- Nov 15, 2017
Hello, the Documents Antiexploit tool is marked as a threat by the Sophos ML (Generic ML PUA). Well, I just wanted to report this.
Thanks.
I am thinking about adding two H_C options: <Harden EXE> and <Harden EXE via WDAC>.
Both can be applied as additional protection to any Allow EXE profile.
The first will simply block EXE files via SRP in the default user folders on the system partition like: Desktop, Download, Videos, Documents, Pictures, Music.
The second will be based on Windows Defender Application Control (WDAC). It will apply the additional protection to all drives and partitions, except the system partition (usually C:\). This protection includes:
- All programs (EXE, MSI) and DLLs which are accepted by Microsoft as safe (Intelligent Security Graph Authorization) are allowed.
- All other programs (EXE, MSI) and DLLs are blocked (also .NET DLLs).
- PowerShell and Windows Script Host scripting is restricted also for elevated processes.
- "Run As SmartScreen" or "Run By SmartScreen" can bypass blocking MSI and EXE files.
- The system partition (usually C:\) is whitelisted, so EXE, MSI, and DLL files from the system partition are allowed by WDAC, but can be restricted by other H_C features.
Both <Harden EXE> and <Harden EXE via WDAC> are prepared to work with any "Allow EXE" setup. So, with the Allow EXE setting the commonly used user folders will be protected as in the H_C Recommended Settings, other locations on the system drive will allow EXE files, and non-system drives (also USB drives) will be additionally protected by Windows Defender Application Control.
The H_C Allow EXE setup + <Harden EXE> + <Harden EXE via WDAC> will probably be included in H_C as "Default Profile". There will be no problems with installing & updating applications in UserSpace on the system partition. Still, while installing applications the user will usually have to use "Run As SmartScreen" from the Explorer context menu, because the installers will be started from the Download or Desktop folder, or a non-system drive/partition.

Sounds like a great idea, I am looking forward to it!
Hello
1-what's the difference between SmartScreen and this feature?
2-Does it work only on execution (directly by the user) or does it also cover child execution (like a script that downloads and runs the malicious EXE or MSI)?
thanks

1. It is slightly more restrictive for EXE and MSI files, checks all loaded DLLs, and does not require MOTW.
2. Works on execution (even when executed by malware as payload), covers child processes.
But, the version used in H_C will not use most of this because the system partition is whitelisted. On the system partition, H_C will not use this protection, but SRP. Only files on non-system drives/partitions will be blocked by WDAC.
Here are some examples:
- The user executes something from the USB drive which will try to load a malicious DLL from this drive. WDAC will block the execution of the malicious DLL.
- The user has copied the EXE file from the USB drive to the Desktop or Download folder. The file execution will be blocked by SRP, even with the H_C Allow EXE setup.
- The user has copied the file from an infected USB drive (shortcut malware) which is, in fact, a shortcut to malware (DLL, EXE, etc.) hidden somewhere on the USB drive. The shortcuts on the Desktop are normally allowed in H_C, but when the shortcut is executed, the malware on the USB drive will be blocked by WDAC anyway.
It is worth knowing that one of the WD ASR rules works similarly to <Harden EXE via WDAC>, but does not cover DLLs and works only for USB drives. So, this ASR rule can be bypassed when running a legal but vulnerable file from USB that loads a malicious DLL.

Thanks for the careful explanation. I like it!
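To show what the WDAC half of the setup described in the two posts above looks like in practice, here is an added example (not Hard_Configurator's own code, and not a claim about how H_C builds its policy): an audit-mode policy that trusts ISG-authorized binaries and allows the system partition by path, followed by the event-log check a defender runs before switching to enforcement. The policy file names are placeholders; an elevated session and the ConfigCI module are assumed.

```powershell
# Added example, not Hard_Configurator's code: audit-mode WDAC policy in the spirit of
# <Harden EXE via WDAC>, plus the checks to run before enforcing it.
# Assumes Windows 10 1903+ (file path rules), ConfigCI module, elevated PowerShell.
$policyXml = "$env:TEMP\HardenExeViaWdac_Audit.xml"   # placeholder path
$policyBin = "$env:TEMP\HardenExeViaWdac_Audit.p7b"   # placeholder path

# 1. Start from Microsoft's shipped audit template so Windows itself is already trusted.
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" $policyXml

# 2. Policy options. 14 = Intelligent Security Graph Authorization: this is what lets
#    EXE/MSI/DLL files "accepted by Microsoft as safe" run from non-system drives.
#    3 = Audit Mode (log only, block nothing yet). 6 = unsigned policy allowed.
#    18 = Disabled:Runtime FilePath Rule Protection, needed because by default WDAC
#    ignores path rules for user-writable folders; this is the trade-off the post
#    accepts, since SRP (not WDAC) guards the user folders on C:\.
foreach ($opt in 14, 3, 6, 18) { Set-RuleOption -FilePath $policyXml -Option $opt }

# 3. Whitelist the whole system partition by path, so only binaries on other drives
#    (USB included) are judged by WDAC.
$allowSystemDrive = New-CIPolicyRule -FilePathRule "$env:SystemDrive\*"
Merge-CIPolicy -OutputFilePath $policyXml -PolicyPaths $policyXml -Rules $allowSystemDrive

# 4. Compile to the binary form the kernel loads. Deployment (copy as SIPolicy.p7b into
#    System32\CodeIntegrity, run 'appidtel start' for ISG, reboot) is left manual here.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# 5. After some days in audit mode, list what WOULD have been blocked. Event 3076 is an
#    audit-mode block (3077 once enforced). Review this before removing option 3.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 6. The scripting restriction the post mentions: under an enforced WDAC policy this
#    reports ConstrainedLanguage, in elevated sessions too.
$ExecutionContext.SessionState.LanguageMode
```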
ty @oldschool. Always you around here.
Thanks.

@Andy Ful
First, let me ty for your excellent work. I'm relatively new at the forum, but I'm already impressed by how people help each other here! If I had more knowledge in developing tools, I would certainly join you.
If you don't mind, can you solve some fast doubts?
1) Consider that I would like to accept *.exe files to be run normally when double clicking them through Explorer or through the download tab in Chrome, for example. I concluded that there are 2 ways to get that: 1) Add EXE and TMP files to the whitelist by path; 2) Set H_C with the No enforcement setting. Which option would be less vulnerable? Is there any other way?
2) Could installing H_C, in any way, open vulnerabilities to be explored (at the same time as it closes other ones)?
3) In case I would like to remove H_C, would following the guide steps remove 100% of the changes?
4) Would H_C in any way conflict with IObit Uninstaller functions, like the one that monitors the installation of new software and logs the changes?
I found one small conflict that I was able to solve, but I'll let you know anyway. When I installed H_C, I was not able to run Brave through the Windows taskbar because the standard shortcut was a *.LNK file. I solved it by deleting it, creating a new shortcut and adding the new one to the taskbar. Idk why that happened.
tyvm!
After some weeks of using the current profile, you can try to harden it a little:...
Should I enable "block power shell scripts" when using "Windows_10_MT_Windows_Security..." profile?
Please remember that an EXE file can have the icon of a photo or video clip to misguide the user, so he/she may expect to open a photo or video clip, but not an EXE file. This information makes the file very suspicious....
I would care more about the warning/bypass than that the file is an exe