Advice Request Playing with Windows Defender Exploit protection for Chrome and Edge

[Windows_Security]

Just trying to overcome the time difference between New Zealand and the Netherlands (it is 03 at night in NL and can't sleep )

Chrome
Added Chrome.exe to W10 Windows Defender exploit protection and enabled:

• Arbitrary code guard (ACG)
• Blow low integrity images - ENABLED
• Block remote images - ENABLED
• Block untrusted fonts
• Code integrity guard
• Control flow guard (CFG) - ENABLED (on 64 bits Chrome you can also enable strict option)
• Data Execution Prevention (DEP) - ENABLED
• Disable extension points - ENABLED
• Disable Win32 system calls (Chrome enables this flag itself for its rendering processes)
• Do not allow child processes
• Export address filtering (EAF)
• Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
• Randomize memory allocations (Bottom-Up ASLR)
• Import address filtering (IAF)
• Simulate execution (SimExec)
• Validate API invocation (CallerCheck)
• Validate exception chains (SEHOP) - ENABLED
• Validate handle usage - ENABLED
• Validate heap integrity - ENABLED
• Validate image dependency integration - ENABLED
• Validate stack integrity (StackPivot)

Edge
I split this into the broker (Edge) and content processor (EdgeCP).

Added MicrosoftEdge.exe to W10 Windows Defender exploit protection and enabled:

• Arbitrary code guard (ACG) - ENABLED
• Blow low integrity images - ENABLED
• Block remote images - ENABLED
• Block untrusted fonts
• Code integrity guard - ENABLED (also Microsoft Store)
• Control flow guard (CFG) - ENABLED (enforce strict)
• Data Execution Prevention (DEP) - ENABLED
• Disable extension points - ENABLED
• Disable Win32 system calls
• Do not allow child processes
• Export address filtering (EAF)
• Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
• Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entrophy)
• Import address filtering (IAF)
• Simulate execution (SimExec)
• Validate API invocation (CallerCheck)
• Validate exception chains (SEHOP) - ENABLED
• Validate handle usage - ENABLED
• Validate heap integrity - ENABLED
• Validate image dependency integration - ENABLED
• Validate stack integrity (StackPivot)

Added MicrosoftEdgeCP.exe to W10 Windows Defender exploit protection and enabled:

• Arbitrary code guard (ACG) - ENABLED (important: allow Thread Opt-Out)
• Blow low integrity images - ENABLED
• Block remote images - ENABLED
• Block untrusted fonts
• Code integrity guard - ENABLED (also Microsoft Store)
• Control flow guard (CFG) - ENABLED (important: don't enforce strict)
• Data Execution Prevention (DEP) - ENABLED
• Disable extension points - ENABLED
• Disable Win32 system calls
• Do not allow child processes - ENABLED
• Export address filtering (EAF)
• Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
• Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entrophy)
• Import address filtering (IAF)
• Simulate execution (SimExec)
• Validate API invocation (CallerCheck)
• Validate exception chains (SEHOP) - ENABLED
• Validate handle usage - ENABLED
• Validate heap integrity - ENABLED
• Validate image dependency integration - ENABLED
• Validate stack integrity (StackPivot)

Have fun happy hardening your browsers with Windows Defender. I am using Windows Defender as AntiVirus (also with Folder access protection enabled). Checkout on AndyFul/ConfigureDefender to enable some other great features )

 

[DeepWeb]

Great config. But I noticed when I enable one of the Exploit Mitigations features, it kicks out my AV hooks and Emsisoft in my case can no longer monitor the program. Which really brings this to the main problem. If you don't know what these things mean they are almost useless. I just trial and error until something breaks. Make sure your antivirus can still monitor the programs after you enable Exploit Mitigations.

 

[Windows_Security]

@DeepWeb better don't use exploit protection with other AV's, it might prevent loading their DLL's and/or setting hooks as you experienced.

For some more explanation you need to dig into Microsoft documentation: Enable or disable specific mitigations used by Exploit protection It still requires some programming knowledge (e.g. Validate handle usage is related to SEH).

There are also differences between 32 and 64 bits versions (e.g. 32 bits Chrome won't run with CFG strict sub-option is enabled, but 64 bits Chrome works like a charm when CFG strict is enabled). Which leads to the suspicion that Chrome development team might be spending more time on code inspection for 64 bits than for 32 bits version.

 

[509322]

Which really brings this to the main problem. If you don't know what these things mean they are almost useless.

The only users experimenting with Windows 10 Exploit Guard - like EMET - are security soft geeks on security forums.

 

[Windows_Security]

The only users experimenting with Windows 10 Exploit Guard - like EMET - are security soft geeks on security forums.

I am not experimenting: experimentation Meaning in the Cambridge English Dictionary

 

[DeepWeb]

I discovered, again through trial and error, what kicks Emsisoft Anti-Malware out of monitoring a program.

You can enable almost everything as long as you don't check this. Now my program has Exploit protections while also being monitored. But, this is quite a price to pay. Disabling Win32k system calls is a powerful feature.

 

[Windows_Security]

On Windows10 (2in1) I am using Edge as primary browser now on Windows7 (desktoop) stil using Chromium as primary browser. I can't imagine what can bypass Edge with this policy container.

 

[Windows_Security]

I also have extra rules for Office, when you add additional protections, windows overwrites them after every update. When you create the additional rules with process path name, they won't be overwritten. After this mornings update on my Asus Transformer (Security: SysHardener of NoVirusThanks, AndyFul's Configure Defender, Added basic user Software Restriction Policy (but you can also use Andy's Hard Configrator) and Windows Defender anti-ransom option Protected Folders and Windows Defender Exploit Guard options (like only allowing microsoft signed, not allowing excel to call other programs, etcetera). An enthousiast tweaker does not need paid third-party software on Windows 10 home

 

[shmu26]

Just trying to overcome the time difference between New Zealand and the Netherlands (it is 03 at night in NL and can't sleep )

Chrome
Added Chrome.exe to W10 Windows Defender exploit protection and enabled:

• Arbitrary code guard (ACG)
• Blow low integrity images - ENABLED
• Block remote images - ENABLED
• Block untrusted fonts
• Code integrity guard
• Control flow guard (CFG) - ENABLED (on 64 bits Chrome you can also enable strict option)
• Data Execution Prevention (DEP) - ENABLED
• Disable extension points - ENABLED
• Disable Win32 system calls (Chrome enables this flag itself for its rendering processes)
• Do not allow child processes
• Export address filtering (EAF)
• Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
• Randomize memory allocations (Bottom-Up ASLR)
• Import address filtering (IAF)
• Simulate execution (SimExec)
• Validate API invocation (CallerCheck)
• Validate exception chains (SEHOP) - ENABLED
• Validate handle usage - ENABLED
• Validate heap integrity - ENABLED
• Validate image dependency integration - ENABLED
• Validate stack integrity (StackPivot)

Edge
I split this into the broker (Edge) and content processor (EdgeCP).

Added MicrosoftEdge.exe to W10 Windows Defender exploit protection and enabled:

• Arbitrary code guard (ACG) - ENABLED
• Blow low integrity images - ENABLED
• Block remote images - ENABLED
• Block untrusted fonts
• Code integrity guard - ENABLED (also Microsoft Store)
• Control flow guard (CFG) - ENABLED (enforce strict)
• Data Execution Prevention (DEP) - ENABLED
• Disable extension points - ENABLED
• Disable Win32 system calls
• Do not allow child processes
• Export address filtering (EAF)
• Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
• Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entrophy)
• Import address filtering (IAF)
• Simulate execution (SimExec)
• Validate API invocation (CallerCheck)
• Validate exception chains (SEHOP) - ENABLED
• Validate handle usage - ENABLED
• Validate heap integrity - ENABLED
• Validate image dependency integration - ENABLED
• Validate stack integrity (StackPivot)

Added MicrosoftEdgeCP.exe to W10 Windows Defender exploit protection and enabled:

• Arbitrary code guard (ACG) - ENABLED (important: allow Thread Opt-Out)
• Blow low integrity images - ENABLED
• Block remote images - ENABLED
• Block untrusted fonts
• Code integrity guard - ENABLED (also Microsoft Store)
• Control flow guard (CFG) - ENABLED (important: don't enforce strict)
• Data Execution Prevention (DEP) - ENABLED
• Disable extension points - ENABLED
• Disable Win32 system calls
• Do not allow child processes - ENABLED
• Export address filtering (EAF)
• Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
• Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entrophy)
• Import address filtering (IAF)
• Simulate execution (SimExec)
• Validate API invocation (CallerCheck)
• Validate exception chains (SEHOP) - ENABLED
• Validate handle usage - ENABLED
• Validate heap integrity - ENABLED
• Validate image dependency integration - ENABLED
• Validate stack integrity (StackPivot)

Have fun happy hardening your browsers with Windows Defender. I am using Windows Defender as AntiVirus (also with Folder access protection enabled). Checkout on AndyFul/ConfigureDefender to enable some other great features )

Since Chrome already runs with low integrity level, and on Windows 10 it runs in Appcontainer (especially if you enable the appropriate flags), how much is to be gained by these additional tweaks?
Same question for Edge

 

[Yellowing]

• Arbitrary code guard (ACG)
• Blow low integrity images - ENABLED
• Block remote images - ENABLED
• Block untrusted fonts
• Code integrity guard

Hm. Does that mean you have them all enabled just by them being listed, or are only "Block low integrity images" and "Block remote Images" enabled? Or are you enabling system override, but not the thing itself? Please be more specific.

Also you can't enable Control Flow Guard if you run Chrome in Sandboxie.

BTW: How do I change all system settings? I can only change a few of those that are available under Program-tab.

 

[Windows_Security]

1. Open Windows Defender in taskbar
2. Choose App and Browser (maintenance/defense/ I am on Dutch Windows 10 home here)
3. Scroll down to Exploit Protection
4. Choose exploit protection (settings?)
5. Choose second tab Program Settings

 

[Yellowing]

No, you misunderstood: I can "override system defaults" for many more things under program settings, than there are to set under system settings.

 

[Windows_Security]

OK, I suppose Microsoft will be slowly pushing system defaults to a more secure base line.

 

[Yellowing]

They seem to be all disabled except those that I can set in the settings tab.

 

[Windows_Security]

They seem to be all disabled except those that I can set in the settings tab.

I don't understand what you are trying to tell me, sorry gots lost in translation

 

[Yellowing]

Yea, probably because I am german trying to speak english and you are netherlandish trying to understand that. :emoji_popcorn: (I didn't use "dutch" because apparently that means german, netherland and holland, as well as "missus")
No worries!

 

[CyberTech]

Hmm what about Firefox?

 

[Yellowing]

That depends on how many instances FF starts. I don't know FF or use it.

 

[Windows_Security]

OK, I suppose Microsoft will be slowly pushing system defaults to a more secure base line.

Found an article that most of these settings are enabled now by default. At least on 64 bits systems they seem enabled now

Mitigating arbitrary native code execution in Microsoft Edge - Microsoft Edge Dev Blog

For compatibility reasons, ACG is currently only enforced on 64-bit desktop devices with a primary GPU running a WDDM 2.2 driver (the driver model released with the Windows 10 Anniversary Update)

On Windows 7 using Firefox (in run as other user container with AppLocker, ACL and Parental Control) and on Windows 10 (32 bits) using Edge with additional Windows Defender exploit guard protection (should be default now in 64 bits, but keeping the additional settings just to be sure)

One disadvantage of Edge over Chrome (dumped Chrome completely) is that Edge only allows one language, which is kind of annoying when using Dutch and (US) English forums.