Who has already played with new W10 security features?

[Windows_Security]

My wife (who only uses her PC like average users do) has report ZERO issues. But as said she only uses Microsoft Office, Photo app to cut and crop photo's, Albelli photo book and Chrome.

 

[Andy Ful]

My wife (who only uses her PC like average users do) has report ZERO issues. But as said she only uses Microsoft Office, Photo app to cut and crop photo's, Albelli photo book and Chrome.

Windows built-in security was always usable, when users do not:

• install many programs,
• make system tweaks,
• change connected devices,
• make system maintenance,

but stick with the fixed software and standard daily tasks (Internet browsing, document viewing/editing, watching media, etc). If so, then the old built-in security (SRP, blocking scripts, AppContainer ....) and the new (Exploit protection, Control Folders Access) can be very useful.

 

[VecchioScarpone]

Windows built-in security was always usable, when users do not:

• install many programs,
• make system tweaks,
• change connected devices,
• make system maintenance,

but stick with the fixed software and standard daily tasks (Internet browsing, document viewing/editing, watching media, etc). If so, then the old built-in security (SRP, blocking scripts, AppContainer ....) and the new (Exploit protection, Control Folders Access) can be very useful.

You may have struck a cord here. I only have MBAE free and VS, that could be enough to create some sort of conflict with WD anti exploit feature.
I hope to get around it soon as an extra layer of protection is good to have.

 

[paulderdash]

Windows built-in security was always usable, when users do not:

• install many programs,
• make system tweaks, ...

No Hard Configurator then?

 

[Andy Ful]

No Hard Configurator then?

That is why Hard_Configurator can help, because the user can quickly configure, turn off, turn on, save security profiles, etc. But still, this is not a tool for newbies. It is rather for 'above average' user, who wants to configure his own computer (Windows Home) or the computers of newbies.
If the inexperienced user has no help from experienced one, then the preferred security is just standard AV (Defender in Windows 10) + PUA protection. More complicated security causes more problems than it is worth.

 

[AlanOstaszewski]

I tried out Defender with all new features without HC with @silversurfer new samples two days ago. The system was not clean but Defender could handle all samples. But I forgot to save the screenshots -_-

 

[ForgottenSeer 65219]

I'm just Enabled Controlled Folder Access and It's Really Annoying. Alerts Come From left and right.

 

[shmu26]

That is why Hard_Configurator can help, because the user can quickly configure, turn off, turn on, save security profiles, etc. But still, this is not a tool for newbies. It is rather for 'above average' user, who wants to configure his own computer (Windows Home) or the computers of newbies.
If the inexperienced user has no help from experienced one, that the preferred security is just standard AV (Defender in Windows 10) + PUA protection. More complicated security causes more problems than it is worth.

Some of the Hard Config settings are very good for noobs, such as disable script host and powershell. There are probably a couple others that can work painlessly for a noob.
Maybe you should make a special noob config or installation package?
Windows 10 with updates + WD + a couple Hard Config tweaks = decent security without headaches.

 

[Andy Ful]

Windows 10 default security (without hardening) is not the best, but pretty good for home users. It can be compared with any free solution, but the user has to download and install applications through EXE/MSI files using the web browser.
If downloaded installers are in archive format (*.zip, 7-zip, *.arj, etc.) or their direct source is not web browser (for example FAT32 pendrive, file downloader, torrents, etc), then SmartScreen does not work as usual, and malware detection may be worse.
.
Edit
There will be also problems with detection of obfuscated malicious scripts embedded in documents.

 

[Andy Ful]

Some of the Hard Config settings are very good for noobs, such as disable script host and powershell. There are probably a couple others that can work painlessly for a noob.
Maybe you should make a special noob config or installation package?
Windows 10 with updates + WD + a couple Hard Config tweaks = decent security without headaches.

I am thinking about it, from a couple of months. It should be a predefined profile (one or more) + simple GUI to choose the profile, turn ON/OFF the protection. Who knows, maybe in the next year?
.
Edit
I am also thinking about adding <Exploit Protection> option to Hard_Configurator to configure some useful mitigations.

 

[Av Gurus]

I tried out Defender with all new features without HC with @silversurfer new samples two days ago. The system was not clean but Defender could handle all samples. But I forgot to save the screenshots -_-

Did you do some tweak (in GPE) or you test all on default?

 

[AlanOstaszewski]

Did you do some tweak (in GPE) or you test all on default?

Default with secured folders (on default too).

 

[Andy Ful]

I tried Exploit Protection and found it more complicated than EMET. Using EMET was very simple as compared to Exploit Protection.
Folder protection (Controlled folder access) is very basic. It only covers write/modify access to protected folders. But, If I remember correctly, there is an option to add programs that will have access to protected folders. So, I think that the alerts can be avoided after the proper configuration.

 

[shmu26]

I am also thinking about adding <Exploit Protection> option to Hard_Configurator to configure some useful mitigations.

I am eagerly looking forward to that.

 

[Windows_Security]

I did a few of hard configurator tweaks manually (disable remote stuff, set UAC to block unsigned) plus disabled macro's add-ons etc in Office 2016 Pro. Only blok I noticed was Chrome installer being blocked to write chrome shortcut to the desktop. Both the Exploit Guard tweaks (for Office) and Controlled Folders access give zero problems.

 

[bribon77]

A question in this update has corrected the CPU consumption of Windows Defender?

 

[Windows_Security]

On wife's Yoga 520 with Pentium 4425U the CPU usage of all Windows Defender processes combined between 2 - 5 percent.

 

[paulderdash]

I am thinking about it, from a couple of months. It should be a predefined profile (one or more) + simple GUI to choose the profile, turn ON/OFF the protection. Who knows, maybe in the next year?
.
Edit
I am also thinking about adding <Exploit Protection> option to Hard_Configurator to configure some useful mitigations.

Looking forward to that. Especially if one does not want to fork out for AppGuard Business.

And Exploit Protection option would be a bonus.

 

[Av Gurus]

Default with secured folders (on default too).

I was also testing but with some hard tweaks in GPE + some Attack surface reduction settings from HERE
Protection was not so bad but it was just quick test and I didn't check OS with 3rd party app.

 

[shmu26]

We need a "Guide for the Perplexed" for these tweaks.