Who has already played with new W10 security features?

Have you enabled and added folders to secure folder access feature?

  • YEs

    Votes: 27 29.7%
  • No

    Votes: 46 50.5%
  • What ??

    Votes: 18 19.8%

  • Total voters
    91

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I have a ton of these, and have a pretty good balance in Win 10 Pro, some may remember me posting some here and there.
Things are changing, now MS is taking notice and at nearly every update of any importance resets "Services" that may have been user disabled, I used to notice it but not very often now I am seeing it more. kinda like how they reacted when you would remove one of the apps back in early Win10.
Wait for the list till after the Fall Update, and the first patch fix after that, then the list will have some new, and some wont work anymore (Most likely) so we could then skip having to re-edit it in such a short time.
Does that make sense ? I hope so lol
 

Glashouse

Level 4
Verified
Well-known
Jun 4, 2017
174
I also can't play with it as defender is disabled at my systems.
For me Excubits Products are doing quite a good job on performing these actions...
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
windows defender advanced threat protection services is not working, it's set to manual and if i try to change that I got error

Clipboard01.jpg Clipboard02.jpg

Also, I'm not sure if this is connected, but Win Defender can't update

Clipboard03.jpg

Try to run sfc /scannow and dism /online /cleanup-image /restorehealth but no problem found

Clipboard04.jpg
 
  • Like
Reactions: AtlBo

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
  • Like
Reactions: AtlBo and Av Gurus

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Thanks, please post your opinion also. New security features are half good :cool: IMO, what is your take on it?
Controlled Folder Access (CFA) can confuse the average users while installing new applications. Most installers try to create shortcuts on the Desktop, which will be forbidden by CFA. Also, the applications for editing photos, media files, and documents often try to make special directories in protected folders. So, in the real world CFA should be deactivated when installing new applications.
ASR rules are probably related to Microsoft Office 2016, 2013, 2010 and Office 365. So, they are useless for anything else. But, they could be very useful for Microsoft Office users.
Exploit Guard is a very interesting feature, but not for the average users. Maybe, it is possible to prepare the setups for most exploited applications (I did it for 7-ZIP). But, that would require a collective work.
Cloud-delivered protection level cannot be changed in Windows Home editions.
My conclusion is that I will have much work to do.:)
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Exploit Guard is a very interesting feature, but not for the average users. Maybe, it is possible to prepare the setups for most exploited applications (I did it for 7-ZIP). But, that would require a collective work.

Can you share that setup for 7zip?
 
  • Like
Reactions: AtlBo

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful THX

DISABLE EXTENSIONS POINTS (exploit mitigation) seems to work on most processes. Poll - Who has already played with new W10 security features? This is a mitigation introduced with Windows 8 for Desktop Apps. Prevents certain built-in third party extension points from being enabled, preventing legacy extension point DLLs from being loaded into the process. I can't fid which legacy third party DLL''s are meant by M$, but possibly they just block Addobe flash and PDF and simular.
 
Last edited:
5

509322

Controlled Folder Access (CFA) can confuse the average users while installing new applications. Most installers try to create shortcuts on the Desktop, which will be forbidden by CFA. Also, the applications for editing photos, media files, and documents often try to make special directories in protected folders. So, in the real world CFA should be deactivated when installing new applications.
ASR rules are probably related to Microsoft Office 2016, 2013, 2010 and Office 365. So, they are useless for anything else. But, they could be very useful for Microsoft Office users.
Exploit Guard is a very interesting feature, but not for the average users. Maybe, it is possible to prepare the setups for most exploited applications (I did it for 7-ZIP). But, that would require a collective work.
Cloud-delivered protection level cannot be changed in Windows Home editions.
My conclusion is that I will have much work to do.:)

To see anything interesting without the exploit protections you would have to be on Windows 7 or earlier, with unpatched programs like Office 2010 and earlier, badly configured and upatched Windows and programs and do really dodgy, stupid stuff.

I am all for using native Windows protections as long as the user can figure it out. Problem is, 95% of users can barely turn on a PC, let alone figure out how to use Windows itself and tweak it.

I look at what M$ did with Exploit Guard and it makes absolutely no sense - at least not for the typical home user. Not even some multi-decade security forum members can figure out how to use Exploit Guard. There's no documentation. Typical M$ bullshit. Guess people are supposed to figure out they need to dig up ancient EMET guides or something.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
To see anything interesting without the exploit protections you would have to be on Windows 7 or earlier, with unpatched programs like Office 2010 and earlier, badly configured and upatched Windows and programs and do really dodgy, stupid stuff.

I am all for using native Windows protections as long as the user can figure it out. Problem is, 95% of users can barely turn on a PC, let alone figure out how to use Windows itself and tweak it.

I look at what M$ did with Exploit Guard and it makes absolutely no sense - at least not for the typical home user. Not even some multi-decade security forum members can figure out how to use Exploit Guard. There's no documentation. Typical M$ bullshit. Guess people are supposed to figure out they need to dig up ancient EMET guides or something.
That is true for now. But, there is a possibility to utilize the Exploit Guard by software developers. So for example, while installing 7-ZIP, the installator can automatically apply mitigations for 7-ZIP executables. It can also be done by using PowerShell (Set-ProcessMitigation cmdlet).
Enable or disable specific mitigations used by Exploit protection
One can create an application with predefined mitigations for mostly exploited software, etc.
So in my opinion, Exploit Guard feature can be useful for advanced users and software developers.
 
5

509322

2756ed2f-1ada-4c9e-a907-5ecc8d262587.png


Well this does exist.

LOL. It doesn't explain much. It basically reviews the GUI. How the hell can you explain all the necessary details to fully explain exploit mitigations for all the programs in a 2 minute read ? Come on... like I said, typical M$ bullshit documentation. Exploit Guard was implemented into to Windows Home without consideration for the typical Home user - who is never going to figure it out without full, adequate documentation - which Microsoft NEVER provides for Windows - EVER.

That's why 95% of all Windows Home users can barely use Windows beyond the basic level. Most have difficulty with it.
 
Last edited by a moderator:
  • Like
Reactions: AtlBo
5

509322

That is a very brave statement. I would replace the word 'many' with 'a few'.:)
But anyway, that is the right direction.

He doesn't even know what he is talking about because Exploit Guard is barely configured by default. Like I said, it makes no sense how Microsoft cobbled Exploit Guard together.

Typical statement by a typical member on a typical security forum. You can interject adjective expletives if you wish because such statements are extremely annoying and furthermore demonstrate the pervasive ignorance on these forums.

There's a reason that so few security soft publishers remain on the forums. That kind of post is the genera reason.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
More precisely, the below executables have special mitigations:
ExtExport.exe, ie4uinit.exe, ieinstal.exe, ielowutil.exe, ieUnatt.exe, iexplore.exe, mscorsvw.exe, msfeedssync.exe, mshta.exe, ngen.exe, ngentask.exe, PresentationHost.exe, PrintDialog.exe, runtimebroker.exe, svchost.exe, SystemSettings.exe .
There are also PrintIsolationHost.exe, splwow64.exe, spoolsv.exe included on the default Exploit Guard list, but they have only default system-wide mitigations (CFG, DEP, bottom-up ASLR, SEHOP, Heap Integrity).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
That is interesting. From @Av Gurus malware test it follows, that the script Comprobante.js was blocked by ASR rule 'Impede JavaScript and VBScript to launch executables'. On the other side, when I tested ASR, it cannot stop the vbs script:
Code:
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\Windows\notepad.exe")
WScript.Quit
@Av Gurus, could you run a similar script on your setup to see if the executable will be blocked?
Edit.
Post edited.
 
Last edited:
  • Like
Reactions: AtlBo and Av Gurus
5

509322

Maybe not for your average joe/Jane but for those of you that used EMET, you can import those settings into Windows 10 Exploit Protection. Also the Exploit Protection is aimed at enterprise as well as Appguard. Deploy Exploit protection mitigations across your organization

No, Microsoft simply published documentation for Enterprise users and left Windows Home users to fend for themselves. If Microsoft meant for Exploit Guard not to be available in Windows Home, then Microsoft is pretty good at not implementing features in it and making them available only in Pro and\or Enterprise\Education. Just like it does with Group Policy.
 
D

Deleted member 65228

I've seen people asking about Windows Defender Exploit Guard, and how to configure it correctly, who likely are not even aware what ASLR stands for. I don't see why there is a point to them wasting time by implementing features which will lack documentation and won't be appropriate for average users, for an OS version which is used by average users.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top