GFlagsX with Mitigation Options

Discussion in 'other anti-malware software' started by Mr.X, Jun 21, 2017.

  1. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I've been working to help the GFlagsX developer by obtaining (through testing) the latest mitigations from RS3 and also to determine the MitigationOptions registry key format change to REG_BINARY.

    MitigationOptions-RS3.pdf
    Link: https://mega.nz/#!OwIQyBKQ!tLYd1m_9QoDzSAULHiAZuCaqC_tYN0h1BiI2ONjR0ck

    MitigationOptions-RS3.xlsx
    Link: https://mega.nz/#!vpZwmSRT!RLTr23TOHKI4h8mFSu36Pq7oT61kCnDcdINcsGrNQNs

    This gets us one step closer to getting all of the EMET mitigations from RS3 into GFlagsX.

    Many, many hours and days worth of work and time. But this will be beneficial going forward.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    GFlagsX (2018-01-24) with source
    Black Theme
    • this build only adds an all Black Theme
    • slightly polished up button spacing, etc.
    • still NOT compatible with Windows 10 RS3 REG_BINARY MitigationOptions format
    This build/fork is specifically aimed toward managing IFEO MitigationOptions settings only. This applies advanced process mitigations on a per-process basis.

    All credits go to Pavel Yosifovich (https://github.com/zodiacon).


    Download: https://github.com/WildByDesign/GFlagsX/releases/tag/2018-01-24

    Screenshot:
    GFlagsX - Black.png


    Please keep in mind that there is nothing much different with this release. I just wanted a full Black Theme for more contrast when working at night time in darker environments. This Black Theme seems to look much sharper now in those scenarios. Therefore, since I was happy with the final working copy of this build, I decided to share it with anyone else who might use it.

    Also, please keep in mind that this is NOT compatible yet with Windows 10 RS3 REG_BINARY MitigationOptions format which is used by Windows Defender Exploit Guard (WDEG). So if you have already created/modified some exploit protection with WDEG, this GFlagsX tool will crash.

    However, you can still use GFlagsX on latest Windows 10 but only in the case in which you have not yet used WDEG. That is what I do. I decided to drop back from WDEG and all of the latest EMET mitigations that were added to RS3 and create all of my MitigationOptions from scratch with GFlagsX.

    I am still hoping that one day, the GFlagsX developer may add support for REG_BINARY and therefore one day support RS3 mitigations. At that point, I will absolutely continue keeping this up-to-date.

    I personally hate the WDEG interface. Far too much scrolling and wasted space.
     
  5. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    I’m back to using GFlagsX and using your latest version. Thanks @WildByDesign. :thumb:


    Latest Windows update borked my Fall Creators Update system. The whole Start and Taskbar not working occurred. DISM commands were of no help. Did a reset and was back up and running again but not really. Putting the OS through its paces, I don’t use Windows Defender but in testing it would not start no matter what I did. If I started the service it would just disable itself straight away. Did a second reset and all was looking good. That was until removing the Windows.Old folder. Windows would no longer boot. Suffice to say that was it after that. None of this was malware related, I run a very tight ship.


    I am now back to running N 2016 LTSB. Perfect! :) I always debloat Windows 10 anyway. Disable Cortana and banish the store, add the old calculator etc. With LTSB this is already done by default and it runs like a dream. Also LTSB has security updates until 2021 which is all I want, although I will probably update to the 2019 LTSB if all the bloat is taken out. Crosses fingers.


    Other than all that I had a lovely Easter lol :argh:
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @JimboW You're welcome. I'm glad it's still a useful tool for some users. It will become even more useful once the developer adds the rest of the MitigationOptions from RS3/4 but that may take a while since it's not such a priority for him.

    Sounds like you ran into some frustrating times for a bit there. But luckily you ended up with a pretty sweet setup in the end with LTSB. I ran LTSB for some months a while back as well and it's fantastic as far as performance goes.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Has anyone been using GFlagsX with MBAE? Are there conflicts that you know of?
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Hopefully someone with specific usage of MBAE will come along and provide a good answer for you. I just wanted to point out that using GFlagsX would essentially be like using Windows Defender Exploit Guard (WDEG), albeit minus a few of the recent PayloadRestrictions ported over from EMET. But the MitigationOptions are applied the same way with GFlagsX and WDEG for the most part.

    So if someone is using the combination of WDEG and MBAE, they should also be able to answer your question since there will likely be more users in that category because not too many use GFlagsX.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I was thinking WDEG was only available in Windows 10 Educational, and Enterprise. I recognized the similarities in GFlagsX, and WDEG. I figured GFlagsX was using the built in mitigations from Windows that were added in Windows 10.

    I was hoping that these mitigations would be integrated into MBAE, but I've been waiting for quite some time. Maybe they were already added to MBAE without adding them to the Mitigation Settings. I will ask the developer of MBAE, "Pbust", what he thinks about compatibility, and whether he plans on adding these mitigations, or if they already exist in MBAE.

    Thank You for the reply!

    CE

    Edited 4/5 @ 11:35
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Yes, this is probably the best idea since he's a good developer and will have a greater understanding if they have the same (or similar) mitigations built into MBAE. Sometimes they may have similar mitigations but under slightly different mitigation names but yet cover the same malicious activities.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Sorry, I edited my post a little bit. I just cleared up what I was attempting to say. I've been studying for 20 hours straight now, and I'm beginning to get a little loopy/smack-happy lol

    I will check with Pbust. I actually would love to see these products combined, but I seriously doubt it will happen. I think the functionality of the two combined would work great if done correctly.
     
  12. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    So I installed EMET on LTSB and enabled all system-wide settings to always on, including ASLR, by changing the "enable unsafe settings" registry key. Then I uninstalled EMET, as the settings are preserved.


    GFlagsX settings so far:

    1111010101111105 - Chrome (Chrome.exe)

    1110110101111105 - Office 16 (WINWORD.EXE, OUTLOOK.EXE etc.)

    1110110101111105 - MemProtect (tray.exe)

    1110110101111105 - Windows Firewall Control (wfc.exe)


    I don’t feel I’m missing much without new RS3 mitigations. As we know Code Integrity Guard (Block Non-Microsoft Signed) is probably the strongest setting, especially for Office.


    @WildByDesign agree with your comment about WDEG interface.


    @Cutting_Edgetech I tested MBAE for you. Under Chrome absolutely no conflicts whatsoever. Word put up an error due to the Code Integrity Guard (Block Non-Microsoft Signed) mitigation set in GFlagsX as to be expected. The mbae.dll could not inject itself. Other than that they play nice together. If you wanted to use them together you could not set Code Integrity Guard in GFlagsX for any program MBAE supports and could absolutely use them together without conflict. I personally wouldn’t use the two together due to the overlap and I prefer the OS to handle this. Code Integrity Guard is strong as hell and I wouldn’t want to give that up personally.


    All above was confirmed to be operational through ProcessHacker.
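    As an added illustration (not code from GFlagsX or from anyone in this thread): a small Python decoder for the 64-bit IFEO MitigationOptions mask, using the PROCESS_CREATION_MITIGATION_POLICY_* layout from winbase.h, run over the two GFlagsX values JimboW posted above. It shows why the Office value includes "Block Non-Microsoft Signed" (Code Integrity Guard) while the Chrome value does not. Treating the first 8 bytes of the RS3 REG_BINARY form as the same little-endian mask is an assumption.

```python
# Decoder for the IFEO MitigationOptions QWORD (PROCESS_CREATION_MITIGATION_POLICY_* in winbase.h).
# Low byte: legacy single-bit flags. Above that, each mitigation is a 2-bit field at a
# 4-bit stride: 00 = default/inherit, 01 = always on, 10 = always off, 11 = reserved.
LOW_BYTE_FLAGS = {0x01: "DEP", 0x02: "DEP_ATL_THUNK", 0x04: "SEHOP"}

TWO_BIT_FIELDS = {  # bit shift -> mitigation name
    8: "FORCE_RELOCATE_IMAGES",   12: "HEAP_TERMINATE",
    16: "BOTTOM_UP_ASLR",         20: "HIGH_ENTROPY_ASLR",
    24: "STRICT_HANDLE_CHECKS",   28: "WIN32K_SYSTEM_CALL_DISABLE",
    32: "EXTENSION_POINT_DISABLE", 36: "PROHIBIT_DYNAMIC_CODE",
    40: "CONTROL_FLOW_GUARD",     44: "BLOCK_NON_MICROSOFT_BINARIES",  # Code Integrity Guard
    48: "FONT_DISABLE",           52: "IMAGE_LOAD_NO_REMOTE",
    56: "IMAGE_LOAD_NO_LOW_LABEL", 60: "IMAGE_LOAD_PREFER_SYSTEM32",
}
STATE = {0: "default", 1: "always_on", 2: "always_off", 3: "reserved"}


def to_qword(value):
    """Accept an int, the hex string GFlagsX displays, or REG_BINARY bytes."""
    if isinstance(value, (bytes, bytearray)):
        # Assumption: the RS3 REG_BINARY value starts with the same mask, little-endian;
        # any trailing bytes (extended RS3 flags) are ignored here.
        return int.from_bytes(bytes(value[:8]), "little")
    if isinstance(value, str):
        return int(value, 16)
    return int(value)


def decode(value):
    """Return {mitigation_name: state} for every field in the mask."""
    q = to_qword(value)
    result = {name: bool(q & bit) for bit, name in LOW_BYTE_FLAGS.items()}
    for shift, name in TWO_BIT_FIELDS.items():
        result[name] = STATE[(q >> shift) & 0x3]
    return result


def always_on(value):
    """Names of mitigations that are enabled (low-byte flag set or 2-bit field == 01)."""
    return sorted(n for n, s in decode(value).items() if s is True or s == "always_on")


def diff(a, b):
    """Fields whose state differs between two masks: {name: (state_a, state_b)}."""
    da, db = decode(a), decode(b)
    return {n: (da[n], db[n]) for n in da if da[n] != db[n]}


# Constructed sample run over the two values posted in this thread.
CHROME, OFFICE = "1111010101111105", "1110110101111105"
if __name__ == "__main__":
    print("Chrome:", always_on(CHROME))
    print("Office vs Chrome:", diff(CHROME, OFFICE))
```

The trailing "05" byte in both values is DEP plus SEHOP; the only fields that differ between the two masks are Code Integrity Guard (on for Office only) and font disable (on for Chrome only).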
     
  13. guest

    guest Guest

    GFlagsX v0.82 Released (April 12, 2019)
     
  14. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    If you're using the new Chromium Edge browser you can now use Code Integrity Guard (Block Non-Microsoft Signed). Not bad browser protection on top of the Chromium sandbox.
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Being off Win 10, I forgot this was a really useful addition. Appreciate raising this topic on it again. Downloaded and laid in toolbox for when I start up Win 10 later in 2020.

    Thanks
     