Guide to Tweak of built-in Exploit protection in Windows Security

DDE_Server

Sep 5, 2017
Hello everybody,
I just came across, by coincidence, the option for Exploit protection built into my Windows 10 (honestly I didn't know it existed, as I depend mainly on Emsisoft as anti-malware and don't get close to Windows Security Center as there is no red alert notification :) ).
Can anybody give me a hint about how to adjust it and the meaning of each setting?
Note: by default all system settings are enabled; however, I want to add some programs to program settings.

Edit: many settings in program settings, as added in the spoiler part.


Sampei Nihira

Dec 26, 2019
Hi, not all anti-exploit mitigations apply both at system level and to apps.
Some are specific to apps only.

You will see that if you enable all the mitigations for a certain software, it will probably not start.
ForgottenSeer 823865

There is no guide or formula; each software requires its own selection of mitigations. Win10 Exploit Protection (aka EMET) is the most obscure one among all existing anti-exploit softs. HMPA is the most efficient and easy to use.
So if you want to use Win10 Exploit Protection, you will make it via trial & error.

Note: if you use Chrome/ChromEdge, these are my personal mitigations: SECURE: Complete - Umbra's Lockdown Security 2020

DDE_Server

Sep 5, 2017
There is no guide or formula; each software requires its own selection of mitigations. Windows 10 Exploit Protection (aka EMET) is the most obscure one among all existing anti-exploit softs. HMPA is the most efficient and easy to use.
So if you want to use Windows 10 Exploit Protection, you will make it via trial & error.

Note: if you use Chrome/ChromEdge, these are my personal mitigations: SECURE: Complete - Umbra's Lockdown Security 2020

Thanks @Umbra; however, I am using Google Chrome and mainly need tuning for PDF reader mitigation (in my case Foxit PhantomPDF), as it is the most vulnerable software since I am using version 9.4 (now it is 9.7 - cannot afford to upgrade :D :D - used a cheap lifetime upgrade licence from eBay).
So I want the best Exploit protection for that soft, and also maybe add the browser as you suggested until I find a good alternative.

DDE_Server

Sep 5, 2017
By the way, did you add your PDF reader (if you have one installed) to Exploit mitigation? As far as I know, Office and PDF readers are the most targeted desktop applications for spreading malware (JavaScript in PDF and macros in Office) :unsure: :unsure:

Or maybe I should add it as a monitored program in Emsisoft if it is not there :unsure:

shmu26

Jul 3, 2015
It is much easier to just set a non-exploitable PDF reader as the default, so when you open a newly downloaded PDF, you will be safe. If, after taking a look at it, you want to edit it or perform some other advanced function, then launch Foxit.

For non-exploitables, you have Edge (on Windows 10), Sumatra, and Windows Store apps of various types, such as the mobile versions of the well-known apps.

Andy Ful (From Hard_Configurator Tools)

Dec 23, 2014

DDE_Server

Sep 5, 2017
DDE_Server,
Exploit Guard is a good idea if you have to use the concrete desktop application, which is popular and exploitable. If not, then using applications from Microsoft Store with Appcontainer support will be safer. You can look at my post:
https://malwaretips.com/threads/using-os_armor-and-hard_configurator-together.97000/post-849446
Thanks @Andy Ful for your reply.
Yes, Foxit PhantomPDF is a well-known company and a target for attacks, same as Adobe products,
so I want to use Exploit Guard. I will ask Emsisoft support first if they have Exploit protection embedded in their behavior blocker;
if not, I will tweak the mitigation settings using the built-in Microsoft Defender (Exploit Guard).

DDE_Server

Sep 5, 2017
It is much easier to just set a non-exploitable PDF reader as the default, so when you open a newly downloaded PDF, you will be safe. If, after taking a look at it, you want to edit it or perform some other advanced function, then launch Foxit.

For non-exploitables, you have Edge (on Windows 10), Sumatra, and Windows Store apps of various types, such as the mobile versions of the well-known apps.
Good idea, but when I launch the document, how will I know whether an exploit attack has happened or not? Maybe I should read about such types of attacks.

shmu26

Jul 3, 2015
Good idea, but when I launch the document, how will I know whether an exploit attack has happened or not? Maybe I should read about such types of attacks.
I have heard from malware testers that phony PDFs are super-easy to spot. They often call themselves invoices or receipts, for something you never ordered, and when you open them, everything looks wrong. They are designed to fool unthinking company secretaries who get all sorts of receipts and invoices all the time and just process them without even checking whether such a product or service was even ordered. But you as an experienced home user will probably smell that something is fishy even before you open the doc, and surely after you open it.

shmu26

Jul 3, 2015
Exploit protection means locking down doors and windows, so no one gets in. Post-exploit protection means making sure that an intruder can't do any damage.
Most people lump the two together, although technically they are two very different things.
In theory, exploit protection is preferable, as is obvious from the metaphor, but it is hard to implement because if you lock down the doors and windows too tight, the house becomes inaccessible even to those who should be using it. I.e., your programs don't work.

Sampei Nihira

Dec 26, 2019
DDE_Server,
Exploit Guard is a good idea if you have to use the concrete desktop application, which is popular and exploitable. If not, then using applications from Microsoft Store with Appcontainer support will be safer. You can look at my post:
https://malwaretips.com/threads/using-os_armor-and-hard_configurator-together.97000/post-849446

But if he prefers to use that software, he could lower the IL to the "Low" value (also through ICACLS) and check if everything still works.
Often lowering the IL to "Untrusted" again prevents the software from starting.

Let's say it is a certain safety advantage.

I did this with my portable SumatraPDF in W.10.

Andy Ful (From Hard_Configurator Tools)

Dec 23, 2014
But if he prefers to use that software, he could lower the IL to the "Low" value (also through ICACLS) and check if everything still works.
...
This will probably work for several PDF readers. The simplest method to use the application with a low integrity level is installing it in the "%UserProfile%\AppData\LocalLow" folder.
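The two tricks above (an explicit Low label via icacls, or installing under LocalLow so the label is inherited) as an added PowerShell example that is not from the thread; the reader path is a placeholder and the parsing assumes icacls's English output:

```powershell
# Added example, not from the thread. Applies a Low integrity label to a PDF reader's
# executable with icacls (as suggested above) and shows why installing under LocalLow
# works: that folder carries an inheritable Low label that new files pick up.
# $ReaderExe is a placeholder path; run from an elevated PowerShell.
$ReaderExe = 'C:\PortableApps\SumatraPDF\SumatraPDF.exe'   # assumed location, adjust

function Get-IntegrityLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints "Mandatory Label\Low Mandatory Level:(NW)" only when an explicit
    # label is set; objects without one are treated as the default Medium level.
    $text = (icacls $Path 2>&1) -join "`n"
    $m = [regex]::Match($text, 'Mandatory Label\\(\w+) Mandatory Level:(\([^\r\n]*)')
    if ($m.Success) { "$($m.Groups[1].Value) $($m.Groups[2].Value)" }
    else            { 'Medium (no explicit label)' }
}

# LocalLow: expect "Low (OI)(CI)(NW)" - (OI)(CI) means files and subfolders inherit it.
"LocalLow folder : $(Get-IntegrityLabel "$env:USERPROFILE\AppData\LocalLow")"

# Explicit label on the executable. A process started from a Low-labelled image runs
# with the lower of the parent's level and the file's label, i.e. Low here.
"Before          : $(Get-IntegrityLabel $ReaderExe)"
icacls $ReaderExe /setintegritylevel L | Out-Null     # L = Low, M = Medium, H = High
"After           : $(Get-IntegrityLabel $ReaderExe)"

# If the reader no longer starts or cannot save files at Low, revert with:
#   icacls $ReaderExe /setintegritylevel M
```

At Low integrity the reader can still read the user's files but cannot write to Medium-level locations such as Documents, which is the "safety advantage" mentioned above and also the usual reason a lowered application breaks.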