Guide to Tweak of built-in Exploit protection in Windows Security

[ForgottenSeer 85179]

Anyone play with ChromiumEdge Anti-Exploit settings?

From Umbra i get the following:
(for msedge.exe & MicrosoftEdgeCP.exe)

ACG (off)*
BLII (on)
BRI (on)
BUF (on)
CIG (off)* - loading (off) this setting can be turned ON if you use ChromEdge, however don't run it in 3rd party sandbox if you do enable it.
CFG (on) - Strict (Off)*
DEP (on) - ATL (on)
Dep (on)
Win32k (off)*
Child Process (off)
EAF (off)*
Mandatory ASLR (on) - Stripped (on)
IAF (off)*
BottomUp ASLR (on)
SimExec (off)*
CallerCheck (off)*
SEHOP (on)
VHU (on)
VHI (on)
VIDI (on)
StackPivot (off)

(* will break Chrome or extensions)

But these are maybe not up2date anymore

 

[oldschool]

I'm using the same. if something breaks, I fix it.

 

[Lenny_Fox]

Guys, please .... this can not be true .... does a junior member of this forum has to explain something so important to seasoned forum members?

How many times has Tavis Ormandy ranted against Antivirus vendors hooking or injecting DLL's into Google's browser (because the injected DLL, opened a hole as big as the Golden Gate bridge into the low and untrusted integrity level sandbox of Google)?

How many times have experienced members posted security news of Tavis Ormandy finding again a security hole in an anti-virus solution? Often the AV-companies hooking or injecting Google's browser! Have you ever wondered why would Google spend scarce security resources in investigating third-party software? Exactly to proof Google's (Tavis) point about AV companies punching holes in the browsers security architecture!

How many times has Google threatened to start blocking third-party DLLs into their browser (but they did not had the guts to implement it yet).

Now Microsoft provides an option to ONLY load MICROSOFT SIGNED DLL's into Edge and your advise is to DISABLE the CODE INTEGRITY GUARD?


So for anyone using Windows Defender as antivirus or using a smart third-party antivirus which does not touch Chrome (like Kaspersky Free): ENABLE the CODE INTEGRITY GUARD for EDGE

 

[Andy Ful]

Code Integrity Guard is already implemented in Edge (native and Chromium). It can be disabled via Windows Policies:

"RendererCodeIntegrityEnabled

Enable renderer code integrity

Supported versions:

• On Windows since 78 or later

Description
If this policy is enabled or left unset, then Renderer Code Integrity is enabled. This policy should only be disabled if compatibility issues are encountered with third party software that must run inside Microsoft Edge's renderer processes.

Disabling this policy has a detrimental effect on Microsoft Edge's security and stability because unknown and potentially hostile code will be allowed to load inside Microsoft Edge's renderer processes."

Microsoft Edge Browser Policy Documentation

Windows and Mac documentation for policies supported by Microsoft Edge.

docs.microsoft.com

See also point 24 in the article below:

Still have Windows 7? 32 Security Reasons to Move to Windows 10

How important is it to upgrade from Windows 7 before it reaches end of life? Learn about the many ways Windows 10 can improve enterprise security now.

www.sentinelone.com

This mitigation conflicted for some time with Symantec antivirus:

Edge Beta broken since latest Windows 10 1803 / Microsoft Edge update

Since the last Windows 10 1803 update 10 10.0.17134 and Microsoft Edge update 1.3.111.43, Microsoft Edge Beta no longer works. On launch, whether running as..

techcommunity.microsoft.com

It is an important mitigation in Edge:

"Wrapping up the renderer exploit

Getting code execution in Microsoft Edge renderer is a bit more involved in contrast to other browsers since Microsoft Edge browser employs mitigations known as Arbitrary Code Guard (ACG) and Code Integrity Guard (CIG). Nevertheless, there is a way to bypass ACG. Having an arbitrary read-write primitive it is possible to find the stack address, setup a fake stack frame and divert code execution to the function of choice by overwriting the return address. This method was chosen to execute the sandbox escape payload."

Pwn2Own 2019: Microsoft Edge Renderer Exploitation (CVE-2019-0940). Part 1 - Exodus Intelligence

By Arthur Gerkis This year Exodus Intelligence participated in the Pwn2Own competition in Vancouver. The chosen target was the Microsoft Edge browser and a full-chain browser exploit was successfully demonstrated. The exploit consisted of two parts: renderer double-free vulnerability exploit...

blog.exodusintel.com

 

[Lenny_Fox]

Code Integrity Guard is already implemented in Edge (native and Chromium). It can be disabled via Windows Policies:

"RendererCodeIntegrityEnabled

Enable renderer code integrity

Supported versions:

• On Windows since 78 or later

Description
If this policy is enabled or left unset, then Renderer Code Integrity is enabled. This policy should only be disabled if compatibility issues are encountered with third party software that must run inside Microsoft Edge's renderer processes.

Disabling this policy has a detrimental effect on Microsoft Edge's security and stability because unknown and potentially hostile code will be allowed to load inside Microsoft Edge's renderer processes."

Microsoft Edge Browser Policy Documentation

Windows and Mac documentation for policies supported by Microsoft Edge.

docs.microsoft.com

See also point 24 in the article below:

Still have Windows 7? 32 Security Reasons to Move to Windows 10

How important is it to upgrade from Windows 7 before it reaches end of life? Learn about the many ways Windows 10 can improve enterprise security now.

www.sentinelone.com

This mitigation conflicted for some time with Symantec antivirus:

Edge Beta broken since latest Windows 10 1803 / Microsoft Edge update

Since the last Windows 10 1803 update 10 10.0.17134 and Microsoft Edge update 1.3.111.43, Microsoft Edge Beta no longer works. On launch, whether running as..

techcommunity.microsoft.com

It is an important mitigation in Edge:

"Wrapping up the renderer exploit

Getting code execution in Microsoft Edge renderer is a bit more involved in contrast to other browsers since Microsoft Edge browser employs mitigations known as Arbitrary Code Guard (ACG) and Code Integrity Guard (CIG). Nevertheless, there is a way to bypass ACG. Having an arbitrary read-write primitive it is possible to find the stack address, setup a fake stack frame and divert code execution to the function of choice by overwriting the return address. This method was chosen to execute the sandbox escape payload."

Pwn2Own 2019: Microsoft Edge Renderer Exploitation (CVE-2019-0940). Part 1 - Exodus Intelligence

By Arthur Gerkis This year Exodus Intelligence participated in the Pwn2Own competition in Vancouver. The chosen target was the Microsoft Edge browser and a full-chain browser exploit was successfully demonstrated. The exploit consisted of two parts: renderer double-free vulnerability exploit...

blog.exodusintel.com

Yep but with wd exploit protection you also add that to the broker, not only renderer process.

 

[Andy Ful]

Yep but with wd exploit protection you also add that to the broker, not only renderer process.

Does Edge Chromium need a broker?

 

[DDE_Server]

Guys, please .... this can not be true .... does a junior member of this forum has to explain something so important to seasoned forum members?

How many times has Tavis Ormandy ranted against Antivirus vendors hooking or injecting DLL's into Google's browser (because the injected DLL, opened a hole as big as the Golden Gate bridge into the low and untrusted integrity level sandbox of Google)?

How many times have experienced members posted security news of Tavis Ormandy finding again a security hole in an anti-virus solution? Often the AV-companies hooking or injecting Google's browser! Have you ever wondered why would Google spend scarce security resources in investigating third-party software? Exactly to proof Google's (Tavis) point about AV companies punching holes in the browsers security architecture!

How many times has Google threatened to start blocking third-party DLLs into their browser (but they did not had the guts to implement it yet).

Now Microsoft provides an option to ONLY load MICROSOFT SIGNED DLL's into Edge and your advise is to DISABLE the CODE INTEGRITY GUARD?


So for anyone using Windows Defender as antivirus or using a smart third-party antivirus which does not touch Chrome (like Kaspersky Free): ENABLE the CODE INTEGRITY GUARD for EDGE


View attachment 236282

Hi @Lenny_Linux this forum is created to discuss that Exploit protection techniques not to make a guide. i didn't introduce any guide or tutorial here but hear opinions of our geek here.
happy to learn from you also and i learned few thing from you also

 

[SeriousHoax]

like Kaspersky Free

Are you sure about this? I know Emsisoft doesn't inject dll into browsers. Even Kaspersky free version by default injects script into browsers, scans HTTPS connections and even disabling those don't stop it from injecting dlls I think mainly to block malicious sites in browsers. Can anyone check and verify this?

 

[Lenny_Fox]

Does Edge Chromium need a broker?

The broker, is in broad terms, a privileged controller/supervisor of the activities of the sandboxed processes, quote from ...

Sandbox

The renderer processes are the untrusted level processes

 

[silversurfer]

Are you sure about this? I know Emsisoft doesn't inject dll into browsers. Even Kaspersky free version by default injects script into browsers, scans HTTPS connections and even disabling those don't stop it from injecting dlls I think mainly to block malicious sites in browsers. Can anyone check and verify this?

Edge-Chromium with enabled "Code Integrity Guard" running fine here alongside KSC free & KIS (both version 2020), so maybe in this case there isn't any injections(.dll) into Edge-Chromium or just isn't fully supported by Kaspersky for now and may will be in upcoming version K2021...

 

[oldschool]

Edge-Chromium with enabled "Code Integrity Guard" running fine here alongside KSC free & KIS (both version 2020),

Same here with BD Free.

 

[Andy Ful]

Edge-Chromium with enabled "Code Integrity Guard" running fine here alongside KSC free & KIS (both version 2020), so maybe in this case there isn't any injections(.dll) into Edge-Chromium or just isn't fully supported by Kaspersky for now and may will be in upcoming version K2021...

Similarly to Symantec antivirus, Kaspersky and other popular vendors probably sign properly the DLLs to be compatible with Edge CIG.

Edge Beta broken since latest Windows 10 1803 / Microsoft Edge update

Since the last Windows 10 1803 update 10 10.0.17134 and Microsoft Edge update 1.3.111.43, Microsoft Edge Beta no longer works. On launch, whether running as..

techcommunity.microsoft.com

 

[Andy Ful]

The broker, is in broad terms, a privileged controller/supervisor of the activities of the sandboxed processes, quote from ...

Sandbox

The renderer processes are the untrusted level processes

I asked the question about a broker because Edge Chromium often does not use additional executables for broker processes. On the contrary, native Edge always uses special executables like Browser_Broker.exe and RuntimeBroker.exe .
Of course, AppContainer and Chromium Sandbox have to use brokers to perform privileged operations (usually with standard rights).
Anyway, the Control Integrity Guard mitigation implemented by default in Edge Chromium protects the processes in the Sandbox and also the brokers from the attacks initiated from the Sandbox.
There is no need to apply CIG via Exploit protection to protect Edge, except when the system is already infected. In such a case, the broker can be exploited by the malware already running in the system. Applying CIG also to brokers can produce software incompatibilities, for example with some device drivers. But, if this is not a case, then it can be additional anti-exploit protection.

 

[ForgottenSeer 85179]

I asked the question about a broker because Edge Chromium usually does not use additional executables for broker processes. On the contrary, native Edge always uses special executables like Browser_Broker.exe and RuntimeBroker.exe .
Of course, AppContainer and Chromium Sandbox have to use brokers to perform privileged operations (usually with standard rights).
Anyway, the Control Integrity Guard mitigation implemented by default in Edge Chromium protects the processes in the Sandbox and also the brokers from the attacks initiated from the Sandbox.
There is no need to apply CIG via Exploit protection to protect Edge, except when the system is already infected. In such a case, the broker can be exploited by the malware already running in the system. Applying CIG also to brokers can produce software incompatibilities, for example with some device drivers. But, if this is not a case, then it can be additional anti-exploit protection.

So which are your exploit recommendations then for (new) Edge?

 

[Andy Ful]

So which are your exploit recommendations then for (new) Edge?

I did not research this topic, yet. I can recommend using Edge with additional mitigations (also CIG via Exploit protection) for the separate Edge browser used only for banking. So, one can add as many mitigations as possible without breaking the banking website.

 

[SeriousHoax]

Similarly to Symantec antivirus, Kaspersky and other popular vendors probably sign properly the DLLs to be compatible with Edge CIG.

Edge Beta broken since latest Windows 10 1803 / Microsoft Edge update

Since the last Windows 10 1803 update 10 10.0.17134 and Microsoft Edge update 1.3.111.43, Microsoft Edge Beta no longer works. On launch, whether running as..

techcommunity.microsoft.com

I just tested Eset with both the new and old Edge and it's working fine with Code Integrity Guard manually enabled. Just a month ago I used to get multiple errors but it's not the case anymore. So, you're right I think. Kaspersky, Bitdefender, Eset, Symantec, other popular vendors have made their DLLs compatible with Edge CIG

 

[Lenny_Fox]

There is no need to apply CIG via Exploit protection to protect Edge, except when the system is already infected.

Relating the use of CIG to being infected ?????????????????????????????????????? CIQ extends this added protection from renderer processes only to all msedge process instances. This reply makes no sense to me, so let's agree to disagree.

I asked the question about a broker because Edge Chromium usually does not use additional executables for broker processes

Edge-chromium is based on Chromium, that is why I linked to the official Google documentation about Chromium's architecture (with medium IL broker). When Google says Chrome has a broker process, I assume most chromium based browsers follow this architecture (with first instance launched being the broker process).

Applying CIG also to brokers can produce software incompatibilities, for example with some device drivers

Are not most drivers co-signed by Microsoft and does not Edge being an App has to confine to the Windows S requirements? Link: Windows 10 in S mode Driver Requirements - Windows drivers

 

[Andy Ful]

Relating the use of CIG to being infected ?????????????????????????????????????? CIQ extends this added protection from renderer processes only to all msedge process instances. This reply makes no sense to me, so let's agree to disagree.

Ha, ha. I meant that if you do not apply CIG via Exploit protection, then Edge can be more vulnerable, but the system has to be first infected by something else which next wants to attack the Edge. In other words, Edge will not be a source of infection, but rather a victim of already infected system. Furthermore, the malware usually has to get the ability to exploit the Edge broker to interact with the sandboxed area.

...
Are not most drivers co-signed by Microsoft and does not Edge being an App has to confine to the Windows S requirements? Link: Windows 10 in S mode Driver Requirements - Windows drivers

As you know the Windows 10 S, requires special devices. If there would not be such problems, then Microsoft could apply Exploit protection for Edge brokers by default.