  • Another key Win10 security feature bites the dust: Say goodbye to Windows Defender Exploit Guard


    This topic contains 15 replies, has 9 voices, and was last updated by  AlexEiffel 1 week, 4 days ago.

    • #2009401 Reply

      woody
      Da Boss

      There’s a reason why I’m skeptical about the fancy new security features touted for Win10 versions. In many cases, at least for me, they don’t work. E
      [See the full post at: Another key Win10 security feature bites the dust: Say goodbye to Windows Defender Exploit Guard]

      6 users thanked author for this post.
    • #2009413 Reply

      anonymous

      So, should I turn it off? I am on 1803 pro, for now, til you tell us to upgrade ; )

      My settings are set to the default (which appears to be all ‘on’) – I just loaded Defender yesterday, my paid a/v subscription expired.

    • #2009446 Reply

      pHROZEN gHOST
      AskWoody Lounger

      Coming soon … a script to turn off Windows and go back to DOS.

      Byte me!

      2 users thanked author for this post.
      • #2009451 Reply

        WildBill
        AskWoody Plus

        Is that even possible anymore? Probably for Micro$oft, but not for real-world users… okay, it’s probably a jokey jab at M$, but some people would actually prefer to go back to the old-school MS-DOS command line.

        Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V1909. As long as it's a Lot Less Buggy!
        Wild Bill Rides Again...

      • #2009456 Reply

        anonymous

        Oh yes, DOS had less Adware/Bloatware/C***ware pushing with considerably less Spying, update forcing, and useless UI changes than 10. And no cloud logins surreptitiously enforced by trying to hide the local login options.

        Windows 10 really wants to become the cable box of OSs where the end user has little say in their captive state of take it or take it again options under Windows 10.

        1 user thanked author for this post.
    • #2009447 Reply

      WildBill
      AskWoody Plus

      If you (the Famous Woody!) couldn’t get Exploit Guard to work, what hope did us average schlub users have? & now M$ wants everyone to disable it in Win10 1909?! What were the odds that it ever worked… for power users and enterprise security “experts”?!?

      Windows 8.1, 64-bit, back in Group A... & leaning toward Windows 10 V1909. As long as it's a Lot Less Buggy!
      Wild Bill Rides Again...

    • #2009448 Reply

      warrenrumak
      AskWoody Plus

      Woody, you’re being pretty dishonest here.

      Microsoft isn’t “recommending” that WDEG be turned off.  That’s not what the linked content says at all.  What’s happening here is that they aren’t pushing it to be turned on by default anymore because of compatibility concerns.

      I’ll give you an extremely practical example: untrusted fonts.

      Fonts are a viable attack vector because they contain executable code, and any application that displays a font preview could potentially trigger an exploit. There have been many security vulnerabilities found & fixed over the years with font handling, and it’s part of the reason why font handling was moved out of the kernel after Windows Vista.  So, it is worth considering whether fonts that aren’t formally installed into C:\Windows\Fonts should be allowed to be used.  This includes printer servers that might not have the requested font installed, so the font gets sent with the print job.  In Windows 10, this is turned off by default, but enabling WDEG turns it on.

      So what ended up happening is, people would apply the Security Baseline, which includes enabling WDEG, and find they couldn’t print anymore.  That’s a step too far for many people, and it made the Security Baseline useless.

      Reading material: Block untrusted fonts in an enterprise

      2 users thanked author for this post.
      • #2009468 Reply

        woody
        Da Boss

        You’re right, of course.

        Dropping it from the official baseline, though, is a pretty drastic step.

    • #2009452 Reply

      RetiredGeek
      AskWoody MVP

      To make this a bit easier I’ve downloaded the SB and extracted the necessary files (2).

      I’ve also modified the PowerShell so it looks for the .xml file in the same folder as the .ps1 file.

      Here’s a .zip file with both files. Just extract them to your scripts directory then run the Remove-EPBaselineSettings.ps1 file. Note: You will get no output if successful; otherwise you will get PowerShell errors.

      EP-reset

      HTH 😎

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      2 users thanked author for this post.
    • #2009526 Reply

      anonymous

      Is this a concern for those of us on Win 10 Home 1909? Should we leave everything as is or is there anything specific we need to do? Everything is set to the default “on”.

    • #2009573 Reply

      b
      AskWoody Plus

      There’s a reason why I’m skeptical about the fancy new security features touted for Win10 versions. In many cases, at least for me, they don’t work.

      Take, if you will, the Windows Defender Exploit Guard. When Win10 version 1709 hit the street, it was billed as a major new security feature that the whole world needs. Although on the surface it seemed like something I could understand — keep rogue programs out of key pieces of Windows — I never got it to work right.

      So this once-highly-touted security feature has not only bitten the dust, there’s a handy program included in the Security Baselines toolbox that makes it easy to ensure that the %$#@! thing has been turned off everywhere.

      There’s a reason to be skeptical of new security “features” that you don’t understand….

      I think you’ve totally misinterpreted the recommended change, and also totally misremembered what you couldn’t get to work.

      No feature has “bitten the dust” here. Windows Defender Exploit Guard consists of four parts:

      The four components of Windows Defender Exploit Guard are:

      Attack Surface Reduction (ASR): A set of controls that enterprises can enable to prevent malware from getting on the machine by blocking Office-, script-, and email-based threats

      Network protection: Protects the endpoint against web-based threats by blocking any outbound process on the device to untrusted hosts/IP through Windows Defender SmartScreen

      Controlled folder access: Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders

      Exploit protection: A set of exploit mitigations (replacing EMET) that can be easily configured to protect your system and applications

      Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

      The recommended changes only affect the ASR component. Check the newly-provided EP.reset file and you will find it only removes previously recommended ASR settings for 26 common programs.

      This is only likely to affect Enterprises who had opted for higher-than-normal security by following the version 1709 security baseline (if not already reverted due to issues over the last two years).

       

      The part you tried, but dismissed almost immediately, was Controlled Folder Access (the anti-ransomware component, which is why you mention “keep rogue programs out of key pieces of Windows”):

      Yep, but Controlled Folder Access, in my experience, is a monumental pain. Far too many false positives.

      Controlled Folder Access was initially very difficult to manage in version 1709 as allowing access for a specific program involved finding the appropriate path and .exe filename yourself. But it was made MUCH easier in version 1809 which lists recently blocked apps which can be allowed with a single click:

      Controlled folder access improvements: Controlled folder access can help prevent ransomware and other destructive malware from changing your personal files. Sometimes apps that you normally use might be blocked from making changes to common folders like Documents and Pictures, and we’ve listened to feedback and made it easier for you to allow apps that were recently blocked so you can stay productive while using this great feature.

      To allow a recently blocked app to make changes to your protected folders, open the Virus & threat protection section, then click Ransomware protection, and Allow an app through Controlled folder access. From there you can click the plus button to allow an app, and you’ll see the new option to add Recently blocked apps. This will open a list where you can easily choose which blocked items you’d like to trust to make changes. Alternately you can still browse for an app to allow.

      Find out what’s new in Windows and Office in October [2018]

      It was recommended in the AskWoody newsletter only a couple of months ago:

      Next up, Controlled folder access should also be enabled; it prevents malicious programs from changing system and personal-profile files and folders.
      How to block malware with Windows’ built-in security

      And earlier this year in the Newsletter, Susan Bradley mentioned it as one of the reasons Windows 10 is more secure than Windows 7: “… and controlled folder access (anti-ransomware protection) — none of which you’ll find in Windows 7.”

      It should provide excellent protection against ransomware. I’ve been using it for the last year without any issues. You really should give it another try.

      Windows 10 Version 1909 (Group ASAP)
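
To see which of the four components listed in the post above is actually configured on a machine, a read-only inventory can be taken with the built-in Defender and ProcessMitigations cmdlets. This is an added example, not part of any post in this thread and not the script from the Security Baselines toolbox; the export file name is an assumption, as is the `<AppConfig Executable="...">` layout of the exported XML.

```powershell
# Added example: read-only inventory of the four Exploit Guard components.
# Assumes Windows 10 1709 or later with the Defender and ProcessMitigations modules.

function ConvertTo-StateName {
    param([object]$Value)
    # Common encodings returned by Get-MpPreference; anything else is shown raw.
    switch ([int]$Value) {
        0       { 'Disabled' }
        1       { 'Enabled (block)' }
        2       { 'Audit' }
        default { "Other ($Value)" }
    }
}

$pref = Get-MpPreference

# Controlled folder access and Network protection are single switches.
[pscustomobject]@{
    ControlledFolderAccess = ConvertTo-StateName $pref.EnableControlledFolderAccess
    NetworkProtection      = ConvertTo-StateName $pref.EnableNetworkProtection
    CfaAllowedApps         = @($pref.ControlledFolderAccessAllowedApplications |
                                 Where-Object { $_ }).Count
} | Format-List | Out-Host

# Attack Surface Reduction: rule GUIDs and their actions are parallel arrays.
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$rules = for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $ids[$i]
        Action = ConvertTo-StateName $actions[$i]
    }
}
"ASR rules configured: $($ids.Count)"
$rules | Format-Table -AutoSize | Out-Host

# Exploit protection: export the per-program mitigation settings and list
# the executables that have an entry (hypothetical output file name).
$export = Join-Path $env:TEMP 'ep-current.xml'
Get-ProcessMitigation -RegistryConfigFilePath $export
$apps = @(Select-Xml -Path $export -XPath '//AppConfig' |
          ForEach-Object { $_.Node.Executable })
"Per-program exploit protection entries: $($apps.Count)"
$apps | Sort-Object
```

Running it before and after a reset script and comparing the two outputs shows which component's settings changed and which were left alone.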

    • #2009585 Reply

      wavy
      AskWoody Plus

      This had passed me by entirely. Should this have been something I should have configured?

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • #2009599 Reply

        b
        AskWoody Plus

        Controlled Folder Access? You said you had it enabled earlier this year:

        I have just yesterday updated PM with no change and I do have “Controlled folder access” on, seems like a good idea.

        Windows 10 Version 1909 (Group ASAP)

        • #2009696 Reply

          wavy
          AskWoody Plus

          Sorry, I meant Windows Defender Exploit Guard. Still a bit confused over the other parts. I’m getting Controlled Folder Access.

          🍻

          Just because you don't know where you are going doesn't mean any road will get you there.
          • #2009737 Reply

            b
            AskWoody Plus

            Still a bit confused over the other parts.

            You’re far from the only one.

            Windows 10 Version 1909 (Group ASAP)

    • #2011041 Reply

      AlexEiffel
      AskWoody_MVP

      To be fair here, Microsoft has always been in a delicate position with these kinds of features. If they enable the security features, things developed with lazy standards stop working. If they don’t enable them, lots of developers don’t even care about coding with them in mind and things don’t change.

      ==

      -Hey big security company, how come your camera’s client software doesn’t work under a standard user account? This concept has been around for a very long time and being in the industry you are in, you should, of all suppliers, know better.

      -Oh, just disable UAC and use the normal admin account on your user station and it will work.

      ==

      -Hey, software supplier, could you just recompile your software with more recent tools so it doesn’t break under ASLR?

      -What?

      ==

      -Hey bank, your web site doesn’t work properly.

      -Could you disable your firewall and antivirus? We sometimes have problems with those.

      or

      -Are you behind a firewall? Oh, yeah, well sometimes we have issues with companies using firewalls.

      or

      -Sorry, do you use Chrome because our web site only works with Chrome?
