Guide to Tweak of built-in Exploit protection in Windows Security

F

ForgottenSeer 85179

Anyone play with ChromiumEdge Anti-Exploit settings?

From Umbra i get the following:
(for msedge.exe & MicrosoftEdgeCP.exe)
ACG (off)*
BLII (on)
BRI (on)
BUF (on)
CIG (off)* - loading (off) this setting can be turned ON if you use ChromEdge, however don't run it in 3rd party sandbox if you do enable it.
CFG (on) - Strict (Off)*
DEP (on) - ATL (on)
Dep (on)
Win32k (off)*
Child Process (off)
EAF (off)*
Mandatory ASLR (on) - Stripped (on)
IAF (off)*
BottomUp ASLR (on)
SimExec (off)*
CallerCheck (off)*
SEHOP (on)
VHU (on)
VHI (on)
VIDI (on)
StackPivot (off)

(* will break Chrome or extensions)

But these are maybe not up2date anymore
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Guys, please .... this can not be true .... does a junior member of this forum has to explain something so important to seasoned forum members?

How many times has Tavis Ormandy ranted against Antivirus vendors hooking or injecting DLL's into Google's browser (because the injected DLL, opened a hole as big as the Golden Gate bridge into the low and untrusted integrity level sandbox of Google)?

How many times have experienced members posted security news of Tavis Ormandy finding again a security hole in an anti-virus solution? Often the AV-companies hooking or injecting Google's browser! Have you ever wondered why would Google spend scarce security resources in investigating third-party software? Exactly to proof Google's (Tavis) point about AV companies punching holes in the browsers security architecture!

How many times has Google threatened to start blocking third-party DLLs into their browser (but they did not had the guts to implement it yet).

Now Microsoft provides an option to ONLY load MICROSOFT SIGNED DLL's into Edge and your advise is to DISABLE the CODE INTEGRITY GUARD?


So for anyone using Windows Defender as antivirus or using a smart third-party antivirus which does not touch Chrome (like Kaspersky Free): ENABLE the CODE INTEGRITY GUARD for EDGE


1586075594003.png
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Code Integrity Guard is already implemented in Edge (native and Chromium). It can be disabled via Windows Policies:

"RendererCodeIntegrityEnabled

Enable renderer code integrity

Supported versions:

  • On Windows since 78 or later
Description
If this policy is enabled or left unset, then Renderer Code Integrity is enabled. This policy should only be disabled if compatibility issues are encountered with third party software that must run inside Microsoft Edge's renderer processes.

Disabling this policy has a detrimental effect on Microsoft Edge's security and stability because unknown and potentially hostile code will be allowed to load inside Microsoft Edge's renderer processes.
"

See also point 24 in the article below:

This mitigation conflicted for some time with Symantec antivirus:

It is an important mitigation in Edge:

"Wrapping up the renderer exploit

Getting code execution in Microsoft Edge renderer is a bit more involved in contrast to other browsers since Microsoft Edge browser employs mitigations known as Arbitrary Code Guard (ACG) and Code Integrity Guard (CIG). Nevertheless, there is a way to bypass ACG. Having an arbitrary read-write primitive it is possible to find the stack address, setup a fake stack frame and divert code execution to the function of choice by overwriting the return address. This method was chosen to execute the sandbox escape payload."
 
Last edited:

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Code Integrity Guard is already implemented in Edge (native and Chromium). It can be disabled via Windows Policies:

"RendererCodeIntegrityEnabled

Enable renderer code integrity

Supported versions:

  • On Windows since 78 or later
Description
If this policy is enabled or left unset, then Renderer Code Integrity is enabled. This policy should only be disabled if compatibility issues are encountered with third party software that must run inside Microsoft Edge's renderer processes.

Disabling this policy has a detrimental effect on Microsoft Edge's security and stability because unknown and potentially hostile code will be allowed to load inside Microsoft Edge's renderer processes.
"

See also point 24 in the article below:

This mitigation conflicted for some time with Symantec antivirus:

It is an important mitigation in Edge:

"Wrapping up the renderer exploit

Getting code execution in Microsoft Edge renderer is a bit more involved in contrast to other browsers since Microsoft Edge browser employs mitigations known as Arbitrary Code Guard (ACG) and Code Integrity Guard (CIG). Nevertheless, there is a way to bypass ACG. Having an arbitrary read-write primitive it is possible to find the stack address, setup a fake stack frame and divert code execution to the function of choice by overwriting the return address. This method was chosen to execute the sandbox escape payload."
Yep but with wd exploit protection you also add that to the broker, not only renderer process.
 

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Guys, please .... this can not be true .... does a junior member of this forum has to explain something so important to seasoned forum members?

How many times has Tavis Ormandy ranted against Antivirus vendors hooking or injecting DLL's into Google's browser (because the injected DLL, opened a hole as big as the Golden Gate bridge into the low and untrusted integrity level sandbox of Google)?

How many times have experienced members posted security news of Tavis Ormandy finding again a security hole in an anti-virus solution? Often the AV-companies hooking or injecting Google's browser! Have you ever wondered why would Google spend scarce security resources in investigating third-party software? Exactly to proof Google's (Tavis) point about AV companies punching holes in the browsers security architecture!

How many times has Google threatened to start blocking third-party DLLs into their browser (but they did not had the guts to implement it yet).

Now Microsoft provides an option to ONLY load MICROSOFT SIGNED DLL's into Edge and your advise is to DISABLE the CODE INTEGRITY GUARD?


So for anyone using Windows Defender as antivirus or using a smart third-party antivirus which does not touch Chrome (like Kaspersky Free): ENABLE the CODE INTEGRITY GUARD for EDGE


View attachment 236282
Hi @Lenny_Linux this forum is created to discuss that Exploit protection techniques not to make a guide. i didn't introduce any guide or tutorial here but hear opinions of our geek here.
happy to learn from you also and i learned few thing from you also
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
like Kaspersky Free
Are you sure about this? I know Emsisoft doesn't inject dll into browsers. Even Kaspersky free version by default injects script into browsers, scans HTTPS connections and even disabling those don't stop it from injecting dlls I think mainly to block malicious sites in browsers. Can anyone check and verify this?
 
Last edited:

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
Are you sure about this? I know Emsisoft doesn't inject dll into browsers. Even Kaspersky free version by default injects script into browsers, scans HTTPS connections and even disabling those don't stop it from injecting dlls I think mainly to block malicious sites in browsers. Can anyone check and verify this?
Edge-Chromium with enabled "Code Integrity Guard" running fine here alongside KSC free & KIS (both version 2020), so maybe in this case there isn't any injections(.dll) into Edge-Chromium or just isn't fully supported by Kaspersky for now and may will be in upcoming version K2021...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Edge-Chromium with enabled "Code Integrity Guard" running fine here alongside KSC free & KIS (both version 2020), so maybe in this case there isn't any injections(.dll) into Edge-Chromium or just isn't fully supported by Kaspersky for now and may will be in upcoming version K2021...
Similarly to Symantec antivirus, Kaspersky and other popular vendors probably sign properly the DLLs to be compatible with Edge CIG.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The broker, is in broad terms, a privileged controller/supervisor of the activities of the sandboxed processes, quote from ...
The renderer processes are the untrusted level processes
I asked the question about a broker because Edge Chromium often does not use additional executables for broker processes. On the contrary, native Edge always uses special executables like Browser_Broker.exe and RuntimeBroker.exe .
Of course, AppContainer and Chromium Sandbox have to use brokers to perform privileged operations (usually with standard rights).
Anyway, the Control Integrity Guard mitigation implemented by default in Edge Chromium protects the processes in the Sandbox and also the brokers from the attacks initiated from the Sandbox.
There is no need to apply CIG via Exploit protection to protect Edge, except when the system is already infected. In such a case, the broker can be exploited by the malware already running in the system. Applying CIG also to brokers can produce software incompatibilities, for example with some device drivers. But, if this is not a case, then it can be additional anti-exploit protection.
 
Last edited:
F

ForgottenSeer 85179

I asked the question about a broker because Edge Chromium usually does not use additional executables for broker processes. On the contrary, native Edge always uses special executables like Browser_Broker.exe and RuntimeBroker.exe .
Of course, AppContainer and Chromium Sandbox have to use brokers to perform privileged operations (usually with standard rights).
Anyway, the Control Integrity Guard mitigation implemented by default in Edge Chromium protects the processes in the Sandbox and also the brokers from the attacks initiated from the Sandbox.
There is no need to apply CIG via Exploit protection to protect Edge, except when the system is already infected. In such a case, the broker can be exploited by the malware already running in the system. Applying CIG also to brokers can produce software incompatibilities, for example with some device drivers. But, if this is not a case, then it can be additional anti-exploit protection.
So which are your exploit recommendations then for (new) Edge?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
So which are your exploit recommendations then for (new) Edge?
I did not research this topic, yet. I can recommend using Edge with additional mitigations (also CIG via Exploit protection) for the separate Edge browser used only for banking. So, one can add as many mitigations as possible without breaking the banking website.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Similarly to Symantec antivirus, Kaspersky and other popular vendors probably sign properly the DLLs to be compatible with Edge CIG.
I just tested Eset with both the new and old Edge and it's working fine with Code Integrity Guard manually enabled. Just a month ago I used to get multiple errors but it's not the case anymore. So, you're right I think. Kaspersky, Bitdefender, Eset, Symantec, other popular vendors have made their DLLs compatible with Edge CIG (y)
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
There is no need to apply CIG via Exploit protection to protect Edge, except when the system is already infected.
Relating the use of CIG to being infected ?????????????????????????????????????? CIQ extends this added protection from renderer processes only to all msedge process instances. This reply makes no sense to me, so let's agree to disagree.

I asked the question about a broker because Edge Chromium usually does not use additional executables for broker processes
Edge-chromium is based on Chromium, that is why I linked to the official Google documentation about Chromium's architecture (with medium IL broker). When Google says Chrome has a broker process, I assume most chromium based browsers follow this architecture (with first instance launched being the broker process).

Applying CIG also to brokers can produce software incompatibilities, for example with some device drivers
Are not most drivers co-signed by Microsoft and does not Edge being an App has to confine to the Windows S requirements? Link: Windows 10 in S mode Driver Requirements - Windows drivers
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Relating the use of CIG to being infected ?????????????????????????????????????? CIQ extends this added protection from renderer processes only to all msedge process instances. This reply makes no sense to me, so let's agree to disagree.
Ha, ha. I meant that if you do not apply CIG via Exploit protection, then Edge can be more vulnerable, but the system has to be first infected by something else which next wants to attack the Edge. In other words, Edge will not be a source of infection, but rather a victim of already infected system. Furthermore, the malware usually has to get the ability to exploit the Edge broker to interact with the sandboxed area.
...
Are not most drivers co-signed by Microsoft and does not Edge being an App has to confine to the Windows S requirements? Link: Windows 10 in S mode Driver Requirements - Windows drivers
As you know the Windows 10 S, requires special devices. If there would not be such problems, then Microsoft could apply Exploit protection for Edge brokers by default.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top