Who has already played with new W10 security features?

Have you enabled and added folders to secure folder access feature?

  • YEs

    Votes: 27 29.7%
  • No

    Votes: 46 50.5%
  • What ??

    Votes: 18 19.8%

  • Total voters
    91

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I was also testing but with some hard tweaks in GPU + some Attack surface reduction settings from HERE
Protection was not so bad but it was just quick test and I didn't check OS with 3rd party app.
Those Attack surface reduction rules should stop most malicious documents from loading payloads, because macros mostly use system executables (cmd.exe, powershell.exe, wscript.exe, bitsadmin.exe,...) to do it.
I am curious how they can fight other document vulnerabilities.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
This is useful:

Rule: Block JavaScript ok VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.

This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.

Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.

This rule prevents scripts that appear to be obfuscated from running.

It uses the AntiMalwareScanInterface (AMSI) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
This is useful:
....
Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.

This rule prevents scripts that appear to be obfuscated from running.

It uses the AntiMalwareScanInterface (AMSI) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them.

For now, AMSI is not good with obfuscated scripts. So, this rule is probably AMSI enhancement. For home users, it will be especially important when fighting malicious PowerShell scripts (Windows Script Host can be easily disabled, but not PowerShell). It will be a good companion to Constrained Language in PowerShell.
I also suspect that the rule:
Impede JavaScript and VBScript to launch executables
may relate only to Windows Script Host (does not block javascript engine when using mshta.exe or web browser).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Using Attack surface reduction rules, the user can make file/folder exclusions (via PowerShell cmdlet):
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "<fully qualified path or resource>"
This possibility makes Attack surface reduction more usable.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
+ when you add and Zero Tolerance blocking level - it should help a bit...

z.jpg
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
+ when you add and Zero Tolerance blocking level - it should help a bit...

View attachment 170604
If I correctly remember, there are only two first options available in Windows Home (so not the Zero tolerance). I am curious how is the Zero tolerance blocking level, related to SmartScreen?
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Av Gurus Thanks downloaded, now playing with ASR test tool :)

So on my wife' Yoga laptop/tabler running Windows 10 Home:
  • Disabled remote services
  • Put a deny execute ACL on public folders
  • Hardened Office 2016 in TrustCenter and Attack Surface Reduction of exploit guard
  • Added Albelli photo book to Exploit Guard and allowed it in Secure Folder Access
  • Enabled Secure Folder Access and D drive user folders to Secure Folder Access protection
These extra's really feel as present (for free) from Microsoft and makes me think the https://malwaretips.com/conversations/zero-config-jail.58867/#message-205316 should be focusses on Windows 7 users, missing out on all these goodies for some (technical or personal) reason,
 
Last edited:

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
278
We need a "Guide for the Perplexed" for these tweaks.
It would be great yes. I have being using WD for a while and I don't like having to miss out of its full potentials. Just read this morning on Ghacks the article about Configure Attack Surface Reduction in Windows 10. It sound great, unfortunately I tend to mess up thing when using Power Shell tools and the like. My son will kill me if I mess up my computer again.
Hopefully soon a "for VecchioScarpone guide" will come out. :LOL:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Av Gurus Thanks downloaded, now playing with ASR test tool :)

So on my wife' Yoga laptop/tabler running Windows 10 Home:
  • Disabled remote services
  • Put a deny execute ACL on public folders
  • Hardened Office 2016 in TrustCenter and Attack Surface Reduction of exploit guard
  • Added Albelli photo book to Exploit Guard and allowed it in Secure Folder Access
  • Enabled Secure Folder Access and D drive user folders to Secure Folder Access protection
These extra's really feel as present (for free) from Microsoft and makes me think the https://malwaretips.com/conversations/zero-config-jail.58867/#message-205316 should be focusses on Windows 7 users, missing out on all these goodies for some (technical or personal) reason,
Have you tried network protection?
Turn Network protection on
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Av Gurus just now: it basically expands Smatscreen to outbound connections also, thx

Microsoft said:
Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.Windows Defender SmartScreen to block all outboud HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Where can be seen when did Windows Defender download/check for update (Reliability Monitor?)?
I set in GPE to check every 1h for update but i can see only 2-3 downloads update at day.
 
  • Like
Reactions: _CyberGhosT_

Nocturnalizer

Level 1
Verified
Oct 23, 2017
16
I've increased the cloud-level blocking up to High and played around just a little bit with the Attack Surface Reduction rules. I feel like what's there is already pretty decent as it is, so just wanted a few minor tweaks to increase security without throwing up lots of FPs!
 
  • Like
Reactions: Handsome Recluse

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
These extra's really feel as present (for free) from Microsoft and makes me think the https://malwaretips.com/conversations/zero-config-jail.58867/#message-205316 should be focusses on Windows 7 users, missing out on all these goodies for some (technical or personal) reason,
It seems fine-tuning MS config still seems some expertise, and delving into Group Policy. So I would still bear Win 10 in mind with he Zero Config Jail project, and not focus just on legacy.
 
  • Like
Reactions: _CyberGhosT_

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
WS, indeed Andy's predefined profile (one or more) + simple GUI to choose the profile, turn ON/OFF the protection + Exploit Protection could be interesting. And could achieve similar to Zero Config Jail ...

Did you get to meet with Florian?
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
WS, indeed Andy's predefined profile (one or more) + simple GUI to choose the profile, turn ON/OFF the protection + Exploit Protection could be interesting. And could achieve similar to Zero Config Jail ...

Did you get to meet with Florian?

We have an appointment on the 11th of December. Florian confirmed the apppointment. I will keep you posted.
 

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
278
I reactivate Process Folder and so far I did not experience the issues I had described on previous posts of mine. I heard that it may take some time and getting used to, for the program to ease on smooth gear.
Time that I did not give, my bad. Hopefully that was the case.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top