Strana-Mechty/ExploitProtection-Templates

ExploitProtection-Templates

A set of tested profiles for Windows Exploit Protection.

Windows ships with a wide array of process mitigations (Exploit Protection) that restrict what an application may do at runtime and make it harder to turn a bug in an exposed application into code execution, including the zero-click case where the user only has to receive a message or open a file. Apart from a few system-wide defaults, Microsoft does not configure these per-application mitigations out of the box.

This set of XML files is meant to be a baseline set of templates for the applications that form the most obvious points of exploitation by malware or remote intrusion by a hostile entity.

Examples are applications that talk to the internet (chat clients and browsers, for example) or that load data which may carry a malicious payload (video players and PDF readers, for example). Applications outside these classes are a low priority for this project, and specialised software such as video games is out of scope.

This repository packs its own set of templates in addition to the templates found in the Microsoft and Jgregson's repositories. The productivity app templates are based on Palantir's studies on securing productivity applications. You can also apply the Settings.XML file, which bundles all of the aforementioned settings in one export, but it is not updated as often as the individual templates.

Known issues

Chromium-based templates may suffer from a rare crash when merging tabs from different windows while a video is playing.

Garmin's template for CefSharp.BrowserSubprocess is intentionally relaxed because Exploit Protection matches on executable name only: the same policy applies to every CefSharp.BrowserSubprocess.exe on the machine, and the identically named processes spawned by Syncthing and Baldur's Gate 3 conflict with a stricter profile.

Telegram will silently fail to follow clickable links, so copying and pasting them becomes a necessity.

SumatraPDF and Syncthing have hardware-enforced stack protection (user-mode shadow stacks) explicitly turned off; these applications crash with it enabled even in compatibility (non-strict) mode.

Foobar2000 will complain that it cannot spawn its file-association script as a separate process. Either disable that script in the preferences menu or apply the mitigation only after the application has been set up.

Enforced ASLR causes GOG Galaxy-based applications to fail. The templates account for this, but the mini-installers from the gog.com website will still fail if ASLR is enforced globally.

Only apply the Jellyfin Shim template if you actually use it. Its executable name (run.exe) is extremely generic, and because policies are keyed on executable name it may collide with unrelated applications.

How to apply

The XML settings can be validated from an elevated PowerShell session with

Set-ProcessMitigation -PolicyFilePath .\discord.xml -IsValid

and subsequently applied with

Set-ProcessMitigation -PolicyFilePath .\discord.xml
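The following is an added worked example, not code from this repository: it builds a small Exploit Protection policy for a hypothetical executable (examplereader.exe; the policy XML is constructed for illustration and its element names follow the documented Exploit Protection policy schema), validates it the way the repository suggests, applies it, confirms the resulting per-process settings, and shows how the bulk case can skip a template such as the Jellyfin run.exe one. It also shows how a single mitigation is relaxed for an application that crashes under it, as the known issues above do for shadow stacks, while the rest of the profile stays enabled.

```powershell
# Added example (not part of the repository). Run from an elevated PowerShell:
# Set-ProcessMitigation writes per-process settings under HKLM.
$ErrorActionPreference = 'Stop'

$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

# Constructed policy for a hypothetical executable. Everything is on except
# the user-mode shadow stack, which is deliberately disabled (the way the
# repository relaxes it for SumatraPDF) because the app crashes with it on.
$policy = @'
<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <AppConfig Executable="examplereader.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" StrictControlFlowGuard="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <StrictHandle Enable="true" />
    <Heap TerminateOnError="true" />
    <ExtensionPoints DisableExtensionPoints="true" />
    <ImageLoad BlockRemoteImageLoads="true" BlockLowLabelImageLoads="true" PreferSystem32="true" />
    <Fonts DisableNonSystemFonts="true" AuditOnly="false" />
    <ChildProcess DisallowChildProcessCreation="true" />
    <Payload EnableExportAddressFilter="true" EnableExportAddressFilterPlus="true"
             EnableImportAddressFilter="true" EnableRopStackPivot="true"
             EnableRopCallerCheck="true" EnableRopSimExec="true" />
    <!-- Relaxed on purpose: crashes with this on, even in non-strict mode -->
    <UserShadowStack UserShadowStack="false" UserShadowStackStrictMode="false" />
  </AppConfig>
</MitigationPolicy>
'@

$path = Join-Path $env:TEMP 'examplereader.xml'
Set-Content -Path $path -Value $policy -Encoding UTF8

# 1. Validate the file before touching the registry; a schema error throws here.
Set-ProcessMitigation -PolicyFilePath $path -IsValid

# 2. Apply it. The settings are stored under
#    HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe>
#    (MitigationOptions / MitigationAuditOptions) and apply to new process instances.
Set-ProcessMitigation -PolicyFilePath $path

# 3. Confirm what is now configured for that executable name.
Get-ProcessMitigation -Name 'examplereader.exe'

# 4. Bulk flow for a checkout of templates: validate every file first, then apply,
#    skipping templates whose executable name is too generic for this machine.
$skip = @('jellyfin-shim.xml')   # hypothetical file name; adjust to the real one
$templates = Get-ChildItem -Path '.\*.xml' | Where-Object { $skip -notcontains $_.Name }
foreach ($t in $templates) { Set-ProcessMitigation -PolicyFilePath $t.FullName -IsValid }
foreach ($t in $templates) { Set-ProcessMitigation -PolicyFilePath $t.FullName }

# 5. Snapshot the machine-wide per-process policy so it can be diffed or
#    restored later (the repository's Settings.XML is this kind of export).
Get-ProcessMitigation -RegistryConfigFilePath (Join-Path $env:TEMP 'exploit-protection-export.xml')
```

Validate before applying on purpose: `-IsValid` only checks the XML, whereas the plain call writes to Image File Execution Options for every `AppConfig` in the file, so a typo in an `Executable` name silently creates policy for a process that does not exist, and a correct name matches every binary of that name regardless of vendor.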

Disclaimer

All templates have been carefully tested, but Windows updates and differences in Windows build and application version might still cause these settings to fail and the application to crash.
