Use Windows 10 build-in (anti)execution options

[Windows_Security]

Pictures explain it all, when you try to execute a downloaded program it will be blocked (rtight), when clicking on change settings you will be shown options (left) to temporarily allow software not from Microsoft Store (and or non-Microsoft signed code). Windows update works okay while allowing aps from the Store only.

 

[RoboMan]

This is great! Still, won't protect from Store malware...

By the way, I've got a question: if it's a Windows feature and it's easily accesible, what avoids malware to run a script to change the settings? Imagine not downloading a program. Instead, being shared via e-mail an infected .pdf which will execute a script that throws some basic commands to change installation settings and then connect to a remote malicious server to download the payload to a temporal folder.

 

[shmu26]

This feature does not protect from scripts, only from installer files. To block scripts, you can use other built-in Windows features, or use 3rd party software.

 

[Windows_Security]

@RoboMan

I have a added simple SRP and set UAC to only allow signed programs to elevate. Hardened script programs using Windows Defender exploit protection, on top of that Windows 10 has smart screen and proteced folders feature. When you don't want to tweak Windows yourself use NVT System hardener and use @Andy Ful's tools to set these build-in protections.

I checked on Yoga 520 of my wife and Chrome was also allowed to update. A photo book creation program installed in user folders was blocked when updating. So programs installed in UAC protected folders seem to be allowed also.

Windows 10 has so many great build in features. Bu some are hidden or not easy to find. Also with WD exploit protection, every update overwrites the programs alread set by Windows back to its default. When you want to add stuf (e.g. PowerPoint below), you need to ad a full path name rule to make your additions stick/permanent.

 

[illumination]

Windows 10 has so many great build in features.

Absolutely... The problem is most average users would not know where to start, and just want a set and forget solution. Most of them i have helped never open the installed security after it has been placed on, they just surf facebook, email and netflix, and flip out when something does happen to disturb their enjoyment...

 

[RoboMan]

@RoboMan

I have a added simple SRP and set UAC to only allow signed programs to elevate. Hardened script programs using Windows Defender exploit protection, on top of that Windows 10 has smart screen and proteced folders feature. When you don't want to tweak Windows yourself use NVT System hardener and use @Andy Ful's tools to set these build-in protections.

I checked on Yoga 520 of my wife and Chrome was also allowed to update. A photo book creation program installed in user folders was blocked when updating. So programs installed in UAC protected folders seem to be allowed also.

Windows 10 has so many great build in features.

Amazing! We sometimes underestimate the security Microsoft offers. A very well known spanish hacker -Chema Alonso (a.k.a un informático del lado del mal) joking about the ease to crack iOS security when people claimed it was so safe, mentioned "we often throw garbage to Microsoft engineers, we claim they don't know how to protect their OS, so we choose Mac, iOS, over Microsoft operating systems. Actually Windows is the most secure platform, the space where the teams put more effort into protecting. The fact that Mac is considered secure is the lack of popularity among ordinary users or enterprises. If they were targeted as Microsoft, you would be able to see how hard they are trying."

 

[Windows_Security]

Ironically standard users run into zero problems when having these settings all maxed out. My wife just uses software, she does not install software. I have one program to update manually (the photo book creator installed in user folders) which I also had to exclude from Protected Folders feature. Luckily this program can be guarded tightly by WD exploit protection. This shows how stupid Microsoft features are. Only pc enthousiasts can set them, but they are so rigid that most enthousiasts don't use them, so in the end very few people use it. I can't get my head around that Microsoft constantly make GUI changes , but apparently all UX/GUI experts are kicked out of the security development department.

 

[shmu26]

Ironically standard users run into zero problems when having these settings all maxed out. My wife just uses software, she does not install software.

Yes, I also find that users like this can be put on hardened systems and they have no problems.
The problems are with the people who want to install things that aren't good for them.

 

[MeltdownEnemy]

Windows only works safe at denied mode account in guests user, I'm only using windows for the STEAM platform games, for that reason, faraway of the Office, No more Flash, No pdf readers I don't give a damn about the other rest MS programs, little by little I learn with DEBIAN and I face less problems with the annoying terminal and the Repo's.

 

[Ink]

Remember Windows Vista and UAC, I can only imagine Windows 10 users saying "It's annoying". So if no one uses this feature, it's because everyone's too smart.

 

[Azure]

I think I recall files downloaded by 3rd party download manager (Eagleget, Internet Download Manager, etc) could bypass that setting.

 

[shmu26]

I think I recall files downloaded by 3rd party download manager (Eagleget, Internet Download Manager, etc) could bypass that setting.

This is a new feature, it simply does not let you install any program, regardless of how it got on your computer, unless it is a Windows store app.

 

[Azure]

This is a new feature, it simply does not let you install any program, regardless of how it got on your computer, unless it is a Windows store app.

I have the setting set to warn instead of outright blocking but I imagine it should be the same in this case.

I tested this using the Ccleaner installer. I downloaded it a few times on Edge ( should work the same in other browsers), and each time I decided to run the file a popup similar to what @Windows_Security has in his initial post would show up.

However when pasted the direct url for the download on Free download manager, and decided to run the file the popup didn't appear.

 

[shmu26]

I have the setting set to warn instead of outright blocking but I imagine it should be the same in this case.

I tested this using the Ccleaner installer. I downloaded it a few times on Edge ( should work the same in other browsers), and each time I decided to run the file a popup similar to what @Windows_Security has in his initial post would show up.

However when pasted the direct url for the download on Free download manager, and decided to run the file the popup didn't appear.

That's interesting, thanks. I haven't actually tried it out, I just read about it. So you know more than I do about it.
I wonder what would happen if you set it to block, instead of warn?

 

[Azure]

That's interesting, thanks. I haven't actually tried it out, I just read about it. So you know more than I do about it.
I wonder what would happen if you set it to block, instead of warn?

Just tested on block. The installer bypasses the setting if downloaded via a 3rd party download manager.

My guess is this is because the files don't have the mark of the web. Though someone else might have a better idea

 

[illumination]

Just tested on block. The installer bypasses the setting if downloaded via a 3rd party download manager.

My guess is this is because the files don't have the mark of the web. Though someone else might have a better idea

This is why i avoid 3rd party applications as much as possible, especially when built in will do.

 

[shmu26]

Just tested on block. The installer bypasses the setting if downloaded via a 3rd party download manager.

My guess is this is because the files don't have the mark of the web. Though someone else might have a better idea

Thanks for the test. This feature started with a bang and ended with a whimper.

 

[Azure]

Thanks for the test. This feature started with a bang and ended with a whimper.

As long as those using the setting to block don’t download installers via a 3rd party download manager, it should work fine.

 

[Andy Ful]

The feature "Allow apps from the store only" uses MOTW. It works only for applications downloaded via the web browser, Microsoft Store, OneDrive (or similar Internet services).
It will be bypassed if you have got the executable file (BAT, COM, EXE, MSI) using:

• the downloader or torrent application (EagleGet, utorrent etc.);
• container format file (zip, 7z, arj, rar, etc.);
• CD/DVD/Blue-ray disc;
• CD/DVD/Blue-ray disc image (iso, bin, etc.);
• non-NTFS USB storage device (FAT32 pendrive, FAT32 USB disk);
• Memory Card;

Furthermore, I had no problem with bypassing it when running executables from Total Commander (file manager). One can also change the EXE extension to SCR and bypass it.
So, this feature is only for restricting the installations initiated by the user. It is very similar to choosing SmartScreen setting equal to BLOCK in WD (Windows 10). Any payload dropper embedded in the malicious document will bypass it. SmartScreen (on run) can check more file extensions (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR, and VBE). The difference is that SmartScreen will let run the application with a sufficiently good reputation, but "Allow apps from the store only" will block all apps except those from Microsoft Store.

Edit.
If someone uses Hard_Configurator, then "Run As SmartScreen" and "Run By SmartScreen" work well with "Allow apps from the store only" feature.

 

[Deleted member 178]

Really? there is some idiots that put their phone in their backpockets and sit on it...?