- Jun 22, 2014
- 899
Right.
Like letting a white listed app install a compromised update through your default deny set up as in the Ccleaner debacle.
Regards Eck
Last edited:
How to know if my Antivirus is really necessary?
- Thread starter JB007
- Start date
Right.
Like letting a white listed app install a compromised update through your default deny set up as in the Ccleaner debacle.
Regards Eck
- Mar 13, 2016
- 1,298
Windows 10 is really great. With Windows Defender on highest settings (use Configure Defender) and Software Restriction Policies (use Hard_Configurator with profile Windows_Security) only blocking file formats with hidden code (no executables, that is why you need to se WD on highest protection settings) you can runs as admin without any functional loss and have great protection. You really don't need third party AV or any other additional protection.
I put it on all family members PC when they ask me to help setup their PC's. I also tell them to use Edge and add Windows Defender Exploit protection setting called Code Integrity Guard for current Edge (processes MicrosoftEdge.exe and MicrosoftEdgeCP.exe) and future Chromiun based Edge (process msedge.exe). This makes current (old) Edge and future (new) Edge-chromium the safest browsers around (even safer than Chrome). The other benefit of using Edge is that Microsoft cheats and pre-loads Edge at system start (you can check that it cold-starts much faster than Chrome or Firefox).
So unless Windows Defender slows your PC down to a crawl (even on my tablet with a weak intel Atom Z3740 Windows Defender is the 'fastest' less CPU hungry AV), you really don't need to disable AV and risk shoot-in-the-foot errors. Even on the Intel Atom running without antivirus only reduces program start of Chrome with 0.2 seconds. So why bother?
I put it on all family members PC when they ask me to help setup their PC's. I also tell them to use Edge and add Windows Defender Exploit protection setting called Code Integrity Guard for current Edge (processes MicrosoftEdge.exe and MicrosoftEdgeCP.exe) and future Chromiun based Edge (process msedge.exe). This makes current (old) Edge and future (new) Edge-chromium the safest browsers around (even safer than Chrome). The other benefit of using Edge is that Microsoft cheats and pre-loads Edge at system start (you can check that it cold-starts much faster than Chrome or Firefox).
So unless Windows Defender slows your PC down to a crawl (even on my tablet with a weak intel Atom Z3740 Windows Defender is the 'fastest' less CPU hungry AV), you really don't need to disable AV and risk shoot-in-the-foot errors. Even on the Intel Atom running without antivirus only reduces program start of Chrome with 0.2 seconds. So why bother?
Last edited:
- Apr 24, 2016
- 7,680
Is that the profile "WIndows_10_MT_Windows_Security_hardening.hdc" in the latest (beta) version 4.1.1.1?
- Mar 29, 2018
- 7,903
- Mar 13, 2016
- 1,298
Yep, I only enable WD console for a while, so I can easily add WD exploit protection for Microsoft browsers. You can also do that before activating that profile of course.
- Dec 23, 2014
- 8,817
- Mar 13, 2016
- 1,298
@Andy Ful
Question: when people use configure defender, would it be possible to add Exploit Protection (allow only Microsoft signed DLL's) for old and new Edge?
Question: when people use configure defender, would it be possible to add Exploit Protection (allow only Microsoft signed DLL's) for old and new Edge?
- Dec 23, 2014
- 8,817
The profile "WIndows_10_MT_Windows_Security_hardening.hdc" is slightly different as compared to original Windows_Security settings, so it can be used on SUA too.
For now, I am not sure about adding it to H_C. But, this can change in the future.
Technically, this feature is independent of WD. It can be very useful for people who like to use Edge as a safe browser for banking. But there can be problems with using it for daily work.
For now, I am not sure about adding it to H_C. But, this can change in the future.
- Apr 24, 2016
- 7,680
I enabled Code Integrity Guard for MicrosoftEdge.exe, MicrosoftEdgeCP.exe, msedge.exe and (as test) for OUTLOOK.EXE.
Is there a way to verify of this working correctly?
Do you also recommend flags like appcontainer for chromium based edge or should this be enough?
- Mar 13, 2016
- 1,298
Install MBAE and add outlook and edge to the protected programs. It should fail to inject MBAE.dll
BTW you can also add it to Excel, Word, Powerpoint when your are using Outlook, Together with the ASR rules you enable with Configure Defender should block all malware hidden in Office file formats.Nice thing about ASR and Exploit protection is that it even works when you are using a third-party AntiVirus like Ziggo's rebranded F-secure.
I enabled all security related flags in chromium-edge without running into compatibility issues.
But there can be problems with using it for daily work.
For now, I am not sure about adding it to H_C. But, this can change in the future.
I would NOT add it to H_C. When people use a third party antivirus this settings blocks the DLL the AV might inject in the browser. That is why I asked to add it to Configure Defender. Chances are very low that someone uses CD when they don't use Windows Defender. For people using Windows Defender this only 'allow MS signed' has advantages without any downside. On top of that Google does not like third-party software injecting DLL's in Chrome, so your only speeding up things (fair chance that in a year or two Chrome protects its broker against DLL injection)
Last edited:
- Mar 29, 2018
- 7,903
I can verify this from experience because
Edit: I should have said Edge Dev issues a warning but with another click opens anyway with AVG installed.
Last edited:
It's a marketing stunt.
Google only mind people injecting code when it isn't through Microsoft's "official" mechanisms, which inject code for AMSI and IOfficeAntiVirus.
It is never going to stop the main vendors.
Google resorted to the dirty warning tactic to scare people because they know they have absolutely no idea how to actually prevent AVs from injecting code.
Google are punching above their weight and they know it.
Google Chrome runs with a CPL of 3. Google Chrome will never run with a CPL of 0 or -1 (guest CPL 0).
You cannot block someone running at a higher privilege level at you, and enforcing anything to those running at the same privilege level as you is cat and mouse games.
- Mar 13, 2016
- 1,298
They can install a driver like MemPortect which safe guards chrome.exe. I did not post that they implemented the broker protection in the broker running medium integrity level
- Dec 23, 2014
- 8,817
CIG will prevent Edge from loading images (usually DLLs) which are not from Microsoft Store or not Microsoft-signed. It is more restrictive than just preventing DLL injections to Edge browser by external applications.
Last edited:
No, that will not stop them.They can install a driver like MemPortect which safe guards chrome.exe. I did not post that they implemented the broker protection in the broker running medium integrity level
Most AVs which are injecting code are doing it before the process creation operation has been completed and once they are running under the context of the process who's main thread is yet to be resumed... use APC to hijack the main thread when it is resumed (alerted and then the pending APCs are fired).
You can use file-less stubs and no DLL at all, a file-less stub to behave as a loader for the DLL or just use the address of LdrLoadDll.
Either way, MemProtect cannot really stop people who are also running at the same privilege level as it... which I have already mentioned. You can do things manually with a CPL of 0 and MemProtect won't be any the wiser.
Google can use protected process mechanisms and it still will not stop the main vendors. ROFLAO.
Google support DLL injection into Google Chrome via a COM InProcServer32 implementation for AMSI and IOfficeAntiVirus. And that is when you have a CPL of 3, no requirement to do anything "hacky" in kernel mode.
- Mar 13, 2016
- 1,298
Memprotect can stop DLL injection, Protected processes can stop DLL-injection, Windows integrity guard can stop DLL-injection.
MemProtect cannot "stop" DLL injection. MemProtect can prevent handle creation and duplication (or threads) of the processes it is "protecting".
Handles to processes or threads you can access based on your privilege level in user-mode (Windows integrity) can be acquired without MemProtect being able to stop you. I'm just not going to tell you how.
In the Windows kernel, you do not have to open a handle to a process or thread.
In the Windows kernel, you can target physical memory or attach to a specific process and target the pages in virtual memory... without ever messing with process or thread handles.
Protected process mechanisms working in the Windows kernel can be disabled temporarily by others running with a CPL of 0, and then re-enabled after required modifications are performed. Such can be done before the process executes code from it's own image.
Good AVs already have kernel-mode software.
Get it?
- Dec 23, 2014
- 8,817
If I correctly recall, Memprotect cannot prevent loading .NET DLLs. Furthermore, it relies on Protected Process-Light technology, which can be bypassed on the kernel level. It can be also bypassed from the user level by exploiting vulnerable kernel driver.
Last edited:
- Mar 13, 2016
- 1,298
MemProtect stops DLL-injection, I tested it, so you can say that black is white, but that stays black for me. Same with WD Exploit protection Code Intyegrity Guard a member posted that he could confirm it, so keep on dropping techno talk, but fact remains that all three mechanisms can block DLL-injection.
Last edited:
Similar threads
