Use Windows 10 build-in (anti)execution options

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Pictures explain it all, when you try to execute a downloaded program it will be blocked (rtight), when clicking on change settings you will be shown options (left) to temporarily allow software not from Microsoft Store (and or non-Microsoft signed code). Windows update works okay while allowing aps from the Store only.

1532541228144.png
 

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
This is great! Still, won't protect from Store malware...

By the way, I've got a question: if it's a Windows feature and it's easily accesible, what avoids malware to run a script to change the settings? Imagine not downloading a program. Instead, being shared via e-mail an infected .pdf which will execute a script that throws some basic commands to change installation settings and then connect to a remote malicious server to download the payload to a temporal folder.
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@RoboMan

I have a added simple SRP and set UAC to only allow signed programs to elevate. Hardened script programs using Windows Defender exploit protection, on top of that Windows 10 has smart screen and proteced folders feature. When you don't want to tweak Windows yourself use NVT System hardener and use @Andy Ful's tools to set these build-in protections.

I checked on Yoga 520 of my wife and Chrome was also allowed to update. A photo book creation program installed in user folders was blocked when updating. So programs installed in UAC protected folders seem to be allowed also.

Windows 10 has so many great build in features. Bu some are hidden or not easy to find. Also with WD exploit protection, every update overwrites the programs alread set by Windows back to its default. When you want to add stuf (e.g. PowerPoint below), you need to ad a full path name rule to make your additions stick/permanent.

1532549884775.png
 
Last edited:
I

illumination

Windows 10 has so many great build in features.
Absolutely... The problem is most average users would not know where to start, and just want a set and forget solution. Most of them i have helped never open the installed security after it has been placed on, they just surf facebook, email and netflix, and flip out when something does happen to disturb their enjoyment...
 

RoboMan

Level 34
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
@RoboMan

I have a added simple SRP and set UAC to only allow signed programs to elevate. Hardened script programs using Windows Defender exploit protection, on top of that Windows 10 has smart screen and proteced folders feature. When you don't want to tweak Windows yourself use NVT System hardener and use @Andy Ful's tools to set these build-in protections.

I checked on Yoga 520 of my wife and Chrome was also allowed to update. A photo book creation program installed in user folders was blocked when updating. So programs installed in UAC protected folders seem to be allowed also.

Windows 10 has so many great build in features.
Amazing! We sometimes underestimate the security Microsoft offers. A very well known spanish hacker -Chema Alonso (a.k.a un informático del lado del mal) joking about the ease to crack iOS security when people claimed it was so safe, mentioned "we often throw garbage to Microsoft engineers, we claim they don't know how to protect their OS, so we choose Mac, iOS, over Microsoft operating systems. Actually Windows is the most secure platform, the space where the teams put more effort into protecting. The fact that Mac is considered secure is the lack of popularity among ordinary users or enterprises. If they were targeted as Microsoft, you would be able to see how hard they are trying."
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Ironically standard users run into zero problems when having these settings all maxed out. My wife just uses software, she does not install software. I have one program to update manually (the photo book creator installed in user folders) which I also had to exclude from Protected Folders feature. Luckily this program can be guarded tightly by WD exploit protection. This shows how stupid Microsoft features are. Only pc enthousiasts can set them, but they are so rigid that most enthousiasts don't use them, so in the end very few people use it. I can't get my head around that Microsoft constantly make GUI changes , but apparently all UX/GUI experts are kicked out of the security development department.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Ironically standard users run into zero problems when having these settings all maxed out. My wife just uses software, she does not install software.
Yes, I also find that users like this can be put on hardened systems and they have no problems.
The problems are with the people who want to install things that aren't good for them.
 

MeltdownEnemy

Level 7
Verified
Well-known
Jan 25, 2018
300
Windows only works safe at denied mode account in guests user, I'm only using windows for the STEAM platform games, for that reason, faraway of the Office, No more Flash, No pdf readers I don't give a damn about the other rest MS programs, little by little I learn with DEBIAN and I face less problems with the annoying terminal and the Repo's.
 
  • Like
Reactions: oldschool

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
I think I recall files downloaded by 3rd party download manager (Eagleget, Internet Download Manager, etc) could bypass that setting.
 
  • Like
Reactions: oldschool

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I think I recall files downloaded by 3rd party download manager (Eagleget, Internet Download Manager, etc) could bypass that setting.
This is a new feature, it simply does not let you install any program, regardless of how it got on your computer, unless it is a Windows store app.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
This is a new feature, it simply does not let you install any program, regardless of how it got on your computer, unless it is a Windows store app.
I have the setting set to warn instead of outright blocking but I imagine it should be the same in this case.

I tested this using the Ccleaner installer. I downloaded it a few times on Edge ( should work the same in other browsers), and each time I decided to run the file a popup similar to what @Windows_Security has in his initial post would show up.

However when pasted the direct url for the download on Free download manager, and decided to run the file the popup didn't appear.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I have the setting set to warn instead of outright blocking but I imagine it should be the same in this case.

I tested this using the Ccleaner installer. I downloaded it a few times on Edge ( should work the same in other browsers), and each time I decided to run the file a popup similar to what @Windows_Security has in his initial post would show up.

However when pasted the direct url for the download on Free download manager, and decided to run the file the popup didn't appear.
That's interesting, thanks. I haven't actually tried it out, I just read about it. So you know more than I do about it.
I wonder what would happen if you set it to block, instead of warn?
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
That's interesting, thanks. I haven't actually tried it out, I just read about it. So you know more than I do about it.
I wonder what would happen if you set it to block, instead of warn?
Just tested on block. The installer bypasses the setting if downloaded via a 3rd party download manager.

My guess is this is because the files don't have the mark of the web. Though someone else might have a better idea
 
I

illumination

Just tested on block. The installer bypasses the setting if downloaded via a 3rd party download manager.

My guess is this is because the files don't have the mark of the web. Though someone else might have a better idea
This is why i avoid 3rd party applications as much as possible, especially when built in will do.
 
  • Like
Reactions: oldschool and Azure

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Just tested on block. The installer bypasses the setting if downloaded via a 3rd party download manager.

My guess is this is because the files don't have the mark of the web. Though someone else might have a better idea
Thanks for the test. This feature started with a bang and ended with a whimper. :)
 
  • Like
Reactions: simmerskool

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The feature "Allow apps from the store only" uses MOTW. It works only for applications downloaded via the web browser, Microsoft Store, OneDrive (or similar Internet services).
It will be bypassed if you have got the executable file (BAT, COM, EXE, MSI) using:
  • the downloader or torrent application (EagleGet, utorrent etc.);
  • container format file (zip, 7z, arj, rar, etc.);
  • CD/DVD/Blue-ray disc;
  • CD/DVD/Blue-ray disc image (iso, bin, etc.);
  • non-NTFS USB storage device (FAT32 pendrive, FAT32 USB disk);
  • Memory Card;
Furthermore, I had no problem with bypassing it when running executables from Total Commander (file manager). One can also change the EXE extension to SCR and bypass it.
So, this feature is only for restricting the installations initiated by the user. It is very similar to choosing SmartScreen setting equal to BLOCK in WD (Windows 10). Any payload dropper embedded in the malicious document will bypass it. SmartScreen (on run) can check more file extensions (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR, and VBE). The difference is that SmartScreen will let run the application with a sufficiently good reputation, but "Allow apps from the store only" will block all apps except those from Microsoft Store.

Edit.
If someone uses Hard_Configurator, then "Run As SmartScreen" and "Run By SmartScreen" work well with "Allow apps from the store only" feature.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top