Win 11 system requirements and compatibility talk

Started 7 months ago | Discussions
Sean Nelson
Sean Nelson Forum Pro • Posts: 15,164
Re: Will security requirements help with ransomware protection?

abelits wrote:

Billiam29 wrote:

The only means I could ever see being possible for OS protection against ransomware would be to restrict file system access only to code-signed executables.

It won't work. If all executables (really executables and libraries) are signed, then vulnerable executables that are present on the system must be signed, too. So whenever any vulnerability is exploited, file access is open.

Ah, but now you know exactly where that executable came from and whether or not to trust it.  That would be a huge step.  Unfortunately it might rule out a lot of useful software from nonprofessional sources.

OP Billiam29 Senior Member • Posts: 2,180
Re: Will security requirements help with ransomware protection?

Sean Nelson wrote:

abelits wrote:

Billiam29 wrote:

The only means I could ever see being possible for OS protection against ransomware would be to restrict file system access only to code-signed executables.

It won't work. If all executables (really executables and libraries) are signed, then vulnerable executables that are present on the system must be signed, too. So whenever any vulnerability is exploited, file access is open.

Ah, but now you know exactly where that executable came from and whether or not to trust it. That would be a huge step.

The most basic of things would be that hopefully (big fat wish here) CAs that the OS would recognize would simply not be issuing code signing certificates to organizations that create ransomware. The usual trust problems of stolen certificates, sneakily installed CA certs, and so forth would still be present of course. Those are at least on par with what’s already known and actionable though.

Unfortunately it might rule out a lot of useful software from nonprofessional sources.

Right, I checked a handful of apps from independent developers that I have  and the results were a coin toss. For example, a seemingly “small” mp3 tagging utility was code signed. Faststone Image Viewer was not.

abelits
abelits Contributing Member • Posts: 810
Re: Will security requirements help with ransomware protection?

Sean Nelson wrote:

abelits wrote:

Billiam29 wrote:

The only means I could ever see being possible for OS protection against ransomware would be to restrict file system access only to code-signed executables.

It won't work. If all executables (really executables and libraries) are signed, then vulnerable executables that are present on the system must be signed, too. So whenever any vulnerability is exploited, file access is open.

Ah, but now you know exactly where that executable came from and whether or not to trust it.

Once the data is written, you have no idea how exactly it happened. Some systems keep audit log of all accesses, however that requires enormous amount of space, and those records, too may not be reliable once the system is compromised.

If such solutions are considered acceptable, It would be much easier to create a "write-only" file system where all files, once written, are read-only and immutable. That would create less trouble for the users and take up less space, too.

That would be a huge step. Unfortunately it might rule out a lot of useful software from nonprofessional sources.

It would be worthless because vulnerabilities will be still there.

 abelits's gear list:abelits's gear list
Fujifilm X-Pro1 Fujifilm X-T2 Fujifilm XF 35mm F1.4 R Fujifilm XF 14mm F2.8 R Fujifilm XF 55-200mm F3.5-4.8 R LM OIS +16 more
abelits
abelits Contributing Member • Posts: 810
Re: Will security requirements help with ransomware protection?

Austinian wrote:

abelits wrote:

Austinian wrote:

As an individual with only single-user PCs to protect, I fortunately have a much simpler task than IT professionals; I can't begin to grasp the difficulties involved in restoring function to enormous, widely distributed networks after a successful attack.

Restoring everything on a large network is easy -- just use images stored offline and update them from the last known good backup. Because when someone operates a large network, it's not a big deal to have backup that requires multiples of total storage space of all servers, or perform backup procedures that involve physically moving media.

Then recovering from even a massive corporate malware attack is easy!

Once "full restore of all managed computers from backups" procedure is implemented, and all resources are in place, it is trivial to perform it.

How it will affect ongoing operations of the company, is a completely different matter, however at very least it would take care of the ransomware attack.

On the other hand, a home user would never buy a backup appliance with even twice the storage space of his PC, leave alone manually move backup media in and out to ensure that at least one known-good copy is physically inaccessible.

(I hope you are joking.)

I do not. If a home user just bought a 16-terabytes NAS for his desktop with a 4-terabyte SSD, he would not be happy to hear that now he also has to buy a 40-terabyte backup appliance.

 abelits's gear list:abelits's gear list
Fujifilm X-Pro1 Fujifilm X-T2 Fujifilm XF 35mm F1.4 R Fujifilm XF 14mm F2.8 R Fujifilm XF 55-200mm F3.5-4.8 R LM OIS +16 more
Sean Nelson
Sean Nelson Forum Pro • Posts: 15,164
Re: Will security requirements help with ransomware protection?

abelits wrote:

Sean Nelson wrote:

abelits wrote:

Billiam29 wrote:

The only means I could ever see being possible for OS protection against ransomware would be to restrict file system access only to code-signed executables.

It won't work. If all executables (really executables and libraries) are signed, then vulnerable executables that are present on the system must be signed, too. So whenever any vulnerability is exploited, file access is open.

Ah, but now you know exactly where that executable came from and whether or not to trust it.

Once the data is written, you have no idea how exactly it happened.

In an world of online forums, it wouldn't take all that long for the community to find the correlation between what signed program was installed across systems that corresponded to incidents.  You already see that with unsigned software.

filibuster
filibuster Veteran Member • Posts: 4,257
Re: Win 11 Security - Defender

Now here’s a thing: Installed without issue, Win 11 on two Dell laptops thanks to Bouldergramp popping the link to the UUP Dump Tool. On both, and on bootup, I get Defender notifying ‘Windows Security - Actions Recommended’. ‘Virus & Threat Protection’. ‘Turn On’. Which I do. But subsequent reboots or shutdown and boot ups, the same message - every time. (Both laptops). Anyone else experiencing the same, with a resolution?

Keith

-- hide signature --

If it ain't broke, fix it until it is!
filibuster (Bromsgrove, Worcestershire, UK)
RAPID FIRE SLIDESHOW
https://photos.app.goo.gl/nnwA69ZWaEdiUvGY9
FILIBUSTER TOWERS - 2020
https://photos.app.goo.gl/orQzawc5Qx6XUs8E8
APPLIED - MY BATCH PROCESSING SCRIPT
https://photos.app.goo.gl/cg9xuaGWwjB45fTu6
ASTRO TURF THE GARDEN
https://photos.app.goo.gl/GyeDrjncjKh1X7pJ8

Austinian
MOD Austinian Forum Pro • Posts: 11,967
Re: Win 11 Security - Defender
1

filibuster wrote:

Now here’s a thing: Installed without issue, Win 11 on two Dell laptops thanks to Bouldergramp popping the link to the UUP Dump Tool. On both, and on bootup, I get Defender notifying ‘Windows Security - Actions Recommended’. ‘Virus & Threat Protection’. ‘Turn On’. Which I do. But subsequent reboots or shutdown and boot ups, the same message - every time. (Both laptops). Anyone else experiencing the same, with a resolution?

I've currently got two Insider laptops with 11; one does what you say, the other works properly. They're both Dell Inspiron 2in1s, i5-6200U 15" and i5-1135G7 17".

The odd thing is, the newer, 11-compliant laptop is the one with the problems! I've tried a number of workarounds, and nothing has worked. I'm just waiting for a later release that will (hopefully) solve that problem and a glitch where I have no choice of lockscreen image despite tweaking the Registry and a few other attempted fixes. I can, and did, turn off the lockscreen image rather than see the default image.

These things are minor annoyances, but I hope they're eventually fixed.

 Austinian's gear list:Austinian's gear list
Sony a7R IV Panasonic Lumix DC-G9 Sony FE 50mm F2.8 Macro Sony FE 24-105mm F4 Tamron 20mm F2.8 Di III OSD +3 more
filibuster
filibuster Veteran Member • Posts: 4,257
Re: Win 11 Security - Defender

Thanks for that Austinian. More an irritant than a issue. Will probably get auto-sorted with another release further down the line. Not overly bothered. Just wondered if I was alone with that one.

-- hide signature --

If it ain't broke, fix it until it is!
filibuster (Bromsgrove, Worcestershire, UK)
RAPID FIRE SLIDESHOW
https://photos.app.goo.gl/nnwA69ZWaEdiUvGY9
FILIBUSTER TOWERS - 2020
https://photos.app.goo.gl/orQzawc5Qx6XUs8E8
APPLIED - MY BATCH PROCESSING SCRIPT
https://photos.app.goo.gl/cg9xuaGWwjB45fTu6
ASTRO TURF THE GARDEN
https://photos.app.goo.gl/GyeDrjncjKh1X7pJ8

Austinian
MOD Austinian Forum Pro • Posts: 11,967
"How to bypass Windows 11 limits and install on almost any old PC"

"Kids, don't try this at home!"

(IOW, do this at entirely your own risk on a non-essential PC. I will not be trying this myself.)

https://www.zdnet.com/article/how-to-bypass-windows-11-limits-and-install-on-almost-any-old-pc/

 Austinian's gear list:Austinian's gear list
Sony a7R IV Panasonic Lumix DC-G9 Sony FE 50mm F2.8 Macro Sony FE 24-105mm F4 Tamron 20mm F2.8 Di III OSD +3 more
Vernon D Rainwater Forum Pro • Posts: 14,632
Re: Win 11 system requirements and compatibility talk

Billiam29 wrote:

I just thought it would be a good idea to create this thread since Bouldergramps’ “Windows 11 PC Health Check” thread reached the maximum amount of replies. Consider this thread just a continuation of that one.

I hope Austinian doesn’t mind I created this. He’s absolutely welcome to lock or outright delete this thread if he thinks it best. It just seemed like there is still plenty of legitimate discussion to be had on the subject.

It is difficult to understand how so many can become concerned regarding Windows 11 since evidently it is in a VERY unfinished stage at this time.  Perhaps there is a need for something to "Scream" about even though it perhaps will have many changes before it becomes Mature.

-- hide signature --

Vernon...

Austinian
MOD Austinian Forum Pro • Posts: 11,967
Re: Win 11 system requirements and compatibility talk
1

Vernon D Rainwater wrote:

Perhaps there is a need for something to "Scream" about even though it perhaps will have many changes before it becomes Mature.

No one should be screaming. Windows 10 has more than four years of support left; anyone who is interested in simply running their applications doesn't need to be concerned at all about 11. As you say, it's likely to be different when it's released, and may be very different indeed before Windows 10 is unsupported.

 Austinian's gear list:Austinian's gear list
Sony a7R IV Panasonic Lumix DC-G9 Sony FE 50mm F2.8 Macro Sony FE 24-105mm F4 Tamron 20mm F2.8 Di III OSD +3 more
filibuster
filibuster Veteran Member • Posts: 4,257
Re: Win 11 system requirements and compatibility talk

Have to admit, that on both laptops that are running it, I’m finding it pretty slick. But there again, so too is Win 10. And once I got amongst the various settings, configuring it how I wished to look and feel, (which in essence is pretty much the comfort zone of how Win 10 looks, I sometimes needed the reminder that I was on 11 and not 10. Especially when I had shifted the taskbar icons back to left hand side.

-- hide signature --

If it ain't broke, fix it until it is!
filibuster (Bromsgrove, Worcestershire, UK)
RAPID FIRE SLIDESHOW
https://photos.app.goo.gl/nnwA69ZWaEdiUvGY9
FILIBUSTER TOWERS - 2020
https://photos.app.goo.gl/orQzawc5Qx6XUs8E8
APPLIED - MY BATCH PROCESSING SCRIPT
https://photos.app.goo.gl/cg9xuaGWwjB45fTu6
ASTRO TURF THE GARDEN
https://photos.app.goo.gl/GyeDrjncjKh1X7pJ8

Austinian
MOD Austinian Forum Pro • Posts: 11,967
Re: Win 11 system requirements and compatibility talk

filibuster wrote:

Have to admit, that on both laptops that are running it, I’m finding it pretty slick.

Me too. The UI seems quite usable despite having fewer config choices than 10.

But there again, so too is Win 10. And once I got amongst the various settings, configuring it how I wished to look and feel, (which in essence is pretty much the comfort zone of how Win 10 looks, I sometimes needed the reminder that I was on 11 and not 10. Especially when I had shifted the taskbar icons back to left hand side.

I never forget which OS I'm using, since I use a left-side taskbar and custom toolbar on 10. Not possible on 11 AFAIK, but so far I don't mind adapting to it.

 Austinian's gear list:Austinian's gear list
Sony a7R IV Panasonic Lumix DC-G9 Sony FE 50mm F2.8 Macro Sony FE 24-105mm F4 Tamron 20mm F2.8 Di III OSD +3 more
bananahead Contributing Member • Posts: 527
Re: Win 11 system requirements and compatibility talk

Austinian wrote:

Vernon D Rainwater wrote:

Perhaps there is a need for something to "Scream" about even though it perhaps will have many changes before it becomes Mature.

No one should be screaming. Windows 10 has more than four years of support left; anyone who is interested in simply running their applications doesn't need to be concerned at all about 11. As you say, it's likely to be different when it's released, and may be very different indeed before Windows 10 is unsupported.

Indeed.

There has been an update this week. There will be weekly builds introducing polish and features every week.

I have software that checks for OS version and it reports Win 11 as Win 10.

 bananahead's gear list:bananahead's gear list
Canon EOS R5 Canon RF 28-70mm F2L USM
The Point and Shoot Pro
The Point and Shoot Pro Senior Member • Posts: 2,041
Re: Win 11 system requirements and compatibility talk

bananahead wrote:

Austinian wrote:

Vernon D Rainwater wrote:

Perhaps there is a need for something to "Scream" about even though it perhaps will have many changes before it becomes Mature.

No one should be screaming. Windows 10 has more than four years of support left; anyone who is interested in simply running their applications doesn't need to be concerned at all about 11. As you say, it's likely to be different when it's released, and may be very different indeed before Windows 10 is unsupported.

Indeed.

There has been an update this week. There will be weekly builds introducing polish and features every week.

I have software that checks for OS version and it reports Win 11 as Win 10.

Exactly.  It's months away from going public.  All these "issues" will be worked out before they flick the switch.  I do not use insiders programing on my PCs.  I did on my windows mobile devices, but mobile OS are a lot harder to screw up and easier to fix.  My 1020 on 10 mobile was AWESOME.  Way better than my crappy iPhone 11 I have now.  If only MS stayed a player with windows 10 mobile.

-- hide signature --

One Lens, No Problem
The Point and Shoot Pro

 The Point and Shoot Pro's gear list:The Point and Shoot Pro's gear list
Fujifilm X-S1 Fujifilm X10 Canon PowerShot A570 IS Kodak DC220 Apple iPhone 11 +4 more
abelits
abelits Contributing Member • Posts: 810
Re: Will security requirements help with ransomware protection?

Sean Nelson wrote:

abelits wrote:

Sean Nelson wrote:

abelits wrote:

Billiam29 wrote:

The only means I could ever see being possible for OS protection against ransomware would be to restrict file system access only to code-signed executables.

It won't work. If all executables (really executables and libraries) are signed, then vulnerable executables that are present on the system must be signed, too. So whenever any vulnerability is exploited, file access is open.

Ah, but now you know exactly where that executable came from and whether or not to trust it.

Once the data is written, you have no idea how exactly it happened.

In an world of online forums, it wouldn't take all that long for the community to find the correlation between what signed program was installed across systems that corresponded to incidents.

That would require a very large number of people with and also very large number of people without a given program reliably determining success of a particular exploit. It does not work.

You already see that with unsigned software.

At best, it could find blatant and obvious trojan horse programs. Could because it worked when it was unheard of for legitimate software to perform anything invasive or communicate with the vendor, so trojans stood out like sore thumbs.

For vulnerabilities it never worked. They are all either published by their authors or found by proactive testing, or by observation of exploits in the wild.

 abelits's gear list:abelits's gear list
Fujifilm X-Pro1 Fujifilm X-T2 Fujifilm XF 35mm F1.4 R Fujifilm XF 14mm F2.8 R Fujifilm XF 55-200mm F3.5-4.8 R LM OIS +16 more
OP Billiam29 Senior Member • Posts: 2,180
Re: Will security requirements help with ransomware protection?

abelits wrote:

Sean Nelson wrote:

In an world of online forums, it wouldn't take all that long for the community to find the correlation between what signed program was installed across systems that corresponded to incidents.

That would require a very large number of people with and also very large number of people without a given program reliably determining success of a particular exploit. It does not work.

You already see that with unsigned software.

At best, it could find blatant and obvious trojan horse programs. Could because it worked when it was unheard of for legitimate software to perform anything invasive or communicate with the vendor, so trojans stood out like sore thumbs.

For vulnerabilities it never worked. They are all either published by their authors or found by proactive testing, or by observation of exploits in the wild.

I floated this idea specifically as a hypothetical means for an OS to counter ransomware which is what the subject even still says for this sub-thread. Now it appears as if you’re arguing against it based on impracticalities for use combating general exploits and vulnerabilities. That’s not the context.

If you think such an idea is impractical to develop and implement solely for ransomware protection while not also protecting against other types of threats, that’s fine. I’m not getting that based on what you just said though. You appear to be making arguments against the idea based on items other than the idea’s specific intended purpose of ransomware protection.

abelits
abelits Contributing Member • Posts: 810
Re: Will security requirements help with ransomware protection?

Billiam29 wrote:

abelits wrote:

Sean Nelson wrote:

In an world of online forums, it wouldn't take all that long for the community to find the correlation between what signed program was installed across systems that corresponded to incidents.

That would require a very large number of people with and also very large number of people without a given program reliably determining success of a particular exploit. It does not work.

You already see that with unsigned software.

At best, it could find blatant and obvious trojan horse programs. Could because it worked when it was unheard of for legitimate software to perform anything invasive or communicate with the vendor, so trojans stood out like sore thumbs.

For vulnerabilities it never worked. They are all either published by their authors or found by proactive testing, or by observation of exploits in the wild.

I floated this idea specifically as a hypothetical means for an OS to counter ransomware which is what the subject even still says for this sub-thread. Now it appears as if you’re arguing against it based on impracticalities for use combating general exploits and vulnerabilities. That’s not the context.

If you think such an idea is impractical to develop and implement solely for ransomware protection while not also protecting against other types of threats, that’s fine. I’m not getting that based on what you just said though. You appear to be making arguments against the idea based on items other than the idea’s specific intended purpose of ransomware protection.

Ransomware very, very rarely comes packaged under the guise of legitimate software, leave alone identifiable one. While it did happen recently, it may be years or decades before it will happen again at any scale that can be detected by amateurs of a forum, and even then professionals are going to be faster than that. Ransomware usually uses various vulnerabilities in client software (browsers, email readers, viewers of all kinds and libraries they use), and the user can not identify, which action or file resulted in its activation. Even when distributed using social engineering or as a part of software that is less than legitimate (say, license key generator for commercially distributed software), it's usually not specifically identifiable.

 abelits's gear list:abelits's gear list
Fujifilm X-Pro1 Fujifilm X-T2 Fujifilm XF 35mm F1.4 R Fujifilm XF 14mm F2.8 R Fujifilm XF 55-200mm F3.5-4.8 R LM OIS +16 more
CAcreeks
CAcreeks Forum Pro • Posts: 17,572
Re: Will security requirements help with ransomware protection?
1

abelits wrote:

Ransomware very, very rarely comes packaged under the guise of legitimate software, leave alone identifiable one. While it did happen recently, it may be years or decades before it will happen again at any scale that can be detected by amateurs of a forum, and even then professionals are going to be faster than that. Ransomware usually uses various vulnerabilities in client software (browsers, email readers, viewers of all kinds and libraries they use), and the user can not identify, which action or file resulted in its activation. Even when distributed using social engineering or as a part of software that is less than legitimate (say, license key generator for commercially distributed software), it's usually not specifically identifiable.

It's not ransomware, but the NSO spyware "Pegasus" enters cellphones, both iPhone and Android, via WhatsApp (owned by Facebook) software, and other messaging apps.

https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus

The mechanism for entering through WhatsApp has not been characterized in any article I've seen. Pegasus can be detected on your cellphone by installing a toolkit, as covered by the Times of India. They recommend destroying your phone if infected.

India Times - how to detect pegasus spyware

Keyboard shortcuts:
FForum MMy threads