Who has already played with new W10 security features?

Sunshine-boy · Nov 29, 2017

Andy Ful said:
check it

Pls I'm not an idiot :notworthy:i know how to check it! it's not signed!I was lazy to check it at that time.

Andy Ful · Nov 29, 2017

Av Gurus said:
Here is the test.
I run that .vbs and WDSC block & quarantine file but can't find anything in EV for ASR.
Here are pictures:

View attachment 174784 View attachment 174785

There is no 1121 EventId, so the script was not blocked by ASR. It is clear that Defender's local Artificial Intelligence (not signatures) detected the script as suspicious, because you have very aggressive Defender settings. If you ran the script on the virtual machine where you tested malware, it is possible that local AI learned to block some suspicious behavior. Anyway, the script was not recognized as dangerous after additional analysis in the cloud, so the signature for it was not created (I can still run it).
As for, the ASR rule 'Block JavaScript or VBScript from launching downloaded executable content', it works when one tries to run some script trojan downloaders, but can be easily bypassed.

Andy Ful · Nov 29, 2017

Sunshine-boy said:
Pls I'm not an idiot :notworthy:i know how to check it! it's not signed!I was lazy to check it at that time.

I knew it.

Andy Ful · Nov 29, 2017

Av Gurus said:
Here is the test.
I run that .vbs and WDSC block & quarantine file but can't find anything in EV for ASR.
Here are pictures:
View attachment 174784 View attachment 174785

By the way, why there is a 5007 EvenId present in your Event Log. Have you changed ASR or Controlled Folder Access settings, when testing? I can see a fragment of it, that is related to protected folders. This EventID is also created when adding Exclusions to ASR or Controlled Folder Access rules (generally when the antimalware platform configuration was changed).
Edit.
Post edited.

Av Gurus · Nov 29, 2017

Andy Ful said:
By the way, why there is a 5007 EvenId present in your Event Log. Have you changed ASR or Controlled Folder Access settings, when testing? I can see a fragment of it, that is related to protected folders. This EventID is also created when adding Exclusions to ASR or Controlled Folder Access rules.

Settings for EV are download from Microsoft site (Use Attack surface reduction rules to prevent malware infection) and then imported:

boredog · Nov 29, 2017

Which folder is the Exploit Guard Package in? I am not seeing it with your directions posted in your screen shot.

Andy Ful · Nov 29, 2017

Av Gurus said:
Settings for EV are download from Microsoft site (Use Attack surface reduction rules to prevent malware infection) and then imported:

View attachment 174798

Thanks. I was curious why you had many 5007 EventIds on the log, visible in the posted attachment https://malwaretips.com/attachments/174785/. This is the event: 'MALWAREPROTECTION_CONFIG_CHANGED '
When I ran the scripts, I also had the 5007 EventId, related to adding an exclusion rule for the quarantined script (from my previous post Poll - Who has already played with new W10 security features?).
But anyway, it is not important for ASR test.

Av Gurus · Nov 29, 2017

boredog said:
Which folder is the Exploit Guard Package in? I am not seeing it with your directions posted in your screen shot.

Ask me?
Sorry, but don't understand your question...

boredog · Nov 29, 2017

Av Gurus said:
Ask me?
Sorry, but don't understand your question...

Yes
I open event viewer, click import custom view and a windows pops up that wants me to navigate to a folder.

Av Gurus · Nov 29, 2017

You have to:
Download the Exploit Guard Evaluation Package and extract the file asr-events.xml to an easily accessible location on the machine.

boredog · Nov 29, 2017

Av Gurus said:
You have to:
Download the Exploit Guard Evaluation Package and extract the file asr-events.xml to an easily accessible location on the machine.

Ok thanks, that explains it.

Andy Ful · Dec 8, 2017

The ASR rules were tested here:
Windows Defender Exploit Guard ASR Obfuscated Script Rule
Windows Defender Exploit Guard ASR Rules for Office
Windows Defender Exploit Guard ASR VBScript/JS Rule
.
The above posts are simple, but very informative. Good reading.

The results are similar to the results of my tests, though the darkoperator.com tests are more comprehensive.
Anyway, there are some bypasses to any of the above ASR rules.

Andy Ful · Dec 14, 2017

Did anybody test the Defender 'Network Protection' on Windows 10 Pro?
The link SmartScreen Test , should be blocked by this feature when opening in a non-Microsoft browser.
It does not work on my computer.

And when I applied 'Network Protection' on the second computer with Windows Home, it worked.

Deleted member 65228 · Dec 14, 2017

@Andy Ful It could just be a bug, contact Microsoft and let them kn.... Hold on guys. How do we contact them again?

Sunshine-boy · Jan 12, 2018

Can we guard the Sandboxie with exploit guard?! I meant to defend Sandboxie from bypass:/ can someone do this and share the settings?
The list of applications that I want to protect:
1-Yandex browser.
2-Sandboxie.
3-PeaZip.
That's enough for me

I have not enough knowledge to assign rules.

Search

Who has already played with new W10 security features?

Have you enabled and added folders to secure folder access feature?

YEs

No

What ??

Sunshine-boy

Level 28

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

Av Gurus

Level 29

boredog

Level 9

Andy Ful

From Hard_Configurator Tools

Av Gurus

Level 29

boredog

Level 9

Av Gurus

Level 29

boredog

Level 9

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

Deleted member 65228

Sunshine-boy

Level 28

Similar threads