Who has already played with new W10 security features?

Have you enabled and added folders to secure folder access feature?

  • Yes

    Votes: 27 (29.7%)
  • No

    Votes: 46 (50.5%)
  • What ??

    Votes: 18 (19.8%)

  • Total voters: 91

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
I was also testing but with some hard tweaks in GPU + some Attack surface reduction settings from HERE
Protection was not so bad, but it was just a quick test and I didn't check the OS with a 3rd-party app.
Those Attack surface reduction rules should stop most malicious documents from loading payloads, because macros mostly use system executables (cmd.exe, powershell.exe, wscript.exe, bitsadmin.exe,...) to do it.
I am curious how they can fight other document vulnerabilities.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
This is useful:

Rule: Block JavaScript or VBScript from launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.

This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.

Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.

This rule prevents scripts that appear to be obfuscated from running.

It uses the Antimalware Scan Interface (AMSI) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
This is useful:
....
Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.

This rule prevents scripts that appear to be obfuscated from running.

It uses the Antimalware Scan Interface (AMSI) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.

For now, AMSI is not good with obfuscated scripts. So, this rule is probably an AMSI enhancement. For home users, it will be especially important when fighting malicious PowerShell scripts (Windows Script Host can be easily disabled, but not PowerShell). It will be a good companion to Constrained Language in PowerShell.
I also suspect that the rule:
Impede JavaScript and VBScript to launch executables
may relate only to Windows Script Host (it does not block the JavaScript engine when using mshta.exe or a web browser).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
Using Attack surface reduction rules, the user can make file/folder exclusions (via a PowerShell cmdlet):
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
This possibility makes Attack surface reduction more usable.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
+ when you also add the Zero Tolerance blocking level - it should help a bit...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
+ when you also add the Zero Tolerance blocking level - it should help a bit...

If I remember correctly, only the first two options are available in Windows Home (so not Zero Tolerance). I am curious how the Zero Tolerance blocking level is related to SmartScreen?
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Av Gurus Thanks, downloaded, now playing with the ASR test tool :)

So on my wife's Yoga laptop/tablet running Windows 10 Home:
  • Disabled remote services
  • Put a deny execute ACL on public folders
  • Hardened Office 2016 in Trust Center and Attack Surface Reduction of Exploit Guard
  • Added Albelli photo book to Exploit Guard and allowed it in Secure Folder Access
  • Enabled Secure Folder Access and added D drive user folders to Secure Folder Access protection
These extras really feel like a present (for free) from Microsoft and make me think the https://malwaretips.com/conversations/zero-config-jail.58867/#message-205316 should be focussed on Windows 7 users, who are missing out on all these goodies for some (technical or personal) reason.
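As an added example (not a script from anyone in this thread), here are Andy's ASR exclusion cmdlet and the folder, network and cloud-level steps from the post above combined into one PowerShell script using the Windows Defender cmdlets. The ASR rule GUIDs are the ones Microsoft documents for the rules discussed above; every file and folder path is a placeholder you would replace with your own.

```powershell
# Added example, not from the thread: configure and verify the Exploit Guard features
# discussed above. Run from an elevated PowerShell on Windows 10 1709 or later with
# Windows Defender as the active antivirus.

# ASR rule GUIDs (Microsoft's documented IDs) for the rules the thread talks about.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# Start in AuditMode: hits are only logged (event ID 1122), nothing is blocked yet, so
# false positives (e.g. a photo-book app) show up before switching to Enabled (ID 1121).
$mode = 'AuditMode'   # change to 'Enabled' once the audit events look clean
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
}

# ASR-only exclusion (Andy's cmdlet). Placeholder path: a trusted app that ASR keeps hitting.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleApp\ExampleApp.exe'

# Controlled folder access ("Secure Folder Access" in the thread): protect extra folders
# (placeholder D: path) and allow one trusted app (placeholder) to write into them.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Users\Photos'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\ExampleApp.exe'

# Network protection: SmartScreen reputation checks applied to outbound connections.
Set-MpPreference -EnableNetworkProtection Enabled

# Cloud block level. The thread notes that the higher levels may not be offered on
# Windows 10 Home; High is the level mentioned by Nocturnalizer below.
Set-MpPreference -CloudBlockLevel High

# Verify the effective configuration rather than trusting the commands ran.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
    AttackSurfaceReductionOnlyExclusions, EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, EnableNetworkProtection, CloudBlockLevel

# Review audit/block events to tune exclusions: 1121/1122 = ASR, 1123/1124 = controlled
# folder access, 1125/1126 = network protection. Get-WinEvent errors if no events exist yet.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124, 1125, 1126
} -MaxEvents 50 | Format-Table TimeCreated, Id, Message -Wrap
```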
 

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
278
We need a "Guide for the Perplexed" for these tweaks.
It would be great, yes. I have been using WD for a while and I don't like having to miss out on its full potential. Just read this morning on Ghacks the article about Configure Attack Surface Reduction in Windows 10. It sounds great; unfortunately I tend to mess up things when using PowerShell tools and the like. My son will kill me if I mess up my computer again.
Hopefully soon a "for VecchioScarpone guide" will come out. :LOL:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
@Av Gurus Thanks, downloaded, now playing with the ASR test tool :)

So on my wife's Yoga laptop/tablet running Windows 10 Home:
  • Disabled remote services
  • Put a deny execute ACL on public folders
  • Hardened Office 2016 in Trust Center and Attack Surface Reduction of Exploit Guard
  • Added Albelli photo book to Exploit Guard and allowed it in Secure Folder Access
  • Enabled Secure Folder Access and added D drive user folders to Secure Folder Access protection
These extras really feel like a present (for free) from Microsoft and make me think the https://malwaretips.com/conversations/zero-config-jail.58867/#message-205316 should be focussed on Windows 7 users, who are missing out on all these goodies for some (technical or personal) reason.
Have you tried network protection?
Turn Network protection on
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Av Gurus just now: it basically expands SmartScreen to outbound connections also, thx

Microsoft said:
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Where can I see when Windows Defender downloaded/checked for updates (Reliability Monitor?)?
I set it in GPE to check for updates every 1 h, but I can see only 2-3 update downloads per day.
 

Nocturnalizer

Level 1
Verified
Oct 23, 2017
16
I've increased the cloud-level blocking up to High and played around just a little bit with the Attack Surface Reduction rules. I feel like what's there is already pretty decent as it is, so just wanted a few minor tweaks to increase security without throwing up lots of FPs!
 

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
These extras really feel like a present (for free) from Microsoft and make me think the https://malwaretips.com/conversations/zero-config-jail.58867/#message-205316 should be focussed on Windows 7 users, who are missing out on all these goodies for some (technical or personal) reason.
It seems fine-tuning the MS config still seems to need some expertise, and delving into Group Policy. So I would still bear Win 10 in mind with the Zero Config Jail project, and not focus just on legacy.
 

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
WS, indeed Andy's predefined profile (one or more) + simple GUI to choose the profile, turn ON/OFF the protection + Exploit Protection could be interesting. And could achieve similar to Zero Config Jail ...

Did you get to meet with Florian?
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
WS, indeed Andy's predefined profile (one or more) + simple GUI to choose the profile, turn ON/OFF the protection + Exploit Protection could be interesting. And could achieve similar to Zero Config Jail ...

Did you get to meet with Florian?

We have an appointment on the 11th of December. Florian confirmed the appointment. I will keep you posted.
 

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
278
I reactivated Process Folder and so far I have not experienced the issues I described in previous posts of mine. I heard that it may take some time, and some getting used to, for the program to ease into smooth gear.
Time that I did not give, my bad. Hopefully that was the case.
 