Advice Request Playing with Windows Defender Exploit protection for Chrome and Edge

Please provide comments and solutions that are helpful to the author of this topic.

Status
Not open for further replies.
Windows_Security

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Just trying to overcome the time difference between New Zealand and the Netherlands (it is 03 at night in NL and can't sleep :) )

Chrome
Added Chrome.exe to W10 Windows Defender exploit protection and enabled:
  • Arbitrary code guard (ACG)
  • Blow low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard
  • Control flow guard (CFG) - ENABLED (on 64 bits Chrome you can also enable strict option)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls (Chrome enables this flag itself for its rendering processes)
  • Do not allow child processes
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integration - ENABLED
  • Validate stack integrity (StackPivot)

Edge
I split this into the broker (Edge) and content processor (EdgeCP).

Added MicrosoftEdge.exe to W10 Windows Defender exploit protection and enabled:
  • Arbitrary code guard (ACG) - ENABLED
  • Blow low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard - ENABLED (also Microsoft Store)
  • Control flow guard (CFG) - ENABLED (enforce strict)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls
  • Do not allow child processes
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entrophy)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integration - ENABLED
  • Validate stack integrity (StackPivot)
Added MicrosoftEdgeCP.exe to W10 Windows Defender exploit protection and enabled:
  • Arbitrary code guard (ACG) - ENABLED (important: allow Thread Opt-Out)
  • Blow low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard - ENABLED (also Microsoft Store)
  • Control flow guard (CFG) - ENABLED (important: don't enforce strict)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls
  • Do not allow child processes - ENABLED
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entrophy)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integration - ENABLED
  • Validate stack integrity (StackPivot)
Have fun happy hardening your browsers with Windows Defender. I am using Windows Defender as AntiVirus (also with Folder access protection enabled). Checkout on AndyFul/ConfigureDefender to enable some other great features (y) )
 
Last edited:
  • Like
Reactions: SunMan09, Nestor, Handsome Recluse and 18 others
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Great config. But I noticed when I enable one of the Exploit Mitigations features, it kicks out my AV hooks and Emsisoft in my case can no longer monitor the program. Which really brings this to the main problem. If you don't know what these things mean they are almost useless. I just trial and error until something breaks. Make sure your antivirus can still monitor the programs after you enable Exploit Mitigations.
 
  • Like
Reactions: shmu26, Kuttz, Andy Ful and 5 others
Windows_Security

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@DeepWeb better don't use exploit protection with other AV's, it might prevent loading their DLL's and/or setting hooks as you experienced.

For some more explanation you need to dig into Microsoft documentation: Enable or disable specific mitigations used by Exploit protection It still requires some programming knowledge (e.g. Validate handle usage is related to SEH).

There are also differences between 32 and 64 bits versions (e.g. 32 bits Chrome won't run with CFG strict sub-option is enabled, but 64 bits Chrome works like a charm when CFG strict is enabled). Which leads to the suspicion that Chrome development team might be spending more time on code inspection for 64 bits than for 32 bits version.
 
Last edited:
  • Like
Reactions: shmu26, Kuttz, Andy Ful and 3 others
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I discovered, again through trial and error, what kicks Emsisoft Anti-Malware out of monitoring a program.
Uzr2pe7.png

You can enable almost everything as long as you don't check this. Now my program has Exploit protections while also being monitored. But, this is quite a price to pay. Disabling Win32k system calls is a powerful feature.
 
  • Like
Reactions: Handsome Recluse, shmu26, Andy Ful and 2 others
Windows_Security

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
On Windows10 (2in1) I am using Edge as primary browser now on Windows7 (desktoop) stil using Chromium as primary browser. I can't imagine what can bypass Edge with this policy container.
 
  • Like
Reactions: shmu26 and Andy Ful
Windows_Security

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
I also have extra rules for Office, when you add additional protections, windows overwrites them after every update. When you create the additional rules with process path name, they won't be overwritten. After this mornings update on my Asus Transformer (Security: SysHardener of NoVirusThanks, AndyFul's Configure Defender, Added basic user Software Restriction Policy (but you can also use Andy's Hard Configrator) and Windows Defender anti-ransom option Protected Folders and Windows Defender Exploit Guard options (like only allowing microsoft signed, not allowing excel to call other programs, etcetera). An enthousiast tweaker does not need paid third-party software on Windows 10 home
 

Attachments

  • Naamloos.png
    Naamloos.png
    28.4 KB · Views: 964
  • Like
Reactions: Andy Ful, shmu26 and harlan4096
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Windows_Security said:
Just trying to overcome the time difference between New Zealand and the Netherlands (it is 03 at night in NL and can't sleep :) )

Chrome
Added Chrome.exe to W10 Windows Defender exploit protection and enabled:
  • Arbitrary code guard (ACG)
  • Blow low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard
  • Control flow guard (CFG) - ENABLED (on 64 bits Chrome you can also enable strict option)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls (Chrome enables this flag itself for its rendering processes)
  • Do not allow child processes
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integration - ENABLED
  • Validate stack integrity (StackPivot)

Edge
I split this into the broker (Edge) and content processor (EdgeCP).

Added MicrosoftEdge.exe to W10 Windows Defender exploit protection and enabled:
  • Arbitrary code guard (ACG) - ENABLED
  • Blow low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard - ENABLED (also Microsoft Store)
  • Control flow guard (CFG) - ENABLED (enforce strict)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls
  • Do not allow child processes
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entrophy)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integration - ENABLED
  • Validate stack integrity (StackPivot)
Added MicrosoftEdgeCP.exe to W10 Windows Defender exploit protection and enabled:
  • Arbitrary code guard (ACG) - ENABLED (important: allow Thread Opt-Out)
  • Blow low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard - ENABLED (also Microsoft Store)
  • Control flow guard (CFG) - ENABLED (important: don't enforce strict)
  • Data Execution Prevention (DEP) - ENABLED
  • Disable extension points - ENABLED
  • Disable Win32 system calls
  • Do not allow child processes - ENABLED
  • Export address filtering (EAF)
  • Force randomization for images (Mandatory ASLR) - ENABLED (enable no stripped images)
  • Randomize memory allocations (Bottom-Up ASLR) - ENABLED (enable no high entrophy)
  • Import address filtering (IAF)
  • Simulate execution (SimExec)
  • Validate API invocation (CallerCheck)
  • Validate exception chains (SEHOP) - ENABLED
  • Validate handle usage - ENABLED
  • Validate heap integrity - ENABLED
  • Validate image dependency integration - ENABLED
  • Validate stack integrity (StackPivot)
Have fun happy hardening your browsers with Windows Defender. I am using Windows Defender as AntiVirus (also with Folder access protection enabled). Checkout on AndyFul/ConfigureDefender to enable some other great features (y) )
Click to expand...
Since Chrome already runs with low integrity level, and on Windows 10 it runs in Appcontainer (especially if you enable the appropriate flags), how much is to be gained by these additional tweaks?
Same question for Edge
 
  • Like
Reactions: Handsome Recluse, Gandalf_The_Grey and Sunshine-boy
Yellowing

Yellowing

Level 5
Verified
Jun 7, 2018
221
Windows_Security said:
  • Arbitrary code guard (ACG)
  • Blow low integrity images - ENABLED
  • Block remote images - ENABLED
  • Block untrusted fonts
  • Code integrity guard
Click to expand...
Hm. Does that mean you have them all enabled just by them being listed, or are only "Block low integrity images" and "Block remote Images" enabled? Or are you enabling system override, but not the thing itself? o_O Please be more specific. :cry:

Also you can't enable Control Flow Guard if you run Chrome in Sandboxie.

BTW: How do I change all system settings? I can only change a few of those that are available under Program-tab.
 
Last edited:
Windows_Security

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
1. Open Windows Defender in taskbar
2. Choose App and Browser (maintenance/defense/ I am on Dutch Windows 10 home here)
3. Scroll down to Exploit Protection
4. Choose exploit protection (settings?)
5. Choose second tab Program Settings

1531157983766.png
 
  • Like
Reactions: harlan4096 and shmu26
Yellowing

Yellowing

Level 5
Verified
Jun 7, 2018
221
No, you misunderstood: I can "override system defaults" for many more things under program settings, than there are to set under system settings. :giggle:
 
Windows_Security

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
OK, I suppose Microsoft will be slowly pushing system defaults to a more secure base line.
 
Yellowing

Yellowing

Level 5
Verified
Jun 7, 2018
221
Yea, probably because I am german trying to speak english and you are netherlandish trying to understand that. :ROFLMAO::emoji_popcorn: (I didn't use "dutch" because apparently that means german, netherland and holland, as well as "missus") :ROFLMAO:
No worries! :D
 
Windows_Security

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Windows_Security said:
OK, I suppose Microsoft will be slowly pushing system defaults to a more secure base line.
Click to expand...

Found an article that most of these settings are enabled now by default. At least on 64 bits systems they seem enabled now

Mitigating arbitrary native code execution in Microsoft Edge - Microsoft Edge Dev Blog

Microsoft blog said:
For compatibility reasons, ACG is currently only enforced on 64-bit desktop devices with a primary GPU running a WDDM 2.2 driver (the driver model released with the Windows 10 Anniversary Update)
Click to expand...

On Windows 7 using Firefox (in run as other user container with AppLocker, ACL and Parental Control) and on Windows 10 (32 bits) using Edge with additional Windows Defender exploit guard protection (should be default now in 64 bits, but keeping the additional settings just to be sure)

One disadvantage of Edge over Chrome (dumped Chrome completely) is that Edge only allows one language, which is kind of annoying when using Dutch and (US) English forums.
 
Last edited:
  • Like
Reactions: Handsome Recluse and harlan4096
Status
Not open for further replies.

Similar threads

oldschool
    • Like
    • Applause
    • +Reputation
Advanced Security oldschool's surfing laptop configuration
Replies
358
Views
44,556
PC Setup Configuration Help & Showcase
Andy Ful
Andy Ful
ErzCrz
    • Like
    • +Reputation
    • Applause
Advanced Plus Security ErzCrz Security Config 2024
Replies
275
Views
34,645
PC Setup Configuration Help & Showcase
ErzCrz
ErzCrz
SunMan09
    • Like
Advanced Plus Security Thaumiel's Windows Security 2020
Replies
12
Views
3,153
CSC Archive
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top