Windows 10: What programs do you protect with Windows Defender Exploit protection?

Interested to hear what others have decided on...

:)

 

I want to infect my PC

Hi Rob

You most likely are aware but for the benefit of all readers let me provide more rather than less information.

Windows Defender Exploit Guard
(introduced in Windows 10 Fall Creators Update) includes four components of new intrusion prevention capabilities designed to lock down a system against various attack vectors and block behaviors commonly used in malware attacks before any
damage can be done.

• Exploit protection consists of exploit mitigations which
  can be configured to protect the system and applications whenever suspicious or malicious exploit-like behavior is detected.
  
• Controlled folder access protects common system folders
  and personal data from ransomware by blocking untrusted processes from accessing and tampering (encrypting) sensitive files contained in these protected folders.
  
• Attack Surface Reduction (ASR) is comprised of
  a set of rules which helps prevent exploit-seeking malware by blocking Office, script and email-based threats.
• Network protection protects against web-based threats
  by blocking any outbound process attempting to connect with untrusted hosts/IP/domains with low-reputation utilizing
  
  Windows Defender SmartScreen.

Windows Defender EG is intended to replace Microsoft’s EMET which was confusing to novice users and allowed hackers to bypass because the mitigations were not durable and often caused operating system and application stability issues as explained

here. Microsoft advises that Windows Defender EG features all work best with

Windows Defender Advanced Threat Protection which provides detailed reporting into Windows Defender EG events and blocks.

As noted in the link I provided above, some security researchers have advised not to to use multiple anti-exploit applications because using more than one of them at the same time can hamper the effectiveness of

Return-oriented programming (ROP), and other exploit checks.

Fabian Wosar of Emsisoft has said multiple anti-exploit programs can result in the system becoming even more vulnerable than if only one anti-exploit application is running. In some cases multiple tools can cause interference
with each other and program crashes.

As such, users need to know and understand the protection features of any third-party anti-exploit/anti-ransomware program they are considering to use alongside Windows Defender EG..

 

Bug? In Windows Defender Exploit Guard.

If we assume that this is just a glitch, then you might be able to reset the Exploit protection defaults by exporting the settings from an unaffected PC (with default settings) and then importing those settings on the affected machines. This looks
to be the backup/restore tool for the Exploit protection settings:

Deploy Exploit protection mitigations across your organization

Export and Import Exploit Protection Settings in Windows 10

 

If you download Microsofts' Sysinternals Suite, you can use the "Process Explorer.exe tool" to see what processes have the protections provided by Windows Defender.
You can get that set of tools here: Sysinternals Suite 2018.2.18 Download - TechSpot

I forgot to answer your question, lol. Tired. I have everything in exploit section set to on by default. I have everything in app and browser section set to warn.
I run in a normal user account.
I have UAC set to all programs. (you get used to the constant nag after a while)
I have uninstalled Windows script host, Power Shell, Adobe everything, JAVA, all because I don't need or use any of them and they are the frequent source of being commandered into losing control of your machine.
I use Malwarebytes Premium along with Windows Defender and backup the C drive with Macrium Reflect to disconnected drives.

 

Do you mean the DEP column in process Explorer?

 

@Slippery

Cheers for your response. So you haven't decided on any 3rd party apps that might benefit from protection?

I decided to give running from a standard account a go also and have been for the last few Win 10 releases. The constant nag for the admin password to run programs can get pretty tiring but I suppose the added protection is worth it.. I have wondered for my most frequently used programs that require admin to run whether I could set them to permanently run as admin without the password request but I'm not aware any such method.

 

Where do you find the DEP column in Process Explorer?

 

@Kol12, you need to right click Process Explorer and run as admin to see all the columns.
There are plenty of folks here who are in the upper echelons of geekdom who can help you with permissions and task scheduler to accomplish that if possible. I look on computers as a toy, not to be relied on for the important stuff anymore than is absolutely necessary.

@Steve C, yes DEP, ASLR, Control Flow Guard

 

Yes, that is where I turned on DEP for all programs. Process explorer is a monitoring utility. You can't use it to change the system, just what it is monitoring.

 

You can all also turn DEP on for all programs and services through System - Advanced System settings - Advanced - Performance Settings - DEP tab. *Smile