Maximum Anti-Exploit protection

Discussion in 'other anti-malware software' started by Sampei Nihira, May 29, 2023.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
I open this thread to resume a forgotten topic.
We all know the meaning of exploit.
I include a table that reminds us that some mitigations that are probably still present in some anti-exploit software are mitigated by the Windows 10/11 operating system itself:

    https://learn.microsoft.com/en-us/w...to-the-enhanced-mitigation-experience-toolkit

    • Null Page (Mitigations for this threat are built into Windows 10/11)
    • ROP Mitigations (Mitigated in Windows 10/11 with applications compiled with Control Flow Guard)

Elsewhere it is written that the maximum mitigations that can be activated are specific to each piece of software.
The most obvious distinction is between non-Microsoft software and Microsoft software.

    At the link below the various applicable mitigations:

    https://learn.microsoft.com/en-us/m...tomize-exploit-protection?view=o365-worldwide

    Elsewhere I found this list of mitigations applicable to Firefox

    Table 1:

    • Block low integrity images - ON
    • Block remote images - ON
    • Block untrusted fonts - ON
    • Control flow guard (CFG) - ON
    • Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
    • Disable extension points - ON
    • Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
    • Randomize memory allocations (Bottom-up ASLR) - ON
    • Validate exception chains (SEHOP) - ON (Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications)
    • Validate handle usage - ON
    • Validate heap integrity - ON
    • Validate image dependency integrity - ON

If we take for correct (?) the enabling of the SEHOP mitigation, these subsequent mitigations (32-bit only) are also enabled in Firefox (with no obvious problems):


    • Simulate execution (SimExec) - ON (Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG.)
    • Validate API invocation (CallerCheck) - ON (Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG)

And also this mitigation, which is not limited to 32-bit software:

    • Validate stack integrity (StackPivot) - ON (Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG)


    These additional mitigations are likely to cause problems for all Chromium-based browsers.
    I have only tried them with Edge.

    With Edge you can also add mitigation under:

    • Code Integrity Guard (CIG) - ON
It would be interesting to check not only the mitigations that can be enabled or disabled in WD but also those in other anti-exploit software that forum members use.

    Thanks to all.:thumb:;):)

    P.S.

    Firefox:

    3.jpg

    Edge:

    4.jpg

     
    Last edited: May 29, 2023
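An added example, not from the thread or from any forum member: the "Table 1" list above applied to one executable with the built-in Set-ProcessMitigation cmdlet, then read back with Get-ProcessMitigation. The executable path is an assumption, the SEHOP/SimExec/CallerCheck entries are only added when the image is 32-bit (the text notes they are x86-only), and Arbitrary Code Guard is explicitly left off because the ROP checks are documented as incompatible with it. Run from an elevated PowerShell on Windows 10/11.

```powershell
# Added example (not from the thread): apply the per-app mitigations listed in
# the post to a single executable and read the effective settings back.
# $Exe is an assumed install path; adjust it to your own installation.
#Requires -RunAsAdministrator

$Exe = 'C:\Program Files\Mozilla Firefox\firefox.exe'

function Get-PEMachine {
    # Returns 'x86', 'x64' or 'other' by reading the COFF Machine field of the PE header.
    param([string]$Path)
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)        # e_lfanew in the DOS header
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { 'other' }
    }
}

# Mitigations that apply regardless of bitness (Table 1, HighEntropy from the
# exported XML later in the thread, and StackPivot).
$common = @(
    'DEP', 'EmulateAtlThunks',
    'ForceRelocateImages', 'RequireInfo',
    'BottomUp', 'HighEntropy',
    'StrictHandle',
    'DisableExtensionPoints',
    'CFG',
    'EnforceModuleDependencySigning',
    'DisableNonSystemFonts',
    'BlockRemoteImageLoads', 'BlockLowLabelImageLoads',
    'TerminateOnError',
    'EnableRopStackPivot'
)

# SEHOP, SimExec and CallerCheck are only configurable for 32-bit (x86) images.
$x86Only = @('SEHOP', 'EnableRopSimExec', 'EnableRopCallerCheck')

$enable = $common
if ((Get-PEMachine $Exe) -eq 'x86') { $enable += $x86Only }

$name = Split-Path $Exe -Leaf

# StackPivot/CallerCheck/SimExec are documented as not compatible with ACG,
# so make sure BlockDynamicCode is not left enabled for the same process.
Set-ProcessMitigation -Name $name -Enable $enable -Disable BlockDynamicCode

# Show what is now in effect for that executable.
Get-ProcessMitigation -Name $name
```

To keep the result as a file, Get-ProcessMitigation -RegistryConfigFilePath exports the whole registry-backed policy to XML, which is the same format as the settings export shown later in this thread, and Set-ProcessMitigation -PolicyFilePath imports such a file on another machine.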
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    I have added a new Media Player to the Anti-Exploit list, which now seems to predominate over the default player Video.UI.exe:

    1.jpg
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
I guess most people don't really use this anti-exploit feature in Windows, most likely because the GUI isn't exactly user-friendly. I'd rather just use a tool like Malwarebytes Anti-Exploit or HMPA.
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    I, on the other hand, believe that it is quite easy to configure WD anti-exploit protection.

Also, with less third-party software installed, there is a lower probability of incompatibilities with other software.
This possibility usually occurs after a few updates.

More third-party code installed also corresponds to a greater statistical probability of having more bugs in the system.
     
  5. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
that's the exclusion list, not inclusion. omg
to modify is to disable options within that executable.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Probably the easiest way by far to maximize built-in Windows exploit mitigations is to use ConfigureDefender, Hard_Configurator or Simple Windows Hardening. These utilities are stable, with pretty much zero impact on both Windows and other installed software. No need at all to navigate through the OS trying to find all the different mitigations, when these tools do it all with only a few mouse clicks.
     
  7. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
The purpose of these programs is not to maximize mitigation against exploits.
You can verify this in the description of the various programs you mentioned.

If, then, they can indirectly interrupt the chain of events that can lead to the success of an exploit, this I will grant you.
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    I don't understand what you wrote.
The mitigations I have applied to my software are working regularly.
    I can also verify this from the settings exported as xml files.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
Okay, so it looks like you are referring to different kinds of exploit mitigations than what the tools I mentioned enable. Nonetheless, these utilities enable built-in security features - including SRP in Home versions - that can stop exploits at the beginning of the attack chain or at least somewhere later in it. All I'm really trying to get at is that these tools offer a very easy and effective way for one to secure their Windows device against mainstream threats.

    EDIT

    I just took a quick look at your most recent security setup, and you are using H_C and CF. You are also using an arm's length list of policies and browser flags, quite clever of you I might add ;) but these are mitigations that most don't know about and will never research and utilize in their security setup.
     
    Last edited: Jun 10, 2023
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
i know. what you have set are exclusions for programs, modifying means to reduce security for the programs listed there. you do NOT raise security, you lower it.
It maximizes nothing.
SRP has been deprecated since 2020, first time unusable in w11 22h2 (any)

to clarify - all settings in exploit settings are enabled by default except mandatory ASLR (for a reason, because it's tied to a switch). if you enter program settings the only option is to disable the default settings. so you lower and raise nothing.
and the MS article you linked is explaining this in detail.

in short: to mitigate threats you better leave those settings untouched, unless you experience issues.

PS the second link - MS Endpoint protection and 365 defender are enterprise solutions and need a "plan" which means "paid", and neither is available for end users.
     
    Last edited: Jun 11, 2023
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
You are in error.
You are confusing system mitigations (7) with those applicable to software.

I have been a beta tester with EMET; unless you have turned the world upside down today, the tick in the software mitigations was never to disable but to enable.

    P.S.

    Are you able to export to HD the mitigations applied in XML files to your Firefox?
    So you can see too that you are confusing glow-worms for lanterns.

    P.S.1

    Code:
<AppConfig Executable="C:\Program Files\Mozilla Firefox\firefox.exe">
    <DEP Enable="true" EmulateAtlThunks="true" />
    <ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
    <StrictHandle Enable="true" />
    <ExtensionPoints DisableExtensionPoints="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SignedBinaries EnforceModuleDependencySigning="true" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
    <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
    <Payload EnableRopStackPivot="true" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" AuditEnableRopSimExec="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
</AppConfig>
These are my enabled mitigations in Firefox.
I not only support it, but also the OS.

It's easy: if you have less, it means you don't have the maximum mitigations applicable to Firefox.

     
    Last edited: Jun 11, 2023
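An added example, written for this thread and not posted by any of the members: a small PowerShell audit that reads an Exploit Protection XML export (the format of the AppConfig block above) and reports, per executable, which of the mitigations discussed here are actually enabled, and which ones are only in audit mode (Audit*/AuditOnly="true"), since an audit-only setting logs but does not block. The root element name of the export and the use of an exe name rather than a full path in the sample are assumptions; the sample input is the AppConfig posted above, wrapped so that it parses stand-alone.

```powershell
# Added example (not from the thread): audit an Exploit Protection XML export
# against the per-app mitigations discussed in this thread.

# Element/attribute pairs that should read "true" for the profile in the post.
$Expected = [ordered]@{
    'DEP'              = @('Enable', 'EmulateAtlThunks')
    'ASLR'             = @('ForceRelocateImages', 'RequireInfo', 'BottomUp', 'HighEntropy')
    'StrictHandle'     = @('Enable')
    'ExtensionPoints'  = @('DisableExtensionPoints')
    'ControlFlowGuard' = @('Enable')
    'SignedBinaries'   = @('EnforceModuleDependencySigning')
    'Fonts'            = @('DisableNonSystemFonts')
    'ImageLoad'        = @('BlockRemoteImageLoads', 'BlockLowLabelImageLoads')
    'Payload'          = @('EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec')
    'SEHOP'            = @('Enable')
    'Heap'             = @('TerminateOnError')
}

function Test-AppConfig {
    # Emits one record per expected attribute of a single <AppConfig> element.
    param([System.Xml.XmlElement]$App)
    foreach ($elem in $Expected.Keys) {
        $node = $App.SelectSingleNode($elem)
        # Any Audit*="true" attribute on the element means "log only, don't block".
        $auditOnly = $false
        if ($node) {
            foreach ($a in $node.Attributes) {
                if ($a.Name -like 'Audit*' -and $a.Value -eq 'true') { $auditOnly = $true }
            }
        }
        foreach ($attr in $Expected[$elem]) {
            $value = if ($node) { $node.GetAttribute($attr) } else { '' }
            [pscustomobject]@{
                Executable = $App.GetAttribute('Executable')
                Mitigation = "$elem/$attr"
                Enabled    = ($value -eq 'true')
                AuditOnly  = $auditOnly
            }
        }
    }
}

function Test-MitigationExport {
    # Parses the XML text and audits every <AppConfig> it contains.
    param([string]$XmlText)
    $doc = [xml]$XmlText
    foreach ($app in $doc.SelectNodes('//AppConfig')) { Test-AppConfig $app }
}

# Sample input: the AppConfig from the post, wrapped in a root element
# (the root name is an assumption about the export format).
$Sample = @'
<MitigationPolicy>
  <AppConfig Executable="firefox.exe">
    <DEP Enable="true" EmulateAtlThunks="true" />
    <ASLR ForceRelocateImages="true" RequireInfo="true" BottomUp="true" HighEntropy="true" />
    <StrictHandle Enable="true" />
    <ExtensionPoints DisableExtensionPoints="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SignedBinaries EnforceModuleDependencySigning="true" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" Audit="false" />
    <ImageLoad BlockRemoteImageLoads="true" AuditRemoteImageLoads="false" BlockLowLabelImageLoads="true" AuditLowLabelImageLoads="false" />
    <Payload EnableRopStackPivot="true" AuditEnableRopStackPivot="false" EnableRopCallerCheck="true" AuditEnableRopCallerCheck="false" EnableRopSimExec="true" AuditEnableRopSimExec="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>
</MitigationPolicy>
'@

# Print only the findings that need attention: disabled or audit-only entries.
# (For the sample above every entry is enabled and none is audit-only, so this prints nothing.)
Test-MitigationExport $Sample | Where-Object { -not $_.Enabled -or $_.AuditOnly } | Format-Table -AutoSize
```

Against a live machine, export first from an elevated prompt with Get-ProcessMitigation -RegistryConfigFilePath .\mitigations.xml, then pass (Get-Content .\mitigations.xml -Raw) to Test-MitigationExport; dropping the Where-Object filter lists every checked mitigation for every configured executable.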
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Actually quite usable with the right tool ;)

    My underling added. Version 6.1.1.1 beta 3

    https://github.com/AndyFul/Hard_Configurator

    But I think Sampei wants to discuss Windows policies, mitigation switches and flags.
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
i don't care about other tools. SRP is deprecated and replaced with another method.
but you got it already here
https://malwaretips.com/threads/win...rts-software-restriction-policies-srp.118472/
you may add with registry, anyhow SRP is no longer fully working since 22h2, means, microsoft is phasing it out. this one is official.
https://learn.microsoft.com/en-us/w...iction-policies/software-restriction-policies
and people should be aware what's different between clients and servers.
so users using SRP should be prepped that it won't work sometimes any more.
no tricks, no registry to revive.

yes, voice are right, it's not "removed", but since 1803 (for now 5 years!) no longer maintained, it may work, or not.
     
  14. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    236
    Location:
    Netherlands
As I replied to another one of your posts, I previously used Windows 7 + EMET and am now implementing Windows 11 + TPM 1.2. Thanks for the links. IIRC with EMET I also had MS Office and Adobe covered.

Based on https://madaidans-insecurities.github.io/firefox-chromium.html I will use Edge as my default browser, as FF seems seriously lacking in features. FF seems better for privacy due to its DNS resolution API. There's also a list of exploit mitigations with references to sources on https://github.com/nccgroup/exploit_mitigations/tree/master

I'm not very concerned about (MS) Office (365) mitigations, as old-school macros still seem to be the preferred attack vector.

More concerning is .pdf as an attack vector through either e-mail or browser. The classic choice for opening .pdf is either Acrobat Reader DC, the default browser reader, or Sumatra. I want to minimize the number of 3rd-party programs such as Acrobat Reader DC or Sumatra, although there are some great mitigations for Acrobat Reader DC and Sumatra is kind of security by obscurity. But with Edge now supporting the Acrobat Reader plugin I guess that will be the preferred choice, although it's unknown if the Acrobat Reader mitigations also apply or can be applied. See https://media.defense.gov/2022/Jan/...CONFIGURING_ADOBE_ACROBAT_READER_20220120.PDF

Almost forgot: one of my architecture requirements is that I intend to use winget to install and manage applications, so I don't need 3rd-party tools to uninstall or upgrade applications, and it would be nice if the preferred .pdf reader can also be managed using winget if it's not a browser extension.
     
    Last edited: Aug 4, 2023