Category Archives: Security

Build 25158 Gains DNS Over TLS Support

Earlier this week, MS released Build 25158 into the Dev Channel. Among the many notes in this build’s announcements, you’ll find an item that starts off “DNS over TLS testing is now available for Windows DNS client query protection.” Thus, when Build 25158 gains DNS over TLS support, that means improved security for DNS traffic on networks everywhere. Given that DNS is a constant focus for direct and indirect attack, this is a good thing. So, how can you try this new feature out?

Putting Build 25158 Gains DNS Over TLS Support to Work

For brevity and convenience, DNS over TLS is usually abbreviated as DoT. Two ingredients are needed to take DoT for a spin:

1. You need to point your IP stack at a DoT DNS server. You’ll find a list of same at the DNS Privacy Project. It provided the lead-in graphic for this story, in fact. For the nonce, I’m using Google’s and addresses (and associated domain names for certificate authentication). There are several other options available.

2. A series of configuration tweaks, including Settings changes, and netsh and ipconfig commands, are required to set this up and make it work. Fortunately, all those details are covered in an MS Networking Blog post entitled “DNS over TLS available to Windows Insiders.” Therein, Tommy Jensen provides nicely illustrated step-by-step instructions to get you through the process.

More to Follow After Additional Try-Outs

I have two (2) test machines running Build 25158. I’ll try DoT on both of them, and let you know what happens. Mr. Jensen’s post on setting things up includes a potentially scary phrase. That is “This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide” (italic emphasis mine).

I’m afraid I know what this means. Indeed, I’ll be curious to see what’s still working — and what’s not — after experimenting with these changes. Given an upcoming out of office adventure, I might wait until week after next to put this to a real test. Stay tuned! In the meantime, you might find this Wikipedia article about DoT worth a quick read-through (good discussion and lots of good additional references there).


MS 365 Brings New Defender Aboard

OK, then. Now I finally understand what’s up with the Store-based version of Windows Defender. It’s been “out there” for while now for Insiders. Called “Microsoft Defender for individuals,” it’s available to anyone with an active Microsoft 365 subscription. (Either Personal or Family subscriptions qualify.) That’s why I say “MS 365 brings new Defender aboard” in today’s title. The lead-in graphic shows the dashboard (in part) from my production Windows 10 desktop. Both “other devices” run Windows 11.

When MS 365 Brings New Defender Aboard, Then What?

According to the tool is built on Microsoft Defender Endpoint technology. Thus, it brings the same cloud-based security to end users already available to Enterprise customers. A June 16 Microsoft Security blog post confirms this assertion. It describes this new Defender version as “an exciting step in our journey to bring security to all.” The tool works on Windows, iOS, Android, and macOS devices to provide family-wide protection across whole households.

MS explains Microsoft Defender for individuals as enabling the following capabilities (also including “continuous antivirus and anti-phishing protection for your data and devices”):

  • Manage your security protections and view security protections for everyone in your family, from a single easy-to-use, centralized dashboard.
  • View your existing antivirus protection (such as Norton or McAfee). Defender recognizes these protections within the dashboard.
  • Extend Windows device protections to iOS, Android, and macOS devices for cross-platform malware protection on the devices you and your family use the most.
  • Receive instant security alerts, resolution strategies, and expert tips to help keep your data and devices secure.

I’m giving it a try on my production PC which still runs Norton 360, along with a couple of my Defender-only test machines running Windows 11. Should be interesting to see how it all turns out! If you’d like to check it out for yourself and your devices (and your family’s, if applicable) visit the Microsoft 365 Defender page for a download link.




Various .NET Versions Facing EoS Soon

On April 4, an End of Support notice surfaced in  the MIcrosoft Message Center. Its initial text appears in the lead-in graphic for this story above. A quick summary of its contents is that various .NET versions facing EoS soon. The version numbers involved are 4.5.2, 4.6 and 4.6.1 runtime. MS recommends that affected PCs update to .NET Framework 4.6.2 before April 26, 2022. No updates or security patches will be issued for those versions after that date.

If Various .NET Versions Facing EoS Soon, Then What?

This is an issue only if certain applications still in use employ those older .NET versions, and they themselves haven’t yet been upgraded to use a newer one. As I look at the relevant folder in my production  Windows 10 desktop — namely:


these are the folders that I see

If I understand how this works correctly, all versions lower than 4.0 reflect older .NET versions currently installed on this PC. Thus by reading the version numbers for those folders you can see that 5 such versions are installed, from v1.0.3705 through v3.5.

On the other hand, if you display properties for any .dll file in the V4.0.30319 folder, you’ll see what version of .NET is currently present, to wit:The Product Version line reads 4.8.4084.0, and tells me that I’ve got the latest and greatest .NET version installed here, as well as the earlier versions already mentioned.

What To Do About Impending Retirements?

If you’re using no software that depends on earlier .NET versions, you need do nothing. OTOH, if some of your software does depend on them you must decide if you’ll keep using it and risk possible security exposure, or find an alternative that isn’t subject to such risk. For my part, I recommend the latter approach, unless there’s no other choice. And in that case, the safest thing to do would be to run such software in the MIcrosoft Sandbox as a matter of prudent security policy. ‘Nuff said!


Windows Memory Integrity Now Covers Device Drivers

With the latest versions of Windows 10 and 11, Windows Security gains driver level protection. I’m talking about Build 19044.1586 or higher for Windows 10. Also, 22000.593 or higher for production 11, and 22581.200 or higher for Dev Channel Insider Previews. Looks like those still running Beta (22000.588, or higher) are also covered. Go into Microsoft Security, under the left-panel Device security heading. Drill into Core isolation details, then turn on Memory integrity (see lead-in graphic). Do all those things, and Windows memory integrity now covers device drivers. I’ll explain. . .

What Windows Memory Integrity Now Covers Device Drivers Means

With Core Isolation turned on (requires Hyper-V and VM support turned on in UEFI or BIOS), you can visit the MS Support Core isolation page to learn more. It also provides detailed, step-by-step instructions on how to turn this feature on (note: a restart is required).

Here’s a brief summary:

1. Memory integrity, aka Hypervisor-protected Code Integrity (HVCI), enables low-level Windows security and protects against driver hijack attacks.

2. Memory integrity creates an isolated environment (e.g. a sandbox) using hardware virtualization.

3. Programs must pass code to memory integrity inside the sandbox for verification. It only runs if the memory integrity check confirms code safety. MS asserts “Typically, this happens very quickly.”

Essentially, memory integrity/core isolation puts security inside a more secure area. There it can better protect itself from attack, while prevents drivers (and the runtime environments they serve) from malicious code and instructions.

What Can Go Wrong?

If any suspect drivers  are already present on a target system, you can’t turn memory integrity on. Instead you’ll get an error message something like this:

Note: the name of the driver appears in the warning. Thus, you can use a tool like RAPR.exe to excise it from your system. Be sure to find and be ready to install a safe replacement because that may render the affected device inaccessible and/or unusable.

Should you attempt to install a suspect or known malicious driver after turning this security feature on, Windows will refuse. It will provide a similar error message to report that the driver is blocked because it might install malware or otherwise compromise your PC.

That’s good: because that means driver protection is working as intended. Cheers!


AdwCleaner Roots Out PUAs

For months now, I’ve been seeing traces of a low-risk “potentially unwanted app”  (PUA) on one of my Dev Channel test PCs. You can see the Windows Security log trace entry for this item above. It’s named FusionCore.C and it shows up as low-risk adware. This morning I ran Malwarebytes’ AdwCleaner (v 8.3.1) to see if it would make it go away. It did, so I can report that AdwCleaner roots out PUAs. It’s free and doesn’t install so it inflicts no system footprint, either.

Because AdwCleaner Roots Out PUAs, Use It!

Now that Microsoft Defender has shown itself to be a great first-line of security defense for Windows PCs, I don’t recommend third-party AV or other real-time protection tools anymore. That said, cleanup tools like AdwCleaner can be helpful. That goes double, because while Defender flags FusionCore.C and other adware instances, it doesn’t offer its own clean-up capability (or even remediation advice).

When you run the AdwCleaner executable (adwcleaner_8.3.1.exe), it finds the two offending PUA elements right away. These consist of a .tmp file and and .exe file. Both have FusionCore.C in their file names. If you check those items under the PUP (Potentially Unwanted Program) heading, you can flag them for quarantine and removal. The following screencap shows the two items checked for potential quarantine.

AdwCleaner Roots Out PUAs.checked

All you need to do to flag items is to check the box to the left for each one you’d like to quarantine or remove.

Then, simply click Next to get to the quarantine Window. On this PC a bunch of pre-installed Lenovo items also appear (I don’t care about those: I actually USE most of them). I check none of those items, which are hidden behind the fore-window that says “Cancel” and “Continue.” I choose “Continue” and the items get quarantined. I run another Defender scan and sure enough, the PUAs no longer get reported. A visual inspection of the source folder (shown in the lead-in graphic) shows the items are no longer present there as well. Good-oh!

AdwCleaner Roots Out PUAs.quarantine

Click “Continue” and the checked PUA items go into quarantine, and off Defender’s scan radar. Done!


MS Defender Preview Accepts Personal MSAs

Hoo boy! I’ve been checking in on the Store-based version of the Microsoft Defender Preview since last November. Until this morning, I had no luck getting this cross-platform, multi-device app working. After seeing a story in WindowsUpdate minutes ago, I zipped into the MS Store to try again. And indeed, now that MS Defender Preview accepts personal MSAs (Microsoft Accounts) it appears to be working!

If MS Defender Accepts Personal MSAs, Anybody Can Use It

In the next screencap you can see the dashboard screen from the Microsoft Defender Preview. One must, however, also install this app on other devices before they show up on this dashboard. So naturally, I dashed over to my other Dev Channel test machine (via RDP, no physical movement needed) and used the URL to go straight to the app in Store:

MS Defender Preview Accepts Personal MSAs.dashboard

The dashboard doesn’t look like much until you start adding devices. [Click image for full-sized view.]

After a quick  update, I opened the newest version to see the initial welcome screen I missed on my first MS Defender Preview encounter. I signed up with the same MSA (so both devices would show up on a single dashboard: IDs are deliberately obscured).

To see devices on the same dashboard, you must associate them with a common MSA. [Click image for full-sized view.]

With Time and Exposure, More to Come

That’s about all I have time to deal with this morning. I’m tightly wrapped in legal business this week, so my posts will be short and less frequent than usual. This opening up of the preview, however, was big enough news that I had to share. Check it out, and have fun!


New MS Defender Preview Impediment

I have to chuckle. At the start of November, I wrote here that “I Get No MS Defender Preview.” Just to check up, I went back to the store to grab the Preview. It was no surprise at all that I can still report the same thing. What’s different now is the error message that comes up, as shown in the lead-in graphic. My latest sticking point represents a new MS Defender Preview impediment. As you can see, my account is now recognized, but I can’t log into the preview. Sigh.

Clueless on Overcoming New MS Defender Preview Impediment

I’ve dug around online, at both Microsoft and third-party Windows sites. I cannot find any info on how to subscribe to the Microsoft Defender Preview. Presumably, that would also provide me with necessary login info. But there’s no enlightenment obtainable on how that might be arranged.

Often, when Windows features go into limited release in the Preview channels, I find myself at the end of the pack in gaining access. That phenomenon seems likely in this case, too. I’ll raise a flag in the WIMVP forums and see if I can provoke any action. Shoot! I’d be happy just to get more information on how to subscribe and start participating in the Microsoft Defender Preview.

But — as is so often the case in my experience — I’m on the outside looking in. I know this Preview is happening. I simply can’t get access to it, to sample its functions and capabilities. Stay tuned: I’ll keep you posted as I try to work my way into that charmed space. Hopefully that will happen sooner rather than later. We’ll see!


When Security Stymies Update Remove and Reinstall

Here’s an interesting issue — and another reason why I’m abandoning Norton security after I get my new PC built. I just tried to update CrystalDiskInfo and I couldn’t make it work. Norton data protection prevented the installer from — of all things — deleting old .bmp files for icons and graphics, to replace them with new ones. Even after I turned everything in Norton off for which it provides controls, the &*%$$ program still got in the way. Then it occurred to me: when security stymies update remove and reinstall still works. So that’s what I did, and that’s how I got it to work. Sheesh!

When Security Stymies Update Remove and Reinstall for New Version

Because update operations wouldn’t proceed even after disabling the auto-protect, firewall, and AV functions (see lead-in graphic), I was faced with two alternatives. First, I could completely uninstall Norton and then update. Or second, I could uninstall the old CrystalDiskInfo version, and then cleanly install  the new one. Because it was so much less time and labor intensive to undertake the latter, that’s what I did.

But man! I *HATE* it when security software gets in the way of authorized, valid update behavior and I can’t make it stop. By itself, that’s enough to have pushed me to get rid of Norton. But I’d already planned to do that anyway. I still use the password manager (which is a pretty good one), but I have no use any longer for the rest of the suite.

It just goes to show you: when it comes to maintaining Windows PCs, there’s always something lurking in the background ready to strike. This time, I got stung just a little. But sometimes, workarounds are less obvious, or less easy to find and apply. This time, I got lucky…


I Get No MS Defender Preview

The other day, I found myself unable to partake of Online Service Experience Packs in Windows 11. With tongue in cheek, I asserted that I found myself on the outside looking in. It’s nothing new to me when certain preview or pre-release features open to some — but not all — Windows Insiders. Today, I’m in the same boat again. There’s a new version of Microsoft Defender available in the MS Store for download. As you can see from the lead-in graphic for this story, I get no MS Defender Preview. Instead I get an error message that reads “Your account isn’t authorized to use Microsoft Defender yet.” Sigh. I hope I haven’t jinxed myself.

If I Get No MS Defender Preview, Then What?

It’s frustrating to be a vocal, committed and active Windows Insider yet be denied access to new features and apps as they make their way into release. As far back as I can remember, when an A/B test or a gradual rollout occurs for Insiders, I’m never included early. Rather, I have to wait until the feature goes into general release. Or if I’m lucky, I might find some other way to install it.

I’m trying my best to remain patient and take my turn when it comes. In the meantime, you can read more about what’s up with the Microsoft Defender Preview in this October 27 story from The Windows Club. I’d love to tell you more about it based on personal experience, but it seems I’m not allowed to access the Preview. At least, not yet.

Stay tuned, though: when my turn comes, I’ll tell you more about what’s new and different. Coverage so far on the Preview is light on details. So maybe it won’t be too late to do my readers some good. As usual, time will tell…


Audacity Announces Data Harvest Plans

Dang! I just came across a news item that indicates one of my favorite audio recording and editing apps may be going over to the dark side. I’m talking about the long-time, well-known open source freeware program Audacity. Following  its April acquisition by the Muse Group, the program’s privacy policy updated on July 2. Alas, in that policy, Audacity announces data harvest plans. These include include telemetry data, and sharing of such data.

Audacity Announces Data Harvest Plans: What Kind?

What kind of data will Audacity collect? The types of data to be collected seem pretty innocuous. Namely, OS version, user country based on IP address, OS name and version, CPU. Also, non-fatal error codes and messages, and crash reports in Breakpad MiniDump format. I don’t see any personally identifiable information here, except for the IP address.

Who gets to see it? The desktop privacy notice reads “Data necessary for law enforcement, litigation and authorities’ requests (if any).” Legal grounds for sharing data are “Legitimate interest of WSM Group to defend its legal rights and interests.” That said, we also find language that reads such data may be shared with “…a potential buyer (and its agents and advisors) in connection with any proposed purchase, merger or acquisition of any part of our business…”

What has the user community most up in arms is that Muse asserts the right to occasionally share “…personal data with our main office in Russia…” This contravenes requirements of the GDPR, and could potentially violate data sovereignty requirements in certain EU countries (e.g. Germany) and elsewhere.

Does This Mean It’s Time to Bail on Audacity?

Not yet. These new provisions don’t take effect until the next upgrade to the program (version 3.0.3, one minor increment up from current 3.0.2) take effect. But a lot of people, including me, will be thinking long and hard about whether or not to upgrade. At a bare minimum, it might make sense to run Audacity in a VM through a VPN connection, to obscure its origin and user.

Note: Here’s a shout-out to Anmol Mehrotra at Neowin whose July 6 story “Audacity’s privacy policy update effective makes it a spyware” brought this chance of circumstances to my attention.

Note Added July 23: Audacity Updates Policy

If you check this story from Martin Brinkmann at, you’ll see that Audacity has retreated from all of its controversial or questionable privacy policy language. Seems like the resulting user reactions caused them to revisit, reconsider and move away from data harvest that could touch on user ID info and addresses. Frankly, I’m glad to see this: I like the program, and am happy to understand its new owners have decided to leave its prior policy positions unchanged.