- Dec 23, 2014
- 8,510
Here are the BAT files if required, as attachments to this post. Change the txt extension to bat .
Edit
They have to be executed by "Run As Administrator" from Explorer right click context menu.
Last edited:
Please provide comments and solutions that are helpful to the author of this topic.
Edit
They have to be executed by "Run As Administrator" from Explorer right click context menu.
- Sep 22, 2014
- 1,767
- Mar 13, 2016
- 1,298
Question for those using Windows Defender exploit protection: It seems that after every (major) windows update the default values for already listed programs are reset. I had added protections for Winword,exe for example, but thet are reverted back to ALSR only after (major) updates. Have you observed simular behavior?
I am now trying addig the extra protection using full path, see whether that with stands update reset.
Attached my Exploit Protection settings (it is an XML file, renamed to txt)
(note APC.exe is Albelli Photobook Creator (I posted settings of my wife's laptop running Windows 10)
I am now trying addig the extra protection using full path, see whether that with stands update reset.
Attached my Exploit Protection settings (it is an XML file, renamed to txt)
(note APC.exe is Albelli Photobook Creator (I posted settings of my wife's laptop running Windows 10)
Last edited:
- Apr 19, 2018
- 71
Yes. You can check it with Process Explorer. Protected processes are colored magenta. Check the colors in the Process Explorer options.
Before enabling the key, lsass.exe does not run as a protected process; after creating the key and rebooting the system, lsass.exe runs as a protected process.
- Apr 19, 2018
- 71
Hmm, so I did a search with "RunAsPPL" in regedit and I found that HKLM\SYSTEM\ControlSet001\Control\Lsa also has a dword called RunAsPPL with a default value of 1, yet I had to enable the one in CurrentControlSet in order for lsass.exe to show up as protected. As far as I've read ControlSet001 is supposed to be a backup of CurrentControlSet, interesting
I also wonder how many keys located in HKLM\SYSTEM\CurrentControlSet\Control could I randomly add RunAsPPL to them and suddenly something starts running as protected process? You never know what microsoft might have left hidden with their 0 documentation, I'll try to test it when I have more time
I also wonder how many keys located in HKLM\SYSTEM\CurrentControlSet\Control could I randomly add RunAsPPL to them and suddenly something starts running as protected process? You never know what microsoft might have left hidden with their 0 documentation, I'll try to test it when I have more time
- Jul 1, 2017
- 1,396
Has anyone tried this yet? Apparently you can run Windows Defender Antivirus in a sandbox now:
Windows Defender Antivirus can now run in a sandbox - Microsoft Secure
No real instructions on how to do this so I assume: This PC (right-click) -> Properties -> Advanced System Settings (left panel) -> Environmental Variables -> System variables -> "New..." -> Cut & paste "MP_FORCE_USE_SANDBOX 1"???? But where? As a variable or as a value (see attachment) and if I choose one, what is the other? No directory to point to? Why can't they give us clear instructions to this? Geez.
I don't know if this actually works. I use a 3rd party AV so if anyone more knowledgeable would like to chime in on how to set this environmental variable please feel free to do so.
Windows Defender Antivirus can now run in a sandbox - Microsoft Secure
No real instructions on how to do this so I assume: This PC (right-click) -> Properties -> Advanced System Settings (left panel) -> Environmental Variables -> System variables -> "New..." -> Cut & paste "MP_FORCE_USE_SANDBOX 1"???? But where? As a variable or as a value (see attachment) and if I choose one, what is the other? No directory to point to? Why can't they give us clear instructions to this? Geez.
I don't know if this actually works. I use a 3rd party AV so if anyone more knowledgeable would like to chime in on how to set this environmental variable please feel free to do so.
Attachments
Last edited:
@DeepWeb Open Command Prompt as Administrator and use the following command without "":
"setx /M MP_FORCE_USE_SANDBOX 1"
Source: SetX - Set environment variables - Windows CMD - SS64.com
"setx /M MP_FORCE_USE_SANDBOX 1"
Source: SetX - Set environment variables - Windows CMD - SS64.com
I looked over this entire thread and don't see a post from DeepWeb. Am I missing something again?
Umbra that led me to look at my ignore list and sure enough you are right. lol
Has anyone tried this yet? Apparently you can run Windows Defender Antivirus in a sandbox now:
Windows Defender Antivirus can now run in a sandbox - Microsoft Secure
No real instructions on how to do this so I assume: This PC (right-click) -> Properties -> Advanced System Settings (left panel) -> Environmental Variables -> System variables -> "New..." -> Cut & paste "MP_FORCE_USE_SANDBOX 1"???? But where? As a variable or as a value (see attachment) and if I choose one, what is the other? No directory to point to? Why can't they give us clear instructions to this? Geez.
I don't know if this actually works. I use a 3rd party AV so if anyone more knowledgeable would like to chime in on how to set this environmental variable please feel free to do so.
It is not for you. It is "experiemental" or "work-in-progress, not-released."
Another justification that some people will come up with to explain why there is no documentation and\or something is hidden in Windows.
Reality is something entirely different. If it is shipped with the OS, then it is released.
- Jul 1, 2017
- 1,396
There are documentations that Microsoft has posted before meant for administrators and they are easier to understand than this LOL. Emphasis on the term "users can". I honestly do not care since this has been the theme of Windows Defender since the beginning. You need a rocket science degree in order to configure it.
- Jul 1, 2017
- 1,396
New Windows 10 Group Policy Items:
List of new Group Policy items in Windows 10 version 1809 and Windows Server 2019 - gHacks Tech News
Very interesting items that should be configured immediately if you have Pro/Enterprise such as
List of new Group Policy items in Windows 10 version 1809 and Windows Server 2019 - gHacks Tech News
Very interesting items that should be configured immediately if you have Pro/Enterprise such as
- Allow Clipboard synchronization across devices
- Allow Clipboard History
- Do not allow Clipboard redirection
- Prevent Automatic Updates
- Turn off Windows Location Provider
- Dec 23, 2014
- 8,510
All the above settings, except Clipboard redirection, can be also set without using policies.
Clipboard redirection can be important only when the user uses Remote Desktop.
- Jul 1, 2017
- 1,396
Yes but for me, Group policy allows me to keep my settings during each feature update. I realized that Microsoft wipes the registry but Group policy persists so I have changed from registry tweaks to finding the equivalent in Group policy. Set it and forget it.
Similar threads
- Charlie Bell
- Microsoft Defender