Who has already played with new W10 security features?

Have you enabled and added folders to secure folder access feature?

  • Yes: 27 votes (29.7%)
  • No: 46 votes (50.5%)
  • What ??: 18 votes (19.8%)
  • Total voters: 91

509322

I've seen people asking about Windows Defender Exploit Guard, and how to configure it correctly, who likely are not even aware what ASLR stands for. I don't see why there is a point to them wasting time by implementing features which will lack documentation and won't be appropriate for average users, for an OS version which is used by average users.

You of all people know Microsoft's zero documentation routines. Developers will have to reverse engineer parts of Exploit Guard to figure it out. That statement is absolutely true. For users, forget it. The Enterprise documentation is pathetic, and for Windows Home users there is no documentation.
 

509322

The argument that Exploit Guard was intended mostly for Enterprises is bogus. If Microsoft intended that, then they would have never put it into Windows Home. Microsoft is very determined to keep features intended only for Pro and Enterprise\Education out of Windows Home.

The average Joe is better served not using Windows but instead using Chrome OS.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
...
I don't see why there is a point to them wasting time by implementing features which will lack documentation and won't be appropriate for average users, for an OS version which is used by average users.
You have probably thought of putting Exploit Guard into Defender Security Center in Windows Home editions. It is hardly useful for the average users, for sure. I think that it was easier for Microsoft not to remove this feature from Defender Security Center.:)
But, the idea of implementing Exploit Guard in all Windows editions is logical from the security point of view. As I mentioned in one of my previous posts, developers can integrate the right mitigations with the installation of an application, for the benefit of all users. There are some other pros, too.
 

Deleted member 65228

As I mentioned in one of my previous posts, developers can integrate the right mitigations with the installation of an application, for the benefit of all users.
The developers don't need Windows Defender Exploit Guard to be enabled, or even on the system at all, to make use of enabling mitigations at run-time manually; it has been supported since Windows 8, and even before then you could enable some mitigations like ASLR/DEP in a forced manner (to an extent at least).

I understand both points of view, but I just personally think that having a security feature like this, which most average users probably won't understand and be able to use correctly, will just lead down a path of chaos... :/
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Because I liked GeSwall and DefenseWall, I switched from XP Home to Vista Business. It took some time to 'grow' into Group Policy, but there are some websites where System Administrators help System Administrators. The fact that even System Admins need assistance from more experienced system admins says it all (big smile appears on @Lockdown face while reading).

Guess it will also take some time to grow into Exploit Guard and Controlled Folder Access. Until now I only had to adjust something to allow a (signed) photobook app in Controlled Folder Access. Everything else (Exploit Guard added 12 mitigations to Albelli photobook) works fine (on wife's Windows 10 Home Yoga 520). On 1 December I will meet Florian to implement similar mechanisms for Windows 7 Home and Office users (only ZERO config :) )
 
Last edited:

509322

As I mentioned in one of my previous posts, developers can integrate the right mitigations with the installation of an application, for the benefit of all users. There are some other pros, too.

Developers can but won't because they won't want to deal with the aggravation of dealing with it. It's not like it's a free ride. Figuring out some of the moving parts is a real pain in da ass with virtually no economic return for their troubles.
 
Last edited by a moderator:

509322

Because I liked GeSwall and DefenseWall, I switched from XP Home to Vista Business. It took some time to 'grow' into Group Policy, but there are some websites where System Administrators help System Administrators. The fact that even System Admins need assistance from more experienced system admins says it all (big smile appears on @Lockdown face while reading).

Guess it will also take some time to grow into Exploit Guard and Controlled Folder Access. Until now I only had to adjust something to allow a (signed) photobook app in Controlled Folder Access. Everything else (Exploit Guard added 12 mitigations to Albelli photobook) works fine (on wife's Windows 10 Home Yoga 520). On 1 December I will meet Florian to implement similar mechanisms for Windows 7 Home and Office users (only ZERO config :) )

It doesn't make me smile. It angers and annoys me to no end. Using native Windows should be a whole lot easier. Windows Admins and Security Admins shouldn't have to spend countless hours every year (adding up to months and many times hard earned money) to learn what Microsoft should document in the first place.

Users are the ones who get screwed the most.

An entire multi-billion dollar multi-spectrum industry is built upon Microsoft's non-documentation - and the 3rd party security sector is just a small part of it.

The average Joe is much better served not using Windows but instead using Chrome OS.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
Considering there are already antiviruses with exploit protection, I imagine it would be possible for them to integrate their solution with Windows 10 Exploit Guard.

Users won't need to tinker with the settings because a 3rd party product would already do so for them.
 
  • Like
Reactions: AtlBo and Andy Ful

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Third parties probably want to control the violations. It is possible to set them, but in case of conflicts the user would be confronted with Microsoft warnings with no clue on how to respond to true threats or handle false positives. The user would blame the third party vendor, so I guess big security brands will develop their own protection mechanisms.
 

509322

Third parties probably want to control the violations. It is possible to set them, but in case of conflicts the user would be confronted with Microsoft warnings with no clue on how to respond to true threats or handle false positives. The user would blame the third party vendor, so I guess big security brands will develop their own protection mechanisms.

Predictably, it turns into a ##### show - user, publisher, Microsoft. And if the economies of scale are not available in the sales model at sufficient revenue, and also to account for all the accounting and cash flow stuff and realistic expenses, then pricing of anything less than 40 Euros is not going to be economically viable unless you are a one-man shop. The numbers don't lie - unless you use a fantasy business plan and model based upon selling 5 licenses per month, in which case you are a charity and not an ongoing business concern.

For stuff like security soft geek toys you have to do a lot more than just throw up a website.
 
Last edited by a moderator:

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Predictably, it turns into a ##### show - user, publisher, Microsoft. And if the economies of scale are not available in the sales model, then pricing of anything less than 40 Euros is not going to be economically viable unless you are a one-man shop. The numbers don't lie.
Quotes of a man who knows from experience ;)
 

509322

Quotes of a man who knows from experience ;)

I ate oodles of noodles for decades bro. 20 cents per package. Out of necessity. Now I have high blood pressure from all the salt.

Get rich or die tryin'. One foot in the grave and a few more dollars in the pocket. Now I can afford Nissin Cup of Soup.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
The developers don't need Windows Defender Exploit Guard to be enabled, or even on the system at all, to make use of enabling mitigations at run-time manually; it has been supported since Windows 8, and even before then you could enable some mitigations like ASLR/DEP in a forced manner (to an extent at least).
It has been supported, but hardly documented. Microsoft was very silent about adopted mitigations.
Now, it is far easier to do it, even for non-experts.:)
It seems that the mitigations in Exploit Guard do not conflict with each other, so the working setup for non-system programs (media players, document editors, etc.) can be found out simply by trial and error.
I understand both points of view, but I just personally think that having a security feature like this, which most average users probably won't understand and be able to use correctly, will just lead down a path of chaos... :/
There are many people with advanced knowledge who use Windows Home editions. They do not complain. But, I think that you are right about the danger related to making Exploit Guard available by default, for everyone in Windows Home. The optimal solution would be hiding it by default, and leaving the option to unhide it for advanced users.
Microsoft has always had a problem understanding the needs of the average users. The corporation has its own strategy and home users are only pawns in the game. :coffee:(y)
 
Last edited:
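The trial-and-error tuning of per-application mitigations described above, as an added example that is not from the thread or from Hard_Configurator. It assumes an elevated PowerShell on Windows 10 1709 or later, and `app.exe` is a placeholder for the non-system program being tuned.

```powershell
# Added example: tune Exploit Protection mitigations for one program,
# one setting at a time, and keep a record of the working configuration.
# Assumes Windows 10 1709+ and an elevated PowerShell session.
$app = 'app.exe'   # placeholder: the program under test

# 1. Snapshot the current per-process settings before changing anything.
$before = Get-ProcessMitigation -Name $app

# 2. Enable a conservative set of mitigations that rarely break well-behaved
#    user-mode applications (DEP, SEHOP, bottom-up/high-entropy ASLR and
#    mandatory ASLR via ForceRelocateImages).
Set-ProcessMitigation -Name $app -Enable DEP,SEHOP,BottomUp,HighEntropy,ForceRelocateImages

# 3. Run the program. If it misbehaves, roll back one mitigation at a time;
#    mandatory ASLR is the usual suspect for older binaries.
Set-ProcessMitigation -Name $app -Disable ForceRelocateImages

# 4. Or drop every per-process override and return to the system defaults.
# Set-ProcessMitigation -Name $app -Remove

# 5. Compare the result with the snapshot.
$after = Get-ProcessMitigation -Name $app
$before; $after

# 6. Exploit Protection logs mitigation events in its own channel; filter for
#    the program under test to see which mitigation fired.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$app*" } |
    Select-Object TimeCreated, Id, Message

# 7. Export all configured per-process settings as XML so the working setup
#    can be reapplied on another machine with Set-ProcessMitigation -PolicyFilePath.
Get-ProcessMitigation -RegistryConfigFilePath "$env:USERPROFILE\Desktop\mitigations.xml"
```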

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
Developers can but won't because they won't want to deal with the aggravation of dealing with it. It's not like it's a free ride. Figuring out some of the moving parts is a real pain in da ass with virtually no economic return for their troubles.
Maybe you are right, we will see.:)
 
  • Like
Reactions: AtlBo

boredog

Level 9
Verified
Jul 5, 2016
416
Considering there are already antiviruses with exploit protection, I imagine it would be possible for them to integrate their solution with Windows 10 Exploit Guard.

Users won't need to tinker with the settings because a 3rd party product would already do so for them.
There are problems right now with Malwarebytes Anti-Exploit. Event Viewer shows tons of problems, and so I had to shut off MB Anti-Exploit for now.
 
  • Like
Reactions: AtlBo

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
That is interesting. From @Av Gurus' malware test it follows that the script Comprobante.js was blocked by the ASR rule 'Impede JavaScript and VBScript to launch executables'. On the other side, when I tested ASR, it could not stop the vbs script:
Code:
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run("c:\Windows\notepad.exe")
WScript.Quit
@Av Gurus, could you run a similar script on your setup to see if the executable will be blocked?
Edit.
Post edited.

This script or some others?
Can you make one for me to test?
 
  • Like
Reactions: AtlBo

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
This script or some others?
Can you make one for me to test?
Of course. I uploaded two scripts as text files (MalwareTips limitation). Please, change the txt extensions to vbs.
You can edit the scripts in a text editor and replace the executable path to another one.:)
 

Attachments

  • RunNotepad.txt
    101 bytes · Views: 347
  • RunPowerShell.txt
    136 bytes · Views: 354

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
It seems that Microsoft uses two descriptions for the same ASR rule:
  • 'Impede JavaScript and VBScript to launch executables'
  • 'Block JavaScript or VBScript from launching downloaded executable content'
Both descriptions are related to the rule D3E037E1-3EB8-44C8-A917-57927947596D.
Sources:
  • View the Security Analytics dashboard in Windows Defender ATP
  • Configure how ASR works to finetune protection in your network
The second description is far more concrete and can possibly be understood as meaning that if JavaScript or VBScript downloads the executable file, the script will be prevented from executing it. If so, then this rule cannot prevent JavaScript or VBScript from running executables which are already on the disk (like notepad.exe, powershell.exe, etc.).
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Of course. I uploaded two scripts as text files (MalwareTips limitation). Please, change the txt extensions to vbs.
You can edit the scripts in a text editor and replace the executable path to another one.:)

Ran both files and they ran OK, but WDSC found one threat.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,119
Ran both files and they ran OK, but WDSC found one threat.

Thanks. :)
If I correctly read your attachment, then the scripts (RunNotepad.vbs, RunPowerShell.vbs) successfully ran the executables (notepad.exe, powershell.exe), and next, Defender recognized the RunPowerShell.vbs script as dangerous and put it in Quarantine.
If so, then indeed, the executables that are already on the disk are not blocked by this ASR rule (D3E037E1-3EB8-44C8-A917-57927947596D). Your malware test suggests that the rule is activated when the script can download an executable to the disk and tries to execute it. That is good news.
Anyway, your Defender settings are somewhat more aggressive, because I can run the same script with no Defender intervention.
Could you post the Defender details about the quarantined script (or details from Windows Event Viewer)?
This would help to assure everyone that ASR rules have nothing to do with detecting the RunPowerShell.vbs script.
 
Last edited:
  • Like
Reactions: AtlBo and Av Gurus
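To answer the question raised above, whether the quarantine came from the ASR rule or from the antivirus engine, here is an added example that is not from the thread or from any forum member. It reads the configured state of the rule GUID quoted in the thread and pulls the Defender events that distinguish an ASR block from an engine detection; it assumes an elevated PowerShell on Windows 10 1709 or later with Defender AV active.

```powershell
# Added example: report the configured state of one ASR rule and list the
# Defender events that tell an ASR block apart from an AV detection.
# Assumes Windows 10 1709+ with Microsoft Defender AV active.
$ruleId = 'D3E037E1-3EB8-44C8-A917-57927947596D'   # GUID quoted in the thread

function Get-AsrRuleState {
    param([string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)      # empty array if none set
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) {                        # -eq is case-insensitive
            # Action codes stored by Defender: 0 = Disabled, 1 = Block, 2 = Audit
            switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
                1       { return 'Block' }
                2       { return 'Audit' }
                0       { return 'Disabled' }
                default { return "Action code $_" }
            }
        }
    }
    return 'Not configured'
}

"Rule $ruleId is: $(Get-AsrRuleState -RuleId $ruleId)"

# To observe the rule without blocking anything, it can be set to audit mode:
# Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions AuditMode

# ASR writes its own events to the Defender operational log:
#   1121 = rule fired in Block mode, 1122 = rule fired in Audit mode.
# A quarantine by the AV engine is a different pair of events:
#   1116 = malware detected, 1117 = action taken (e.g. Quarantine).
# If only 1116/1117 appear for RunPowerShell.vbs, the ASR rule was not involved.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121,1122,1116,1117 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Source';  e = { if ($_.Id -ge 1121) { 'ASR rule' } else { 'AV engine' } } },
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Format-Table -AutoSize -Wrap
```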
