• Patch Lady – what’s not in 1809


    #220429

    Patch Lady here – Tonight I was poking around my older Surface that is running the insider version and the about section clearly now says 1809. I wen
    [See the full post at: Patch Lady – what’s not in 1809]

    Susan Bradley Patch Lady/Prudent patcher

    • #220436

      Is force updating to the newest version of Windows 10 classified under “Suspicious Behaviors”?

      I’ve never used an antivirus (and disabled the built-in ones) for the past few years, surprisingly I have no problems, shocking I know!

    • #220441

      Maybe it was blocking too much of Microsoft’s own suspicious behavior? LOL

      • #220492

        Nah, it’s just a subset of Windows Defender Advanced Threat Protection, which normally only works with Windows 10 Enterprise. The feature does stuff like:

        • Block running unsigned executables off a USB drive
        • Prevent Adobe Reader from launching child processes
        • Block the use of PSExec
        • Block Office macros from using Win32 API calls
        • Block Office applications from creating executable files

        It’s pretty sensible for home users, but does come with the risk of breaking legitimate use cases.
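        As an added example (not from any poster in this thread, and not Microsoft's own script): the practical way to take the "risk of breaking legitimate use cases" out of the rules listed above is to stage one ASR rule in audit mode, read what it would have blocked from the Defender event log, and only then enforce it. It uses the built-in Defender PowerShell cmdlets; the rule GUID is Microsoft's published ID for "Block Office applications from creating executable content" as I recall it, so verify it against Microsoft's ASR rule reference before relying on it.

```powershell
# Added example (not from the thread): stage one ASR rule in audit mode before
# enforcing it, then review what it would have blocked.
# Assumption: this GUID is the published ID for "Block Office applications from
# creating executable content"; check it against Microsoft's ASR rule reference.
$RuleId = '3B576869-A4EC-4529-8536-B80A7769E899'

# AuditMode logs what the rule would do without blocking anything.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Confirm the configured state. Ids and Actions are parallel arrays
# (0 = Disabled, 1 = Block, 2 = Audit).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}

# Review audit hits (event 1122) and real blocks (event 1121) from the last
# 7 days. Anything here that is a legitimate workflow needs an exclusion
# before the rule is switched to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Message = ($_.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize

# Once the audit log is clean, enforce the rule:
#   Set-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
#                    -AttackSurfaceReductionRules_Actions Enabled
# If it later trips on a tool you need, exclude that binary rather than
# disabling the rule (path below is a placeholder):
#   Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Path\To\Tool.exe'
```

        Run it from an elevated PowerShell session; on a machine where the rule has never fired, the event query simply returns nothing.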

    • #220455

      Microsoft claims:

      You can enable a new protection setting, Block suspicious behaviors, which brings Windows Defender Exploit Guard attack surface reduction technology to all users.

      The above notably does NOT say that “Block Suspicious Behaviors” and “Attack Surface Reduction” are one and the same – but they’re clearly related.

      Apparently a focus of Attack Surface Reduction is to block the automatic download/run of malware through Office. At first glance that seems like a good idea, but don’t forget that it will stand in your way if you’re legitimately trying to do something it doesn’t like – e.g., mail a .zip file – to someone. The features being blocked were added to make systems more functional, and people learned to use them.

      I wonder:

      Does the removal of the settable option from v1809 mean it’s now always off, or always on?

      What’s different between “Block Suspicious Behaviors” and the various other well-documented anti-exploit features? Are there key additional functionalities blocked because it’s considered an “end user/home OS” vs. “business (Enterprise) OS”? I.e., is this another case where “Pro” really isn’t professional after all?

      In the process of reducing the likelihood that computer-ignorant masses will propagate malware, is Microsoft making Windows incapable of doing powerful or sophisticated computing operations? This is a case where details really will matter.

      I’m always concerned that something they change in the name of “security” is going to break an ability to do legitimate activities, without reasonable workarounds.

      -Noel

      • #220481

        Microsoft claims:

        You can enable a new protection setting, Block suspicious behaviors, which brings Windows Defender Exploit Guard attack surface reduction technology to all users.

        The above notably does NOT say that “Block Suspicious Behaviors” and “Attack Surface Reduction” are one and the same – but they’re clearly related.

        Microsoft’s documentation clarifies that “Block Suspicious Behaviors” is just a friendly name for the “Windows Defender Exploit Guard attack surface reduction technology.”
        What is the New “Block Suspicious Behaviors” Feature in Windows 10? (first link in Susan’s post)

        Apparently a focus of Attack Surface Reduction is to block the automatic download/run of malware through Office. At first glance that seems like a good idea, but don’t forget that it will stand in your way if you’re legitimately trying to do something it doesn’t like – e.g., mail a .zip file – to someone. The features being blocked were added to make systems more functional, and people learned to use them.

        Where is there any hint that “Block Suspicious Behaviors” would block an emailed .zip file?

        If Block Suspicious Behaviors blocks an action you need to regularly perform, you can return here and disable it. However, the blocked behaviors are not common in normal PC usage.
        What is the New “Block Suspicious Behaviors” Feature in Windows 10? (first link in Susan’s post)

        I wonder:

        Does the removal of the settable option from v1809 mean it’s now always off, or always on?

        Off. The feature was temporarily removed, not just the on/off switch (which was off by default).

        What’s different between “Block Suspicious Behaviors” and the various other well-documented anti-exploit features?

        Attack Surface Reduction disables potentially dangerous features at a higher level.
        What is the New “Block Suspicious Behaviors” Feature in Windows 10? (first link in Susan’s post)

        Are there key additional functionalities blocked because it’s considered an “end user/home OS” vs. “business (Enterprise) OS”?

        No.

        I.e., is this another case where “Pro” really isn’t professional after all?

        No.

        In the process of reducing the likelihood that computer-ignorant masses will propagate malware, is Microsoft making Windows incapable of doing powerful or sophisticated computing operations?

        No.

        I’m always concerned that something they change in the name of “security” is going to break an ability to do legitimate activities, without reasonable workarounds.

        The reasonable workaround is to not switch it on in the first place, or to switch it off as required.

    • #221728

      Thanks for that info, I was wondering why ‘Block Suspicious Behaviors’ was missing from 1809.

      I also found that ‘Memory Integrity’ can’t be enabled in 1809 anymore either. After putting the setting in the Windows Defender UI in 1803, it seems Microsoft have now decided to change the requirements to be able to enable HVCI. The only info I can find is below, but it doesn’t give any explanation for the mandatory requirements change (or how to check if you have UEFI MAT):

      ‘Enabled the “Require UEFI Memory Attributes Table” option’

      https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/

      Edit to remove HTML
