Who has already played with new W10 security features?

Have you enabled and added folders to secure folder access feature?

  • YEs

    Votes: 27 29.7%
  • No

    Votes: 46 50.5%
  • What ??

    Votes: 18 19.8%

  • Total voters
    91
5

509322

I've seen people asking about Windows Defender Exploit Guard, and how to configure it correctly, who likely are not even aware what ASLR stands for. I don't see why there is a point to them wasting time by implementing features which will lack documentation and won't be appropriate for average users, for an OS version which is used by average users.

You of all people know Microsoft's zero documentation routines. Developers will have to reverse engineer parts of Exploit Guard to figure it out. That statement is absolutely true. For users, forget it. The Enterprise documentation is pathetic, and for Windows Home users there is no documentation.
 
5

509322

The argument that Exploit Guard was intended mostly for Enterprises is bogus. If Microsoft intended that, then they would have never put it into Windows Home. Microsoft is very determined at keeping features intended only for Pro and Enterprise\Education out of Windows Home.

The average Joe is better served not using Windows but instead using Chrome OS.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
...
I don't see why there is a point to them wasting time by implementing features which will lack documentation and won't be appropriate for average users, for an OS version which is used by average users.
You have probably thought of putting Exploit Guard into Defender Security Center in Windows Home editions. It is hardly useful for the average users, for sure. I think that, that it was easier for Microsoft, not removing this feature from Defender Security Center.:)
But, the idea of implementing Exploit Guard in all Windows editions is logical from the security point of view. As I mentioned in one of my previous posts, developers can integrate the right mitigations with the installation of an application, for the benefit of all users. There are some other pros, too.
 
D

Deleted member 65228

As I mentioned in one of my previous posts, developers can integrate the right mitigations with the installation of an application, for the benefit of all users.
The developers don't need Windows Defender to have Exploit Guard to be enabled/even on the system at all to make use of enabling mitigations at run-time manually, it has been supported since Windows 8 and even before then you could enable some mitigations like ASLR/DEP in a forced manner (to an extent at-least).

I understand from both point-of-views but I just personally think that having a security feature like this which most average users probably won't understand and be able to use correctly will just lead down a path of chaos... :/
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Because I liked GeSwall and DefenseWall, I switched from XP Home to Vista Business. It took some time to 'grow' into Group Policy, but there are some websites where System Administrators help System Administrators. The fact that even System Admins need assistance from more experience system admins says it all (big smile appears on @Lockdown face while reading).

Guess it will also takes some time to grow into exploit guard and controlled folder access Until now only had to adjust something to allow a (signed) photobook app in Controlled Folder Acces. Everything else (exploit guard added 12 mitigations to Albelli photobook) works fine (on wife's Windows 10 home Yoga 520). !1 december I will meet Florian to implement simular mechanisms for Windows 7 Home and Office users (only ZERO config :) )
 
Last edited:
5

509322

As I mentioned in one of my previous posts, developers can integrate the right mitigations with the installation of an application, for the benefit of all users. There are some other pros, too.

Developers can but won't because they won't want to deal with the aggravation of dealing with it. It's not like it's a free ride. Figuring out some of the moving parts is a real pain in da ass with virtually no economic return for their troubles.
 
Last edited by a moderator:
5

509322

Because I liked GeSwall and DefenseWall, I switched from XP Home to Vista Business. It took some time to 'grow' into Group Policy, but there are some websites where System Administrators help System Administrators. The fact that even System Admins need assistance from more experience system admins says it all (big smile appears on @Lockdown face while reading).

Guess it will also takes some time to grow into exploit guard and controlled folder access Until now only had to adjust something to allow a (signed) photobook app in Controlled Folder Acces. Everything else (exploit guard added 12 mitigations to Albelli photobook) works fine (on wife's Windows 10 home Yoga 520). !1 december I will meet Florian to implement simular mechanisms for Windows 7 Home and Office users (only ZERO config :) )

It doesn't make me smile. It angers and annoys me to no end. Using native Windows should be a whole lot easier. Windows Admins and Security Admins shouldn't have to spend countless hours every year (adding up to months and many times hard earned money) to learn what Microsoft should document in the first place.

Users are the ones who get screwed the most.

An entire multi-billion dollar multi-spectrum industry is built upon Microsoft's non-documentation - and the 3rd party security sector is just a small part of it.

The average Joe is much better served not using Windows but instead using Chrome OS.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Considering there are already antivirus with exploit protection. I imagine it would be possible for them to integrate their solution with Windows 10 exploit guard.

Users won't need to tinker with the settings cause a 3rd party product would already do so for them.
 
  • Like
Reactions: AtlBo and Andy Ful

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Third party probably want to control the violations. It is possible to set them, but in case of conflicts the user would be confronted with Microsoft warnings with no clue on how to respond to true threats or handle false positives. User would blame the third party vendor, so I guess big security brands will develop their own protection mechanisms.
 
5

509322

Third party probably want to control the violations. It is possible to set them, but in case of conflicts the user would be confronted with Microsoft warnings with no clue on how to respond to true threats or handle false positives. User would blame the third party vendor, so I guess big security brands will develop their own protection mechanisms.

Predictably, it turns into ##### show - user, publisher, Microsoft. And if the economies of scale are not available in the sales model at sufficient revenue and also to account for all the accounting and cash flow stuff and realistic expenses, then pricing of anything less than 40 Euros is not going to be economically viable unless you are a one-man shop. The numbers don't lie - unless you use a fantasy business plan and model based upon selling 5 licenses per month - in which case your are a charity and not an ongoing business concern.

For stuff like security soft geek toys you have to do a lot more than just throw up a website.
 
Last edited by a moderator:

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Predictably, it turns into ##### show - user, publisher, Microsoft. And if the economies of scale are not available in sales model, then pricing of anything less than 40 Euros is not going to be economically viable unless you are a one-man shop. The numbers don't lie.
Quotes of a man who knows from experience ;)
 
5

509322

Quotes of a man who knows from experience ;)

I ate oodles of noodles for decades bro. 20 cents per package. Out of necessity. Now I have high blood pressure from all the salt.

Get rich or die tryin'. One foot in the grave and a few more dollars in the pocket. Now I can afford Nissin Cup of Soup.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
The developers don't need Windows Defender to have Exploit Guard to be enabled/even on the system at all to make use of enabling mitigations at run-time manually, it has been supported since Windows 8 and even before then you could enable some mitigations like ASLR/DEP in a forced manner (to an extent at-least).
It has been supported, but hardly documented. Microsoft was very silent about adopted mitigations.
Now, it is far easier to do it, even for non-experts.:)
It seems that the mitigations in Exploit Guard do not conflict with each other, so the working setup for non-system programs (media players, document editors, etc.) can be found out, simply by trial and error.
I understand from both point-of-views but I just personally think that having a security feature like this which most average users probably won't understand and be able to use correctly will just lead down a path of chaos... :/
There are many people having advanced knowledge who use Windows Home editions. They do not complain. But, I think that you are right about the danger related to making Exploit Guard available by default, for everyone in Windows Home. The optimal solution would be hiding it by default, and leave the option to unhide it for advanced users.
Microsoft always had the problem with understanding the needs of the average users. The corporation has its own strategy and home users are only pawns in the game. :coffee:(y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Developers can but won't because they won't want to deal with the aggravation of dealing with it. It's not like it's a free ride. Figuring out some of the moving parts is a real pain in da ass with virtually no economic return for their troubles.
Maybe you are right, we will see.:)
 
  • Like
Reactions: AtlBo

boredog

Level 9
Verified
Jul 5, 2016
416
Considering there are already antivirus with exploit protection. I imagine it would be possible for them to integrate their solution with Windows 10 exploit guard.

Users won't need to tinker with the settings cause a 3rd party product would already do so for them.
There is problems right now with Malwarebytes anti-exploit. Event viewer shows tons of problems and so I had to shut off MB anti-exploit for now.
 
  • Like
Reactions: AtlBo

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
That is interesting. From @Av Gurus malware test it follows, that the script Comprobante.js was blocked by ASR rule 'Impede JavaScript and VBScript to launch executables'. On the other side, when I tested ASR, it cannot stop the vbs script:
Code:
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\Windows\notepad.exe")
WScript.Quit
@Av Gurus, could you run a similar script on your setup to see if the executable will be blocked?
Edit.
Post edited.

This script or some others?
Can you make one for me to test?
 
  • Like
Reactions: AtlBo

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
This script or some others?
Can you make one for me to test?
Of course. I uploaded two scripts as text files (MalwareTips limitation). Please, change the txt extensions to vbs.
You can edit the scripts in a text editor and replace the executable path to another one.:)
 

Attachments

  • RunNotepad.txt
    101 bytes · Views: 396
  • RunPowerShell.txt
    136 bytes · Views: 411

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
It seems that Microsoft uses two descriptions for the same ASR rule:
  • 'Impede JavaScript and VBScript to launch executables'
  • 'Block JavaScript or VBScript from launching downloaded executable content'
Both descriptions are related to the rule:
D3E037E1-3EB8-44C8-A917-57927947596D
.
View the Security Analytics dashboard in Windows Defender ATP
Configure how ASR works to finetune protection in your network
.
The second description is far more concrete and can be possibly understood, that If JavaScript or VBScript will download the executable file, the script will be prevented from executing it. If so, then this rule cannot prevent JavaScript or VBScript from running executables which are already on the disk (like notepad.exe, powershell.exe, etc.).
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Of course. I uploaded two scripts as text files (MalwareTips limitation). Please, change the txt extensions to vbs.
You can edit the scripts in a text editor and replace the executable path to another one.:)

Run booth files and it run OK, but WDSC found one threat.

Clipboard01.jpg
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Run booth files and it run OK, but WDSC found one threat.

View attachment 174488
Thanks. :)
If I correctly read your attachment, then the scripts (RunNotepad.vbs, RunPowerShell.vbs)successfully ran the executables (notepad.exe, powershell.exe), and next, Defender recognized the RunPowerSell.vbs script as dangerous and put it in Quarantine.
If so, then indeed, the executables that are already on the disk are not blocked by this ASR rule (D3E037E1-3EB8-44C8-A917-57927947596D). Your malware test suggests, that the rule is activated when the script can download executable to the disk and tries to execute it. That is a good news.
Anyway, your Defender settings are somewhat more aggressive, because I can run the same script with no Defender intervention.
Could you post the Defender details about the quarantined script (or details from Windows Event Viewer)?
This would help to ensure everyone, that ASR rules have nothing to do with detecting the RunPowerSell.vbs script.
 
Last edited:
  • Like
Reactions: AtlBo and Av Gurus

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top