Patch Lady – what’s not in 1809

    Posted on September 30th, 2018 at 00:46 by Susan Bradley

    Patch Lady here – Tonight I was poking around my older Surface that is running the insider version and the about section clearly now says 1809.  I went poking around the security section to find a new feature called “Block Suspicious Behaviors” that was touted in earlier blog posts about the upcoming release.  When I didn’t see it in the security center area I found that in the August 3rd blog post it was removed.

    Thank you everyone who has given us feedback on the “Block Suspicious Behaviors” feature that was recently added to Windows Security. For the time being we’re removing it from the build while we work on addressing some of the things you shared with us.

    So unless it magically comes back between now and when it officially gets released, you aren’t going crazy if you can’t find it.


    #220436

      anonymous

      Is force updating to the newest version of Windows 10 classified under “Suspicious Behaviors”?

      I’ve never used an antivirus (and disabled the built-in ones) for the past few years, surprisingly I have no problems, shocking I know!

    #220441

      John
      AskWoody Lounger

      Maybe it was blocking too much of Microsoft’s own suspicious behavior? LOL

      #220492

        warrenrumak
        AskWoody Plus

        Nah, it’s just a subset of Windows Defender Advanced Threat Protection, which normally only works with Windows 10 Enterprise. The feature does stuff like:

        • Block running unsigned executables off a USB drive
        • Prevent Adobe Reader from launching child processes
        • Block the use of PsExec
        • Block Office macros from using Win32 API calls
        • Block Office applications from creating executable files

        It’s pretty sensible for home users, but does come with the risk of breaking legitimate use cases.

    #220455

      Noel Carboni
      AskWoody_MVP

      Microsoft claims:

      You can enable a new protection setting, Block suspicious behaviors, which brings Windows Defender Exploit Guard attack surface reduction technology to all users.

      The above notably does NOT say that “Block Suspicious Behaviors” and “Attack Surface Reduction” are one and the same – but they’re clearly related.

      Apparently a focus of Attack Surface Reduction is to block the automatic download/run of malware through Office. At first glance that seems like a good idea, but don’t forget that it will stand in your way if you’re legitimately trying to do something it doesn’t like – e.g., mail a .zip file – to someone. The features being blocked were added to make systems more functional, and people learned to use them.

      I wonder:

      Does the removal of the settable option from v1809 mean it’s now always off, or always on?

      What’s different between “Block Suspicious Behaviors” and the various other well-documented anti-exploit features? Are there key additional functionalities blocked because it’s considered an “end user/home OS” vs. “business (Enterprise) OS”? I.e., is this another case where “Pro” really isn’t professional after all?

      In the process of reducing the likelihood that computer-ignorant masses will propagate malware, is Microsoft making Windows incapable of doing powerful or sophisticated computing operations? This is a case where details really will matter.

      I’m always concerned that something they change in the name of “security” is going to break an ability to do legitimate activities, without reasonable workarounds.

      -Noel

      #220481

        b
        AskWoody Plus

        Microsoft claims:

        You can enable a new protection setting, Block suspicious behaviors, which brings Windows Defender Exploit Guard attack surface reduction technology to all users.

        The above notably does NOT say that “Block Suspicious Behaviors” and “Attack Surface Reduction” are one and the same – but they’re clearly related.

        Microsoft’s documentation clarifies that “Block Suspicious Behaviors” is just a friendly name for the “Windows Defender Exploit Guard attack surface reduction technology.”
        What is the New “Block Suspicious Behaviors” Feature in Windows 10? (first link in Susan’s post)

        Apparently a focus of Attack Surface Reduction is to block the automatic download/run of malware through Office. At first glance that seems like a good idea, but don’t forget that it will stand in your way if you’re legitimately trying to do something it doesn’t like – e.g., mail a .zip file – to someone. The features being blocked were added to make systems more functional, and people learned to use them.

        Where is there any hint that “Block Suspicious Behaviors” would block an emailed .zip file?

        If Block Suspicious Behaviors blocks an action you need to regularly perform, you can return here and disable it. However, the blocked behaviors are not common in normal PC usage.
        What is the New “Block Suspicious Behaviors” Feature in Windows 10? (first link in Susan’s post)

        I wonder:

        Does the removal of the settable option from v1809 mean it’s now always off, or always on?

        Off. The feature was temporarily removed, not just the on/off switch (which was off by default).

        What’s different between “Block Suspicious Behaviors” and the various other well-documented anti-exploit features?

        Attack Surface Reduction disables potentially dangerous features at a higher level.
        What is the New “Block Suspicious Behaviors” Feature in Windows 10? (first link in Susan’s post)

        Are there key additional functionalities blocked because it’s considered an “end user/home OS” vs. “business (Enterprise) OS”?

        No.

        I.e., is this another case where “Pro” really isn’t professional after all?

        No.

        In the process of reducing the likelihood that computer-ignorant masses will propagate malware, is Microsoft making Windows incapable of doing powerful or sophisticated computing operations?

        No.

        I’m always concerned that something they change in the name of “security” is going to break an ability to do legitimate activities, without reasonable workarounds.

        The reasonable workaround is to not switch it on in the first place, or to switch it off as required.

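The five behaviours warrenrumak lists above, and the "switch it off as required" workaround b describes, both map onto Defender's attack surface reduction (ASR) rules, which can be run per rule in audit mode before anything is enforced. The script below is an added example for this thread, not code from AskWoody, Microsoft or anyone in the discussion. It assumes Windows 10 Pro or Enterprise (1803 or later) with Windows Defender Antivirus as the active real-time AV, run from an elevated PowerShell; the rule GUIDs are Microsoft's documented ASR rule IDs, and the exclusion path in the comment is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not code from AskWoody or Microsoft.
# Assumes Windows 10 Pro/Enterprise 1803+ with Windows Defender Antivirus as the
# active AV (ASR rules are ignored when a third-party AV owns real-time protection).

# The five behaviours from the forum post, mapped to Microsoft's documented ASR rule IDs.
$AsrRules = [ordered]@{
    'Block untrusted and unsigned processes that run from USB'  = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
    'Block Adobe Reader from creating child processes'            = '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
    'Block process creations originating from PsExec and WMI'    = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Block Win32 API calls from Office macros'                    = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block Office applications from creating executable content' = '3B576869-A4EC-4529-8536-B80A7769E899'
}
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode' }

# Step 1: put every rule in audit mode. Nothing is blocked; each hit is logged,
# so legitimate workflows that would break surface before enforcement.
function Enable-AsrAudit {
    foreach ($rule in $AsrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# Step 2: report the state of every ASR rule Defender currently has configured.
function Get-AsrRuleStatus {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $name = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -ieq $ids[$i] }).Key
        [pscustomobject]@{
            Rule   = if ($name) { $name } else { '(rule not in this list)' }
            Id     = $ids[$i]
            Action = $ActionNames[[int]$acts[$i]]
        }
    }
}

# Step 3: read audit hits (event 1122) and real blocks (event 1121) from the
# Defender operational log. The rule GUID is pulled from the message text with a
# regex rather than by positional event property, since that index is not relied on here.
function Get-AsrEvents {
    param([int]$Days = 7)
    $guidRx = '[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $id = [regex]::Match($_.Message, $guidRx).Value
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule    = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -ieq $id }).Key
            Message = $_.Message
        }
    }
}

# Step 4: once a rule has stayed quiet in audit (or every hit is understood),
# exclude the one legitimate program that trips it and move that rule to Block.
# Add-MpPreference with an ID that is already listed updates the action for that ID.
function Set-AsrRuleBlock {
    param(
        [Parameter(Mandatory)] [string]   $RuleName,
        [string[]] $ExcludePaths = @()   # e.g. 'C:\Tools\PsExec.exe' (hypothetical path)
    )
    if ($ExcludePaths.Count -gt 0) {
        Add-MpPreference -AttackSurfaceReductionOnlyExclusions $ExcludePaths
    }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$RuleName] `
                     -AttackSurfaceReductionRules_Actions Enabled
}

Enable-AsrAudit
Get-AsrRuleStatus | Format-Table -AutoSize
Get-AsrEvents -Days 7 | Format-Table Time, Mode, Rule -AutoSize
```

Run it, use the machine normally for a week, then call Set-AsrRuleBlock only for rules whose audit events are empty or explained. That is the per-rule version of the on/off switch the removed "Block Suspicious Behaviors" toggle exposed all at once.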
    #221728

      anonymous

      Thanks for that info , I was wondering why ‘Block Suspicious Behaviors’ was missing from 1809.

      I also found that ‘Memory Integrity’ can’t be enabled in 1809 anymore either.  After putting the setting in the Windows Defender UI in 1803, it seems Microsoft have now decided to change the requirements to be able to enable HVCI.  The only info I can find is below, but it doesn’t give any explanation for the mandatory requirements change (or how to check if you have UEFI MAT):

      ‘Enabled the “Require UEFI Memory Attributes Table” option’

      https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/

      Edit to remove HTML
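The post above asks how to tell why Memory Integrity (HVCI) will not switch on and whether the "Require UEFI Memory Attributes Table" policy is in play. The script below is an added example, not code from AskWoody, Microsoft or the poster. It assumes Windows 10 1809 or later run from an elevated PowerShell; the Win32_DeviceGuard class and its value meanings, and the DeviceGuard registry value names, are the ones in Microsoft's Device Guard documentation. Whether the firmware actually publishes a Memory Attributes Table is not something this class reports; Microsoft's Device Guard and Credential Guard hardware readiness tool is the documented way to test that, so this script only shows what is configured, what is running, and whether the MAT requirement is set.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not code from AskWoody or Microsoft.
# Assumes Windows 10 1809+. Win32_DeviceGuard and the DeviceGuard registry values
# are Microsoft-documented; the numeric codes are decoded by the tables below.
# Firmware MAT presence itself is not exposed here (use the DG readiness tool).

$PlatformProps = @{
    1 = 'Base virtualization support'; 2 = 'Secure Boot';     3 = 'DMA protection'
    4 = 'Secure Memory Overwrite';    5 = 'NX protections';  6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control (MBEC)'
}
$Services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Memory integrity)'; 3 = 'System Guard Secure Launch' }
$VbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

function Get-HvciReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Turn an array of numeric codes into readable names; empty input gives an empty array.
    $decode = { param($codes, $table) @($codes | ForEach-Object { $table[[int]$_] }) }

    # Policy side: what has been requested, from the Device Guard registry keys.
    # The Windows Security "Memory integrity" toggle writes Scenarios\...\Enabled.
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $policy  = Get-ItemProperty $dgKey -ErrorAction SilentlyContinue
    $hvciKey = Get-ItemProperty "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus           = $VbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        PlatformAvailable   = & $decode $dg.AvailableSecurityProperties $PlatformProps
        PlatformRequired    = & $decode $dg.RequiredSecurityProperties  $PlatformProps
        ServicesConfigured  = & $decode $dg.SecurityServicesConfigured  $Services
        ServicesRunning     = & $decode $dg.SecurityServicesRunning     $Services
        HvciConfigured      = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning         = ($dg.SecurityServicesRunning    -contains 2)
        HvciScenarioEnabled = $hvciKey.Enabled
        RequireUefiMAT      = $policy.HVCIMATRequired                 # 1 when "Require UEFI Memory Attributes Table" is set
        RequirePlatformFeat = $policy.RequirePlatformSecurityFeatures # 1 = Secure Boot, 3 = Secure Boot + DMA protection
    }
}

$report = Get-HvciReport
$report | Format-List

# Configured-but-not-running is the state a user sees when the toggle "will not stick":
# the OS accepted the setting but a platform requirement was not met at boot.
if ($report.HvciConfigured -and -not $report.HvciRunning) {
    Write-Warning 'HVCI is configured but not running: a platform requirement was not satisfied at boot.'
}
```

If RequireUefiMAT is 1 and HVCI shows configured but not running, the MAT requirement from the linked baseline draft is the first thing to check with the readiness tool; if it is null or 0, the blocker is elsewhere in the PlatformRequired list.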
