), Import address filtering (IAF), Force randomization for images (Mandatory ASLR), Force randomization for images (Mandatory ASLR, do not tick the checkbox below), Randomize memory allocations (Bottom-Up ASLR with high entropy, do not tick the checkbox below in 64-bit Windows), Simulate execution (SimExec), Validate API invocation (CallerCheck), Validate exception chains (SEHOP), Validate handle usage, Validate heap integrity, Validate image dependency integrity, Validate stack integrity (StackPivot).
.
That was a quick test - if something will cause problems then let me know.
.
Edit1
The above mitigations work well in Explorer right-click context menu for 7-zip options, when opening archiwe to view the file list (but not file content), creating archive, adding new files, delete files from it, or decompressing it. If someone wants to do more (viewing the contents of files, viewing/editing the contents of files, running files) then the mitigation 'Do not allow child processes' should be set to OFF.
.
Edit2
If someone uses external File Manager (for example Total Commander) then it will not probably use 7zFM.exe to open archives but 7zG.exe or one of 7-Zip DLLs (7zip.dll, 7-zip.dll or 7-zip32.dll).

This settings should be applied for both 7zFM.exe and 7zG.exe?

 

[Andy Ful]

This settings should be applied for both 7zFM.exe and 7zG.exe?

Yes.

 

[Av Gurus]

Like this is OK?

 

[Lzx32]

a lot of chaos!

CFG can NOT be forced on if binary is not properly compiled to support such mitigation (see also above).
7zFM image is lacking the proper bitmap table so, if you force this mitigation via WDEG, you got just a useless flag attached to the process.

SimExec,CallerCheck: they support only 32bit image so, if you try to apply them to 64bit image, they are useless as CFG in the exemple above.


In short, nothing prevents you from activating all the mitigations for a process but it is not sure that all of them are really active as some depend on other factors (sorry for my poor english, i hope you understand anyway).


------------------------
CFG = Anti-ROP mitigation ≅ SimExec(32bit only!)+StackPivot+CallerCheck(32bit only!)

Eg:
IE → CFG aware → it's useless to force SimExec+StackPivot+CallerCheck via WDEG since CFG performs better the same function...

 

[Andy Ful]

a lot of chaos!

CFG can NOT be forced on if binary is not properly compiled to support such mitigation (see also above).
7zFM image is lacking the proper bitmap table so, if you force this mitigation via WDEG, you got just a useless flag attached to the process.

SimExec,CallerCheck: they support only 32bit image so, if you try to apply them to 64bit image, they are useless as CFG in the exemple above.


In short, nothing prevents you from activating all the mitigations for a process but it is not sure that all of them are really active as some depend on other factors (sorry for my poor english, i hope you understand anyway).


------------------------
CFG = Anti-ROP mitigation ≅ SimExec(32bit only!)+StackPivot+CallerCheck(32bit only!)

Eg:
IE → CFG aware → it's useless to force SimExec+StackPivot+CallerCheck via WDEG since CFG performs better the same function...

That is right. But, the newer 7-ZIP versions may use CFG. Also, there are 32-bit software versions. The one setup for many program versions/compilations (if possible) makes things simpler.
But of course, things are different, if the flag is unnecessary (in some program version) and also can conflict with something! If someone will find out such conflict, please let me know.

 

[Andy Ful]

Like this is OK?

View attachment 174451 View attachment 174452 View attachment 174453 View attachment 174454 View attachment 174455 View attachment 174456 View attachment 174457

Yes. You can untick the Audit checkboxes.

 

[Av Gurus]

Audit is for monitoring in Event Viewer or not?

 

[Andy Ful]

Audit is for monitoring in Event Viewer or not?

Audit = do not block and monitor.
Both Block and Audit are monitored, but related to different events.
Apply mitigations to help prevent attacks through vulnerabilities

 

[DeepWeb]

Do these changes do anything? Running Process Explorer, it seems that nothing has changed.

 

[Andy Ful]

Do these changes do anything? Running Process Explorer, it seems that nothing has changed.

Try to run a compressed EXE from within the archive.