A large share of attacks on Windows begin by exploiting memory-safety bugs in software that users install themselves, not in Windows itself.
Microsoft cannot afford to let software it did not write put its users, and its own reputation, at risk.
So instead of waiting for every software vendor to build memory protections into their products, Microsoft went one step further and built a protective layer into the operating system itself (not a separate security product that has to be installed and can be removed).
Anyone who uses Windows probably already knows this tool: it is called Windows Security (formerly Windows Defender)!
#1. More about Windows Security
Windows Security used to be regarded as a free antivirus that was routinely ranked below commercial security suites such as Kaspersky, ESET, AVG, Symantec and so on.
But since Windows 10 appeared, Windows Security has gradually become a core component of the operating system. (In this article I am referring specifically to Windows Defender Exploit Guard, a component of Windows Security whose settings can be managed centrally through Group Policy on the Pro and Enterprise editions.)
A little more about Exploit Guard on Windows: it is a set of four security mechanisms that reduce the chance of a Windows user being successfully attacked:
- Attack Surface Reduction (ASR) rules: block malware at the point of delivery, for example a malicious Office macro arriving in the user's email inbox.
- Network Protection: inspects outbound network connections and blocks those to known-malicious hosts, which stops malware from downloading its payload or reporting back to its operator.
- Controlled Folder Access: detects and blocks unauthorised changes to important files (documents, spreadsheets, images, system files, ...) by untrusted programs, which is exactly what ransomware does when it encrypts a disk.
- Exploit Protection (EP): replaces the old Enhanced Mitigation Experience Toolkit (EMET) and adds further exploit mitigations. Under "memory exploit protection" this includes DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).
Besides improving on the mitigations its predecessor EMET offered, Exploit Protection integrates with Group Policy (GPO), which helps administrators a great deal because GPO is the standard way to manage an entire Windows network.
The admin can decide in advance how a machine should respond when malware tries to exploit a buffer overflow to run its own code, and roll that decision out to the network as policy.
After configuring the Exploit Protection mitigations (DEP, ASLR, SEHOP) on a reference computer, the admin exports those settings to an .xml file,
and then uses GPO to deploy the settings contained in that .xml file
to every machine they want.
In addition, with Windows PowerShell the admin can connect directly to a user's machine and adjust the settings very quickly.
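The whole procedure above (configure a reference machine, export the settings to .xml, push that file to other machines by GPO or by PowerShell Remoting) as an added PowerShell example; this is not code from the original article. The `Get-ProcessMitigation` / `Set-ProcessMitigation` cmdlets are the ones that ship with Windows 10 1709 and later; the paths, the computer names `WS-001`/`WS-002` and the application name `legacyapp.exe` are placeholders I chose. Run it from an elevated session on the reference machine, with WinRM enabled on the targets.

```powershell
# Added example (not from the original article): build an Exploit Protection
# baseline on one reference machine, export it to XML, and push the same XML
# to other machines. Host names, paths and 'legacyapp.exe' are assumptions.
#Requires -RunAsAdministrator

$referenceXml = 'C:\ExploitGuard\EP-baseline.xml'                # assumed export path
$targets      = @('WS-001', 'WS-002')                            # assumed target computers
$remoteXml    = 'C:\ProgramData\ExploitGuard\EP-baseline.xml'    # assumed path on targets

# 1. System-wide defaults on the reference machine: DEP, SEHOP and the ASLR
#    family (bottom-up and high-entropy randomisation, plus forced relocation
#    of images that were not linked with /DYNAMICBASE).
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy, ForceRelocateImages

# 2. Per-process overrides live in the same policy. Example: force DEP and
#    SEHOP on a 32-bit line-of-business app that does not opt in by itself.
Set-ProcessMitigation -Name 'legacyapp.exe' -Enable DEP, SEHOP

# 3. Export everything that is currently configured (system + per-app) to XML.
New-Item -ItemType Directory -Path (Split-Path $referenceXml) -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath $referenceXml

# Sanity check before distributing: the export is an XML document whose root
# element is <MitigationPolicy>; refuse to ship anything else.
[xml]$policy = Get-Content -Path $referenceXml -Raw
if ($policy.DocumentElement.Name -ne 'MitigationPolicy') {
    throw "Unexpected root element '$($policy.DocumentElement.Name)' in $referenceXml"
}
"Exported $(@($policy.MitigationPolicy.AppConfig).Count) per-app entries plus system defaults"

# 4a. Group Policy route: copy the XML to a share every client can read and
#     point this policy at it:
#     Computer Configuration > Administrative Templates > Windows Components >
#     Windows Defender Exploit Guard > Exploit Protection >
#     "Use a common set of exploit protection settings"
#     Domain-joined clients import the file at their next policy refresh.

# 4b. PowerShell Remoting route for machines that must be updated right now.
foreach ($computer in $targets) {
    $session = New-PSSession -ComputerName $computer
    try {
        Invoke-Command -Session $session -ScriptBlock {
            param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
        } -ArgumentList (Split-Path $remoteXml)

        Copy-Item -Path $referenceXml -Destination $remoteXml -ToSession $session

        Invoke-Command -Session $session -ScriptBlock {
            param($path)
            Set-ProcessMitigation -PolicyFilePath $path
            # Read the effective system setting back as proof the import took
            # (property names follow the cmdlet's own output: Dep.Enable).
            (Get-ProcessMitigation -System).DEP.Enable
        } -ArgumentList $remoteXml |
            ForEach-Object { "$computer : system DEP = $_" }
    }
    finally {
        Remove-PSSession $session
    }
}
```

The read-back at the end matters: `Set-ProcessMitigation -PolicyFilePath` does not complain loudly about a file it cannot parse, so checking an actual value after import is the only way to know the policy landed. Per-app entries and system defaults travel in the same file, so one export is the complete baseline.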
#2. Components of Memory Exploit Mitigation (MEM)
+) Data Execution Prevention
Malware that exploits a memory bug typically injects its code into memory belonging to a legitimate application (a data buffer on the stack or heap, for example) and then redirects execution to it.
Because the injected code lives only in RAM, it disappears when the computer restarts, which makes this kind of attack hard to trace.
DEP reduces the risk by treating memory that was allocated only to hold data as non-executable, so code that has been smuggled into a buffer cannot simply be jumped to.
On CPUs that support it (the NX/XD bit), DEP marks those pages no-execute in the page tables and the processor itself refuses to fetch instructions from them; the application crashes instead of running the attacker's code.
+) Address Space Layout Randomization
Besides user-installed applications, malware can target Windows system processes: if the attacker knows where a process's code and data sit in memory, the payload can be aimed at those fixed addresses (for instance by overwriting a return address so it points at code the attacker wants to run).
"Heap spraying" was one of the popular arbitrary-code-execution techniques before ASLR existed: fill the heap with many copies of the payload so that a guessed address is very likely to land on one of them.
ASLR counters this by randomizing the addresses at which the executable, the system DLLs, the stack and the heap are placed, so an exploit can no longer rely on a hard-coded address for Windows components.
+) Structured Exception Handling Overwrite Protection
SEHOP protects Structured Exception Handling (SEH), the Windows mechanism that dispatches hardware and software exceptions to handler routines. A classic stack-overflow technique overwrites an SEH record on the stack so that its handler pointer leads to attacker code; SEHOP validates the whole handler chain before dispatching an exception and terminates the process if the chain has been tampered with.
Please note that when SEHOP is enabled, some incompatible applications will crash!
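A practitioner reading the three descriptions above will want to check what a given machine actually has switched on, and, given the crash warning, to exempt a single incompatible program rather than switch a mitigation off for everyone (the same point the epilogue makes about not disabling these features for games). The following is an added PowerShell example, not code from the original article. The WMI properties on `Win32_OperatingSystem`, the `DisableExceptionChainValidation` registry value and the `Get-/Set-ProcessMitigation` cmdlets are real; the application name `oldgame.exe` is a placeholder I chose.

```powershell
# Added example (not from the original article): report the state of DEP,
# ASLR and SEHOP on this machine and grant a scoped exception to one
# incompatible image instead of disabling the mitigation system-wide.
# Run elevated on Windows 10 1709+. 'oldgame.exe' is an assumed name.
#Requires -RunAsAdministrator

function Get-MemoryMitigationReport {
    # DEP policy is exposed by WMI on Win32_OperatingSystem:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows client default), 3 = OptOut.
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depPolicy = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # SEHOP also has a legacy system-wide switch in the session-manager key:
    # DisableExceptionChainValidation = 0 means SEHOP ON, 1 means OFF.
    $kernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $decv = (Get-ItemProperty -Path $kernelKey -Name DisableExceptionChainValidation `
             -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    $sehopLegacy = if ($null -eq $decv) { 'not set' } elseif ($decv -eq 0) { 'ON' } else { 'OFF' }

    # Exploit Protection's own view of the system defaults (property names
    # follow the cmdlet's output: Dep, Aslr, SEHOP, ...).
    $sys = Get-ProcessMitigation -System

    [pscustomobject]@{
        CpuSupportsNX     = [bool]$os.DataExecutionPrevention_Available
        DepPolicy         = $depPolicy
        Dep32BitApps      = [bool]$os.DataExecutionPrevention_32BitApplications
        SehopLegacyKey    = $sehopLegacy
        SehopExploitGuard = $sys.SEHOP.Enable
        AslrForceRelocate = $sys.ASLR.ForceRelocateImages
        AslrBottomUp      = $sys.ASLR.BottomUp
        AslrHighEntropy   = $sys.ASLR.HighEntropy
    }
}

function Grant-ScopedMitigationException {
    param(
        [Parameter(Mandatory)][string]  $Executable,   # image name, e.g. oldgame.exe
        [Parameter(Mandatory)][string[]]$Mitigation    # e.g. 'SEHOP', 'ForceRelocateImages'
    )
    # Record the current per-image state so the change can be justified and reverted.
    $before = Get-ProcessMitigation -Name $Executable
    # Disable only the named mitigations, only for this image; the system-wide
    # defaults stay in force for every other process.
    Set-ProcessMitigation -Name $Executable -Disable $Mitigation
    $after = Get-ProcessMitigation -Name $Executable
    [pscustomobject]@{
        Executable  = $Executable
        SehopBefore = $before.SEHOP.Enable
        SehopAfter  = $after.SEHOP.Enable
    }
}

Get-MemoryMitigationReport | Format-List

# A legacy game that crashes with SEHOP: exempt just that image ...
Grant-ScopedMitigationException -Executable 'oldgame.exe' -Mitigation 'SEHOP'
# ... and to undo the exception later, drop the per-image entry entirely:
# Set-ProcessMitigation -Name 'oldgame.exe' -Remove
```

The report deliberately shows both the legacy SEHOP registry switch and the Exploit Protection value, because on an upgraded machine the two can disagree and the per-process settings from `Set-ProcessMitigation` take precedence. The exception function is the safe answer to the crash warning: one image loses one mitigation, everything else keeps the full set.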
#3. Epilogue
Although this article is aimed mainly at Windows network administrators, it should be clear to everyone that Microsoft's engineers are working to improve the security of Windows with every version.
(Windows is attacked the most because of its huge user base and the enormous number of applications and add-on components that come with it.)
Microsoft advises that only administrators who understand memory-corruption attacks should manually adjust the Exploit Protection settings of Windows Defender Exploit Guard, and that any change must be tested in a lab environment before it is deployed across a corporate network, so that important business applications are not crashed by it.
Be wary of articles that recommend switching these features off so that a game or application stops crashing or throwing incompatibility errors. That should be the last resort, because it is very dangerous at a time when malware and ransomware are as abundant as they are today; if one program really is incompatible, give that one program an exception rather than disabling the mitigation for the whole system.
The best way to keep running old games and applications while keeping your main computer secure is to use a virtual machine, or to rent a Windows VPS and remote into it; then you can use them freely without worrying that your files will one day be encrypted and held for Bitcoin ransom!
CTV: Duong Minh Thang – Blogchiasekienthuc.com
Edit by Kien Nguyen