
This forum thread needs a solution.

protection from .settingcontent-ms filetype abuse

I see a worrying article from Matt Nelson, in the Specter Ops site below, about the .SettingContent-ms filetype. His research has revealed that it is extremely easy to bypass the Attack Surface Reduction (ASR) rules.

Although Microsoft introduced Attack Surface Reduction (ASR) rules into Windows 10, it requires Windows Defender AV as a dependency. This means that if you have another registered AV installed (e.g. Norton Security), then the ASR rules that WOULD OTHERWISE be handled by Defender, are now dependent on the 3rd-party AV taking on the ASR role instead.

My question is:

Will Norton Security protect my system from the scenarios posted in the article (either with ANY of the "triple" command strings used that execute a file already on the system, or with the method whereby a user is tricked into clicking on a link that merely CONTAINS a crafted .SettingContent-ms file, that appears to run unchallenged)? My version is: 22.14.2.13.

https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

Replies


Re: protection from .settingcontent-ms filetype abuse

Hi, td47. I'll see if we can get an answer from one of the Symantec Admins.

@Mohan_G

@Sunil_GA

Windows 10 Home X 64

This thread is closed from further comment. Please visit the forum to start a new thread.