Microsoft: Here’s How Windows 10 Protected Users Against WannaCry

Status
Not open for further replies.

Exterminator (Community Manager, thread author):

Windows 10 was immune to WannaCry ransomware thanks to updates released by Microsoft in March this year, so the infection compromised mostly unpatched Windows 7 and Windows Server 2008 systems.

In research published today, Microsoft explains how Windows 10 managed to protect users against WannaCry (also referred to as WannaCrypt), explaining that the built-in mitigation system can provide additional protection, unlike Windows 7 and Windows 8.1, which both lack such features.

The company explains that, thanks to virtualization-based security, Windows 10 users are protected even before the breach, with the secure kernel stopping malicious code from being loaded into the Windows kernel through kernel Control Flow Guard (kCFG).

Furthermore, Windows 10 can stop shellcode injections with non-executable and randomized kernel memory regions (NX non-paged pool and KASLR).

In case the breach does occur, Device Guard and Windows Defender work together to block and intercept the malware in the initial stages of the attack, allowing only authorized applications to run and analyzing suspicious files. Furthermore, there’s Windows Defender Advanced Threat Protection, which protects networks, providing IT admins with reports and information on attack attempts for each computer in the network.

Keep systems up-to-date
Microsoft also goes on to explain how critical it is to install the latest security updates on Windows systems, pointing out that most compromised systems were running unpatched versions of Windows 7.

“While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. For older Windows versions like Windows 7 and Windows Server 2008 that didn’t take the fix in security bulletin MS17-010, but had cloud protection turned on (in Microsoft Security Essentials or Windows Defender AV) WannaCrypt was prevented from executing,” Microsoft explains.

“However, these older versions do not have the level of exploit hardening and platform features (e.g., Device Guard, instant cloud protection etc.) available in Windows 10 to effectively protect against the threat.”

More recently, white-hat hackers managed to port WannaCry to Windows 10, though no specifics were provided, with the whole project created only for research purposes and not to put Windows users at risk.
 

ravi prakash saini:
I was very much able to run WannaCry and encrypt files on a fully updated Windows 10 64-bit.
I do not know about the other parts of the world, but in India I saw the maximum number of pirated Windows 7 copies, and I think this is the real reason for the maximum number of infections on Windows 7.
If security measures are higher in the higher version, then the maximum infections should be on XP. Do not say XP is dead; it is still being used.
Mind you, in the case of XP no patching program was required to activate it; if one had one activation key and CD he could install it on many systems. It was piracy, but the OS was virgin.
Whereas to activate pirated Windows 7 one has to install malware-sort-of things oneself, and by doing so I do not know how many doors were opened for malware to enter.
 
Deleted member 178:
@ravi prakash saini they talk about the exploit part of the WannaCry attack, EternalBlue (SMB kernel exploit) + DoublePulsar (backdoor kernel exploit); those seem to be stopped by Win10. WannaCry (the ransomware) won't be, because there is not (yet) a protection against it. However, in the next upgrade of Win10 we will have a mechanism called "Protected Folders" that prevents programs/processes from accessing designated folders (AppGuard has this feature).
 

ravi prakash saini:
@Umbra sir, can the average user understand the difference between WannaCry and WannaCry (ransomware)? For him it is like: Windows 10 is protected against WannaCry, but in the next upgrade it will also be protected against WannaCry (ransomware).
And whoever knows the difference can protect himself regardless of EternalBlue (SMB kernel exploit) + DoublePulsar (backdoor kernel exploit).
 
Deleted member 178:
@Umbra sir, can the average user understand the difference between WannaCry and WannaCry (ransomware)? For him it is like: Windows 10 is protected against WannaCry, but in the next upgrade it will also be protected against WannaCry (ransomware).
They won't understand :p

And whoever knows the difference can protect himself regardless of EternalBlue (SMB kernel exploit) + DoublePulsar (backdoor kernel exploit)
The user on Win10 has nothing to do; Win10 features (Control Flow Guard, etc.) will "normally" take care of the exploits.
 

kamla5abi:
I admittedly know little about the security features that are built into Windows 10, so some questions:

1) " thanks to virtualization-based security Windows 10 users are protected even before the breach, with the secure kernel stopping malicious code from being loaded into the Windows Kernel through the kernel Control Flow Guard (kCFG)"
---> Is this virtualization based security enabled by default? If not, where do we find this stuff to enable it? And is the kCFG stuff enabled too by default? If not, where is this found?

2) "Windows 10 can stop shellcode injections with non-executable and randomized kernel memory regions (NS Paged Pool and KASLR)"
---> Is this stuff enabled by default? If not, where is this stuff found so we can see if it is enabled, or enable it ourselves if it isn't enabled by default?

3) "In case the breach does occur, Device Guard and Windows Defender work together to block and intercept the malware in the initial stages of the attack, allowing only authorized applications to run and analyzing suspicious files. "
---> Is Device Guard enabled by default? Is Device Guard what "allows only authorized applications to run" or are they talking about Windows Defender for that part?

4) "Furthermore, there’s Windows Defender Advanced Threat Protection which protects networks"
---> Windows Defender ATP is only for the Enterprise/Education/Pro versions of Windows 10, it sounds like? (from quick googling) MS does have links saying "start trial now", but from the documentation it seems it should be installed/used in a managed setting, not so much by individual home users. And if you install a third-party AV, putting Windows Defender into passive mode, Windows Defender still kind of runs and updates, but users can't configure anything or run scans with it. And the ATP part depends on Windows Defender to run scans. So if you use a third-party AV, it sounds like the ATP stuff is useless since Windows Defender is in passive mode? Of course I don't even know if the ATP stuff is as great as MS makes it sound... haven't looked at any testing done by others yet.

-----------Stuff below this isn't from the article----------

1) I've read how "Windows 10 Creators Update brings enhancements to Windows Defender" and the security features etc. (such as this link: Windows Defender Antivirus), but it looks like at least some features won't work for Windows 10 Home (haven't read too much about the new features yet, so maybe there are some that will work for the Home version, assuming you are using Windows Defender as the AV, I guess). Example: the "Block at First Sight" stuff requires certain settings to be enabled via Group Policy, which of course doesn't exist in the Home version (explained here: Enable Block at First Sight to detect malware in seconds).
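The questions above (is VBS on, is kCFG on, is Device Guard on, is cloud protection at the level Block at First Sight needs) can be answered on your own machine without changing anything. The script below is an added example written for this thread; it is not from the article, from Microsoft, or from any poster. It reads back the state of the mitigations the article names (VBS and HVCI, under which kCFG is enforced; the kernel-mode code integrity policy the article calls Device Guard), whether an MS17-010 update is present on a pre-1703 build, whether SMBv1 is still on, what is listening on or connected to TCP 445, and Defender's cloud and sample-submission settings. It assumes Windows 10 (or Server 2016) or later, an elevated PowerShell prompt, and the built-in CimCmdlets, SmbShare, NetSecurity, NetTCPIP and Defender modules; the KB numbers are the ones listed in the MS17-010 bulletin, and the function name is mine.

```powershell
# Added audit script, not from the article or from any post in this thread.
# Read-only: reports whether the mitigations the article lists are actually on,
# whether an MS17-010 update is present, and how exposed TCP 445 is.
# Assumptions: Windows 10 / Server 2016 or later, elevated PowerShell, the
# built-in CimCmdlets, SmbShare, NetSecurity, NetTCPIP and Defender modules.

function Get-WannaCryExposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $r = [ordered]@{
        Caption = $os.Caption
        Build   = $build
        # 15063 = Windows 10 1703, released after the March 2017 fix, so the
        # build number alone says the SMB fix is in the base image.
        BuiltInSmbFix = ($build -ge 15063)
    }

    # MS17-010 KBs from the bulletin, for builds that needed a separate update
    # (Win10 1507/1511/1607, Win7/2008 R2, 8.1/2012 R2, 2012, 2008/Vista/XP/2003).
    # A later cumulative update supersedes these, so "none found" on a
    # pre-1703 box means "check the build against the bulletin", not "vulnerable".
    $ms17010 = 'KB4012606','KB4013198','KB4013429','KB4012212','KB4012215',
               'KB4012213','KB4012216','KB4012214','KB4012217','KB4012598'
    $found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID
    $r.Ms17010Kbs = ($found -join ',')

    # VBS / HVCI (kCFG is enforced through HVCI) and the kernel CI policy
    # that the article calls Device Guard. msinfo32 reads the same CIM class.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured but not running, 2 = running
    $r.VbsStatus              = $dg.VirtualizationBasedSecurityStatus
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $r.HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    $r.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $r.KernelCiPolicy         = $dg.CodeIntegrityPolicyEnforcementStatus

    # SMBv1 is the dialect EternalBlue speaks; the bug is in srv.sys, the server side.
    $r.Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $r.Smb1Feature = if ($feat) { $feat.State.ToString() } else { 'n/a' }

    # Inbound reachability of 445 is what matters, whatever this box does as a client.
    $conns = Get-NetTCPConnection -LocalPort 445 -ErrorAction SilentlyContinue
    $r.Port445Listening = [bool]($conns | Where-Object State -eq 'Listen')
    $r.Port445Peers     = (($conns | Where-Object State -eq 'Established' |
                            Select-Object -ExpandProperty RemoteAddress -Unique) -join ',')
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
                  Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
    $r.Port445InboundBlockRule = [bool]$blockRules

    # Defender cloud protection: what saved unpatched Win7 boxes in Microsoft's write-up.
    try {
        $mp = Get-MpPreference -ErrorAction Stop
        $st = Get-MpComputerStatus -ErrorAction Stop
        $r.DefenderRealtime = $st.RealTimeProtectionEnabled
        # MAPSReporting 0 = off, 1 = basic, 2 = advanced; Block at First Sight needs 2
        # plus SubmitSamplesConsent of 1 (safe samples) or 3 (all samples).
        $r.CloudProtection  = $mp.MAPSReporting
        $r.SampleSubmission = $mp.SubmitSamplesConsent
    } catch {
        $r.DefenderRealtime = 'Defender cmdlets unavailable (third-party AV or passive mode?)'
    }

    [pscustomobject]$r
}

Get-WannaCryExposure | Format-List
```

On a stock 1703 consumer install expect VbsStatus 0 and HvciRunning False: neither is on by default. They are switched on under Computer Configuration > Administrative Templates > System > Device Guard (or the matching values under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard), need a 64-bit CPU with SLAT and an IOMMU, and HVCI will not start while any loaded driver is not HVCI-compatible. KASLR and the NX pool have no switch; they are always on. On a 1703 or later build Ms17010Kbs is expected to be empty and is irrelevant, because the fix is part of the base image.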
 

kamla5abi:
@Umbra from your posts (not just in this thread, but others too) it seems like you know a great deal about the Windows 10 built-in security feature stuff :cool: (and I of course do not ;)). I only recently found @Andy Ful's Windows 10 hardening configuration tool thing by randomly seeing older threads/posts, so I am looking into that when time permits :oops:

I am wondering if there's a write up or thread somewhere that you (or someone else) have written about and talked about all of the various built in security features in windows 10 that I can read and try to figure some of that stuff out? :)
 
Deleted member 178:
I am wondering if there's a write up or thread somewhere that you (or someone else) have written about and talked about all of the various built in security features in windows 10 that I can read and try to figure some of that stuff out? :)

Most are here:
Microsoft
(the pinned threads)
 
509322:
It's fine and dandy to want to know the technicals, but what is really, and more practically, important is to upgrade to the latest Windows 10 and always keep the system updated.

The second best thing to do, after putting a sound protection plan in-place, is to stay out of your own mind. 99 % of what goes on on these forums is psychological. It's like holding a $100 bill in your hand, but continually wondering if it is really only a $99 dollar bill - swirling and debating with yourself in your own mind, doubting the decisions that you have made.

News flash... the Windows 10 1703+ kernel is sure to contain vulnerabilities. Sooner or later someone will find a way to exploit it. If what they discover is a real doozy, like EB\DP, then someone somewhere will pay a very high price for it and harbor what they paid dearly for as long as they can. At that level, they won't squander it on some ransomware campaign. EB\DP is unusual in that it was dumped onto the net.
 
HarborFront:
@ravi prakash saini they talk about the exploit part of the WannaCry attack, EternalBlue (SMB kernel exploit) + DoublePulsar (backdoor kernel exploit); those seem to be stopped by Windows 10. WannaCry (the ransomware) won't be, because there is not (yet) a protection against it. However, in the next upgrade of Windows 10 we will have a mechanism called "Protected Folders" that prevents programs/processes from accessing designated folders (AppGuard has this feature).
As a user I just need to know which software can stop EB, DP and WannaCry completely. I'll just install the software that can do the job.

I know I'll need AppGuard, ReHIPS and HMPA.

That Windows cannot do it is OK for me, even with the latest patches.

:D
 
509322:
As a user I just need to know which software can stop EB, DP and WannaCry completely. I'll just install the software that can do the job.

I know I'll need AppGuard, ReHIPS and HMPA.

That Windows cannot do it is OK for me, even with the latest patches.

:D

You don't need any of that. Even if you were running obsolete Windows 7 with SMB enabled, you would not be susceptible until you actually connected to an SMB server. If you do not know what SMB is, then it is likely that you don't even need to worry about it.

If you are not sharing files by accessing an SMB server, then your system is not the client of an SMB server. Are you still paranoid? Then run Wireshark and, under Protocol, search for SMB, SMB2, etc. If you don't see it, then you are not using SMB.

Microsoft pushed security patches for both EB and DP before the WannaCry attack ever took place. So if you applied those security updates, then you are not at risk, if you ever use SMB server-client. Those exploits require a specific set of conditions in order for you to be at risk, and the vast majority of all users were never at risk in the first place.

If you are ultra-paranoid, you can block port 445, disable all SMB, make registry hacks.

AppGuard and ReHIPS are not anti-exploit programs. They will both deal with the post-exploit payload. The HMP.A betas, 600 series and higher, have mitigations for EB and DP. The easiest and most effective way to deal with exploits is to keep your OS and software updated always.

Your post is a prime example of the absolute confusion and resultant craziness regarding EB and DP.
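The controls mentioned in the post above (disable SMB, block port 445) and in Deleted member 178's earlier post ("Protected Folders", which shipped in Windows 10 1709 under the name Controlled folder access) as one script, added here as an example that is not from any poster, from the article, or from Microsoft. One point of fact the script depends on: the EternalBlue bug is in the SMB server driver (srv.sys), so what matters is whether other hosts can reach TCP 445 on this machine, which is why the firewall rule is inbound. Assumptions: Windows 10 1709 or later, an elevated prompt, and Defender as the active AV (the Set-MpPreference calls do nothing useful while Defender is in passive mode under a third-party AV); the function name, rule name and default folder list are mine.

```powershell
# Added hardening script, not from the article or from any post in this thread.
# Applies three controls discussed in the thread: SMBv1 off, inbound TCP 445
# blocked, Controlled folder access (the "Protected Folders" feature) on.
# Assumptions: Windows 10 1709 or later, elevated PowerShell, Defender active.

function Set-WannaCryHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folders ransomware must not be allowed to write to. Hypothetical defaults.
        [string[]]$ProtectedFolders = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures"),
        # Start in audit mode to see what would have been blocked before enforcing.
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$CfaMode = 'AuditMode',
        # Only for machines that do not serve files: the rule also stops SMBv2/3 sharing.
        [switch]$BlockInbound445
    )
    $ruleName = 'Block inbound SMB (TCP 445) - added example'

    # 1. SMBv1: remove the dialect the exploit speaks, server side and client side.
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Removing the optional feature also drops the SMBv1 client (mrxsmb10.sys).
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    # 2. Inbound 445. The rule applies to every profile; narrow it with -Profile on
    #    New-NetFirewallRule if this machine must keep serving files on a domain.
    if ($BlockInbound445 -and $PSCmdlet.ShouldProcess('Firewall', 'Block inbound TCP 445')) {
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Enabled True | Out-Null
        }
    }

    # 3. Controlled folder access: processes not on Defender's trusted list are
    #    denied writes to the listed folders (audit mode only logs the attempt).
    if ($PSCmdlet.ShouldProcess('Defender', "Controlled folder access = $CfaMode")) {
        Set-MpPreference -EnableControlledFolderAccess $CfaMode
        foreach ($f in $ProtectedFolders) {
            if (Test-Path $f) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
        }
        # Block at First Sight needs advanced cloud reporting plus sample submission.
        # Home editions have no Group Policy, but these cmdlets set the same values.
        Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
    }

    # Read back what is now in effect so the change can be verified.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $mp   = Get-MpPreference
    [pscustomobject]@{
        Smb1ServerEnabled      = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1Feature            = if ($feat) { $feat.State.ToString() } else { 'n/a' }
        ControlledFolderAccess = $mp.EnableControlledFolderAccess   # 0 = off, 1 = on, 2 = audit
        ProtectedFolders       = ($mp.ControlledFolderAccessProtectedFolders -join ';')
        Inbound445Blocked      = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    }
}

# Preview first; drop -WhatIf to apply.
Set-WannaCryHardening -BlockInbound445 -WhatIf
```

Run it once with -WhatIf to see each step, then without. Leave Controlled folder access in AuditMode for a few days and review the Windows Defender operational log for the blocked-write events before switching to Enabled, since legitimate software (backup agents, office suites with unusual save paths) is what audit mode is there to catch; anything that must write to the folders is added with Add-MpPreference -ControlledFolderAccessAllowedApplications.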
 
Deleted member 178:
You don't need any of that. Even if you were running obsolete Windows 7 with SMB enabled, you would not be susceptible until you actually connected to an SMB server. If you do not know what that is, then you don't even need to worry about it.

Microsoft pushed security patches for both EB and DP before the WannaCry attack ever took place. So if you applied those security updates, then you are not at risk - if you ever use SMB server-client.

If you are ultra-paranoid, you can block port 445, disable all SMB, make registry hacks.

AppGuard and ReHIPS are not anti-exploit programs. They will both deal with the post-exploit payload. The HMP.A betas 600 series and higher have mitigations for EB and DP.

Your post is a prime example of the absolute craziness regarding EB and DP.

Exactly.

If I can use an analogy, it is like preparing a bunker expecting a mass nuclear attack from North Korea.
 

HarborFront:
You don't need any of that. Even if you were running obsolete Windows 7 with SMB enabled, you would not be susceptible until you actually connected to an SMB server. If you do not know what SMB is, then it is likely that you don't even need to worry about it.

If you are not sharing files by accessing an SMB server, then your system is not the client of an SMB server. Are you still paranoid? Then run Wireshark and, under Protocol, search for SMB, SMB2, etc. If you don't see it, then you are not using SMB.

Microsoft pushed security patches for both EB and DP before the WannaCry attack ever took place. So if you applied those security updates, then you are not at risk, if you ever use SMB server-client. Those exploits require a specific set of conditions in order for you to be at risk, and the vast majority of all users were never at risk in the first place.

If you are ultra-paranoid, you can block port 445, disable all SMB, make registry hacks.

AppGuard and ReHIPS are not anti-exploit programs. They will both deal with the post-exploit payload. The HMP.A betas, 600 series and higher, have mitigations for EB and DP. The easiest and most effective way to deal with exploits is to keep your OS and software updated always.

Your post is a prime example of the absolute confusion and resultant craziness regarding EB and DP.
Ultra-paranoid?

Nobody can tell what Wannacry will evolve to like in the near future.

With AG and ReHIPS handling the exploit payloads and HMPA tackling the exploit itself, I believe I can sleep peacefully.
 
509322:
Nobody can tell what Wannacry will evolve to like in the near future.

WannaCry ransomware itself is just run-of-the-mill ransomware. There is nothing extraordinary about it. It is the network\kernel exploits that made its rapid distribution possible that made the whole WannaCry incident newsworthy.

If you are on Windows 10 1703, then you are not susceptible to those exploits.

If you are on susceptible builds of Windows 10 1607 and earlier, and you have applied the Microsoft security updates, then you are not susceptible to those exploits. Then again you are not susceptible unless you are using SMB in the first place.

There are exploits for which there is no way to mitigate them until Microsoft makes a security patch for them. So piling security software on top of security software is not a guarantee that your system is 100 % protected under any and all cases.

A carefully considered and measured multi-layered security configuration provides high security, but what I am saying is that it is not guaranteed 100 % protection against every attack imaginable.

My recommendation to anyone who is ultra-serious about security, the first two things that they should do:

1. Buy a good quality router and learn how to configure it for best security; and
2. A reliable backup solution - a solid file backup strategy that saves all your most important files is sufficient

After that foundation is laid, then you can build a security configuration.
 
HarborFront:
WannaCry ransomware itself is just run-of-the-mill ransomware. There is nothing extraordinary about it. It is the network\kernel exploits that made its rapid distribution possible that made the whole WannaCry incident newsworthy.

If you are on Windows 10 1703, then you are not susceptible to those exploits.

If you are on susceptible builds of Windows 10 1607 and earlier, and you have applied the Microsoft security updates, then you are not susceptible to those exploits. Then again you are not susceptible unless you are using SMB in the first place.

There are exploits for which there is no way to mitigate them until Microsoft makes a security patch for them. So piling security software on top of security software is not a guarantee that your system is 100 % protected under any and all cases.

A carefully considered and measured multi-layered security configuration provides high security, but what I am saying is that it is not guaranteed 100 % protection against every attack imaginable.

My recommendation to anyone who is ultra-serious about security, the first two things that they should do:

1. Buy a good quality router and learn how to configure it for best security; and
2. A reliable backup solution - a solid file backup strategy that saves all your most important files is sufficient

After that foundation is laid, then you can build a security configuration.
I just changed my router from ASUS RT-AC5300 to Portal WiFi (below)

Portal WiFi - Home

I changed because it's supposed to provide me with better privacy than ASUS (with TrendMicro) which are collecting my privacy data.

What do you think of this PORTAL router? Is it secure enough?

As for a backup solution I'm going for sandboxing instead with my work files stored externally.

Anyway thanks for your suggestions.
 
509322:
I just changed my router from ASUS RT-AC5300 to Portal WiFi (below)

Portal WiFi - Home

I changed because it's supposed to provide me with better privacy than ASUS (with TrendMicro) which are collecting my privacy data.

What do you think of this PORTAL router? Is it secure enough?

As for a backup solution I'm going for sandboxing instead with my work files stored externally.

Anyway thanks for your suggestions.

I have not used Portal, so I have no basis for judgment.

For backups, I have a simple solution: Dropbox file backup with file versioning (in case the Dropbox file ever got picked off by ransomware).

I also use a USB flash drive, but there is no file versioning to save me if it ever gets completely encrypted or other data loss (like if I don't take the flash drive out of my pocket before I wash my pants).

So a combined local and cloud backup strategy is wise and uncomplicated.
 

HarborFront:
I have not used Portal, so I have no basis for judgment.

For backups, I have a simple solution: Dropbox file backup with file versioning (in case the Dropbox file ever got picked off by ransomware).

I also use a USB flash drive, but there is no file versioning to save me if it ever gets completely encrypted or other data loss (like if I don't take the flash drive out of my pocket before I wash my pants).

So a combined local and cloud backup strategy is wise and uncomplicated.
IMO virtualization (sandboxing) and backup solutions are equally great in protecting the system although none is perfect
 
509322:
IMO virtualization (sandboxing) and backup solutions are equally great in protecting the system although none is perfect

Virtualization is sound, but has its downsides.

I use Dropbox because I can install it on my 12 Windows and sync all the files - instead of walking 4 feet to grab a flash drive or go searching for it every time I misplace it. So, in other words, I am lazy.
 
Deleted member 178:
I just changed my router from ASUS RT-AC5300 to Portal WiFi (below)

Portal WiFi - Home

I changed because it's supposed to provide me with better privacy than ASUS (with TrendMicro) which are collecting my privacy data.

What do you think of this PORTAL router? Is it secure enough?
Seems good; however, I don't buy the privacy stuff, especially when it uses a radar thingy :D
If I go real paranoid, I will say "what proves to me that the router doesn't map my house layout and transmit it to this company..."

as you see paranoia has various levels :D
 