Andy Ful

SEHOP for 32-bit processes can be activated via a registry tweak:
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"DisableExceptionChainValidation"=dword:00000000

The value 00000001 (or deleting the key) turns OFF SEHOP for 32-bit processes.

Known issues:
existing versions of Cygwin, Skype, and Armadillo-protected applications may not work correctly.
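An added example, not part of Andy Ful's post: the same kernel setting the .reg snippet above changes, read and written from PowerShell, plus the Exploit Protection view of it on Windows 10 1709+. SEHOP only matters for 32-bit code, because x64 uses table-based exception handling rather than the SEH chain. The function names and the assumption that an absent value means "OS default" (which differs by SKU and build) are mine; the registry path and value name are the ones from the post. Run elevated; the registry change only takes effect after a reboot.

```powershell
# Added example (not from the original post): read and set the SEHOP kernel
# value that the .reg tweak in the post changes, then show the Windows 10 1709+
# Exploit Protection view of the same mitigation where that module exists.
# Requires an elevated session; the change applies after a reboot.
$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$ValueName = 'DisableExceptionChainValidation'

function Get-SehopState {
    $item = Get-ItemProperty -Path $KernelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the OS default applies (assumption: differs by SKU/build,
        # so report it as such instead of guessing on or off).
        return 'Default (value not present)'
    }
    switch ($item.$ValueName) {
        0       { 'Enabled (SEHOP on for 32-bit processes)' }
        1       { 'Disabled (SEHOP off)' }
        default { "Unknown value $($item.$ValueName)" }
    }
}

function Set-SehopState {
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action)
    # 0 = validation enabled (SEHOP on), 1 = validation disabled (SEHOP off)
    $data = if ($Action -eq 'Enable') { 0 } else { 1 }
    New-ItemProperty -Path $KernelKey -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
    "Set $ValueName = $data (reboot required)"
}

"Before: $(Get-SehopState)"
Set-SehopState -Action Enable
"After:  $(Get-SehopState)"

# Windows 10 1709+ exposes the same mitigation through Exploit Protection.
# The ProcessMitigations cmdlets do not exist on older builds, so guard for them.
# (Equivalent setter there: Set-ProcessMitigation -System -Enable SEHOP)
if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
    $sys = Get-ProcessMitigation -System
    'Exploit Protection system-wide SEHOP setting:'
    $sys.SEHOP | Format-List
}
```

If the two views disagree after a reboot, the Exploit Protection setting is the one to trust on 1709+; the registry value is the legacy control the post describes.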
 

509322

@shmu26 - the issue of 32 bit processes as a high security risk on 64 bit OSes is a complex one - and entirely Microsoft's fault. One of the primary reasons is Microsoft's obsessive avoidance of breaking "legacy" technology. The topic is touched upon here: I honestly do not know much about Windows 10 1709 Exploit Guard so ask @Andy Ful. I wouldn't be surprised if it hasn't changed because fundamentally EMET and Exploit Guard are the same.

Latest EMET Bypass Targets WoW64 Windows Subsystem.

However the issue you bring up is a much, much bigger picture one and extends well beyond Microsoft's anti-exploit features. Malc0ders can play all kinds of games with 32 bit processes on 64 bit Windows and accomplish dastardly things. So your very best protection is not to use 32 bit processes on 64 bit Windows as much as you possibly can manage - in the same vein that it is in your best interests not to use widely popular programs that are widely distributed, popular and commonly targeted by malc0ders (e.g. Microsoft Office). The bottom line is that you cannot count upon any security solution to protect you in these situations in absolute terms (not as long as highly imperfect AI, humans and code are involved). If very high protection without hassle is what you are searching for then you are pursuing a futile enterprise. Give that pursuit up... go spend more time with your children... doing so will yield much greater dividends for them, and for you. Anybody that is truly ethical and honest will not say anything other than what I have said. I don't promote some fantasy "Auto-Magical." That's the death-bed, black hole reality of it. I am giving you the perspective of one who has seen stuff you people wouldn't believe - even when people thought they had multi- N-layer "impenetrable" fortresses - even using "Auto-Magical." I know this is the last thing you want to hear, but there it is.

Just find what you really like - what works for you personally - and stick with it. Nothing is going to be bug free. Nothing is going to be without some kind of hassle. You have to pick the lesser of all evils. This is how it works. I cannot stress enough that it is the best objective in all of security soft\geek "La-La Land." In my particular case, AppGuard, for me, has been the least of all evils and is the reason I work for AppGuard LLC. To some it might seem an odd way of describing my employer's product but within the context of this particular discussion it is the most apt way to describe it; it most certainly is not a derogatory statement. And those who have more than a walnut sized brain sitting on their shoulders should be able to understand the statement within the context of this post. However, there is always some malicious dolt that might come along and extract that statement and re-purpose it out of context to their own ends.

There are multiple, known ways that 32 bit processes can bypass 64 bit protections. Research it. There's all kinds of stuff online that discusses corner cases.

You are beat if you think you are completely safe with 32 bit processes running on 64 bit Windows 10, despite all the newly introduced Windows Defender Security Center stuff. Better use @Andy Ful 's Hard_Configurator default deny or something equivalent - whatever works best for you - whatever you like best.
 

Andy Ful

So I have a process that runs every once in a while
C:\ProgramData\Logishrd\LogiOptions\Unifying\DJCUHost.exe
...
The unifying software is a program that lets you configure the devices. It will automatically scan for wireless keyboards and mice and add them onto the list. We can enable or disable a certain device using the program.
Any additional application installed outside the 'Program Files ...' folders makes an unnecessary hole in the default-deny security and will cause some problems.
I think that you do not need the unifying software, because Windows is doing pretty well at finding wireless devices.
Anyway, Hard_Configurator settings make it difficult to manage updates of some applications if they update as a standard user. That is also a common way of updating applications installed outside 'Program Files...'. In such cases, the updates should be applied manually using 'Run As SmartScreen' or the user has to temporarily turn OFF the protection. The recommended way is avoiding such applications. That is the price of having advanced 0-day security.
That is similar to avoiding unhealthy meals when applying a healthy diet. :)(y)
 

shmu26

@shmu26 - the issue of 32 bit processes as a high security risk on 64 bit OSes is a complex one - and entirely Microsoft's fault. ...
You are beat if you think you are completely safe with 32 bit processes running on 64 bit Windows 10, despite all the newly introduced Windows Defender Security Center stuff. Better use @Andy Ful 's Hard_Configurator default deny or something equivalent - whatever works best for you - whatever you like best.
Very interesting indeed! Dungeons and Dragons at its best.
So anyways, the upshot is that from a security standpoint, one should show a preference for 64 bit apps, when using a 64 bit system.
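The two posts above boil down to "know which of your processes are 32-bit on a 64-bit box and prefer 64-bit builds". As an added example (mine, not code from either poster), here is an inventory that lists every running WoW64 process by calling kernel32!IsWow64Process on each process handle. It assumes a 64-bit OS; processes the session cannot open (protected or system processes) are reported as unknown rather than guessed.

```powershell
# Added example, not from the thread: list running 32-bit (WoW64) processes
# on 64-bit Windows, i.e. the ones the discussion above is about.
# Assumes a 64-bit OS. Processes we lack rights to open show as 'unknown'.
if (-not [Environment]::Is64BitOperatingSystem) { throw 'This check is for 64-bit Windows.' }

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)] out bool wow64);
'@

function Get-ProcessBitness {
    foreach ($p in Get-Process) {
        $bitness = 'unknown'
        $path = $null
        try {
            # .Handle throws (access denied) for protected/system processes.
            $isWow64 = $false
            if ([Win32.Native]::IsWow64Process($p.Handle, [ref]$isWow64)) {
                $bitness = if ($isWow64) { '32-bit (WoW64)' } else { '64-bit' }
            }
            $path = $p.Path
        } catch { }
        [pscustomobject]@{ Name = $p.ProcessName; Id = $p.Id; Bitness = $bitness; Path = $path }
    }
}

$all   = Get-ProcessBitness
$wow64 = @($all | Where-Object Bitness -like '32-bit*')
$wow64 | Sort-Object Name | Format-Table Name, Id, Path -AutoSize
"{0} of {1} running processes are 32-bit (WoW64)" -f $wow64.Count, $all.Count
```

The Path column is the useful part: anything 32-bit that lives outside Program Files, or that a vendor still ships only as a 32-bit build, is a candidate for replacement or removal in the spirit of the advice above.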
 

shmu26

Any additional application installed outside the 'Program Files ...' folders makes an unnecessary hole in the default-deny security and will cause some problems.
I think that you do not need the unifying software, because Windows is doing pretty well at finding wireless devices.
Anyway, Hard_Configurator settings make it difficult to manage updates of some applications if they update as a standard user. That is also a common way of updating applications installed outside 'Program Files...'. In such cases, the updates should be applied manually using 'Run As SmartScreen' or the user has to temporarily turn OFF the protection. The recommended way is avoiding such applications. That is the price of having advanced 0-day security.
That is similar to avoiding unhealthy meals when applying a healthy diet. :)(y)
Agreed that the unifying software is unnecessary in my case, after the initial setup of the wireless mouse. I renamed the file so it won't bother me anymore.
 

509322

The recommended way is avoiding such applications. That is the price of having advanced 0-day security.
That is similar to avoiding unhealthy meals when applying a healthy diet.:)(y)
That is a pretty awesome way of describing a really smart security configuration.

Don't eat unhealthy food that puts your health at risk over time. Don't put stuff on your PC that introduces vulnerabilities and put your system at risk over time.
 

509322

...., one should show a preference for 64 bit apps, when using a 64 bit system.
It's virtually impossible even after all these years. Some OEMs and publishers are more lazy than users. Others are just really, really... REALLY behind the 8 ball. And some just don't care. Finally, you have tons of unmaintained and abandoned stuff out there.

It's safe to say that there are a fair number of OEMs and publishers that, if they had their way, they would still be using unsigned, obsolete, 32, 16, and 8 bit stuff in year 4187 on Windows 873.
 

Andy Ful

I would like to comment on the testing procedure adopted by @askalan in Malware Hub:
https://malwaretips.com/threads/30-4-2018-16.82551/#post-732075

This setup is based on Hard_Configurator recommended settings, and is similar to Avast with Hardened Aggressive mode with disabled malware signatures but blocked script execution.
PowerShell command lines and cmdlets are allowed to run in Constrained Language mode.
@askalan used SoftMaker Office (no DDE, no MS Office macros, but OLE and ActiveX allowed).

Of course, the test results of the above setup cannot be compared with standard AVs.

So, what could be the purpose of testing such a setup?
It can be used for testing the effectiveness of SmartScreen and Script Restrictions.
I think that it would be very informative for many users who think that SmartScreen is crap and Windows Defender test results are fake. Also, many users do not realize how important anti-script protection is nowadays.

If the Malwaretips testers will be so kind as to allow such tests, then the test results have to be posted with the below warning:
Experimental setup for testing the effectiveness of SmartScreen and Script Restrictions against 0-day malware samples. May not be efficient for older samples.
It would also be fine to add a link to this post for more info.

Why will this setup not be so efficient for older samples? Because older samples will be detected by AVs 100% due to signatures.
That is the reason for using Hard_Configurator as a backup for the standard AV (especially for Defender).
 

In2an3_PpG

I would like to comment on the testing procedure adopted by @askalan in Malware Hub:
https://malwaretips.com/threads/30-4-2018-16.82551/#post-732075
...
That is the reason for using Hard_Configurator as a backup for the standard AV (especially for Defender).
I could be mistaken, as I cannot remember, but I believe @Solarquest oversees the hub. If he does then I'm sure he could help with allowing this testing.
 

askalan

Before I write the message, I wanted to mark @mekelek. Hopefully he will also see the posts.
Hey. Testing this software is not forbidden at the HUB. So no need to worry. In the next tests I will always add the warning. Thanks for that information.
I agree that Hard_Configurator is a backup for the running antivirus. But I am of the opinion that Hard_Configurator does not need a running antivirus in its default configuration.
But if you don't lock .js and .jar files anymore, then these samples actually get through. I was wrong yesterday. That was also the main argument. While other software in the HUB has to recognize the bad scripts, Hard_Configurator does not execute them at all.
So I have a question: Is testing this combo useful in the future or should I test another software?
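Andy Ful's description of the test setup (script restrictions plus PowerShell in Constrained Language mode) and askalan's remark that unlocked .js and .jar files let samples through both come down to one question a tester should answer before trusting a result: does the default-deny policy on the test box actually cover those script types, and is PowerShell really constrained? The following is an added example of mine, not code from Hard_Configurator or from either poster. It reads the standard Software Restriction Policy registry layout under HKLM (which is what SRP-based default-deny tools configure; Hard_Configurator's exact settings are not reproduced here, and the list of script extensions to look for is my own choice) and reports which of them are "designated file types" that SRP will evaluate.

```powershell
# Added example, not from the thread: audit whether the default-deny SRP on
# this machine covers the script types discussed (.js, .jar, ...) and whether
# this PowerShell session runs in Constrained Language mode.
# Registry layout is the standard SRP one; extension list is an assumption.
$SrpKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ScriptTypes = 'JS', 'JSE', 'VBS', 'VBE', 'WSF', 'WSH', 'PS1', 'JAR', 'HTA', 'CMD', 'BAT'

function Get-SrpPolicy {
    $p = Get-ItemProperty -Path $SrpKey -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }    # no SRP configured on this machine
    $level = switch ($p.DefaultLevel) {
        0       { 'Disallowed (default-deny)' }
        131072  { 'Basic User' }
        262144  { 'Unrestricted (default-allow)' }
        default { "Unknown ($($p.DefaultLevel))" }
    }
    [pscustomobject]@{
        DefaultLevel    = $level
        # TransparentEnabled: 2 = enforce for all files incl. DLLs, 1 = skip DLLs
        EnforceDlls     = ($p.TransparentEnabled -eq 2)
        # PolicyScope: 0 = all users, 1 = all users except local administrators
        AppliesToAdmins = ($p.PolicyScope -eq 0)
        # Designated file types: only these extensions are subject to SRP rules
        ExecutableTypes = @($p.ExecutableTypes)
    }
}

function Test-ScriptTypes {
    param([string[]]$Designated, [string[]]$Wanted = $ScriptTypes)
    $upper = @($Designated | ForEach-Object { $_.ToUpperInvariant() })
    foreach ($ext in $Wanted) {
        [pscustomobject]@{ Extension = ".$ext"; CoveredBySrp = ($upper -contains $ext) }
    }
}

$policy = Get-SrpPolicy
if ($null -eq $policy) {
    Write-Warning 'No SRP policy under HKLM: script files are limited only by their file handlers.'
} else {
    $policy | Format-List DefaultLevel, EnforceDlls, AppliesToAdmins
    Test-ScriptTypes -Designated $policy.ExecutableTypes | Format-Table -AutoSize
}

# A default-deny SRP only restricts PowerShell if sessions start constrained;
# check the current one (a fresh session opened under the policy is what counts).
"PowerShell language mode: $($ExecutionContext.SessionState.LanguageMode)"
```

An extension reported as CoveredBySrp = False is exactly the gap askalan describes: with DefaultLevel set to Disallowed, SRP still ignores files whose extension is not in ExecutableTypes, so a .js or .jar sample runs through its handler untouched.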
 

shmu26

I think the real thing they are trying to test is the capabilities of Windows SmartScreen. They are just using HC tools in order to do it right.
Now, we could debate whether testing SmartScreen is relevant, and indeed it has been debated already...
 

Andy Ful

I think the real thing they are trying to test is the capabilities of Windows SmartScreen. They are just using HC tools in order to do it right.
Now, we could debate whether testing SmartScreen is relevant, and indeed it has been debated already...
I think that the 'restricted script' part of the test is equally important. That was also debated as a possible option for standard AVs. The problem with standard AVs is that they want to satisfy home users and companies. So, AV vendors hate such things as 'script restrictions', which could be a simple and efficient solution for home users.
 

Andy Ful

Honestly, I do not understand the meaning of the test. Or better, I do not understand why it is inserted together with the other AVs. A special section for SRP, sandbox or light virtualization would be more correct.
Both you and @askalan are probably right. The test results cannot be compared, so for this reason, the test could be in another thread for default-deny solutions.
But, Malware Hub is something more than a simple comparison of AV detection results. It also allows recognizing the weak points in security solutions and helps to improve home users' security.
For this reason, it would be interesting to keep the test in the same thread with other AV solutions (for some time). Then we would see, on the same pool of samples, how simple AV improvements (like restricting scripts) could make some AVs stronger.
Also, the effectiveness of SmartScreen should be tested, because it is available for free to all Windows 8+ users.
 

Andy Ful

...
I agree that Hard_Configurator is a backup for the running antivirus. But I am of the opinion that Hard_Configurator does not need a running antivirus in its default configuration.
...
So I have a question: Is testing this combo useful in the future or should I test another software?
You are probably right that Windows 8+ with Hard_Configurator settings does not need the AV, because in fact it uses the AV in the cloud (on-demand SmartScreen Application Reputation).
But, there is the principal con of such a solution:
  • The protection against one-month-old malware will probably be similar to any good free AV, and free AVs are more friendly to users. The above follows from the fact that after some weeks almost all malware threats are detected by signature.
Maybe that could be the solution for advanced users with Windows 8+ installed on computers (notebooks) with poor resources. Who knows.