Windows_Security

Windows 10 is really great. With Windows Defender on highest settings (use Configure Defender) and Software Restriction Policies (use Hard_Configurator with profile Windows_Security) only blocking file formats with hidden code (no executables, that is why you need to set WD on highest protection settings) you can run as admin without any functional loss and have great protection. You really don't need third party AV or any other additional protection.

I put it on all family members' PCs when they ask me to help set up their PCs. I also tell them to use Edge and add the Windows Defender Exploit Protection setting called Code Integrity Guard for current Edge (processes MicrosoftEdge.exe and MicrosoftEdgeCP.exe) and future Chromium-based Edge (process msedge.exe). This makes current (old) Edge and future (new) Edge-Chromium the safest browsers around (even safer than Chrome). The other benefit of using Edge is that Microsoft cheats and pre-loads Edge at system start (you can check that it cold-starts much faster than Chrome or Firefox).

So unless Windows Defender slows your PC down to a crawl (even on my tablet with a weak Intel Atom Z3740, Windows Defender is the 'fastest', least CPU-hungry AV), you really don't need to disable AV and risk shoot-in-the-foot errors. Even on the Intel Atom, running without antivirus only reduces the program start of Chrome by 0.2 seconds. So why bother?

Gandalf_The_Grey

Is that the profile "WIndows_10_MT_Windows_Security_hardening.hdc" in the latest (beta) version 4.1.1.1?
 

Andy Ful

The profile "WIndows_10_MT_Windows_Security_hardening.hdc" is slightly different compared to the original Windows_Security settings, so it can be used on SUA too.:giggle:

@Andy Ful
Question: when people use Configure Defender, would it be possible to add Exploit Protection (allow only Microsoft-signed DLLs) for old and new Edge?
Technically, this feature is independent of WD. It can be very useful for people who like to use Edge as a safe browser for banking. But there can be problems with using it for daily work.:unsure:
For now, I am not sure about adding it to H_C. But, this can change in the future.:giggle:
 

Gandalf_The_Grey

I enabled Code Integrity Guard for MicrosoftEdge.exe, MicrosoftEdgeCP.exe, msedge.exe and (as a test) for OUTLOOK.EXE.
Is there a way to verify that this is working correctly?

Do you also recommend flags like AppContainer for Chromium-based Edge, or should this be enough?
 

Windows_Security

I enabled Code Integrity Guard for MicrosoftEdge.exe, MicrosoftEdgeCP.exe, msedge.exe and (as a test) for OUTLOOK.EXE.
Is there a way to verify that this is working correctly?

Do you also recommend flags like AppContainer for Chromium-based Edge, or should this be enough?
Install MBAE and add Outlook and Edge to the protected programs. It should fail to inject MBAE.dll.

BTW you can also add it to Excel, Word and PowerPoint when you are using Outlook. Together with the ASR rules you enable with Configure Defender, this should block all malware hidden in Office file formats. The nice thing about ASR and Exploit Protection is that they even work when you are using a third-party antivirus like Ziggo's rebranded F-Secure.

I enabled all security-related flags in Chromium Edge without running into compatibility issues.

But there can be problems with using it for daily work.:unsure:
For now, I am not sure about adding it to H_C. But, this can change in the future.:giggle:
I would NOT add it to H_C. When people use a third-party antivirus, this setting blocks the DLL the AV might inject in the browser. That is why I asked to add it to Configure Defender. Chances are very low that someone uses CD when they don't use Windows Defender. For people using Windows Defender, this 'allow MS signed only' has advantages without any downside. On top of that, Google does not like third-party software injecting DLLs in Chrome, so you're only speeding up things (fair chance that in a year or two Chrome protects its broker against DLL injection).
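The question above was how to verify that Code Integrity Guard is actually enforced. Besides the MBAE test, the built-in ProcessMitigations module exposes the per-process state, and blocked image loads are written to the Security-Mitigations event log. This is an added example (not code from the thread, Configure Defender or Hard_Configurator); it assumes Windows 10 1709 or later, an elevated PowerShell prompt, and the event IDs 11 (audit) and 12 (block) as listed in Microsoft's Exploit Protection event reference, which you should confirm against the docs for your build.

```powershell
# Added example: check Code Integrity Guard (CIG) state for the processes named in
# the thread and list recent CIG audit/block events. Run from an elevated prompt.
$targets = 'MicrosoftEdge.exe', 'MicrosoftEdgeCP.exe', 'msedge.exe', 'OUTLOOK.EXE'

foreach ($name in $targets) {
    $m = Get-ProcessMitigation -Name $name -ErrorAction SilentlyContinue
    if (-not $m) { Write-Output "$name : no per-process mitigation entry"; continue }
    # BinarySignature is the section that holds the CIG switches.
    $sig = $m.BinarySignature
    [pscustomobject]@{
        Process             = $name
        MicrosoftSignedOnly = $sig.MicrosoftSignedOnly        # ON = only Microsoft-signed images load
        AllowStoreSigned    = $sig.AllowStoreSignedBinaries   # ON = Microsoft Store-signed images also allowed
        AuditOnly           = $sig.AuditMicrosoftSigned       # ON = violations are logged, not blocked
    }
}

# Assumed event IDs (verify in the docs): 11 = CIG audit, 12 = CIG block.
# A block event appearing after you point a non-Microsoft tool (e.g. MBAE) at the
# process confirms the guard is enforced rather than merely configured.
$logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
        'Microsoft-Windows-Security-Mitigations/UserMode'
foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Id        = 11, 12
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Log'; e = { $log } }, Message
}
```

If MicrosoftSignedOnly shows NOTSET for a process, the setting was never applied to that image name (check for a typo in the process name, including the .exe suffix).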

436880927

On top of that Google does not like third-party software injecting DLL's in Chrome
It's a marketing stunt.

Google only minds people injecting code when it isn't through Microsoft's "official" mechanisms, which inject code for AMSI and IOfficeAntiVirus. ;)

On top of that, Google does not like third-party software injecting DLLs in Chrome, so you're only speeding up things (fair chance that in a year or two Chrome protects its broker against DLL injection).
It is never going to stop the main vendors.

Google resorted to the dirty warning tactic to scare people because they know they have absolutely no idea how to actually prevent AVs from injecting code.

Google are punching above their weight and they know it.

Google Chrome runs with a CPL of 3. Google Chrome will never run with a CPL of 0 or -1 (guest CPL 0).

You cannot block someone running at a higher privilege level than you, and enforcing anything on those running at the same privilege level as you is a cat-and-mouse game.

Windows_Security

It is never going to stop the main vendors.

Google resorted to the dirty warning tactic to scare people because they know they have absolutely no idea how to actually prevent AVs from injecting code.

Google are punching above their weight and they know it.

Google Chrome runs with a CPL of 3. Google Chrome will never run with a CPL of 0 or -1 (guest CPL 0).

You cannot block someone running at a higher privilege level than you, and enforcing anything on those running at the same privilege level as you is a cat-and-mouse game.
They can install a driver like MemProtect which safeguards chrome.exe. I did not post that they implemented the broker protection in the broker running at medium integrity level :)

Andy Ful

I would NOT add it to H_C. When people use a third-party antivirus, this setting blocks the DLL the AV might inject in the browser. That is why I asked to add it to Configure Defender. Chances are very low that someone uses CD when they don't use Windows Defender. For people using Windows Defender, this 'allow MS signed only' has advantages without any downside. On top of that, Google does not like third-party software injecting DLLs in Chrome, so you're only speeding up things (fair chance that in a year or two Chrome protects its broker against DLL injection).
CIG will prevent Edge from loading images (usually DLLs) which are not from the Microsoft Store or not Microsoft-signed. It is more restrictive than just preventing DLL injection into the Edge browser by external applications.:unsure:

436880927

They can install a driver like MemProtect which safeguards chrome.exe. I did not post that they implemented the broker protection in the broker running at medium integrity level :)
No, that will not stop them.

Most AVs which are injecting code are doing it before the process creation operation has been completed, and once they are running under the context of the process whose main thread is yet to be resumed, they use an APC to hijack the main thread when it is resumed (alerted, and then the pending APCs are fired).

You can use file-less stubs and no DLL at all, a file-less stub to behave as a loader for the DLL, or just use the address of LdrLoadDll.

Either way, MemProtect cannot really stop people who are also running at the same privilege level as it... which I have already mentioned. You can do things manually with a CPL of 0 and MemProtect won't be any the wiser.

Google can use protected process mechanisms and it still will not stop the main vendors. ROFLAO.

436880927

Google supports DLL injection into Google Chrome via a COM InProcServer32 implementation for AMSI and IOfficeAntiVirus. And that is when you have a CPL of 3, with no requirement to do anything "hacky" in kernel mode.
 

Windows_Security

MemProtect can stop DLL injection, protected processes can stop DLL injection, Windows Code Integrity Guard can stop DLL injection.

436880927

MemProtect can stop DLL injection, protected processes can stop DLL injection, Windows Code Integrity Guard can stop DLL injection.
MemProtect cannot "stop" DLL injection. MemProtect can prevent handle creation and duplication (or threads) of the processes it is "protecting".

Handles to processes or threads you can access based on your privilege level in user-mode (Windows integrity) can be acquired without MemProtect being able to stop you. I'm just not going to tell you how.

In the Windows kernel, you do not have to open a handle to a process or thread.

In the Windows kernel, you can target physical memory or attach to a specific process and target the pages in virtual memory... without ever messing with process or thread handles.

Protected process mechanisms working in the Windows kernel can be disabled temporarily by others running with a CPL of 0, and then re-enabled after the required modifications are performed. This can be done before the process executes code from its own image.

Good AVs already have kernel-mode software.

Get it?
 

Andy Ful

If I recall correctly, MemProtect cannot prevent loading .NET DLLs. Furthermore, it relies on Protected Process Light technology, which can be bypassed at the kernel level. It can also be bypassed from user level by exploiting a vulnerable kernel driver.

Windows_Security

MemProtect stops DLL injection, I tested it, so you can say that black is white, but it stays black for me. Same with WD Exploit Protection Code Integrity Guard: a member posted that he could confirm it, so keep on dropping techno talk, but the fact remains that all three mechanisms can block DLL injection.