White paper: How to use Trend Micro Vulnerability Protection to patch virtually

Topic

New Reply

An interesting PDF (link below) from Daniel Portenlanger: Microsoft’s new patching policies have introduced new challenges to keeping Windows endpoint
[See the full post at: White paper: How to use Trend Micro Vulnerability Protection to patch virtually]

1 user thanked author for this post.

WildBill

Reply | Quote

Replies

You would think with all the telemetry collected, and built-in Defender, that MS could do this themselves on the fly – yet they don’t.

Meanwhile you’ve got Linux distributions adopting LivePatching… Ubuntu has had it since 14.04 LTS which came out years ago. Security patching without requiring a reboot – who’d’a’thunk’it.

1 user thanked author for this post.

WildBill

Reply | Quote

I use Trend Micro for my Windows machines and my Android and iOS devices. I am very pleased with Trend Micro. Their software is very non-intrusive and highly-rated. And it is extremely simple to opt out of auto-renewal.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

If you recall, AskWoody.com documented the zero day fix from Adobe, Microsoft and others was breaking some applications. The site also indicated that uninstalling the software patch resolved those issues. Of course, that then reintroduces the vulnerability. In a corporate environment, having a patch break applications critical to a business could be a disaster.

Applications critical to a business is a stretch in this example. It was a golf game.

Does Daniel Portenlanger work for Trend Micro?

$40 or $60 per user per year?

Reply | Quote

Woody had commented on the topic of a virtual patch in a previous post.  I am a contractor and have many customers with different security suites.  One customer had a license for Vulnerability Protection that was included with their Enterprise Security Suite.  I used the experience to write a simple document for  our peers to understand the technology.

The document uses the flash player exploit as an example.  If you recall, there was a flash player update that broke VMware.  There was also a Windows patch that broke virtual network cards.  It is my opinion that those patch issues caused business critical failures.

1 user thanked author for this post.

SueW

Reply | Quote

Thanks for the explanation. But how much does this cost?

Reply | Quote

Jim,

I’m delighted Trend Micro has improved their product.

About 16 years ago I installed it, and then my computer filled up with viruses.  The S**s at Trend Micro wouldn’t refund my money.  Later in the same year, either PCWorld or PCMag stated this company would do the rest of us a favor if they quit making this product.

If someone else is considering changing their antimalware protection, I suggest checking AV-test or AV-comparatives.  The latter is affiliated with the Austrian government and an Austrian university.  My choice is to use the paid version of Malwarebytes’ and the free version of AVAST.  Every four years, I buy the paid version of AVAST, but don’t install it.

Here’s hoping everyone’s antimalware works well!

Reply | Quote

I haven’t heard of it being called virtual patching, but we use Palo Alto’s Advanced Endpoint Protection which does essentially this.  Microsoft EMET offers a similar but more barebones system.  Unfortunately it seems EMET is going away shortly.

Reply | Quote

I thought EMET had already gone! My installation got disabled and the website points to the new functionality in Windows Defender.

Reply | Quote

My mistake – it looks like it is still available for non-Win 10 installations. Does the move of this functionality to Windows Defender in Windows 10 mean that Defender will take on the role of virtual patching, or am I just being hopeful?

Reply | Quote

Search “Windows Defender ATP”  It looks like they rolled EMET’s functionality into a paid application.  Seems to call it “Exploit Protection.”  Base Windows Defender may do it too if you have Real-Time Protection enabled, but the marketing talk on MS’s site makes it sound like “no.”  Can’t say since there’s nothing really configurable in Defender.

Reply | Quote

It’s also already there in Windows 10 built-in Defender Security Center. Open up the Defender app and select “App & browser control” and scroll to the bottom. If you click on “exploit protection settings” there are 2 tabs, one for systems settings and one to allow you to fine-tune settings for individual programs.

Reply | Quote

FYI at least two programs I have encountered so far forget/reset the configured w10 exploit protection (WDEP, formerly EMET) when installed updated or repaired:

Office 2013,2016
Adobe Reader DC

Also Office 2016 still doesn’t even support Control Flow Guard (CFG) even though microsoft introduced it 2014.

microsoft: “We’ve introduced anti-exploit technology, you can enable for whichever program you want and feel good about it, but office will forget/overwrite it’s own WDEP settings on every install, update, or repair, also we didn’t bother to compile office with CFG.”

Reply | Quote

How does this technoology compare with what they are trying to do with “0patch” mentioned in several other threads?

Reply | Quote

Mitja Kolsek of 0patch here. Per Trend Micro, their virtual patching is agentless and “uses intrusion detection and prevention technologies to shield vulnerabilities before they can be exploited”, which is in line with my standard understanding of virtual patching. So they sit between your vulnerable code and the environment (mostly network or file system) and detect+block attempts at exploiting known vulnerabilities.

In contrast, 0patch comes with an agent that actually patches the vulnerable code in memory of running processes, so while a virtual patch (essentially a collection of detection and action rules) might be bypassable by mutating an exploit, with a micropatched code there is really nothing to bypass because the vulnerability is “physically” no longer there.

These two technologies are to some extent competitive (some vulnerabilities can be patched well with both), and to some extent complementary (one can imagine vulnerabilities that are better/faster fixed with virtual patching, and ones for which 0patch is a better solution).

Both technologies are trying to solve the “security update gap“, further exacerbated by the above-described monolithic security updates that make users choose between functionality and security.

4 users thanked author for this post.

Elly, windows7wasthebest, woody, b

Reply | Quote