News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • Becoming more security-aware

    Home » Forums » AskWoody blog » Becoming more security-aware

    Author
    Topic
    #2395062

    ON SECURITY By Susan Bradley Windows 11 is now nearly a week old, and are we magically more secure? I’d argue not. An up-to-date operating system does
    [See the full post at: Becoming more security-aware]

    Susan Bradley Patch Lady

    5 users thanked author for this post.
    Viewing 10 reply threads
    Author
    Replies
    • #2395112

      Thank you for this post. I use Norton Antivirus, not Microsoft Defender as my default AV. You said ” third-party antivirus solutions disable Defender — which in turn prevents ASR from being used”  Does that mean I am potentially less secure with NORTON or ASR is not a concern (ie, not a problem) to users of third party AV solutions?

      • #2395144

        Lately Norton has added crypto mining to their a/v suite and I’m honestly not a fan of Norton.  I think you are less secure, not more.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
    • #2395135

      You should point to the MS documentation page that lists and explains all the rule for reference.

      • #2395145

        I’m going to cover more of these ASR rules in the future. This one doesn’t cause any side effects in my use of it and I think it adds value and protection to the OS.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
    • #2395155

      Please provide a link to download Windows 11 via installation media.

      On Hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender TRV=1909 WuMgr
      offline▸ Win10Pro 20H2.19042.685 x86 Atom N270 RAM2GB HDD WindowsDefender WuMgr GuineaPigVariant
      online▸ Win10Pro 20H2.19042.804 x64 i5-9400 RAM16GB HDD Firefox86.0 WindowsDefender TRV=20H2 WuMgr
    • #2395157

      I am still using Office 2003 (I know it is out of support).

      Does the Defender fix presented have any effect on child processes under Office 2003?

       

    • #2395162

      I also have a question about your statement ”third-party antivirus solutions disable Defender — which in turn prevents ASR from being used.”

      I use McAfee AT&T Internet Security which my ISP provider offers to its customers. In addition, I have Settings|Windows Security|Virus & threat protection|Microsoft Defender Antivirus options|Period scanning turned on. Since I have GP=2 (notify download/install), each day I get 3 or 4 notifications that Windows Defender wants to do an update and so I agree to download and install. I also occasionally initiate Defender updates at Settings|Windows Security|Virus & threat protection|Virus & threat protection updates. I also occasionally initiate a Windows Defender Full scan at Settings|Windows Security}Virus & threat protection|Current threats|Scan options.

      Since Windows Defender seems not to be disabled, even though McAfee AT&T Internet Security is the other antivirus provider, do the ASR rules work, if I use the group policy to set them?

    • #2395170

      Recommendations for Windows 10 Home

      From the GitHub page linked above, click on C_D_3010_beta2.exe, and on the next page click the download button. Run the executable to install it.

      Run the program and scroll down to the Exploit Guard section.

      Just to clarify, Configure Defender is a portable app which doesn’t install; so when you run the downloaded executable you’re already running the program

      Windows 10 Pro version 21H2 build 19044.1320 + Microsoft 365 (group ASAP)

    • #2395203

      Since Win 10 Version 1909 (which I installed in December of 2019), I have used the following attack surface reduction rules. They have not impacted my day-to-day computer use at all.

      Powershell:

      Set-MpPreference -EnableNetworkProtection Enabled
      Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enable #Block Office applications from creating executable content
      Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enable #Block execution of potentially obfuscated scripts
      Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enable #Block Office applications from injecting code into other processes
      Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enable #Block Win32 API calls from Office macro
      Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enable #Block executable content from email client and webmail
      Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enable #Block JavaScript or VBScript from launching downloaded executable content
      Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enable #Block all Office applications from creating child processes
      

      The last of these is what Ms. Bradly recommends in her article. I personally find on unmanaged machines the use of Powershell to do this is easier than the group policy editor.

      2 users thanked author for this post.
      • #2395374

        Since Win 10 Version 1909 (which I installed in December of 2019), I have used the following attack surface reduction rules. They have not impacted my day-to-day computer use at all.

        The last of these is what Ms. Bradley recommends in her article. I personally find on unmanaged machines the use of Powershell to do this is easier than the group policy editor.

        Thank you… that’s interesting info.

        I understand this works from Windows 10 1709 onwards but only for Windows 10 Pro and Enterprise editions.

        Have you subsequently noticed any Event ID 1126 entries in Windows Event logs to show Defender’s network protection *has* actually fired in block mode?

        (PS – Could a mod please enclose the PowerShell code above in <pre> tags to make it more viewable. Many thanks.)

    • #2395211

      I know that you folks run as admin all the time, but I think that’s a *horrible* practice.

      For the cautious among us it’d be nice if you included that to get the gpedit to work you need to be admin-elevated.

      1 user thanked author for this post.
      • #2395327

        I know that you folks run as admin all the time, but I think that’s a *horrible* practice.

        berniec: I agree with you; that is a horrible practice.  I can’t speak for anyone else, but for me personally I never login to my system as an Admin user, except for once a month or so when I’m actually doing Admin tasks (like installing updates).  Other times — which is like 95% of the time — I’m always logged in as a standard non-Admin user.  I suspect quite a lot of other AskWoody folks here do the same.

        1 user thanked author for this post.
    • #2395216

      I use Trend Micro Maximum Security on my desktop computer. If as you suggest that Windows Defender is much better along with the ASR. Providing that I convert to Windows Defender, what are the steps I should follow in order to do so?

    • #2395226

      Emails and links within are a self parity check nothing more, nothing less. Browser Extensions are another form of injection keep those up-to-date and check-up on them.
      Keep security to bare essentials is my advice, don’t overkill as it’s known to have the entire opposite effect. Surplus non-essential security only creates vectors/traffic for miscreants to latch onto behind your back.

      | Quality over Quantity |
      2 users thanked author for this post.
    • #2395406

      Indeed, becoming more security-aware is good, as a significantly weak link is the human mind. However, we cannot assume we can be and remain so aware as to never click on the best-matching Google link or will somehow just know not to react to important-sounding eMail or to not download software that provides functionality we need… To err is human, and what we need to know to make good decisions is often shrouded. We need our tech looking out for us and helping us where we are frail and stupid.

      Something else to be mindful of… In modern times, consumer-directed talk of “security” often seems more a way for Marketing to try to make us want new things, by encouraging us to distrust the old things.

      Why would newer software be more secure? Is it less complex, longer tested, or less capable than the versions it’s replacing? By contrast, does it introduce new ways to be exploited? Why do we have to have a whole new version every year that does essentially the same things as its predecessor?

      There are tried and true approaches to keep malware away that already exist (and which do not decrease performance – such as managed, self-updating blacklists of bad online servers) through which our software could be MUCH more secure if that were actually the prime goal. Ask yourself “why are these things not built in?”, provided as easy-to-opt-in subsystems. We’ve had enough decades of experience to know that the “go ahead and let the malware in then try to stop it from doing bad things by making the computing environment more complex and restrictive” approach isn’t terribly effective, thought it does tend to make us crave new software…

      -Noel

      • #2395421

        However, we cannot assume we can be and remain so aware as to never click on the best-matching Google link or will somehow just know not to react to important-sounding eMail or to not download software that provides functionality we need.

        I learned (painfully) at a very young age to not touch a hot stove.  Through the years I have incorporated that early lesson into a general ‘hot stove’ rule in many facets of my life.  I don’t use Google, and I write very specific search terms in the search box of DuckDuckGo.  No email is so important that it does not bear scrutiny—it is, after all, only email, the least expensive of all forms of communication other than face-to-face speech.  An unexpected email with an attachment triggers an automatic delete; that is my first reaction.

        The last functionality I downloaded was StartAllBack, from a developer I came to trust since the introduction of Windows 8.  The ‘functionality’ I downloaded prior to that was when I was running XP; I haven’t needed any additional functionality since then.

        All that aside, I’ve found the best protection for any adverse circumstance to be a library of drive images safely stored offline.  I’ve used that to recover from a house fire which destroyed my two PC’s of the time.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

        1 user thanked author for this post.
      • #2395519

        There are tried and true approaches to keep malware away that already exist (and which do not decrease performance – such as managed, self-updating blacklists of bad online servers) through which our software could be MUCH more secure if that were actually the prime goal. Ask yourself “why are these things not built in?”, provided as easy-to-opt-in subsystems.

        They are:

        Microsoft Defender SmartScreen

        What is SmartScreen and how can it help protect me?

        Windows 10 Pro version 21H2 build 19044.1320 + Microsoft 365 (group ASAP)

        1 user thanked author for this post.
    Viewing 10 reply threads
    Reply To: Becoming more security-aware

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.