Serious Discussion Any replacements for Microsoft Defender Exploit Protection?

Victor M

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Hi @Rita , That was an interesting video. Thanks.

However, it shows the Kaspersky for Server edition. I have heard different things about protections offered by different editions of a product. Some say that the same protection is available in all editions. Some say you have to specifically buy a certain edition to get a certain protection feature. I tend to believe the latter. What does everybody have to say about that?

In my case, I have Kaspersky Premium.

Anyways, the red team test their tools against common AV's before deploying them. So the chances are great that Kaspersky will fail.
 
Last edited:
  • Like
Reactions: Nevi
Sandbox Breaker

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
You need more layers and to be holistic. You can't teach that.

I've setup windows xp laptops for fun and still red teams were rage quitting 😅

Their words were, it's unfair as we cannot even communicate with the targets. I said Find a way. Little do they know that windows firewall kicked their butts due to my policies. They couldn't even get to execution or exploitation.
 
Victor M

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Hi @Sandbox Breaker ,
Sandbox Breaker said:
I've setup windows xp laptops for fun and still red teams were rage quitting
Click to expand...
It's great to be in your shoes.

Unfortunately my red team don't know the word 'quit'.

Since we are talking about firewalls, what do you think of this config: Setup Idea - Default Deny Windows Firewall setup How To

There Are other layers in my defenses. But the whole point of this test is to test the abilities of OpenEDR and it's included Comodo Internet Security. I don't like Comodo's firewlall policy and have replaced with the above and added MalwareBytes' Anti-exploit. But I have kept their other protections. And their sales person is pitching me to upgrade to their 'advanced' package. I queried their support about the ability to detect and stop Metasploit's shell Meterpreter on friday, they have kicked the query to the advanced team, but they haven't responded yet.
 
Last edited:
Sandbox Breaker

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
Victor M said:
Hi @Sandbox Breaker ,

It's great to be in your shoes.

Unfortunately my red team don't know the word 'quit'.

Since we are talking about firewalls, what do you think of this config: Setup Idea - Default Deny Windows Firewall setup How To

There Are other layers in my defenses. But the whole point of this test is to test the abilities of OpenEDR and it's included Comodo Internet Security. I don't like Comodo's firewlall policy and have replaced with the above and added MalwareBytes' Anti-exploit. But I have kept their other protections. And their sales person is pitching me to upgrade to their 'advanced' package. I queried their support about the ability to detect and stop Metasploit's shell Meterpreter on friday, they have kicked the query to the advanced team, but they haven't responded yet.
Click to expand...
Advice isn't free. I hope you succeed in your project.
 
Victor M

Victor M

Level 8
Thread author
Verified
Well-known
Oct 3, 2022
380
Sandbox Breaker said:
Advice isn't free
Click to expand...
Well, I look at it this way - at my age, if you don't teach, you are going to take it to your grave, or forget half of it after you retire. You just take walks with your dog and watch TV. Unless you plan to go back to school and get that Masters degree to keep your mind young. That's should not be taken to mean that my advice is always the best approach.
 
Last edited:
  • Like
  • Hundred Points
Reactions: Nevi and Jonny Quest
Sandbox Breaker

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
Victor M said:
Well, I look at it this way - at my age, if you don't teach, you are going to take it to your grave, or forget half of it after you retire. You just take walks with your dog and watch TV. Unless you plan to go back to school and get that Masters degree to keep your mind young. That's should not be taken to mean that my advice is always the best approach.
Click to expand...
I don't know your age. :ROFLMAO: I'm sure others will help.
 
Xeno1234

Xeno1234

Level 14
Jun 12, 2023
699
Victor M said:
Hi @Rita , That was an interesting video. Thanks.

However, it shows the Kaspersky for Server edition. I have heard different things about protections offered by different editions of a product. Some say that the same protection is available in all editions. Some say you have to specifically buy a certain edition to get a certain protection feature. I tend to believe the latter. What does everybody have to say about that?

In my case, I have Kaspersky Premium.

Anyways, the red team test their tools against common AV's before deploying them. So the chances are great that Kaspersky will fail.
Click to expand...
Business protection (besides Adaptive Anomaly Control) doesnt differ from the home protection - according to someone who I talked to understands K alot.
 
F

ForgottenSeer 93475

Victor M said:
Hi @Rita , That was an interesting video. Thanks.

However, it shows the Kaspersky for Server edition. I have heard different things about protections offered by different editions of a product. Some say that the same protection is available in all editions. Some say you have to specifically buy a certain edition to get a certain protection feature. I tend to believe the latter. What does everybody have to say about that?

In my case, I have Kaspersky Premium.

Anyways, the red team test their tools against common AV's before deploying them. So the chances are great that Kaspersky will fail.
Click to expand...
Hi @Victor M
It's present equally in all Kaspersky products. Enterprise versions may have additional controls, but the basic protection is the same

How to enable and configure Automatic Exploit Prevention in Kaspersky Internet Security 20

Learn how to use Kaspersky Internet Security 20 to protect your computer against malware that exploits application and operating system vulnerabilities.
support.kaspersky.com support.kaspersky.com

Enable or disable exploit protection

support.kaspersky.com support.kaspersky.com

Exploit Prevention | Kaspersky

This technology reveals and blocks in real time the malware's attempts to benefit from software vulnerabilities.
www.kaspersky.com
 
Last edited by a moderator:
  • Like
Reactions: simmerskool and Nevi
F

ForgottenSeer 93475

Also, any program, no matter how powerful, may fail because there is no complete protection, but I do not think it is a good idea to assume a high failure rate for either Kaspersky or other protection programs before testing
 
  • Like
Reactions: simmerskool, Sandbox Breaker and Nevi
danb

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
Victor M said:
Hi @SpyNetGirl ,

We meet again. My other layers of protection currently on that box is some hardened/disabled services, SRP, and some group policy items. The main defenses are Comodo's Internet Security which is packaged and free from OpenEDR, and Cyber Lock. This configuration is deployed because I want to test out the recommended configuration of OpenEDR. The Cyber Lock piece is a protection that I always deploy so I left it on.

I tried to deploy MS Security Baseline also but it conflicts with Comodo - system won't boot. I think it is due to one group policy item which disallows turning off Windows Defender. I will try again tomorrow and disable that item and see if that works.

Does it take a long time to understand how to use your hardening?
Click to expand...
You probably already know this, but please make sure you disable the option "Automatically deactivate after 10 minutes of system idle" in CyberLock Settings / Basic tab prior to the red team testing. CyberLock is designed to protect the endpoint while the user is engaging in risky activities, so we left this option on by default. We should probably automatically disable this option after 2-4 weeks, or prompt the user to see if they would like to disable this option at that time. Also, please remember when testing CyberLock, to reset the whitelist when retesting a certain attack.

I would also like to mention that locking the endpoint down to the point where it is completely unusable is actually the easy part. The difficult part is to lock the endpoint down as tightly as possible, WHILE making it user-friendly enough to actually be able to use. For example, could you imagine if a military department was at war and they were unable to execute software necessary to complete their mission?

A wise women once asked me a simple question with an analogy while trying to make a point about security in general. Here question was "What is the best exercise equipment? (e.g. Bowflex, Peloton). Her answer was simply... "It is the one that you use".
 
  • Like
  • +Reputation
Reactions: simmerskool, oldschool and Jonny Quest

Similar threads

R
    • Like
AI Assist Default Exploit Protection Settings in Windows 11
Replies
1
Views
122
AI-Powered Dedicated Forum
Bot
Bot
S
New Microsoft guidance for the DoD Zero Trust Strategy
Replies
1
Views
151
Microsoft Defender
Bot
Bot
Tiamati
    • Like
Question "system override" in Windows exploit protection
Replies
2
Views
1,255
Windows 10
Azazel
Azazel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top