Who has already played with new W10 security features?

Have you enabled and added folders to secure folder access feature?

  • Yes

    Votes: 27 29.7%
  • No

    Votes: 46 50.5%
  • What ??

    Votes: 18 19.8%

  • Total voters
    91

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Here is the test.
I ran that .vbs and WDSC blocked & quarantined the file, but I can't find anything in EV for ASR.
Here are pictures:

View attachment 174784 View attachment 174785
There is no 1121 EventId, so the script was not blocked by ASR. It is clear that Defender's local Artificial Intelligence (not signatures) detected the script as suspicious, because you have very aggressive Defender settings. If you ran the script on the virtual machine where you tested malware, it is possible that local AI learned to block some suspicious behavior. Anyway, the script was not recognized as dangerous after additional analysis in the cloud, so the signature for it was not created (I can still run it).
As for the ASR rule 'Block JavaScript or VBScript from launching downloaded executable content', it works when one tries to run some script trojan downloaders, but it can be easily bypassed. :(
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Here is the test.
I ran that .vbs and WDSC blocked & quarantined the file, but I can't find anything in EV for ASR.
Here are pictures:
View attachment 174784 View attachment 174785
By the way, why is there a 5007 EventId present in your Event Log? Have you changed ASR or Controlled Folder Access settings when testing? I can see a fragment of it that is related to protected folders. This EventID is also created when adding Exclusions to ASR or Controlled Folder Access rules (generally when the antimalware platform configuration was changed).
Edit.
Post edited.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
By the way, why is there a 5007 EventId present in your Event Log? Have you changed ASR or Controlled Folder Access settings when testing? I can see a fragment of it that is related to protected folders. This EventID is also created when adding Exclusions to ASR or Controlled Folder Access rules.

Settings for EV are downloaded from the Microsoft site (Use Attack surface reduction rules to prevent malware infection) and then imported:

asr.jpg
 

boredog

Level 9
Verified
Jul 5, 2016
416
Which folder is the Exploit Guard Package in? I am not seeing it with your directions posted in your screen shot.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Settings for EV are downloaded from the Microsoft site (Use Attack surface reduction rules to prevent malware infection) and then imported:

View attachment 174798
Thanks. I was curious why you had many 5007 EventIds in the log, visible in the posted attachment https://malwaretips.com/attachments/174785/. This is the event: 'MALWAREPROTECTION_CONFIG_CHANGED'
When I ran the scripts, I also had the 5007 EventId, related to adding an exclusion rule for the quarantined script (from my previous post Poll - Who has already played with new W10 security features?).
But anyway, it is not important for the ASR test. :)
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Which folder is the Exploit Guard Package in? I am not seeing it with your directions posted in your screen shot.

Ask me?
Sorry, but I don't understand your question...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Did anybody test the Defender 'Network Protection' on Windows 10 Pro?
The link SmartScreen Test should be blocked by this feature when opened in a non-Microsoft browser.
It does not work on my computer. :(
And when I applied 'Network Protection' on the second computer with Windows Home, it worked.:sick:
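The posts above turn on three questions that the Defender operational log answers directly: whether an ASR rule actually fired (EventId 1121, as opposed to a local-heuristic quarantine), why 5007 configuration-change events appear, and whether Network Protection is enabled and firing. The following PowerShell is an added example written for this thread, not code from any poster or from Microsoft. It assumes Windows 10 1709 or later with Microsoft Defender active and an elevated session; the event IDs, the `Get-MpPreference` properties and the rule GUID are the ones Microsoft documents, while the message-line regex is an assumption about the event text layout.

```powershell
# Added example (not from the thread): list Exploit Guard events and the current rule state so an
# ASR block (1121) can be told apart from a plain quarantine and from a config change (5007).
# Assumes Windows 10 1709+ with Microsoft Defender active; run in an elevated PowerShell.

$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# Event IDs Microsoft documents for the Exploit Guard features discussed in the thread.
$EventMeaning = @{
    1121 = 'ASR rule fired (block mode)'
    1122 = 'ASR rule fired (audit mode)'
    1123 = 'Controlled Folder Access blocked a write'
    1124 = 'Controlled Folder Access audited a write'
    1125 = 'Network Protection audited a connection'
    1126 = 'Network Protection blocked a connection'
    5007 = 'Antimalware platform configuration changed (MALWAREPROTECTION_CONFIG_CHANGED)'
}

# GUID of the rule named in the thread; the full list is in the Microsoft document
# "Use attack surface reduction rules to prevent malware infection".
$AsrRuleName = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function Get-ExploitGuardEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = $LogName
        Id        = @($EventMeaning.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $ev = $_
        # Keep only the message lines that identify the rule, path, target or the changed setting
        # (assumed line labels: "ID:", "Path:", "Target ...:", "Process Name:", "Old value:", "New value:").
        $detail = ($ev.Message -split "`r?`n" |
            Where-Object { $_ -match '^\s*(ID|Path|Target[^:]*|Process Name|Old value|New value):' }) -join ' | '
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Id      = $ev.Id
            Meaning = $EventMeaning[$ev.Id]
            Detail  = $detail
        }
    }
}

function Get-ExploitGuardState {
    $pref = Get-MpPreference
    # Per-rule action codes used by Set-MpPreference -AttackSurfaceReductionRules_Actions.
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $modeName   = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToUpper()
        $name = '(see Microsoft rule list)'
        if ($AsrRuleName.ContainsKey($id)) { $name = $AsrRuleName[$id] }
        [pscustomobject]@{
            Feature = "ASR rule $id"
            Name    = $name
            Mode    = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
    # The other two features are single Disabled/Enabled/Audit switches.
    [pscustomobject]@{ Feature = 'Controlled Folder Access'; Name = ''; Mode = $modeName[[int]$pref.EnableControlledFolderAccess] }
    [pscustomobject]@{ Feature = 'Network Protection';       Name = ''; Mode = $modeName[[int]$pref.EnableNetworkProtection] }
}

Get-ExploitGuardState | Format-Table -AutoSize -Wrap
Get-ExploitGuardEvents -Hours 48 | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Read the output as the thread does: a quarantine with no 1121 row means the script was caught by heuristics or signatures, not by the ASR rule; a burst of 5007 rows with "Old value"/"New value" details is the platform recording each rule or exclusion change made while testing; and a Network Protection row showing Disabled explains a SmartScreen test page that is not blocked before any Home-versus-Pro difference is considered.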
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
Can we guard Sandboxie with Exploit Guard?! I mean to defend Sandboxie from bypass :/ Can someone do this and share the settings?
The list of applications that I want to protect:
1-Yandex browser.
2-Sandboxie.
3-PeaZip.
That's enough for me :) I don't have enough knowledge to assign rules.
 
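The per-application part of Exploit Guard is Exploit Protection, configured with the `ProcessMitigations` cmdlets, and its settings can be exported to an XML file, which is how they are shared. The following is an added example written for this thread, not settings posted by anyone in it or shipped by any of the vendors named. It assumes Windows 10 1709 or later and an elevated session; the executable names for the three applications are assumptions, and the mitigation set is a conservative starting point, not a tested profile for those programs.

```powershell
# Added example (not from the thread): per-application Exploit Protection settings for the
# three programs named in the question. Executable names are assumptions; verify them in Task Manager.
$Apps = @('browser.exe', 'SbieCtrl.exe', 'peazip.exe')

# Memory-layout mitigations that most modern x64 applications tolerate. Stronger options
# (StrictCFG, BlockDynamicCode, DisableExtensionPoints) often break software that injects DLLs
# into other processes or JIT-compiles code, so add those one at a time and re-test the app.
$Mitigations = @('DEP', 'SEHOP', 'BottomUp', 'HighEntropy', 'ForceRelocateImages')

function Show-AppMitigations {
    param([string]$Name)
    # Prints the effective mitigation table for the process name (defaults plus overrides).
    Get-ProcessMitigation -Name $Name
}

function Enable-AppMitigations {
    param([string]$Name)
    Set-ProcessMitigation -Name $Name -Enable $Mitigations
}

function Reset-AppMitigations {
    param([string]$Name)
    # Removes the per-process override so the system defaults apply again; use this if an
    # application stops starting after a mitigation was enabled.
    Set-ProcessMitigation -Name $Name -Remove
}

function Export-MitigationConfig {
    param([string]$Path = "$env:USERPROFILE\exploit-protection.xml")
    # Writes every configured override to XML. The file is what one shares; another machine
    # imports it with: Set-ProcessMitigation -PolicyFilePath <file>
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    $Path
}

foreach ($app in $Apps) {
    Enable-AppMitigations -Name $app
    Show-AppMitigations -Name $app
}
Export-MitigationConfig
```

Apply the set to one program at a time and use the program normally before moving to the next; if it breaks, `Reset-AppMitigations` restores the defaults for that executable.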
