Monday, October 23, 2017

Windows Defender’s New Exploit Protection

How Windows Defender’s New Exploit Protection Works (and How to Configure It)


Microsoft’s Fall Creators Update finally adds integrated exploit protection to Windows. You previously had to seek this out in the form of Microsoft’s EMET tool. It’s now part of Windows Defender and is activated by default.

How Windows Defender’s Exploit Protection Works

We’ve long recommended using anti-exploit software like Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) or the more user-friendly Malwarebytes Anti-Malware, which contains a powerful anti-exploit feature (among other things). Microsoft’s EMET is widely used on larger networks where it can be configured by system administrators, but it was never installed by default, requires configuration, and has a confusing interface for average users.
Typical antivirus programs, like Windows Defender itself, use virus definitions and heuristics to catch dangerous programs before they can run on your system. Anti-exploit tools actually prevent many popular attack techniques from functioning at all, so those dangerous programs don’t get on your system in the first place. They enable certain operating system protections and block common memory exploit techniques, so that if exploit-like behavior is detected, they’ll terminate the process before anything bad happens. In other words, they can protect against many zero-day attacks before they’re patched.
However, they could potentially cause compatibility problems, and their settings might have to be tweaked for different programs. That’s why EMET was generally used on enterprise networks, where system administrators could tweak the settings, and not on home PCs.
Windows Defender now includes many of these same protections, which were originally found in Microsoft’s EMET. They’re enabled by default for everyone, and are part of the operating system. Windows Defender automatically configures appropriate rules for different processes running on your system. (Malwarebytes still claims their anti-exploit feature is superior, and we still recommend using Malwarebytes, but it’s good that Windows Defender has some of this built-in now as well.)
This feature is automatically enabled if you’ve upgraded to Windows 10’s Fall Creators Update, and EMET is no longer supported. EMET can’t even be installed on PCs running the Fall Creators Update. If you already have EMET installed, it will be removed by the update.
Windows 10’s Fall Creators Update also includes a related security feature named Controlled Folder Access. It’s designed to stop malware (ransomware in particular) by allowing only trusted programs to modify files in your personal data folders, like Documents and Pictures. Both features are part of “Windows Defender Exploit Guard”. However, Controlled Folder Access isn’t enabled by default.
How to Confirm Exploit Protection is Enabled
This feature is automatically enabled for all Windows 10 PCs. However, it can also be switched to “Audit mode”, allowing system administrators to monitor a log of what Exploit Protection would have done to confirm it won’t cause any problems before enabling it on critical PCs.
To confirm that this feature is enabled, you can open the Windows Defender Security Center. Open your Start menu, search for Windows Defender, and click the Windows Defender Security Center shortcut.
Click the window-shaped “App & browser control” icon in the sidebar. Scroll down and you’ll see the “Exploit protection” section. It will inform you that this feature is enabled.
If you don’t see this section, your PC probably hasn’t updated to the Fall Creators Update yet.

How to Configure Windows Defender’s Exploit Protection

Warning: You probably don’t want to configure this feature. Windows Defender offers many technical options you can adjust, and most people won’t know what they’re doing here. This feature is configured with smart default settings that will avoid causing problems, and Microsoft can update its rules over time. The options here seem primarily intended to help system administrators develop rules for software and roll them out on an enterprise network.
If you do want to configure Exploit Protection, head to Windows Defender Security Center > App & browser control, scroll down, and click “Exploit protection settings” under Exploit protection.
You’ll see two tabs here: System settings and Program settings. System settings controls the default settings used for all applications, while Program settings controls the individual settings used for various programs. In other words, Program settings can override the System settings for individual programs. They could be more restrictive or less restrictive.
At the bottom of the screen, you can click “Export settings” to export your settings as an .xml file you can import on other systems. Microsoft’s official documentation offers more information about deploying rules with Group Policy and PowerShell.
On the System settings tab, you’ll see the following options: Control flow guard (CFG), Data Execution Prevention (DEP), Force randomization for images (Mandatory ASLR), Randomize memory allocations (Bottom-up ASLR), Validate exception chains (SEHOP), and Validate heap integrity. They’re all on by default except the Force randomization for images (Mandatory ASLR) option. That’s likely because Mandatory ASLR causes problems with some programs, so you might run into compatibility issues if you enable it, depending on the programs you run.
Again, you really shouldn’t touch these options unless you know what you’re doing. The defaults are sensible and are chosen for a reason.
The interface provides a very short summary of what each option does, but you’ll have to do some research if you want to know more. We’ve previously explained what DEP and ASLR do here.

Click over to the “Program settings” tab, and you’ll see a list of different programs with custom settings. The options here allow the overall system settings to be overridden. For example, if you select “iexplore.exe” in the list and click “Edit”, you’ll see that the rule here forcefully enables Mandatory ASLR for the Internet Explorer process, even though it’s not enabled by default system-wide.
You shouldn’t tamper with these built-in rules for processes like runtimebroker.exe and spoolsv.exe. Microsoft added them for a reason.
You can add custom rules for individual programs by clicking “Add program to customize”. You can either “Add by program name” or “Choose exact file path”, but specifying an exact file path is much more precise.
Once added, you can find a long list of settings that won’t be meaningful to most people. The full list of settings available here is: Arbitrary code guard (ACG), Block low integrity images, Block remote images, Block untrusted fonts, Code integrity guard, Control flow guard (CFG), Data Execution Prevention (DEP), Disable extension points, Disable Win32k system calls, Do not allow child processes, Export address filtering (EAF), Force randomization for images (Mandatory ASLR), Import Address Filtering (IAF), Randomize memory allocations (Bottom-up ASLR), Simulate execution (SimExec), Validate API invocation (CallerCheck), Validate exception chains (SEHOP), Validate handle usage, Validate heap integrity, Validate image dependency integrity, and Validate stack integrity (StackPivot).
Again, you shouldn’t touch these options unless you’re a system administrator who wants to lock down an application and you really know what you’re doing.
As a test, we enabled all the options for iexplore.exe and tried to launch it. Internet Explorer just showed an error message and refused to launch. We didn’t even see a Windows Defender notification explaining that Internet Explorer wasn’t functioning because of our settings.
Don’t just blindly attempt to restrict applications, or you’ll cause similar problems on your system. They’ll be difficult to troubleshoot if you don’t remember you changed the options, too.
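The same rules the Exploit protection settings screen manages can be read, set, audited and exported from PowerShell, which is how an administrator would develop a rule on one machine and roll it out to others. The following is an added example, not code from the original article or from Microsoft’s documentation; it uses the Get-ProcessMitigation and Set-ProcessMitigation cmdlets that ship with the Fall Creators Update. The program name LobApp.exe, the C:\ExploitProtection path and the event log name used for the audit step are assumptions made for illustration.

```powershell
# Added example: manage Exploit Protection with the Set-ProcessMitigation /
# Get-ProcessMitigation cmdlets from an elevated PowerShell prompt.
# LobApp.exe, the export path and the audit log name are assumptions.

# 1. Read the system-wide defaults (what the "System settings" tab shows).
Get-ProcessMitigation -System

# 2. Read the built-in per-program rule for Internet Explorer, which the
#    article notes forces Mandatory ASLR even though it is off system-wide.
Get-ProcessMitigation -Name iexplore.exe

# 3. Mirror that approach for a hypothetical line-of-business app: enable
#    Mandatory ASLR (ForceRelocateImages) and Bottom-up ASLR (BottomUp) for
#    this process only. The system default stays unchanged.
Set-ProcessMitigation -Name 'LobApp.exe' -Enable ForceRelocateImages, BottomUp

# 4. Before enforcing a stricter mitigation on critical PCs, switch on its
#    audit counterpart so violations are logged instead of terminating the
#    process. Arbitrary code guard (ACG) has one: AuditDynamicCode.
Set-ProcessMitigation -Name 'LobApp.exe' -Enable AuditDynamicCode

# 5. Review what enforcement would have blocked. The channel name is an
#    assumption; check Event Viewer under Security-Mitigations if it differs.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message

# 6. Export the full configuration to XML, the same file the GUI's
#    "Export settings" button produces, for deployment elsewhere.
New-Item -ItemType Directory -Path 'C:\ExploitProtection' -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath 'C:\ExploitProtection\settings.xml'

# 7. Import that file on another machine (or via Group Policy).
Set-ProcessMitigation -PolicyFilePath 'C:\ExploitProtection\settings.xml'

# 8. Roll back the custom rule if the app stops launching, as Internet
#    Explorer did in the article's test with every option enabled.
Set-ProcessMitigation -Name 'LobApp.exe' -Remove
```

Run steps 3 to 5 on a test machine first: an application that refuses to start after a rule change gives no Windows Defender notification, so the audit events from step 5 are the only record of which mitigation it tripped.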
If you still use an older version of Windows, like Windows 7, you can get exploit protection features by installing Microsoft’s EMET or Malwarebytes. However, support for EMET will stop on July 31, 2018, as Microsoft wants to push businesses toward Windows 10 and Windows Defender’s Exploit Protection instead.
