Advice Request Windows' Security Tweaks

  • Thread starter Deleted member 178

Will you use these Windows Security Tweaks?


  • Total voters
    59

Andy Ful

Can you make that .bat file for me, please?
...
Here are the BAT files if required, as attachments to this post. Change the txt extension to bat.
Edit
They have to be executed by "Run As Administrator" from Explorer right click context menu.
 

Attachments

  • DisableVACS.txt
    201 bytes · Views: 1,037
  • EnableVACS.txt
    200 bytes · Views: 1,021

Av Gurus

Here are the BAT files if required, as attachments to this post. Change the txt extension to bat.
Edit
They have to be executed by "Run As Administrator" from Explorer right click context menu.

Tnx, but I'm gonna stick with these reg files ;)

Clipboard01.jpg
 

Windows_Security

Question for those using Windows Defender exploit protection: It seems that after every (major) Windows update the default values for already listed programs are reset. I had added protections for Winword.exe, for example, but they are reverted back to ASLR only after (major) updates. Have you observed similar behavior?

I am now trying adding the extra protection using the full path, to see whether that withstands the update reset.

Attached my Exploit Protection settings (it is an XML file, renamed to txt)

(Note: APC.exe is Albelli Photobook Creator; I posted the settings of my wife's laptop running Windows 10.)
 

Attachments

  • Settings.txt
    17.6 KB · Views: 850

509322

Thread author
Is this applicable to Windows 10 Pro version 1803?

Yes. You can check it with Process Explorer. Protected processes are colored magenta. Check the colors in the Process Explorer options.

Before enabling the key, lsass.exe does not run as a protected process; after creating the key and rebooting the system, lsass.exe runs as a protected process.
 

Hi Brothers

Hmm, so I did a search with "RunAsPPL" in regedit and I found that HKLM\SYSTEM\ControlSet001\Control\Lsa also has a dword called RunAsPPL with a default value of 1, yet I had to enable the one in CurrentControlSet in order for lsass.exe to show up as protected. As far as I've read, ControlSet001 is supposed to be a backup of CurrentControlSet, interesting.

I also wonder how many keys located in HKLM\SYSTEM\CurrentControlSet\Control could I randomly add RunAsPPL to them and suddenly something starts running as protected process? You never know what Microsoft might have left hidden with their 0 documentation, I'll try to test it when I have more time.
 
  • Like
Reactions: shmu26
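
A read-only way to check what the two posts above describe, as an added example that is not code from the thread: it lists RunAsPPL in every numbered control set, marks the one that CurrentControlSet resolves to (the number stored in HKLM\SYSTEM\Select\Current), and looks for the boot-time System log event that records lsass.exe starting as a protected process. The function names are made up for this example, and the event-message match assumes an English-language Windows.

```powershell
# Added example: audit the LSA protection (RunAsPPL) setting. Nothing is modified.
# Run from an elevated PowerShell prompt so the System log is readable.

function Get-RunAsPplReport {
    $system = 'HKLM:\SYSTEM'

    # HKLM\SYSTEM\Select\Current holds the number N of the ControlSet00N
    # that CurrentControlSet is linked to for this boot.
    $current     = (Get-ItemProperty -Path "$system\Select" -Name Current).Current
    $currentName = 'ControlSet{0:D3}' -f $current

    Get-ChildItem -Path $system |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object {
            $lsa = "$system\$($_.PSChildName)\Control\Lsa"
            $val = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
            [pscustomobject]@{
                ControlSet = $_.PSChildName
                IsCurrent  = ($_.PSChildName -eq $currentName)
                RunAsPPL   = if ($null -eq $val) { '(not set)' } else { $val }
            }
        }
}

function Get-LsassProtectedStartEvent {
    # WinInit writes event ID 12 to the System log when lsass.exe starts protected.
    # Other providers also use ID 12, so the message text is matched as well.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'LSASS.*protected process' } |
        Select-Object -First 1 -Property TimeCreated, Message
}

Get-RunAsPplReport | Format-Table -AutoSize

$evt = Get-LsassProtectedStartEvent
if ($evt) {
    "lsass.exe protected start logged at $($evt.TimeCreated): $($evt.Message)"
} else {
    'No protected-start event for lsass.exe found in the recent System log.'
}
```

The value only takes effect after a reboot, so a control set can show RunAsPPL = 1 while the event is still absent for the current boot.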

DeepWeb

Has anyone tried this yet? Apparently you can run Windows Defender Antivirus in a sandbox now:
windows-defender-av-sandbox.png

Windows Defender Antivirus can now run in a sandbox - Microsoft Secure
Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.

No real instructions on how to do this so I assume: This PC (right-click) -> Properties -> Advanced System Settings (left panel) -> Environmental Variables -> System variables -> "New..." -> Cut & paste "MP_FORCE_USE_SANDBOX 1"???? But where? As a variable or as a value (see attachment) and if I choose one, what is the other? No directory to point to? Why can't they give us clear instructions to this? Geez.

I don't know if this actually works. I use a 3rd party AV so if anyone more knowledgeable would like to chime in on how to set this environmental variable please feel free to do so.
 

Attachments

  • advanced-system-settings.PNG
    13.5 KB · Views: 806
  • variable.PNG
    16.5 KB · Views: 768
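
Added example, not part of the original post: in the quoted command the variable name is MP_FORCE_USE_SANDBOX and its value is 1, set at machine scope, which is what `setx /M` does. The function names below are hypothetical, and the MsMpEngCP.exe content-process name comes from Microsoft's announcement rather than from this thread.

```powershell
# Added example: set and verify the MP_FORCE_USE_SANDBOX machine-wide variable.
# Run from an elevated PowerShell prompt.
$VarName = 'MP_FORCE_USE_SANDBOX'

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DefenderSandboxState {
    [pscustomobject]@{
        # Value stored at machine scope; empty when the variable does not exist.
        MachineVariable = [Environment]::GetEnvironmentVariable($VarName, 'Machine')
        # MsMpEng.exe is the antimalware service process.
        ServiceProcess  = [bool](Get-Process -Name MsMpEng   -ErrorAction SilentlyContinue)
        # MsMpEngCP.exe is the sandboxed content process; it appears only after
        # the variable is set and the machine has been restarted.
        ContentProcess  = [bool](Get-Process -Name MsMpEngCP -ErrorAction SilentlyContinue)
    }
}

function Set-DefenderSandboxVariable {
    param([switch]$Remove)
    if (-not (Test-IsAdmin)) { throw 'Machine-wide variables need an elevated prompt.' }
    # Name = MP_FORCE_USE_SANDBOX, value = 1. Passing $null deletes the variable.
    $value = if ($Remove) { $null } else { '1' }
    [Environment]::SetEnvironmentVariable($VarName, $value, 'Machine')
    Write-Warning 'Restart the machine for the change to take effect.'
}

# Report the current state without changing anything.
Get-DefenderSandboxState | Format-List

# Set-DefenderSandboxVariable           # opt in, then restart
# Set-DefenderSandboxVariable -Remove   # delete the variable again, then restart
```

In the System variables dialog the same setting is a new entry with "MP_FORCE_USE_SANDBOX" in the name field and "1" in the value field.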

509322

Thread author
Has anyone tried this yet? Apparently you can run Windows Defender Antivirus in a sandbox now:
windows-defender-av-sandbox.png

Windows Defender Antivirus can now run in a sandbox - Microsoft Secure


No real instructions on how to do this so I assume: This PC (right-click) -> Properties -> Advanced System Settings (left panel) -> Environmental Variables -> System variables -> "New..." -> Cut & paste "MP_FORCE_USE_SANDBOX 1"???? But where? As a variable or as a value (see attachment) and if I choose one, what is the other? No directory to point to? Why can't they give us clear instructions to this? Geez.

I don't know if this actually works. I use a 3rd party AV so if anyone more knowledgeable would like to chime in on how to set this environmental variable please feel free to do so.

It is not for you. It is "experimental" or "work-in-progress, not-released."

Another justification that some people will come up with to explain why there is no documentation and\or something is hidden in Windows.

Reality is something entirely different. If it is shipped with the OS, then it is released.
 

DeepWeb

It is not for you. It is "experimental" or "work-in-progress, not-released."

Another justification that some people will come up with to explain why there is no documentation and\or something is hidden in Windows.

Reality is something entirely different. If it is shipped with the OS, then it is released.
There is documentation that Microsoft has posted before, meant for administrators, and it is easier to understand than this LOL. Emphasis on the term "users can". I honestly do not care since this has been the theme of Windows Defender since the beginning. You need a rocket science degree in order to configure it.
 

Andy Ful

...
  • Allow Clipboard synchronization across devices
  • Allow Clipboard History
  • Do not allow Clipboard redirection
  • Prevent Automatic Updates
  • Turn off Windows Location Provider
All the above settings, except Clipboard redirection, can also be set without using policies.
Clipboard redirection can be important only when the user uses Remote Desktop.
 

DeepWeb

All the above settings, except Clipboard redirection, can also be set without using policies.
Clipboard redirection can be important only when the user uses Remote Desktop.
Yes, but for me, Group Policy allows me to keep my settings during each feature update. I realized that Microsoft wipes the registry but Group Policy persists, so I have changed from registry tweaks to finding the equivalent in Group Policy. Set it and forget it. :)
 
