Microsoft antimalware to lock down system settings

Back in October Microsoft announced that it would soon add detections to its antimalware products for behaviors exhibited by some misbehaving software. On Thursday they announced that some of these changes take effect immediately and others on January 1.

The behaviors mostly deal with browser extensions and settings. Many such problems have been blocked in all major browsers by a disabled-by-default model for newly-installed extensions, requiring the user to affirmatively choose to install new software. But some programs have found hacks around these restrictions. Microsoft has defined these two behaviors as unacceptable:

1. Bypassing consent dialogs from browsers that ask you if you want to install browser toolbars/extensions/add-ons.
2. Preventing you from viewing or modifying browser features or settings.

For example, some software has used Group or Local Policy Objects, registry changes, and preferences file modifications to permit the installation of software which is blocked or disabled by default.

This sort of capability, sometimes called HIPS (Host Intrusion Prevention Service), is common in other modern security suites. Kaspersky calls it Application Privilege Control, part of a set of related services that are much more flexible and comprehensive than Microsoft's.

But Microsoft's antimalware products set an effective baseline that users get by default. In a statement, Microsoft said that the new enforcement applied to all browsers, not just to Internet Explorer.

Microsoft also cites applications and extensions that prevent the user from viewing or modifying browser settings, or change settings back after the user modifies them. And then there are the extensions which prevent the user from modifying or deleting them, such as in this example:

Misbehaving programs do this by disabling the controls in the Manage Add-ons dialog. Other programs have set network proxies and then disabled the control which lets the user change the proxy setting (Internet Options->LAN Settings).

All of the above changes go into effect immediately through all of Microsoft's anti-malware products.

When asked why the enforcement is made through antimalware products rather than in Windows itself, Microsoft noted that "[T]he user consent dialogs are built into the browsers themselves. Protection against applications that are bypassing these dialogs is done through our Microsoft security products which are incorporated into our latest operating system by default."

Microsoft has defined one more behavior as unacceptable: programs may not "... circumvent user consent dialogs from the browser or operating system." This change will go into effect on January 1.

A prime example is that of software which bypass the "Enable" prompt for the extension, as in this phony Microsoft example:

This rule also applies to extensions which interfere with user approval of default search engine changes.