Category Archives: Security

Various .NET Versions Facing EoS Soon

On April 4, an End of Support notice surfaced in the Microsoft Message Center. Its initial text appears in the lead-in graphic for this story above. In short: various .NET versions are facing EoS soon. The runtime versions involved are 4.5.2, 4.6 and 4.6.1. MS recommends that affected PCs update to .NET Framework 4.6.2 before April 26, 2022. No updates or security patches will be issued for those versions after that date.

If Various .NET Versions Facing EoS Soon, Then What?

This is an issue only if certain applications still in use employ those older .NET versions, and they themselves haven’t yet been upgraded to use a newer one. As I look at the relevant folder on my production Windows 10 desktop — namely:

C:\Windows\Microsoft.NET\Framework

these are the folders that I see:

If I understand how this works correctly, all versions lower than 4.0 reflect older .NET versions currently installed on this PC. Thus by reading the version numbers for those folders you can see that 5 such versions are installed, from v1.0.3705 through v3.5.

On the other hand, if you display properties for any .dll file in the v4.0.30319 folder, you’ll see what version of .NET is currently present. To wit: the Product Version line reads 4.8.4084.0, which tells me that I’ve got the latest and greatest .NET version installed here, alongside the earlier versions already mentioned.
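The folder walk and DLL check just described, scripted in PowerShell as an added example (not code from the original post). It lists the runtime folders, reads the 4.x DLL’s Product Version, and then decides the 4.6.2 question with the Release registry value that Microsoft documents for that purpose, which the post itself does not mention; clr.dll being present in v4.0.30319 is an assumption.

```powershell
# Added example, not from the original post: audit the .NET Framework runtimes on
# a Windows 10 PC the way the post does (folder names plus the 4.x DLL's Product
# Version), then decide whether the 4.x line is at least 4.6.2.
$frameworkRoot = 'C:\Windows\Microsoft.NET\Framework'   # folder named in the post

# The pre-4.0 runtimes each live in their own version-named folder.
$versionFolders = Get-ChildItem -Path $frameworkRoot -Directory |
    Where-Object { $_.Name -match '^v\d+\.\d+' }
"Runtime folders under ${frameworkRoot}:"
$versionFolders | ForEach-Object { "  $($_.Name)" }

# The 4.x runtime is upgraded in place, so its folder name stays v4.0.30319; the
# installed version is in a DLL's file metadata (Properties > Details in Explorer).
# Assumption: clr.dll exists in that folder; any DLL there carries the same version.
$clrDll = Join-Path $frameworkRoot 'v4.0.30319\clr.dll'
if (Test-Path $clrDll) {
    "4.x runtime Product Version: $((Get-Item $clrDll).VersionInfo.ProductVersion)"
}

# Caveat: DLL build numbers (e.g. 4.6.1055 for 4.6.1) do not sort sensibly against
# marketing versions like 4.6.2, so for the support decision use the Release DWORD
# that Microsoft documents for this purpose (not mentioned in the post). 394802 is
# the lowest Release value that denotes 4.6.2.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
if ($null -eq $release) {
    Write-Warning 'No 4.x .NET Framework registered; nothing in the 4.x line to assess.'
} elseif ($release -lt 394802) {
    Write-Warning "Release $release is below 4.6.2; update before April 26, 2022."
} else {
    "Release $release is 4.6.2 or later; the 4.x runtime remains in support."
}
```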

What To Do About Impending Retirements?

If you’re using no software that depends on earlier .NET versions, you need do nothing. OTOH, if some of your software does depend on them, you must decide whether you’ll keep using it and risk possible security exposure, or find an alternative that isn’t subject to such risk. For my part, I recommend the latter approach, unless there’s no other choice. And in that case, the safest thing to do would be to run such software in the Microsoft Sandbox as a matter of prudent security policy. ‘Nuff said!


Windows Memory Integrity Now Covers Device Drivers

With the latest versions of Windows 10 and 11, Windows Security gains driver level protection. I’m talking about Build 19044.1586 or higher for Windows 10. Also, 22000.593 or higher for production 11, and 22581.200 or higher for Dev Channel Insider Previews. Looks like those still running Beta (22000.588, or higher) are also covered. Go into Microsoft Security, under the left-panel Device security heading. Drill into Core isolation details, then turn on Memory integrity (see lead-in graphic). Do all those things, and Windows memory integrity now covers device drivers. I’ll explain...

What Windows Memory Integrity Now Covers Device Drivers Means

With Core Isolation turned on (requires Hyper-V and VM support turned on in UEFI or BIOS), you can visit the MS Support Core isolation page to learn more. It also provides detailed, step-by-step instructions on how to turn this feature on (note: a restart is required).

Here’s a brief summary:

1. Memory integrity, aka Hypervisor-protected Code Integrity (HVCI), enables low-level Windows security and protects against driver hijack attacks.

2. Memory integrity creates an isolated environment (e.g. a sandbox) using hardware virtualization.

3. Programs must pass code to memory integrity inside the sandbox for verification. It only runs if the memory integrity check confirms code safety. MS asserts “Typically, this happens very quickly.”

Essentially, memory integrity/core isolation puts security inside a more secure area. There it can better protect itself from attack, while shielding drivers (and the runtime environments they serve) from malicious code and instructions.
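To confirm that the toggle described above actually took effect (it needs a restart, and it needs virtualization support in firmware), here is an added PowerShell check that is not part of the original post. It reads the Win32_DeviceGuard CIM class Windows exposes for this and the HypervisorEnforcedCodeIntegrity registry value that the Windows Security toggle is reflected in; the value meanings are Microsoft’s documented ones, assumed unchanged in the builds named above.

```powershell
# Added example, not from the original post: report whether Memory integrity
# (HVCI) is configured and actually running. Run from an elevated PowerShell.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Value meanings as documented by Microsoft for Win32_DeviceGuard (assumption:
# unchanged in the builds named in the post). Keys are cast to [int] because the
# class returns UInt32 values, which would not match Int32 hashtable keys.
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$services  = @{ 0 = 'none'; 1 = 'Credential Guard'; 2 = 'HVCI (Memory integrity)';
                3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$props     = @{ 1 = 'hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                4 = 'secure memory overwrite'; 5 = 'UEFI code read-only';
                6 = 'SMM security mitigations'; 7 = 'mode-based execution control' }

"Virtualization-based security: $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
'Hardware/firmware properties available: ' +
    (($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] }) -join ', ')
'Services configured: ' + (($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] }) -join ', ')
'Services running:    ' + (($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] }) -join ', ')

# The Windows Security toggle is reflected in this registry value (not mentioned in
# the post); Enabled = 1 means Memory integrity has been switched on.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$enabled = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

if ($dg.SecurityServicesRunning -contains 2) {
    'Memory integrity is running: kernel-mode driver code is verified inside the VBS-isolated environment.'
} elseif ($enabled -eq 1) {
    Write-Warning 'Memory integrity is switched on but not running: a restart is pending, or a prerequisite (or an incompatible driver) is blocking it.'
} elseif ($dg.AvailableSecurityProperties -notcontains 1) {
    Write-Warning 'No hypervisor support reported: enable virtualization (and Hyper-V) in UEFI/BIOS first.'
} else {
    'Memory integrity is off. Windows Security > Device security > Core isolation details > Memory integrity turns it on.'
}
```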

What Can Go Wrong?

If any suspect drivers are already present on a target system, you can’t turn memory integrity on. Instead you’ll get an error message something like this:

Note: the name of the driver appears in the warning, so you can use a tool like RAPR.exe to excise it from your system. Be sure to find, and be ready to install, a safe replacement first, because removing the driver may render the affected device inaccessible and/or unusable.

Should you attempt to install a suspect or known malicious driver after turning this security feature on, Windows will refuse. It will provide a similar error message to report that the driver is blocked because it might install malware or otherwise compromise your PC.

That’s good: because that means driver protection is working as intended. Cheers!


AdwCleaner Roots Out PUAs

For months now, I’ve been seeing traces of a low-risk “potentially unwanted app” (PUA) on one of my Dev Channel test PCs. You can see the Windows Security log trace entry for this item above. It’s named FusionCore.C and it shows up as low-risk adware. This morning I ran Malwarebytes’ AdwCleaner (v 8.3.1) to see if it would make it go away. It did, so I can report that AdwCleaner roots out PUAs. It’s free and needs no installation, so it leaves no system footprint, either.

Because AdwCleaner Roots Out PUAs, Use It!

Now that Microsoft Defender has shown itself to be a great first-line of security defense for Windows PCs, I don’t recommend third-party AV or other real-time protection tools anymore. That said, cleanup tools like AdwCleaner can be helpful. That goes double, because while Defender flags FusionCore.C and other adware instances, it doesn’t offer its own clean-up capability (or even remediation advice).

When you run the AdwCleaner executable (adwcleaner_8.3.1.exe), it finds the two offending PUA elements right away. These consist of a .tmp file and an .exe file. Both have FusionCore.C in their file names. If you check those items under the PUP (Potentially Unwanted Program) heading, you can flag them for quarantine and removal. The following screencap shows the two items checked for potential quarantine.

[Screenshot: the two FusionCore.C items checked under the PUP heading]

All you need to do to flag items is to check the box to the left for each one you’d like to quarantine or remove.

Then, simply click Next to get to the quarantine Window. On this PC a bunch of pre-installed Lenovo items also appear (I don’t care about those: I actually USE most of them). I check none of those items, which are hidden behind the fore-window that says “Cancel” and “Continue.” I choose “Continue” and the items get quarantined. I run another Defender scan and sure enough, the PUAs no longer get reported. A visual inspection of the source folder (shown in the lead-in graphic) shows the items are no longer present there as well. Good-oh!

[Screenshot: AdwCleaner quarantine window with “Cancel” and “Continue”]

Click “Continue” and the checked PUA items go into quarantine, and off Defender’s scan radar. Done!


MS Defender Preview Accepts Personal MSAs

Hoo boy! I’ve been checking in on the Store-based version of the Microsoft Defender Preview since last November. Until this morning, I had no luck getting this cross-platform, multi-device app working. After seeing a story in WindowsUpdate minutes ago, I zipped into the MS Store to try again. And indeed, now that MS Defender Preview accepts personal MSAs (Microsoft Accounts) it appears to be working!

If MS Defender Accepts Personal MSAs, Anybody Can Use It

In the next screencap you can see the dashboard screen from the Microsoft Defender Preview. One must, however, also install this app on other devices before they show up on this dashboard. So naturally, I dashed over to my other Dev Channel test machine (via RDP, no physical movement needed) and used the URL to go straight to the app in Store: https://mysecurity.microsoft.com/downloads.

[Screenshot: the Microsoft Defender Preview dashboard]

The dashboard doesn’t look like much until you start adding devices.

After a quick update, I opened the newest version to see the initial welcome screen I missed on my first MS Defender Preview encounter. I signed up with the same MSA (so both devices would show up on a single dashboard: IDs are deliberately obscured).

To see devices on the same dashboard, you must associate them with a common MSA.

With Time and Exposure, More to Come

That’s about all I have time to deal with this morning. I’m tightly wrapped in legal business this week, so my posts will be short and less frequent than usual. This opening up of the preview, however, was big enough news that I had to share. Check it out, and have fun!


New MS Defender Preview Impediment

I have to chuckle. At the start of November, I wrote here that “I Get No MS Defender Preview.” Just to check up, I went back to the store to grab the Preview. It was no surprise at all that I can still report the same thing. What’s different now is the error message that comes up, as shown in the lead-in graphic. My latest sticking point represents a new MS Defender Preview impediment. As you can see, my account is now recognized, but I can’t log into the preview. Sigh.

Clueless on Overcoming New MS Defender Preview Impediment

I’ve dug around online, at both Microsoft and third-party Windows sites. I cannot find any info on how to subscribe to the Microsoft Defender Preview. Presumably, that would also provide me with necessary login info. But there’s no enlightenment obtainable on how that might be arranged.

Often, when Windows features go into limited release in the Preview channels, I find myself at the end of the pack in gaining access. That phenomenon seems likely in this case, too. I’ll raise a flag in the WIMVP forums and see if I can provoke any action. Shoot! I’d be happy just to get more information on how to subscribe and start participating in the Microsoft Defender Preview.

But — as is so often the case in my experience — I’m on the outside looking in. I know this Preview is happening. I simply can’t get access to it, to sample its functions and capabilities. Stay tuned: I’ll keep you posted as I try to work my way into that charmed space. Hopefully that will happen sooner rather than later. We’ll see!


When Security Stymies Update Remove and Reinstall

Here’s an interesting issue — and another reason why I’m abandoning Norton security after I get my new PC built. I just tried to update CrystalDiskInfo and I couldn’t make it work. Norton data protection prevented the installer from — of all things — deleting old .bmp files for icons and graphics, to replace them with new ones. Even after I turned everything in Norton off for which it provides controls, the &*%$$ program still got in the way. Then it occurred to me: when security stymies update remove and reinstall still works. So that’s what I did, and that’s how I got it to work. Sheesh!

When Security Stymies Update Remove and Reinstall for New Version

Because update operations wouldn’t proceed even after disabling the auto-protect, firewall, and AV functions (see lead-in graphic), I was faced with two alternatives. First, I could completely uninstall Norton and then update. Or second, I could uninstall the old CrystalDiskInfo version, and then cleanly install the new one. Because it was so much less time and labor intensive to undertake the latter, that’s what I did.

But man! I *HATE* it when security software gets in the way of authorized, valid update behavior and I can’t make it stop. By itself, that’s enough to have pushed me to get rid of Norton. But I’d already planned to do that anyway. I still use the password manager (which is a pretty good one), but I have no use any longer for the rest of the suite.

It just goes to show you: when it comes to maintaining Windows PCs, there’s always something lurking in the background ready to strike. This time, I got stung just a little. But sometimes, workarounds are less obvious, or less easy to find and apply. This time, I got lucky…


I Get No MS Defender Preview

The other day, I found myself unable to partake of Online Service Experience Packs in Windows 11. With tongue in cheek, I asserted that I found myself on the outside looking in. It’s nothing new to me when certain preview or pre-release features open to some — but not all — Windows Insiders. Today, I’m in the same boat again. There’s a new version of Microsoft Defender available in the MS Store for download. As you can see from the lead-in graphic for this story, I get no MS Defender Preview. Instead I get an error message that reads “Your account isn’t authorized to use Microsoft Defender yet.” Sigh. I hope I haven’t jinxed myself.

If I Get No MS Defender Preview, Then What?

It’s frustrating to be a vocal, committed and active Windows Insider yet be denied access to new features and apps as they make their way into release. As far back as I can remember, when an A/B test or a gradual rollout occurs for Insiders, I’m never included early. Rather, I have to wait until the feature goes into general release. Or if I’m lucky, I might find some other way to install it.

I’m trying my best to remain patient and take my turn when it comes. In the meantime, you can read more about what’s up with the Microsoft Defender Preview in this October 27 story from The Windows Club. I’d love to tell you more about it based on personal experience, but it seems I’m not allowed to access the Preview. At least, not yet.

Stay tuned, though: when my turn comes, I’ll tell you more about what’s new and different. Coverage so far on the Preview is light on details. So maybe it won’t be too late to do my readers some good. As usual, time will tell…


Audacity Announces Data Harvest Plans

Dang! I just came across a news item that indicates one of my favorite audio recording and editing apps may be going over to the dark side. I’m talking about the long-time, well-known open source freeware program Audacity. Following its April acquisition by the Muse Group, the program’s privacy policy updated on July 2. Alas, in that policy, Audacity announces data harvest plans. These include telemetry data, and sharing of such data.

Audacity Announces Data Harvest Plans: What Kind?

What kind of data will Audacity collect? The types of data to be collected seem pretty innocuous. Namely, OS version, user country based on IP address, OS name and version, CPU. Also, non-fatal error codes and messages, and crash reports in Breakpad MiniDump format. I don’t see any personally identifiable information here, except for the IP address.

Who gets to see it? The desktop privacy notice reads “Data necessary for law enforcement, litigation and authorities’ requests (if any).” Legal grounds for sharing data are “Legitimate interest of WSM Group to defend its legal rights and interests.” That said, we also find language that reads such data may be shared with “…a potential buyer (and its agents and advisors) in connection with any proposed purchase, merger or acquisition of any part of our business…”

What has the user community most up in arms is that Muse asserts the right to occasionally share “…personal data with our main office in Russia…” This contravenes requirements of the GDPR, and could potentially violate data sovereignty requirements in certain EU countries (e.g. Germany) and elsewhere.

Does This Mean It’s Time to Bail on Audacity?

Not yet. These new provisions don’t take effect until the next upgrade to the program (version 3.0.3, one minor increment up from the current 3.0.2). But a lot of people, including me, will be thinking long and hard about whether or not to upgrade. At a bare minimum, it might make sense to run Audacity in a VM through a VPN connection, to obscure its origin and user.

Note: Here’s a shout-out to Anmol Mehrotra at Neowin whose July 6 story “Audacity’s privacy policy update effective makes it a spyware” brought this change of circumstances to my attention.

Note Added July 23: Audacity Updates Policy

If you check this story from Martin Brinkmann at Ghacks.net, you’ll see that Audacity has retreated from all of its controversial or questionable privacy policy language. Seems like the resulting user reactions caused them to revisit, reconsider and move away from data harvest that could touch on user ID info and addresses. Frankly, I’m glad to see this: I like the program, and am happy to understand its new owners have decided to leave its prior policy positions unchanged.


Pondering IME Recovery State Issues

OK, then. First let me explain that IME is short for Intel Management Engine. This firmware component is present on all modern PCs with Intel CPUs since 2008. It operates while the OS is active, and IME also runs during boot-up. In fact, IME is accessible even when a PC is shut down or sleeping, as long as power is available. I’m pondering IME recovery state issues for one reason. My 2012-vintage Lenovo X220 Tablet hangs at every restart to report that “ME is in a recovery state.” I must enter a keystroke before boot-up continues.

I’m learning that IME has deep access on any Windows PC where it resides. For more details, check out the Wikipedia article Intel Management Engine.

Why I’m Pondering IME Recovery State Issues

Fixing this issue on my old Lenovo touchscreen PC is proving nearly impossible. Check out this Win-RAID forum thread on ME Cleaner (a management engine cleanup tool). Hopefully, you’ll get a sense of what contortions removing IME entails. Long story short: some real BIOS hacking, with no guarantee of success, is required to disable (or remove) IME at the BIOS level. Sheesh!

The lead-in graphic for this story comes from Intel’s Converged Security and Management Engine Version Detection Tool (CSMEVDT). For the X220 Tablet, it shows that the system is no longer supported (no surprise there, considering its age). No new releases planned, either…

Increasing Horror Results When Pondering IME

In fact, the more I learn about the Intel Management Engine, the more disturbed I become. The Wikipedia article (cited above) does a good job of hitting the high points. What I learned from direct experience on my X220 Tablet is also scary. The article goes so far as to speculate that state-level threat actors have been actively seeking out IME exploits for over a decade.

But alas, even after disabling IME in BIOS, the Recovery State error continues. At least the related driver error for “Serial Over LAN” (SOL) access no longer appears in Device Manager.

For the moment, I’m against making BIOS hacks. I’m pretty sure that the absence of the SOL driver means IME can no longer access the network. But gosh, this is a scary set of security vulnerabilities to contemplate. Indeed, the rest of my Intel-based systems have IME “working properly.” That’s where my real concerns begin. I’ll have to make sure to patch them all, pronto!


Beware Potential Defender Engine 1.1.18100.5 Gotcha

Here’s an interesting item. Check your system/boot (usually C:) drive in Windows 10. If it’s filling up (or full), that may come from a (hopefully temporary) Windows Defender gotcha. The program starts creating loads of 2K binary files in the Scans/History/Store subfolder. Ghacks reports tens of thousands to nearly a million such files showing up on affected PCs. Normally, a healthy Defender installation has one or two files in this folder (shown in the lead-in graphic). That makes it easy to check if a system is subject to this potential Defender Engine 1.1.18100.5 gotcha.

How to Check For Potential Defender Engine 1.1.18100.5 Gotcha

The complete directory path to check is:

C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store

If you see more than a handful of files there, you may be subject to the gotcha. If it’s chock-full of files and your C: drive is filling up, the gotcha is active! It’s OK to delete those files (Defender will make more), according to Brinkmann.

Brinkmann theorizes that the current Defender Engine version — namely 1.1.18100.5 — is responsible. He says MS is aware of the gotcha, and is planning a fix with the next engine update. That new version should carry an ID of 1.1.18100.6, and be ready as soon as Thursday, May 6.
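The folder check and engine-version check above, combined into one added PowerShell script that is not from the original post. It assumes Defender is the active AV, that the Store path is as given above, and that the built-in Defender module’s Get-MpComputerStatus cmdlet is available; the five-file threshold for “more than a handful” is my own choice.

```powershell
# Added example, not from the original post: check a Windows 10 PC for the
# Scans\History\Store symptom and report the running Defender engine version.
# Assumptions: Defender is the active AV, the folder path is as in the post, and
# Get-MpComputerStatus (built-in Defender PowerShell module) is available.
$storePath      = 'C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store'  # path from the post
$affectedEngine = [version]'1.1.18100.5'   # engine blamed for the gotcha
$fixedEngine    = [version]'1.1.18100.6'   # engine expected to carry the fix
$normalCeiling  = 5                        # healthy folder holds one or two files; 5 is my threshold

# Reading this folder needs an elevated prompt. Count rather than list, because the
# bug can leave hundreds of thousands of entries behind.
$files = Get-ChildItem -Path $storePath -File -Force -ErrorAction SilentlyContinue
$count = @($files).Count
$bytes = ($files | Measure-Object -Property Length -Sum).Sum
"Store folder: $count file(s), {0:N1} MB" -f ($bytes / 1MB)

$engine = [version](Get-MpComputerStatus).AMEngineVersion
"Defender engine: $engine"

if ($engine -ge $fixedEngine) {
    "Engine $engine carries the fix; any leftover files can be deleted (Defender recreates what it needs)."
} elseif ($engine -eq $affectedEngine -and $count -gt $normalCeiling) {
    Write-Warning "Affected engine with $count files in Store: the gotcha is active. Deleting the files is safe; watch for the engine update via Windows Update."
} elseif ($engine -eq $affectedEngine) {
    "Affected engine installed but only $count file(s) so far: no symptom yet; keep an eye on C: free space."
} else {
    "Engine $engine is not the one reported; $count file(s) in Store."
}
```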

FWIW, I checked all of my Windows 10 PCs. While all of them are indeed running Engine version 1.1.18500.5, none of them is showing symptoms indicative of the gotcha. Clearly, it’s out there. But it’s not clear how widespread or active this gotcha may be. And it sounds like MS is already working on a fix that should do away with it completely.

At least, we don’t have to wait too long to find out if a fix is forthcoming. As I write this item, it could be just over 24 hours from release. For the record, Microsoft updates usually hit the Internet at 9:00 AM Pacific Time on release days. That’s about 26.5 hours from now.

Note Added May 5 Afternoon

A new engine build is already out, and should download automatically to all Windows 10 PCs running Defender. I just found it already installed on my test PCs, to wit:

[Screenshot: Windows Security showing the new engine version]

Note the new engine is out: 1.1.18100.6. Problem solved!

That was quick! Glad MS is on the ball today. Thanks to @WindowsInsider and the whole Windows Team.
