Hardening MS Windows
Attack Surface Reduction
Attack Surface Reduction (ASR), a security feature of Microsoft Windows 10, forms part of Microsoft Defender Exploit Guard. It is designed to combat the threat of malware exploiting legitimate functionality in Microsoft Office applications. In order to use ASR, Microsoft Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations.
ASR offers a number of attack surface reduction rules; these include:
  • Block executable content from email client and webmail
  • Block all Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macro
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Use advanced protection against ransomware
  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  • Block process creations originating from PSExec and WMI commands
  • Block untrusted and unsigned processes that run from USB
  • Block Office communication application from creating child processes
  • Block Adobe Reader from creating child processes
  • Block persistence through WMI event subscription
Early Launch Antimalware
Another key security feature of Trusted Boot, supported by Microsoft Windows 10 and motherboards with a Unified Extensible Firmware Interface (UEFI), is Early Launch Antimalware (ELAM). Used in conjunction with Secure Boot, an ELAM driver can be registered as the first non-Microsoft driver that will be initialised on a workstation as part of the boot process, thus allowing it to verify all subsequent drivers before they are initialised. The ELAM driver is capable of allowing only known good drivers to initialise; known good and unknown drivers to initialise; known good, unknown and bad but critical drivers to initialise; or all drivers to initialise. To reduce the risk of malicious drivers, only known good and unknown drivers should be allowed to be initialised during the boot process.
The following Group Policy setting can be implemented to ensure only known good and unknown drivers will be initialised at boot time.
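As an added example (not part of the original post and not Microsoft's own tooling), the PowerShell below stages a subset of the ASR rules listed above in audit mode through Defender's MpPreference cmdlets and reports what is currently set. It assumes an elevated shell on a host where Microsoft Defender Antivirus is the active real-time engine; the rule GUIDs are Microsoft's published ASR rule IDs and should be checked against current Microsoft documentation before rollout.

```powershell
# Added example: stage ASR rules in audit mode, then report their state.
# Assumes Defender Antivirus is the active real-time engine and the shell is elevated.
# GUIDs are Microsoft's published ASR rule IDs; confirm against current docs.

$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations originating from PSExec and WMI commands'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
}

# Action codes as stored by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'AuditMode'; 6 = 'Warn' }

function Set-AsrRules {
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode')] [string]$Mode = 'AuditMode')
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference merges with rules already configured;
        # Set-MpPreference would replace the whole list.
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        [pscustomobject]@{
            RuleId = $id
            Action = $ActionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            Name   = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(not in this list)' }
        }
    }
}

# Audit first so that legitimate line-of-business software that trips a rule shows up
# before anything is blocked; rerun with -Mode Enabled once the audit log is clean.
Set-AsrRules -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
```

Audit hits are written to the Microsoft-Windows-Windows Defender/Operational event log as event ID 1122 (1121 once a rule is in block mode), which is where to look before switching rules to Enabled.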
Can MS Defender Antivirus replace security bundle products like Norton 360? Or does it just work as an antivirus? Does anybody know if it can block cryptomining PowerShell scripts loaded in memory?
I don't think so. 
I've found a helpful tip is to get a firewall like TinyWall that blocks everything except for what you allow, so even if you do get a coinminer, it won't be able to connect to the Internet.
Also try this and this. You may have to do some tweaking to get the right balance of running your software and blocking the rest.
Also you can adjust your software restriction policies with this to block coin miners running from specific folders.
I ever get ransomware, all my files on my laptop cannot open
