PC Pro

ADVANCED EXPLOIT PROTECTION


At the bottom of the “App & browser control” page, you’ll find a link to “Exploit protection settings”. Click it and you’ll see a list of technical features in Windows that make it hard for malware to get into places it shouldn’t – they’re switched on by default and you should leave them all on. If you’re curious about what they do, though, here’s an overview:

Control flow guard:

Some malware works by tricking a legitimate program into storing a carefully crafted set of binary data in memory, then executing that data as code. “Control flow guard” blocks this by only allowing a program to jump to functions that were identified at the time of compilation as valid places for code to start running.

Data execution prevention:

Similar to the above, this blocks any attempt to execute instructions that weren’t explicitly declared as executable at the time they were stored in memory.

Mandatory ASLR:

“Address space layout randomisation” (ASLR) ensures that components of Windows and apps aren’t always loaded into the same memory locations. This makes it harder for hackers to discover and exploit vulnerable code.

Bottom-up ASLR and high-entropy ASLR:

These options work similarly to mandatory ASLR, but with progressively greater degrees of randomness. Not all programs support these protections, but if they’re enabled then Windows will take advantage of them wherever it can.

Validate exception chains:

In order to trigger an exploit, a piece of malware may tamper with the information about what code should be executed when a high-priority “exception” event occurs. This feature checks that the exception handling information is intact and consistent before handing over control to the code it refers to.

Validate heap integrity:

This does much the same thing, but focuses on the “heap” of memory allocated to each program, ensuring that it hasn’t been overwritten with unvalidated content that could trigger unintended behaviour.

Windows Security also provides a tab that lets you override settings for specific programs, and offers protections such as blocking untrusted fonts or calls to the old 32-bit Windows kernel. There are settings for many system components here, but unless you’re developing your own code, we recommend you don’t try to add or change anything. Tinkering is unlikely to block any threats that would otherwise have gone unnoticed, but could cause programs to stop working properly.
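If you want to confirm from the command line that the system-wide defaults described above are still in place, the following PowerShell script (an added example, not part of the PC Pro article) reads them through the ProcessMitigations module that ships with Windows 10 and 11. The property names it uses (CFG.Enable, DEP.Enable, ASLR.ForceRelocateImages and so on) are assumed to match the output of Get-ProcessMitigation on current builds; run it in an elevated PowerShell window.

```powershell
# Added example: audit the system-wide exploit protection defaults that the
# article lists, without changing anything. Values are ON, OFF or NOTSET;
# NOTSET means Windows applies its own built-in default.
Import-Module ProcessMitigations

$sys = Get-ProcessMitigation -System

# Map each feature name from the article to its mitigation setting
# (property names assumed from Get-ProcessMitigation's output object).
$checks = [ordered]@{
    'Control flow guard'        = $sys.CFG.Enable
    'Data execution prevention' = $sys.DEP.Enable
    'Mandatory ASLR'            = $sys.ASLR.ForceRelocateImages
    'Bottom-up ASLR'            = $sys.ASLR.BottomUp
    'High-entropy ASLR'         = $sys.ASLR.HighEntropy
    'Validate exception chains' = $sys.SEHOP.Enable
    'Validate heap integrity'   = $sys.Heap.TerminateOnError
}

$explicitlyOff = @()
foreach ($name in $checks.Keys) {
    $value = $checks[$name]
    '{0,-28} {1}' -f $name, $value
    # Only an explicit OFF means someone has overridden the default the
    # article recommends leaving alone; NOTSET keeps the default in force.
    if ("$value" -eq 'OFF') { $explicitlyOff += $name }
}

if ($explicitlyOff.Count -eq 0) {
    'All listed protections are at their default or explicitly on.'
} else {
    'Explicitly disabled: ' + ($explicitlyOff -join ', ')
    # An administrator can switch a system default back on with, for example:
    #   Set-ProcessMitigation -System -Enable DEP,CFG,SEHOP
    # Per-program overrides (the other tab) are not touched by -System.
}
```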
