Maximum Anti-Exploit protection settings for your program
[QUOTE="ForgottenSeer 85179, post: 873096"]
I'd like to open a thread about the maximum possible anti-exploit protection settings (from Windows Defender) so every user can import/export those settings.

First, here is some reading material:
[URL unfurl="true"]https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection[/URL]
[URL unfurl="true"]https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection[/URL]

Some basics:
To get all current settings for a process, use this PowerShell (no admin rights needed!) command:
[CODE]Get-ProcessMitigation -Name processName.exe[/CODE]
(replace "processname.exe" with your own file and/or path)

To export all current settings, use this PowerShell (no admin rights needed!) command:
[CODE]Get-ProcessMitigation -RegistryConfigFilePath settings.xml[/CODE]
(watch out for the path (%USERPROFILE%) where PowerShell saves the file!)

Let's go:
My Microsoft (new Chromium) Edge settings:
[SPOILER]
ProcessName : msedge.exe
Source : Registry
Id : 0

DEP:
 Enable : ON
 EmulateAtlThunks : ON
 Override DEP : False

ASLR:
 BottomUp : ON
 Override BottomUp : False
 ForceRelocateImages : ON
 RequireInfo : ON
 Override ForceRelocate : False
 HighEntropy : ON
 Override High Entropy : False

StrictHandle:
 Enable : ON
 Override StrictHandle : False

System Call:
 DisableWin32kSystemCalls : NOTSET
 Audit : NOTSET
 Override SystemCall : False

ExtensionPoint:
 DisableExtensionPoints : ON
 Override ExtensionPoint : False

DynamicCode:
 BlockDynamicCode : NOTSET
 AllowThreadsToOptOut : NOTSET
 Audit : NOTSET
 Override DynamicCode : False

CFG:
 Enable : ON
 SuppressExports : OFF
 Override CFG : False
 StrictControlFlowGuard : NOTSET
 Override StrictCFG : False

BinarySignature:
 MicrosoftSignedOnly : ON
 AllowStoreSignedBinaries : ON
 EnforceModuleDependencySigning : ON
 AuditMicrosoftSignedOnly : OFF
 AuditStoreSigned : OFF
 AuditEnforceModuleDependencySigning: OFF
 Override MicrosoftSignedOnly : False
 Override DependencySigning : False

FontDisable:
 DisableNonSystemFonts : ON
 Audit : OFF
 Override FontDisable : False

ImageLoad:
 BlockRemoteImageLoads : ON
 AuditRemoteImageLoads : OFF
 Override BlockRemoteImages : False
 BlockLowLabelImageLoads : ON
 AuditLowLabelImageLoads : OFF
 Override BlockLowLabel : False
 PreferSystem32 : NOTSET
 AuditPreferSystem32 : NOTSET
 Override PreferSystem32 : False

Payload:
 EnableExportAddressFilter : NOTSET
 AuditEnableExportAddressFilter : NOTSET
 Override ExportAddressFilter : False
 EnableExportAddressFilterPlus : NOTSET
 AuditEnableExportAddressFilterPlus : NOTSET
 Override ExportAddressFilterPlus : False
 EAFModules : {}
 EnableImportAddressFilter : NOTSET
 AuditEnableImportAddressFilter : NOTSET
 Override ImportAddressFilter : False
 EnableRopStackPivot : NOTSET
 AuditEnableRopStackPivot : NOTSET
 Override EnableRopStackPivot : False
 EnableRopCallerCheck : NOTSET
 AuditEnableRopCallerCheck : NOTSET
 Override EnableRopCallerCheck : False
 EnableRopSimExec : NOTSET
 AuditEnableRopSimExec : NOTSET
 Override EnableRopSimExec : False

SEHOP:
 Enable : ON
 TelemetryOnly : OFF
 Audit : NOTSET
 Override SEHOP : False

Heap:
 TerminateOnError : ON
 Override HEAP : False

Child Process:
 DisallowChildProcessCreation : NOTSET
 Audit : NOTSET
 Override ChildProcess : False
[/SPOILER]
I guess there is some tuning possible, but it looks like nobody has tried yet :(

In the exported text file it looks simpler:
[SPOILER]
<!-- MitigationPolicy is the root element of the file Get-ProcessMitigation exports -->
<MitigationPolicy>
 <AppConfig Executable="msedge.exe">
  <DEP Enable="true" EmulateAtlThunks="true" />
  <ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
  <StrictHandle Enable="true" />
  <ExtensionPoints DisableExtensionPoints="true" />
  <ControlFlowGuard Enable="true" SuppressExports="false" />
  <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="true" Audit="false" AuditStoreSigned="false" EnforceModuleDependencySigning="true" />
  <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
  <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
  <SEHOP Enable="true" TelemetryOnly="false" />
  <Heap TerminateOnError="true" />
 </AppConfig>
</MitigationPolicy>
[/SPOILER]
This can now be saved in a settings.xml file and then imported by this PowerShell command:
[CODE]Set-ProcessMitigation -PolicyFilePath .\settings.xml[/CODE]
(change the path to the settings.xml if needed!)
[/QUOTE]
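An added example, not part of ForgottenSeer 85179's post, that strings the three commands from the post into one script: back up the current registry configuration (so the change can be rolled back with the same import command), write the Edge settings quoted above into a policy file, import them, then re-export and compare attribute by attribute what is actually stored for msedge.exe. The folder and file names are placeholders chosen for this example; the script assumes the `<MitigationPolicy>` root element is the one the exported file uses and that the session is elevated for the `Set-ProcessMitigation` step, since that cmdlet writes to HKLM.

```powershell
# Added example (not from the original post). Assumes the Windows ProcessMitigations
# module (Get-/Set-ProcessMitigation) is available and the prompt is elevated for step 3.
# Folder and file names are placeholders chosen for this example.
$workDir   = Join-Path $env:USERPROFILE 'ExploitProtection'
$policyXml = Join-Path $workDir 'settings.xml'
$backupXml = Join-Path $workDir ('backup-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
$afterXml  = Join-Path $workDir 'after-import.xml'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Back up what is configured now. Rolling back later is just
#    Set-ProcessMitigation -PolicyFilePath $backupXml
Get-ProcessMitigation -RegistryConfigFilePath $backupXml

# 2. The per-process settings from the post, inside the <MitigationPolicy>
#    root element (assumed here to match the exported file's layout).
@'
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <AppConfig Executable="msedge.exe">
    <DEP Enable="true" EmulateAtlThunks="true" />
    <ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
    <StrictHandle Enable="true" />
    <ExtensionPoints DisableExtensionPoints="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SignedBinaries MicrosoftSignedOnly="true" AllowStoreSignedBinaries="true" Audit="false" AuditStoreSigned="false" EnforceModuleDependencySigning="true" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
    <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>
</MitigationPolicy>
'@ | Set-Content -Path $policyXml -Encoding UTF8

# 3. Import. This writes to the registry, so run it from an elevated prompt.
Set-ProcessMitigation -PolicyFilePath $policyXml

# 4. Re-export and compare the stored configuration for msedge.exe with the
#    policy that was requested, one attribute at a time.
Get-ProcessMitigation -RegistryConfigFilePath $afterXml

function Get-AppConfigAttributes {
    # Returns a hashtable like @{ 'DEP.Enable' = 'true'; ... } for one executable
    # in a MitigationPolicy XML file; empty if the executable has no entry.
    param([string]$Path, [string]$Executable)
    $doc    = [xml](Get-Content -Path $Path -Raw)
    $app    = $doc.MitigationPolicy.AppConfig | Where-Object { $_.Executable -eq $Executable }
    $result = @{}
    if ($null -eq $app) { return $result }
    foreach ($node in $app.ChildNodes) {
        if ($node.NodeType -ne 'Element') { continue }   # skip comments
        foreach ($attr in $node.Attributes) {
            $result["$($node.Name).$($attr.Name)"] = $attr.Value
        }
    }
    return $result
}

$wanted = Get-AppConfigAttributes -Path $policyXml -Executable 'msedge.exe'
$actual = Get-AppConfigAttributes -Path $afterXml  -Executable 'msedge.exe'

foreach ($key in ($wanted.Keys | Sort-Object)) {
    $state = if ($actual[$key] -eq $wanted[$key]) { 'OK     ' } else { 'MISSING' }
    '{0} {1} = {2} (stored: {3})' -f $state, $key, $wanted[$key], $actual[$key]
}
```

Any line reported as MISSING means the registry does not hold the value the policy asked for, which is the case worth checking before assuming a process is covered; the backup file from step 1 restores the previous state with the same `Set-ProcessMitigation -PolicyFilePath` call.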