ForgottenSeer 85179
Thread author
I would like to open a thread about the maximum possible anti-exploit protection settings (from Windows Defender), so every user can import/export those settings.
First, here is some reading material:
Turn on exploit protection to help mitigate against attacks - Microsoft Defender for Endpoint
Learn how to enable exploit protection in Windows. Exploit protection helps protect your device against malware.
docs.microsoft.com
Customize exploit protection - Microsoft Defender for Endpoint
You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations.
docs.microsoft.com
Some basics:
To get all current settings for a process, use this PowerShell command (no admin rights needed!):
(replace "processname.exe" with your own file name and/or path)
Code:
Get-ProcessMitigation -Name processName.exe
To export all current settings, use this PowerShell command (no admin rights needed!):
(watch out for the path (%USERPROFILE%) where PowerShell saves the file!)
Code:
Get-ProcessMitigation -RegistryConfigFilePath settings.xml
Let's go:
My Microsoft (new Chromium-based) Edge settings:
I guess there is some tuning possible, but it looks like nobody has tried yet.
ProcessName : msedge.exe
Source : Registry
Id : 0
DEP:
Enable : ON
EmulateAtlThunks : ON
Override DEP : False
ASLR:
BottomUp : ON
Override BottomUp : False
ForceRelocateImages : ON
RequireInfo : ON
Override ForceRelocate : False
HighEntropy : ON
Override High Entropy : False
StrictHandle:
Enable : ON
Override StrictHandle : False
System Call:
DisableWin32kSystemCalls : NOTSET
Audit : NOTSET
Override SystemCall : False
ExtensionPoint:
DisableExtensionPoints : ON
Override ExtensionPoint : False
DynamicCode:
BlockDynamicCode : NOTSET
AllowThreadsToOptOut : NOTSET
Audit : NOTSET
Override DynamicCode : False
CFG:
Enable : ON
SuppressExports : OFF
Override CFG : False
StrictControlFlowGuard : NOTSET
Override StrictCFG : False
BinarySignature:
MicrosoftSignedOnly : ON
AllowStoreSignedBinaries : ON
EnforceModuleDependencySigning : ON
AuditMicrosoftSignedOnly : OFF
AuditStoreSigned : OFF
AuditEnforceModuleDependencySigning: OFF
Override MicrosoftSignedOnly : False
Override DependencySigning : False
FontDisable:
DisableNonSystemFonts : ON
Audit : OFF
Override FontDisable : False
ImageLoad:
BlockRemoteImageLoads : ON
AuditRemoteImageLoads : OFF
Override BlockRemoteImages : False
BlockLowLabelImageLoads : ON
AuditLowLabelImageLoads : OFF
Override BlockLowLabel : False
PreferSystem32 : NOTSET
AuditPreferSystem32 : NOTSET
Override PreferSystem32 : False
Payload:
EnableExportAddressFilter : NOTSET
AuditEnableExportAddressFilter : NOTSET
Override ExportAddressFilter : False
EnableExportAddressFilterPlus : NOTSET
AuditEnableExportAddressFilterPlus : NOTSET
Override ExportAddressFilterPlus : False
EAFModules : {}
EnableImportAddressFilter : NOTSET
AuditEnableImportAddressFilter : NOTSET
Override ImportAddressFilter : False
EnableRopStackPivot : NOTSET
AuditEnableRopStackPivot : NOTSET
Override EnableRopStackPivot : False
EnableRopCallerCheck : NOTSET
AuditEnableRopCallerCheck : NOTSET
Override EnableRopCallerCheck : False
EnableRopSimExec : NOTSET
AuditEnableRopSimExec : NOTSET
Override EnableRopSimExec : False
SEHOP:
Enable : ON
TelemetryOnly : OFF
Audit : NOTSET
Override SEHOP : False
Heap:
TerminateOnError : ON
Override HEAP : False
Child Process:
DisallowChildProcessCreation : NOTSET
Audit : NOTSET
Override ChildProcess : False
In the exported text file it looks simpler:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Set-ProcessMitigation -PolicyFilePath expects the <MitigationPolicy> root element that the export writes -->
<MitigationPolicy>
  <AppConfig Executable="msedge.exe">
    <DEP Enable="true" EmulateAtlThunks="true" />
    <ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
    <StrictHandle Enable="true" />
    <ExtensionPoints DisableExtensionPoints="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="true" Audit="false" AuditStoreSigned="false" EnforceModuleDependencySigning="true" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
    <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>
</MitigationPolicy>
This can now be saved in a settings.xml file and then imported with this PowerShell command:
(change the path to settings.xml if needed!)
Code:
Set-ProcessMitigation -PolicyFilePath .\settings.xml
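The import/verify round trip described in this post, as an added example script that is not part of the original post: it optionally applies a settings.xml with Set-ProcessMitigation, then reads the registry policy back with Get-ProcessMitigation for every executable in the file and flags any mitigation whose live state does not match the XML. It assumes the ProcessMitigations module (Windows 10 1709 or later), that the XML has the `<MitigationPolicy>` / `<AppConfig Executable="...">` layout that `Get-ProcessMitigation -RegistryConfigFilePath` writes, and that the property names on the returned object (DEP.Enable, ASLR.BottomUp, ExtensionPoint.DisableExtensionPoints, CFG.Enable, BinarySignature.MicrosoftSignedOnly, FontDisable.DisableNonSystemFonts, ...) follow the section and field labels shown in the cmdlet output above; the `$Map` table that encodes that mapping and the script name `Test-MitigationPolicy.ps1` are my own assumptions.

```powershell
# Test-MitigationPolicy.ps1 (added example, not from the original post)
# Usage:  .\Test-MitigationPolicy.ps1 -PolicyFile .\settings.xml          # verify only
#         .\Test-MitigationPolicy.ps1 -PolicyFile .\settings.xml -Apply   # import, then verify (needs admin)
param(
    [string]$PolicyFile = ".\settings.xml",
    [switch]$Apply
)

# Assumed mapping from <AppConfig> child element/attribute pairs in the XML to the
# nested properties of the object Get-ProcessMitigation returns. Only on/off settings
# are listed; audit-only attributes are deliberately skipped. Note the naming wrinkle:
# the XML element is <ExtensionPoints>, the output section is "ExtensionPoint".
$Map = @{
    'DEP/Enable'                                    = 'DEP.Enable'
    'DEP/EmulateAtlThunks'                          = 'DEP.EmulateAtlThunks'
    'ASLR/BottomUp'                                 = 'ASLR.BottomUp'
    'ASLR/ForceRelocateImages'                      = 'ASLR.ForceRelocateImages'
    'ASLR/RequireInfo'                              = 'ASLR.RequireInfo'
    'ASLR/HighEntropy'                              = 'ASLR.HighEntropy'
    'StrictHandle/Enable'                           = 'StrictHandle.Enable'
    'ExtensionPoints/DisableExtensionPoints'        = 'ExtensionPoint.DisableExtensionPoints'
    'ControlFlowGuard/Enable'                       = 'CFG.Enable'
    'SignedBinaries/MicrosoftSignedOnly'            = 'BinarySignature.MicrosoftSignedOnly'
    'SignedBinaries/AllowStoreSignedBinaries'       = 'BinarySignature.AllowStoreSignedBinaries'
    'SignedBinaries/EnforceModuleDependencySigning' = 'BinarySignature.EnforceModuleDependencySigning'
    'Fonts/DisableNonSystemFonts'                   = 'FontDisable.DisableNonSystemFonts'
    'ImageLoad/BlockRemoteImageLoads'               = 'ImageLoad.BlockRemoteImageLoads'
    'ImageLoad/BlockLowLabelImageLoads'             = 'ImageLoad.BlockLowLabelImageLoads'
    'SEHOP/Enable'                                  = 'SEHOP.Enable'
    'Heap/TerminateOnError'                         = 'Heap.TerminateOnError'
}

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Walk a dotted path such as 'ASLR.BottomUp' on the live mitigation object and
# return the value as a string (ON / OFF / NOTSET, or '' if the property is absent).
function Get-NestedValue($Object, [string]$Path) {
    $cur = $Object
    foreach ($part in $Path.Split('.')) { $cur = $cur.$part }
    "$cur"
}

[xml]$policy = Get-Content -Path $PolicyFile -Raw

if ($Apply) {
    # Reading the policy works as a normal user; writing it touches HKLM, so the
    # import step is the one that needs an elevated PowerShell.
    if (-not (Test-IsAdmin)) { throw "Set-ProcessMitigation needs an elevated PowerShell." }
    Set-ProcessMitigation -PolicyFilePath $PolicyFile
}

# For each executable in the XML, compare every mapped attribute with the live state.
$results = foreach ($app in $policy.MitigationPolicy.AppConfig) {
    $live = Get-ProcessMitigation -Name $app.Executable
    foreach ($node in $app.ChildNodes) {
        foreach ($attr in $node.Attributes) {
            $key = "$($node.Name)/$($attr.Name)"
            if (-not $Map.ContainsKey($key)) { continue }
            $expected = if ($attr.Value -eq 'true') { 'ON' } else { 'OFF' }
            $actual   = Get-NestedValue $live $Map[$key]
            [pscustomobject]@{
                Executable = $app.Executable
                Setting    = $key
                Expected   = $expected
                Actual     = $actual
                Match      = ($expected -eq $actual)
            }
        }
    }
}

$results | Format-Table -AutoSize
$drift = @($results | Where-Object { -not $_.Match })
if ($drift.Count) { Write-Warning "$($drift.Count) setting(s) differ from $PolicyFile" }
```

A setting that the XML sets to "false" but the live policy reports as NOTSET is reported as drift on purpose: NOTSET means the system default applies, which is not the same as an explicit OFF. Any attribute the `$Map` does not know (the Audit* ones, for instance) is skipped rather than guessed at.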