Advice Request Maximum Anti-Exploit protection settings for your program

  • Thread starter ForgottenSeer 85179


ForgottenSeer 85179

Thread author
Which particular settings do you have in mind?
The ones from Lenny_Fox's post above, or from my post.
Just asking in general.

Also, what's your opinion about that?
@anupritaisno1:
UserShadowStack="true" UserShadowStackStrictMode="true"
this concerns me btw

needs more research

from what i know the shadowstack implementation on x86 is racy

and causes security vulnerabilities
me:
okay? then i wonder why they provide the option
@anupritaisno1:
probably for testing

it's not a ui option for sure

needs research

maybe it is the ROP mitigation

dunno
Andy Ful

From Hard_Configurator Tools
Using mitigations for Windows Explorer or Script Interpreters/ LOLBins would need a lot of research and testing.
It is much easier to do it for a particular user application. I do not think that restricting LOLBins in this way is a good idea (although it may work in some cases). It is better to block them completely. If LOLBins cannot be blocked (like cmd.exe, rundll.exe) then there are some well known methods that help prevent abusing LOLBins, for example:
  1. Command-line whitelisting.
  2. Command-line blacklisting.
  3. Restricting access to command-lines by blocking/whitelisting shortcuts, scripts, and files with active content (SRP).
eonline

last update: 12 Apr 2019
you shouldn't use such outdated programs for security. Also that tool isn't the topic here.
It is outdated, yes, but it can serve the purpose of the theme created and is an easy-to-use tool for creating mitigations in programs.
ForgottenSeer 85179

Thread author
This PowerShell command activates "Force Random Arrangement for Images (mandatory ASLR)":
Code:
Set-ProcessMitigation -System -Enable ForceRelocateImages
Run Powershell as Admin and reboot after running this command.

Info: It may break some programs but should be activated for security reasons.


The same can also be achieved in the GUI:
  • Windows Security -> App & Browser control -> Exploit-Protection -> Enable Random Arrangement for Images (Mandatory ASLR) enabled
eonline

My new configuration, I am open to suggestions to improve. :)

Attachment: Settings.xml.txt (73.9 KB)

eonline

My new configuration, with the help of LOLBAS. Let me know if I missed any.

Attachment: Settings.xml.txt (66.7 KB)

Andy Ful

From Hard_Configurator Tools
My new configuration, with the help of LOLBAS. Let me know if I missed any.

The problem with such restrictions is that the results can be unpredictable. They can work for a few months and then crash something important.

The mmc.exe should not be blocked in this way. Some important features will not work, like Event viewer, Task scheduler, Computer management, Disk management, and several others.
It is possible to block MMC for standard processes via SRP and run it from the elevated shell, like "Windows PowerShell (Admin)".

Edit.
When applying restrictions it is always recommended to create/keep a profile that can easily restore the default Windows settings.
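Putting the ASLR command from the earlier post together with the advice above to keep a profile that restores the defaults, here is an added PowerShell example (my own, not code from the thread or from Hard_Configurator): it exports the current Exploit Protection policy, enables mandatory ASLR system-wide, reads the setting back, and exempts a single program instead of switching the mitigation off globally. The backup path and the program name are placeholders, and the `.ASLR.ForceRelocateImages` property path is assumed from the cmdlet's output layout.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell; the
# system-wide setting still needs a reboot to take effect, as the post says.
#
# Placeholders (not from the thread): backup path and the name of a program
# that turns out to crash under mandatory ASLR.
$Backup    = "$env:USERPROFILE\Desktop\ExploitProtection-before.xml"
$BrokenApp = "legacyapp.exe"   # hypothetical program broken by ForceRelocateImages

# 1. Export the full policy (system defaults plus every per-program entry).
#    This is the same XML format as the Settings.xml attachments in the thread,
#    and it can be imported again to restore exactly this state.
Get-ProcessMitigation -RegistryConfigFilePath $Backup
Write-Host "Backup written to $Backup"

# 2. Enable mandatory ASLR system-wide (the command from the earlier post).
Set-ProcessMitigation -System -Enable ForceRelocateImages

# 3. Read the setting back so the change is verified rather than assumed.
#    Assumption: the ASLR group is exposed as the .ASLR property, with values
#    displayed as ON / OFF / NOTSET.
$aslr = (Get-ProcessMitigation -System).ASLR
Write-Host "System ForceRelocateImages: $($aslr.ForceRelocateImages)"

# 4. If one program breaks, opt out only that program. A per-program entry
#    overrides the system default for that executable name only.
Set-ProcessMitigation -Name $BrokenApp -Disable ForceRelocateImages
$appAslr = (Get-ProcessMitigation -Name $BrokenApp).ASLR
Write-Host "$BrokenApp ForceRelocateImages: $($appAslr.ForceRelocateImages)"

# 5. Ways back, in increasing scope (uncomment the one you need):
#    a) drop only the per-program exemption
# Set-ProcessMitigation -Name $BrokenApp -Remove
#    b) turn the system-wide setting back off
# Set-ProcessMitigation -System -Disable ForceRelocateImages
#    c) restore the whole policy from the backup taken in step 1
# Set-ProcessMitigation -PolicyFilePath $Backup
```

Keep the exported XML outside the machine being tested as well; it is the quickest way to get a known-good state back if a batch of per-program restrictions starts breaking things months later.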
eonline

It must be by coincidence, but I notice less blocking activity in Windows 10 Firewall Control, after applying these restrictions.