Advice Request Maximum Anti-Exploit protection settings for your program

  • Thread starter ForgottenSeer 85179

ForgottenSeer 85179

Thread author
I'd like to open a thread about the maximum possible anti-exploit protection settings (from Windows Defender) so every user can import/export those settings.

First, here is some reading material:

Some basics:
To get all current settings for a process, use this PowerShell command (no admin rights needed!):
Code:
Get-ProcessMitigation -Name processName.exe
(replace "processName.exe" with your own file and/or path)

To export all current settings, use this PowerShell command (no admin rights needed!):
Code:
Get-ProcessMitigation -RegistryConfigFilePath settings.xml
(watch out for the path (%USERPROFILE%) where PowerShell saves the file!)


Let's go:
my Microsoft (new Chromium-)Edge settings:
ProcessName : msedge.exe
Source : Registry
Id : 0

DEP:
Enable : ON
EmulateAtlThunks : ON
Override DEP : False

ASLR:
BottomUp : ON
Override BottomUp : False
ForceRelocateImages : ON
RequireInfo : ON
Override ForceRelocate : False
HighEntropy : ON
Override High Entropy : False

StrictHandle:
Enable : ON
Override StrictHandle : False

System Call:
DisableWin32kSystemCalls : NOTSET
Audit : NOTSET
Override SystemCall : False

ExtensionPoint:
DisableExtensionPoints : ON
Override ExtensionPoint : False

DynamicCode:
BlockDynamicCode : NOTSET
AllowThreadsToOptOut : NOTSET
Audit : NOTSET
Override DynamicCode : False

CFG:
Enable : ON
SuppressExports : OFF
Override CFG : False
StrictControlFlowGuard : NOTSET
Override StrictCFG : False

BinarySignature:
MicrosoftSignedOnly : ON
AllowStoreSignedBinaries : ON
EnforceModuleDependencySigning : ON
AuditMicrosoftSignedOnly : OFF
AuditStoreSigned : OFF
AuditEnforceModuleDependencySigning: OFF
Override MicrosoftSignedOnly : False
Override DependencySigning : False

FontDisable:
DisableNonSystemFonts : ON
Audit : OFF
Override FontDisable : False

ImageLoad:
BlockRemoteImageLoads : ON
AuditRemoteImageLoads : OFF
Override BlockRemoteImages : False
BlockLowLabelImageLoads : ON
AuditLowLabelImageLoads : OFF
Override BlockLowLabel : False
PreferSystem32 : NOTSET
AuditPreferSystem32 : NOTSET
Override PreferSystem32 : False

Payload:
EnableExportAddressFilter : NOTSET
AuditEnableExportAddressFilter : NOTSET
Override ExportAddressFilter : False
EnableExportAddressFilterPlus : NOTSET
AuditEnableExportAddressFilterPlus : NOTSET
Override ExportAddressFilterPlus : False
EAFModules : {}
EnableImportAddressFilter : NOTSET
AuditEnableImportAddressFilter : NOTSET
Override ImportAddressFilter : False
EnableRopStackPivot : NOTSET
AuditEnableRopStackPivot : NOTSET
Override EnableRopStackPivot : False
EnableRopCallerCheck : NOTSET
AuditEnableRopCallerCheck : NOTSET
Override EnableRopCallerCheck : False
EnableRopSimExec : NOTSET
AuditEnableRopSimExec : NOTSET
Override EnableRopSimExec : False

SEHOP:
Enable : ON
TelemetryOnly : OFF
Audit : NOTSET
Override SEHOP : False

Heap:
TerminateOnError : ON
Override HEAP : False

Child Process:
DisallowChildProcessCreation : NOTSET
Audit : NOTSET
Override ChildProcess : False
I guess there is some tuning possible, but it looks like nobody has tried yet :(

In the exported text file it looks easier:
<AppConfig Executable="msedge.exe">
<DEP Enable="true" EmulateAtlThunks="true" />
<ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
<StrictHandle Enable="true" />
<ExtensionPoints DisableExtensionPoints="true" />
<ControlFlowGuard Enable="true" SuppressExports="false" />
<SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="true" Audit="false" AuditStoreSigned="false" EnforceModuleDependencySigning="true" />
<Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
<ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
<SEHOP Enable="true" TelemetryOnly="false" />
<Heap TerminateOnError="true" />
</AppConfig>
This can now be saved in a settings.xml file and then imported with this PowerShell command:
Code:
Set-ProcessMitigation -PolicyFilePath .\settings.xml
(change the path to the settings.xml if needed!)
 

oldschool

What about just using that "configuredefender" program?... Is that doing something similar?
No, CD is limited to configuring Windows Defender AV only and not exploit protection (App & browser control).
Also to @Lenny_Fox - users in old MT threads suggested EMET had a more user-friendly GUI, but I don't know as I never used it. The above-referenced link shows current exploit protection has been expanded. It appears daunting to use without much guidance from M$, but in reality a little trial and error using WSC to configure one application at a time is not really difficult.

From my security configuration thread:

Exploit Protection settings for browsers (thanks to @Umbra). These have not broken anything yet, e.g. extensions crashing.
- for Brave, Edge and Firefox:

Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

ADD for Edge Chromium only: Code integrity guard - ON (with or without Also allow images signed by M$ Store CHECKED)
________________________________

You may protect other apps (office, music, email clients, etc.) with similar but not necessarily exact settings applied.

Nice thread @security123. It can prove to be a handy resource for some MT members. (y)
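
An added example, not written by any poster in this thread: a PowerShell audit of an exported policy file (the `<AppConfig>` format from the first post) against the browser checklist in the post above. The `<MitigationPolicy>` root element, the `firefox.exe` process name and the function name `Test-MitigationPolicy` are assumptions, and the label-to-attribute mapping is inferred from the exported Edge XML.

```powershell
# Added example (not from the thread). Keys are the Windows Security labels from the
# checklist; values are element/@attribute paths as seen in the exported <AppConfig>.
$baseline = [ordered]@{
    'Data execution prevention (DEP)'     = 'DEP/@Enable'
    'Enable thunk emulation'              = 'DEP/@EmulateAtlThunks'
    'Mandatory ASLR'                      = 'ASLR/@ForceRelocateImages'
    'Do not allow stripped images'        = 'ASLR/@RequireInfo'
    'Bottom-up ASLR'                      = 'ASLR/@BottomUp'
    'Validate handle usage'               = 'StrictHandle/@Enable'
    'Disable extension points'            = 'ExtensionPoints/@DisableExtensionPoints'
    'Control flow guard (CFG)'            = 'ControlFlowGuard/@Enable'
    'Validate image dependency integrity' = 'SignedBinaries/@EnforceModuleDependencySigning'
    'Block untrusted fonts'               = 'Fonts/@DisableNonSystemFonts'
    'Block remote images'                 = 'ImageLoad/@BlockRemoteImageLoads'
    'Block low integrity images'          = 'ImageLoad/@BlockLowLabelImageLoads'
    'Validate exception chains (SEHOP)'   = 'SEHOP/@Enable'
    'Validate heap integrity'             = 'Heap/@TerminateOnError'
}
# Extra check the checklist applies to Edge Chromium only.
$edgeOnly = [ordered]@{ 'Code integrity guard' = 'SignedBinaries/@MicrosoftSignedOnly' }

function Test-MitigationPolicy {
    param([xml]$Policy, [string[]]$Executable)
    foreach ($exe in $Executable) {
        $app = $Policy.SelectSingleNode("//AppConfig[@Executable='$exe']")
        if ($null -eq $app) {
            [pscustomobject]@{ Executable = $exe; Mitigation = '(no AppConfig entry)'; Found = 'not set' }
            continue
        }
        $checks = @($baseline.GetEnumerator())
        if ($exe -eq 'msedge.exe') { $checks += @($edgeOnly.GetEnumerator()) }
        foreach ($c in $checks) {
            $attr  = $app.SelectSingleNode($c.Value)
            $found = if ($null -eq $attr) { 'not set' } else { $attr.Value }
            # Emit only the gaps: anything that is absent or not "true".
            if ($found -ne 'true') {
                [pscustomobject]@{ Executable = $exe; Mitigation = $c.Key; Found = $found }
            }
        }
    }
}

# Constructed sample input; the <MitigationPolicy> root element is an assumption.
$sample = @'
<MitigationPolicy>
  <AppConfig Executable="firefox.exe">
    <DEP Enable="true" EmulateAtlThunks="true" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" />
    <ControlFlowGuard Enable="true" />
  </AppConfig>
</MitigationPolicy>
'@
Test-MitigationPolicy -Policy $sample -Executable 'firefox.exe', 'msedge.exe' | Format-Table -AutoSize
```

For a real export, pass `(Get-Content -Raw .\settings.xml)` as `-Policy`. The executable name match is case-sensitive, and an attribute that is absent from the file is reported as not set.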

Ink

Enchanted security is never designed for normal consumer.
Then I doubt anyone using their 3rd party security software for exploit protections would ever bother with this.
I'd like to open a thread about the maximum possible anti-exploit protection settings so every user can import/export those settings.
 

oldschool

Both EMET and Exploit protection were not geared towards general consumers to configure.
True .... but
Far too complicated.
Complicated only in name. The names of the settings are intimidating to users who don't understand computer processes well, like myself. The practical reality is that, in the end, these settings are simply a matter of trial and error when configuring an app. Nonetheless, the names remain intimidating to most users - if they even bother to open and investigate exploit protection settings.

I think it is human nature - fear of the unknown. Until someone in the pack breaks through the fear to investigate and then report back "Hey, this isn't what you think it is. No reason to be afraid." Otherwise humans would never evolve. 🤔
 

Tutman

Same, but just Comodo Firewall, MBAE or CheckMAL AppCheck; too complicated to make such settings myself, increases paranoia as I've forgotten something, when such tools just do automatically cover everything.
Don't CheckMAL AppCheck's exploit settings do the same thing as Malwarebytes Anti-Exploit? (Is Malwarebytes AE still any good?) Or with add-ons like AdGuard and others in the browser, is that still needed?
 

Moonhorse

Don't CheckMAL AppCheck's exploit settings do the same thing as Malwarebytes Anti-Exploit? (Is Malwarebytes AE still any good?) Or with add-ons like AdGuard and others in the browser, is that still needed?
Windows 10 has that attack exploit protection, which is enabled by default in settings, with the settings that match most users best.

Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.

And those additional options are where you can harden the browser yourself against some exploits (?)

So you don't need a specific app just for covering browsers, or such an anti-exploit tool, to run on your computer, but AppCheck has some kind of anti-exploit protection for browsers in the free version, and the paid version has that for Office stuff.

Malwarebytes Anti-Exploit beta is available for free as a standalone program, which is a true anti-exploit, and that is also nowadays bundled with the paid Malwarebytes Anti-Malware.

Both AppCheck and MBAE beta are pretty light standalone apps; the free version of AppCheck is limited so it only covers browsers, and MBAE beta will cover everything you want to... I don't see any harm in running one of these along with the current setup you have, unless you have antivirus software which has some kind of protection module which does the exact thing.

I'm not very familiar with these tools, but I have used MBAE beta on my sister's PC for years, and AppCheck I've tried a few times.

TLDR: you don't need such an anti-exploit app at all, but if you want to have an extra layer of security you can try these tools.
 

Tutman

Both AppCheck and MBAE beta are pretty light standalone apps; the free version of AppCheck is limited so it only covers browsers, and MBAE beta will cover everything you want to... I don't see any harm in running one of these along with the current setup you have, unless you have antivirus software which has some kind of protection module which does the exact thing.

I'm not very familiar with these tools, but I have used MBAE beta on my sister's PC for years, and AppCheck I've tried a few times.

TLDR: you don't need such an anti-exploit app at all, but if you want to have an extra layer of security you can try these tools.
Thanks much! I am testing some new things and using WD (for the FIRST time in a looong time!) And... it's gotten so much lighter! 😲 I am wanting to see if I need another anti-exploit line of defense and separate ransomware protection. (Cannot use the Edge/browser exploit protection because I use an Android emulator and it conflicts if Hyper-V is turned on) :confused:
 

oldschool

Cannot use the Edge/browser exploit protection because I use an Android emulator and it conflicts if Hyper-V is turned on
Hyper-V is not needed for Windows Security Center > App and browser control > Exploit protection, either in default configuration or customized for browsers & apps. Or you may try MBAE beta if you want an alternative.
 

ErzCrz

I suppose I should do some research into this but apart from using H_C I don't really tend to do much tweaking.

There's probably a detailed article somewhere, I'm just too lazy to look this evening lol
 

Tutman

Hyper-V is not needed for Windows Security Center > App and browser control > Exploit protection, either in default configuration or customized for browsers & apps. Or you may try MBAE beta if you want an alternative.
Yes, I got confused; it was the isolated browser settings I turned on that conflicted.
 
