Who has already played with new W10 security features?

[_CyberGhosT_]

I have a ton of these, and have a pretty good balance in Win 10 Pro, some may remember me posting some here and there.
Things are changing, now MS is taking notice and at nearly every update of any importance resets "Services" that may have been user disabled, I used to notice it but not very often now I am seeing it more. kinda like how they reacted when you would remove one of the apps back in early Win10.
Wait for the list till after the Fall Update, and the first patch fix after that, then the list will have some new, and some wont work anymore (Most likely) so we could then skip having to re-edit it in such a short time.
Does that make sense ? I hope so lol

 

[Glashouse]

I also can't play with it as defender is disabled at my systems.
For me Excubits Products are doing quite a good job on performing these actions...

 

[Av Gurus]

windows defender advanced threat protection services is not working, it's set to manual and if i try to change that I got error



Also, I'm not sure if this is connected, but Win Defender can't update



Try to run sfc /scannow and dism /online /cleanup-image /restorehealth but no problem found

 

[Andy Ful]

I tested Attack Surface Reduction rules here:
Hard_Configurator - Windows Hardening Configurator
Also, the new Windows Defender security features are tested by @Av Gurus on Malware Vault (Samples) .

 

[Windows_Security]

I tested Attack Surface Reduction rules here:
Hard_Configurator - Windows Hardening Configurator
Also, the new Windows Defender security features are tested by @Av Gurus on Malware Vault (Samples) .

Thanks, please post your opinion also. New security features are half good IMO, what is your take on it?

 

[Andy Ful]

Thanks, please post your opinion also. New security features are half good IMO, what is your take on it?

Controlled Folder Access (CFA) can confuse the average users while installing new applications. Most installers try to create shortcuts on the Desktop, which will be forbidden by CFA. Also, the applications for editing photos, media files, and documents often try to make special directories in protected folders. So, in the real world CFA should be deactivated when installing new applications.
ASR rules are probably related to Microsoft Office 2016, 2013, 2010 and Office 365. So, they are useless for anything else. But, they could be very useful for Microsoft Office users.
Exploit Guard is a very interesting feature, but not for the average users. Maybe, it is possible to prepare the setups for most exploited applications (I did it for 7-ZIP). But, that would require a collective work.
Cloud-delivered protection level cannot be changed in Windows Home editions.
My conclusion is that I will have much work to do.

 

[Av Gurus]

Exploit Guard is a very interesting feature, but not for the average users. Maybe, it is possible to prepare the setups for most exploited applications (I did it for 7-ZIP). But, that would require a collective work.

Can you share that setup for 7zip?

 

[Andy Ful]

Can you share that setup for 7zip?

Here is my post:
Q&A - 7Zip exploit protection settings recommendation
Please, let me know if you will get any issues with it.

 

[Windows_Security]

@Andy Ful THX

DISABLE EXTENSIONS POINTS (exploit mitigation) seems to work on most processes. Poll - Who has already played with new W10 security features? This is a mitigation introduced with Windows 8 for Desktop Apps. Prevents certain built-in third party extension points from being enabled, preventing legacy extension point DLLs from being loaded into the process. I can't fid which legacy third party DLL''s are meant by M$, but possibly they just block Addobe flash and PDF and simular.

 

[509322]

Controlled Folder Access (CFA) can confuse the average users while installing new applications. Most installers try to create shortcuts on the Desktop, which will be forbidden by CFA. Also, the applications for editing photos, media files, and documents often try to make special directories in protected folders. So, in the real world CFA should be deactivated when installing new applications.
ASR rules are probably related to Microsoft Office 2016, 2013, 2010 and Office 365. So, they are useless for anything else. But, they could be very useful for Microsoft Office users.
Exploit Guard is a very interesting feature, but not for the average users. Maybe, it is possible to prepare the setups for most exploited applications (I did it for 7-ZIP). But, that would require a collective work.
Cloud-delivered protection level cannot be changed in Windows Home editions.
My conclusion is that I will have much work to do.

To see anything interesting without the exploit protections you would have to be on Windows 7 or earlier, with unpatched programs like Office 2010 and earlier, badly configured and upatched Windows and programs and do really dodgy, stupid stuff.

I am all for using native Windows protections as long as the user can figure it out. Problem is, 95% of users can barely turn on a PC, let alone figure out how to use Windows itself and tweak it.

I look at what M$ did with Exploit Guard and it makes absolutely no sense - at least not for the typical home user. Not even some multi-decade security forum members can figure out how to use Exploit Guard. There's no documentation. Typical M$ bullshit. Guess people are supposed to figure out they need to dig up ancient EMET guides or something.

 

[Handsome Recluse]

at least not for the typical home user

Well this does exist.

 

[Andy Ful]

To see anything interesting without the exploit protections you would have to be on Windows 7 or earlier, with unpatched programs like Office 2010 and earlier, badly configured and upatched Windows and programs and do really dodgy, stupid stuff.

I am all for using native Windows protections as long as the user can figure it out. Problem is, 95% of users can barely turn on a PC, let alone figure out how to use Windows itself and tweak it.

I look at what M$ did with Exploit Guard and it makes absolutely no sense - at least not for the typical home user. Not even some multi-decade security forum members can figure out how to use Exploit Guard. There's no documentation. Typical M$ bullshit. Guess people are supposed to figure out they need to dig up ancient EMET guides or something.

That is true for now. But, there is a possibility to utilize the Exploit Guard by software developers. So for example, while installing 7-ZIP, the installator can automatically apply mitigations for 7-ZIP executables. It can also be done by using PowerShell (Set-ProcessMitigation cmdlet).
Enable or disable specific mitigations used by Exploit protection
One can create an application with predefined mitigations for mostly exploited software, etc.
So in my opinion, Exploit Guard feature can be useful for advanced users and software developers.

 

[509322]

Well this does exist.

LOL. It doesn't explain much. It basically reviews the GUI. How the hell can you explain all the necessary details to fully explain exploit mitigations for all the programs in a 2 minute read ? Come on... like I said, typical M$ bullshit documentation. Exploit Guard was implemented into to Windows Home without consideration for the typical Home user - who is never going to figure it out without full, adequate documentation - which Microsoft NEVER provides for Windows - EVER.

That's why 95% of all Windows Home users can barely use Windows beyond the basic level. Most have difficulty with it.

 

[Andy Ful]

...
They made exploit protection just what it needs to be - turned on by default with default settings for many commonly exploited programs...

That is a very brave statement. I would replace the word 'many' with 'a few'.
But anyway, that is the right direction.

 

[509322]

That is a very brave statement. I would replace the word 'many' with 'a few'.
But anyway, that is the right direction.

He doesn't even know what he is talking about because Exploit Guard is barely configured by default. Like I said, it makes no sense how Microsoft cobbled Exploit Guard together.

Typical statement by a typical member on a typical security forum. You can interject adjective expletives if you wish because such statements are extremely annoying and furthermore demonstrate the pervasive ignorance on these forums.

There's a reason that so few security soft publishers remain on the forums. That kind of post is the genera reason.

 

[Andy Ful]

More precisely, the below executables have special mitigations:
ExtExport.exe, ie4uinit.exe, ieinstal.exe, ielowutil.exe, ieUnatt.exe, iexplore.exe, mscorsvw.exe, msfeedssync.exe, mshta.exe, ngen.exe, ngentask.exe, PresentationHost.exe, PrintDialog.exe, runtimebroker.exe, svchost.exe, SystemSettings.exe .
There are also PrintIsolationHost.exe, splwow64.exe, spoolsv.exe included on the default Exploit Guard list, but they have only default system-wide mitigations (CFG, DEP, bottom-up ASLR, SEHOP, Heap Integrity).

 

[boredog]

Maybe not for your average joe/Jane but for those of you that used EMET, you can import those settings into Windows 10 Exploit Protection. Also the Exploit Protection is aimed at enterprise as well as Appguard. Deploy Exploit protection mitigations across your organization

 

[Andy Ful]

That is interesting. From @Av Gurus malware test it follows, that the script Comprobante.js was blocked by ASR rule 'Impede JavaScript and VBScript to launch executables'. On the other side, when I tested ASR, it cannot stop the vbs script:

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\Windows\notepad.exe")
WScript.Quit

@Av Gurus, could you run a similar script on your setup to see if the executable will be blocked?
Edit.
Post edited.

 

[509322]

Maybe not for your average joe/Jane but for those of you that used EMET, you can import those settings into Windows 10 Exploit Protection. Also the Exploit Protection is aimed at enterprise as well as Appguard. Deploy Exploit protection mitigations across your organization

No, Microsoft simply published documentation for Enterprise users and left Windows Home users to fend for themselves. If Microsoft meant for Exploit Guard not to be available in Windows Home, then Microsoft is pretty good at not implementing features in it and making them available only in Pro and\or Enterprise\Education. Just like it does with Group Policy.

 

[Deleted member 65228]

I've seen people asking about Windows Defender Exploit Guard, and how to configure it correctly, who likely are not even aware what ASLR stands for. I don't see why there is a point to them wasting time by implementing features which will lack documentation and won't be appropriate for average users, for an OS version which is used by average users.