Another key Win10 security feature bites the dust: Say goodbye to Windows Defender Exploit Guard

Topic

New Reply

There’s a reason why I’m skeptical about the fancy new security features touted for Win10 versions. In many cases, at least for me, they don’t work. E
[See the full post at: Another key Win10 security feature bites the dust: Say goodbye to Windows Defender Exploit Guard]

6 users thanked author for this post.

ve2mrx, DriftyDonN, lmacri, GreatAndPowerfulTech, CyGuy, doriel

Reply | Quote

Replies

So, should I turn it off? I am on 1803 pro, for now, til you tell us to upgrade ; )

My settings are set to the default (which appears to be all ‘on’) – I just loaded Defender yesterday, my paid a/v subscription expired.

Reply | Quote

Coming soon … a script to turn off Windows and go back to DOS.

Byte me!

2 users thanked author for this post.

lanceboil, Cybertooth

Reply | Quote

Is that even possible anymore? Probably for Micro$oft, but not for real-world users… okay, it’s probably a jokey jab at M$, but some people would actually prefer to go back to the old-school MS-DOS command line.

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

Oh yes, DOS had less Adware/Bloatware/C***ware pushing with considerably less Spying, update forcing, and useless UI changes than 10. And no cloud logins surreptitiously enforced by trying to hide the local login options.

Windows 10 really wants to become the cable box of OSs where the end user has little say in their captive state of take it or take it again options under Windows 10.

1 user thanked author for this post.

TaskForce141

Reply | Quote

If you (the Famous Woody!) couldn’t get Exploit Guard to work, what hope did us average schlub users have? & now M$ wants everyone to disable it in Win10 1909?! What were the odds that it ever worked… for power users and enterprise security “experts”?!?

Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...

Reply | Quote

[warrenrumak]

Woody, you’re being pretty dishonest here.

Microsoft isn’t “recommending” that WDEG be turned off.  That’s not what the linked content says at all.  What’s happening here is that they aren’t pushing it to be turned on by default anymore because of compatibility concerns.

I’ll give you an extremely practical example: untrusted fonts.

Fonts are a viable attack vector because they contain executable code, and any application that displays a font preview could potentially trigger an exploit. There have been many security vulnerabilities found & fixed over the years with font handling, and it’s part of the reason why font handling was moved out of the kernel after Windows Vista.  So, it is worth considering whether fonts that aren’t formally installed into C:\Windows\Fonts should be allowed to be used.  This includes printer servers that might not have the requested font installed, so the font gets sent with the print job.  In Windows 10, this is turned off by default, but enabling WDEG turns it on.

So what ended up happening is, people would apply the Security Baseline, which includes enabling WDEG, and find they couldn’t print anymore.  That’s a step too far for many people, and it made the Security Baseline useless.

Reading material: Block untrusted fonts in an enterprise

• This reply was modified 5 years, 6 months ago by warrenrumak.
• This reply was modified 5 years, 6 months ago by warrenrumak.

2 users thanked author for this post.

AlexEiffel, woody

Reply | Quote

You’re right, of course.

Dropping it from the official baseline, though, is a pretty drastic step.

Reply | Quote

To make this a bit easier I’ve downloaded the SB and extracted the necessary files (2).

I’ve also modified the PowerShell so it looks for the .xml file in the same folder as the .ps1 file.

Here’s a .zip file with both files. Just extract them to your scripts directory then run the  Remove-EPBaselineSettings.ps1 file.  Note: You will get no output if successful otherwise you will get PowerShell errors.

EP-reset

HTH

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

2 users thanked author for this post.

CyGuy, woody

Reply | Quote

Is this a concern for those of us on Win 10 Home 1909? Should we leave everything as is or is there anything specific we need to do? Everything is set to the default “on”.

Reply | Quote

woody wrote:

There’s a reason why I’m skeptical about the fancy new security features touted for Win10 versions. In many cases, at least for me, they don’t work.

Take, if you will, the Windows Defender Exploit Guard. When Win10 version 1709 hit the street, it was billed as a major new security feature that the whole world needs. Although on the surface it seemed like something I could understand — keep rogue programs out of key pieces of Windows — I never got it to work right.
…
So this once-highly-touted security feature has not only bitten the dust, there’s a handy program included in the Security Baselines toolbox that makes it easy to ensure that the %$#@! thing has been turned off everywhere.

There’s a reason to be skeptical of new security “features” that you don’t understand….

I think you’ve totally misinterpreted the recommended change, and also totally misremembered what you couldn’t get to work.

No feature has “bitten the dust” here. Windows Defender Exploit Guard consists of four parts:

The four components of Windows Defender Exploit Guard are:

Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats

Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen

Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders

Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

The recommended changes only affect the ASR component. Check the newly-provided EP.reset file and you will find it only removes previously recommended ASR settings for 26 common programs.

This is only likely to affect Enterprises who had opted for higher-than-normal security by following the version 1709 security baseline (if not already reverted due to issues over the last two years).

 

The part you tried, but dismissed almost immediately, was Controlled Folder Access (the anti-ransomware component, which is why you mention “keep rogue programs out of key pieces of Windows”):

woody wrote:

Yep, but Controlled Folder Access, in my experience, is a monumental pain. Far too many false positives.

Controlled Folder Access was initially very difficult to manage in version 1709 as allowing access for a specific program involved finding the appropriate path and .exe filename yourself. But it was made MUCH easier in version 1809 which lists recently blocked apps which can be allowed with a single click:

Controlled folder access improvements: Controlled folder access can help prevent ransomware and other destructive malware from changing your personal files. Sometimes apps that you normally use might be blocked from making changes to common folders like Documents and Pictures, and we’ve listened to feedback and made it easier for you to allow apps that were recently blocked so you can stay productive while using this great feature.

To allow a recently blocked app to make changes to your protected folders, open the Virus & threat protection section, then click Ransomware protection, and Allow an app through Controlled folder access. From there you can click the plus button to allow an app, and you’ll see the new option to add Recently blocked apps. This will open a list where you can easily choose which blocked items you’d like to trust to make changes. Alternately you can still browse for an app to allow.

Find out what’s new in Windows and Office in October [2018]

It was recommended in the AskWoody newsletter only a couple of months ago:

Next up, Controlled folder access should also be enabled; it prevents malicious programs from changing system and personal-profile files and folders.
How to block malware with Windows’ built-in security

And earlier this year in the Newsletter, Susan Bradley mentioned it as one of the reasons Windows 10 is more secure than Windows 7: “… and controlled folder access (anti-ransomware protection) — none of which you’ll find in Windows 7.”

It should provide excellent protection against ransomware. I’ve been using it for the last year without any issues. You really should give it another try.

Reply | Quote

This had passed my by entirely. Should this have been something I should have configured?

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Controlled Folder Access? You said you had it enabled earlier this year:

wavy wrote:

I ahve just yesterday updated PM with no change and i do have “Controlled folder access” on, seems like a good idea.

Reply | Quote

sorry I meant Windows Defender Exploit Guard. Still a bit confused over the other parts. I getting Controlled Folder Access.

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

wavy wrote:

Still a bit confused over the other parts.

You’re far from the only one.

Reply | Quote

To be fair here, Microsoft has always been in a delicate position with these kind of features. If they enable the security features, things developed with lazy standards stop working. If they don’t enable them, lots of developers don’t even care coding with them in mind and things don’t change.

==

-Hey big security company, how come your camera’s client software doesn’t work under a standard user account? This concept has been around for a very long time and being in the industry you are in, you should, of all suppliers, know better.

-Oh, just disable UAC and use the normal admin account on your user station and it will work.

==

-Hey, software supplier, could you just recompile your software with more recent tools so it doesn’t break under ASLR?

-What?

==

-Hey bank, your web site doesn’t work properly.

-Could you disable your firewall and antivirus? We sometimes have problems with those.

or

-Are you behind a firewall? Oh, yeah, well sometimes we have issues with companies using firewalls.

or

-Sorry, do you use Chrome because our web site only works with Chrome?

Reply | Quote