Windows Defender: Unauthorised Changes Blocked

[stumped]

Quote:

Originally Posted by FrustratedReader

...

How does malware get on a computer? Either via the Web Browser or plugged in storage..

and via gullibility / social engineering. clicking on free porn links or other clickbait - opening strange emails.....

[BetterRed]

↑ ↑ ↑ ✔️

@FrustratedReader - I'm a volunteer for a community service provider that targets the disabled and elderly. As such, I have probably eradicated at least a 100 malware infestations on various computers. I'd say 70% came from email attachments, and 20% from software downloads - I can't recall ever tracing one to a USB stick or direct intrusion.

BR

[theducks]

Quote:

Originally Posted by BetterRed

↑ ↑ ↑ ✔️

@FrustratedReader - I'm a volunteer for a community service provider that targets the disabled and elderly. As such, I have probably eradicated at least a 100 malware infestations on various computers. I'd say 70% came from email attachments, and 20% from software downloads - I can't recall ever tracing one to a USB stick or direct intrusion.

BR

Remember the days of boot viruses passed by infecting the boot block on floppies.?
The only on not mentioned is 'drive by' type (no click or open needed). Most modern browsers do stop these, but there are folk running W9x that might be vulnerable as their browser is so out dated (no basic support).

[Quoth]

" Most modern browsers do stop these,"
No they don't unless you have a script blocking plugin such as noScript or uMatrix.

Indeed Never open any email attachment without being 100% sure who sent it. The From address doesn't count. Make sure file endings are enabled (Windows) and you know which files are safe to open.

Infected SD cards USB sticks are a common corporate attack vector. Make sure no autorun repartition any recycled or new one. They are not a likely source of malware for people not in the work force and not in youth culture. Unprotected browsers are the problem.
All the many PCs I've removed viruses, trojans and root kits from had working AV software. All were used with unprotected browsers and by people that had never been told about spoofed From in Emails, turning off remote content in emails and assuming you can click on email attachments. Many fooled by filename.txt<loads of spaces>.exe etc.
Some of the PCs had vital system files "quarantined" by AV software by mistake and thus would not reboot or would crash.
Education, a script blocker, no remote content in email viewer (don't use Web mail), no autorun is FAR better than any AV and won't break Calibre or other programs.

[Miss Chief]

Quote:

Originally Posted by stumped

protected from what exactly?

there is no way that using calibre's add books to library will import ransomware !

I am not worried about Calibre importing ransomware. I'm not sure why you would think that?

Frankly, I'm not particularly worried at all but if I am going to have ransomware protection on my system... my ebook library of 2893 books is pretty high up my list of directories I would like protected.

Quote:

Originally Posted by stumped

AFAIK, it is impossible to plant dangerous malware inside of an epub or AZW book,

Well I am sorry to have to tell you that you are mistaken, as Symantec point out here.

In fact this very topic was a source of another issue I had with Windows Defender, you see I am a Unix Admin and I work with security so a good portion of the aforementioned ebooks are about Programming, Shell Scrips, Pen Testing, Blockchain that kind of thing and it seems that books about computer security triggers Defender and it gets, well... defensive, I fixed that issue although I didn't bother posting it here as it wasn't an issue with Calibre per se, but if you're curious here is my post.

However, I am also not worried about getting ransomware from any of my ebooks. Again not sure why you would think that? In the event I do get ransomware on my system though... it would be nice if my ebook library wasn't the only directory that is actually vulnerable to attack.

Obviously I backup my system frequently so even if I was foolish enough to run something I shouldn't (and I never have been so far), it wouldn't really be an issue... that is not the point. The point is a built in part of system is not working as it should. I am familiar with the third party options... I have third party options, I am happy with my setup, it is just bugging me that this isn't working as it should. I'm pretty sure I mentioned I had a workaround sorted already in my initial post. I only posted here to see if anyone had a regedit, shell command or even a group policy edit that might remedy the situation. Not because I'm worried... just because it isn't working and it should be and that is annoying!

As I said I am not particularly concerned, I was just curious if anyone here had a solution, you know since this is the main Calibre forum, I thought it was worth posting here as well as the Microsoft forums, don't worry though I won't make that mistake again

Quote:

Originally Posted by stumped

PS criticizing those who try to help is a good way to get yourself ignored.

To be honest I sincerely doubt I will ever bother posting another thread here. You're such a lovely, welcoming group... the snarky, patronising comments, telling me to do the things I explained in my first post, it's given me such a warm fuzzy feeling, definitely not in a good way.

[BetterRed]

MS seemed to have changed the message

With the Ransomware feature enabled, if I try to switch to a folder in Documents, I get this as a right bottom corner notify message,



I don't know what calibre-file-dialog.exe is or where it is, so I can't add it to the exclusions list.

I also noticed this in the CFA settings

Quote:

Most of your apps will be allowed by controlled folder access, without adding them here. Apps determined by Microsoft as friendly are always allowed.

With Ransomware checks enabled I can open an EPUB in Documents with Sigil.exe, calibre's ebook-edit and ebook-viewer without having to exclude them from CFA. I can also open a text file in Documents with the installed version of Bowpad.exe, but I can't open the same file with the portable version of Bowpad.

BR

[Sarmat89]

Quote:

Originally Posted by FrustratedReader

Why they EVER thought "Autorun", ActiveX in Web browser, remote content on by default in Outlook, VBA on by default in Office or hiding file endings was a good idea is a mystery.

Because people don't like to browse the CD to install the software they've just bought.
Because people like to do more in their browser than reading and sending forms.
Because people like automation in their routine office tasks.
Because file extensions are confusing for most people, and they will delete them inadvertently when renaming their files.

What do you propose looks like a certain 'secure' OS enjoying <2% of the market share.

[DNSB]

Quote:

Originally Posted by Miss Chief

Quote:

Well I am sorry to have to tell you that you are mistaken, as Symantec point out here.

In fact this very topic was a source of another issue I had with Windows Defender, you see I am a Unix Admin and I work with security so a good portion of the aforementioned ebooks are about Programming, Shell Scrips, Pen Testing, Blockchain that kind of thing and it seems that books about computer security triggers Defender and it gets, well... defensive, I fixed that issue although I didn't bother posting it here as it wasn't an issue with Calibre per se, but if you're curious here is my post.

However, I am also not worried about getting ransomware from any of my ebooks. Again not sure why you would think that? In the event I do get ransomware on my system though... it would be nice if my ebook library wasn't the only directory that is actually vulnerable to attack.

Sadly, the item you reference from the Symantec site does not make it very clear that the hazards from downloading pirated ebooks lies more in the files that are supplied as .pdf, .zip, .rar or .exe and not the ebooks in epub, azw3, mobi or whatever format themselves.

In theory, you could embed malicious javascript in an epub3 ebook. After seeing one item titled "Security Diligence Required to Prevent ePub or Mobi Javascript Hacks", I did some playing with the idea. I could not find an ebook renderer that would execute those malicious code snippets on my ereaders. Blasted programmers who limit the functionality of their code. As for the mobi format ebooks? Given the age of that format, embedding javascript is not a viable option.

[stumped]

The threat to book libraries from ransomware really is miniscule. 99% of all book libraries will backup to on a cheap removable usb stick or we card, which cannot be infected and held for ransom if stored offline. 64 Or 128gb storage probably costs less than single years subscription to a paid for anti ransomware solution and an offline backup is easy to update.

flipping it around, having your my documents folder protected from ransomware is little comfort if the rest of your machine gets encrypted.. you would probably have to wipe the hard drives and rebuild it all anyway if that happened.

Anyway multiple solutions and workarounds have been offered. The OP seems to have thrown her toys out of the pram and moved on. Maybe we should all do the same - move on that is , not throw toys

[BetterRed]

Quote:

Originally Posted by BetterRed

<snip>
I don't know what calibre-file-dialog.exe is or where it is, so I can't add it to the exclusions list.

Found - it is in C:\Program Files\Calibre2\app\DLLs

So, I'll try to figure out why I don't need to exclude C:\Program Files\Calibre2\ebook-viewer.exe from CFA checks to view epubs in Documents; but -- assuming it gets rid of the CFA message -- I do have to exclude C:\Program Files\Calibre2\app\DLLs\calibre-file-dialog.exe to use calibre to manage libraries in Documents.

I do not have CALIBRE_NO_NATIVE_FILEDIALOGS set, so .... ?

BR

Moderator Notice
Just a gentle reminder - this thread is about Defender's protection against ransomware via its Controlled Foider Access mechanism, and its affects on calibre. We might have lost sight of that. The fact that the OP has departed doesn't mean there not issues to be discussed.

[kovidgoyal]

calibre-file-dialog.exe is a helper program calibre uses to show file dialogs -- it was needed because there are idiot applications like spideroak that write explorer extensions in python and you cannot have multiple python interpreters in a single process. Therefore to work around them I had to write a dedicated helper program in C just for selecting files.

[Miss Chief]

Quote:

Originally Posted by DNSB

Sadly, the item you reference from the Symantec site does not make it very clear that the hazards from downloading pirated ebooks lies more in the files that are supplied as .pdf, .zip, .rar or .exe and not the ebooks in epub, azw3, mobi or whatever format themselves.

In theory, you could embed malicious javascript in an epub3 ebook. After seeing one item titled "Security Diligence Required to Prevent ePub or Mobi Javascript Hacks", I did some playing with the idea. I could not find an ebook renderer that would execute those malicious code snippets on my ereaders. Blasted programmers who limit the functionality of their code. As for the mobi format ebooks? Given the age of that format, embedding javascript is not a viable option.

I think the issue is that EPUB's in particular can be opened and read in a browser these days (not sure about other formats since I tend to buy/edit books as EPUB then convert them to what I need, which largely depends on where I plan on reading them). I was quite miffed that Edge made itself the default app for opening EPUB's after an update some time ago, it kind of makes sense though, EPUBs are written in HTML they even use CSS.

I doubt anyone is targeting ebook readers themselves (the hardware I mean) as there isn't much to be gained from doing so (possibly your Amazon login from Kindles) but people who read on their computers or tablets using a browser, or even using a ereader program that supports scripts could be vulnerable. Browsers themselves have a lot of personal info about people from the autofill alone and if they can get at the saved passwords well that would be the kind of thing they might want to target, without considering anything outside of the browser. Browsers can often access your filesystem too. I will add that Chrome and Firefox don't seem to be willing to open them so perhaps it's just Edge that is vulnerable. Perhaps when it switches to Chromium it will no longer work.

Just to be clear I don't think anyone is suggesting ransomware is being embedded in an ebook but some malicious scripts could be and if opened using a program that supports scripts (Adobe Acrobat for PDF, Edge for EPUB, as two examples) then you could be vulnerable to attack.

Like I said I am not concerned about my ebooks containing anything untoward, I was just responding to someone who seemed to think I was... but your post was interesting so I thought I would respond

[stumped]

Quote:

Originally Posted by Miss Chief

Like I said I am not concerned about my ebooks containing anything untoward, I was just responding to someone who seemed to think I was... but your post was interesting so I thought I would respond

I think we are all on the same page here: the only people at risk from e-books are those who get them from very dubious sources. I for one have little sympathy if they suffer unexpected consequences.

[Quoth]

Quote:

Originally Posted by Miss Chief

I think the issue is that EPUB's in particular can be opened and read in a browser these days (not sure about other formats since I tend to buy/edit books as EPUB then convert them to what I need, which largely depends on where I plan on reading them). I was quite miffed that Edge made itself the default app for opening EPUB's after an update some time ago, it kind of makes sense though, EPUBs are written in HTML they even use CSS.

I doubt anyone is targeting ebook readers themselves (the hardware I mean) as there isn't much to be gained from doing so (possibly your Amazon login from Kindles) but people who read on their computers or tablets using a browser, or even using a ereader program that supports scripts could be vulnerable. Browsers themselves have a lot of personal info about people from the autofill alone and if they can get at the saved passwords well that would be the kind of thing they might want to target, without considering anything outside of the browser. )

Even PDFs in a Browser are stupid. Or that's especially stupid. I've been getting people to disable that for YEARS. Used to be standard thing on IT setup maybe 15 years ago to disable everything except basic necessities in a Browser.
Go to Browser "Applications". Set anything not a "Web Page" to be prompting to Save.
Install a real PDF reader (Summatra, Foxit, PDF express, even Ghostview). Linux comes WITH two real PDF readers as default.
Install Calibre and use its ePub & Mobi ebook reader standalone.
Add a script blocking plugin such as uMatrix or NoScript.
Don't use Edge or Internet Explorer unless mandated by your company as MS has lost the Plot on Browser and Windows design.
Use Safari, Firefox, Waterfox etc. Chrome is Google Spyware.