Is enabling of Secure Boot and GPT worth the hassle in clean installing Win 10?



#16 Chiragroop


Posted 01 October 2018 - 11:47 AM

Happy Birthday :birthday:





#17 midimusicman79


Posted 02 October 2018 - 09:00 AM

Hi again, Chiragroop!
 
Thank you for the prompt reply and the birthday wishes. :) I and my family (mom and dad) celebrated my birthday with an apple cake and a carbonated soft drink (no alcohol, since we are teetotalers :whistle:).
 
However, back to the topic at hand; I have now done an in-place upgrade install to upgrade Windows 10 keeping apps/programs and user files with the bootable USB from within Windows 10, which went well. :thumbup2:
 
Thank you very much for the help! :)
 
Regards,
midimusicman79

Edited by midimusicman79, 02 October 2018 - 11:16 AM.

MS Win 10 Pro 64-bit, EAM Pro/EEK, MB 3 Free, WPP, SWB Free, CryptoPrevent Free, NVT OSA and Unchecky, WFW, FFQ with CanDef, uBO, Ghostery, Grammarly Free and HTTPS Ew. Acronis TI 2018, K. Sw. Upd. AM-tools: 9-lab RT BETA, AdwCleaner, Auslogics AM, aswMBR, Avira PCC, BD ART, catchme, Cezurity AV, CCE, CKS, ClamWin P., Crystal Sec., DDS, DWCI, EMCO MD, eScan MWAV, ESS/EOS, FGP, FMTB, FRST, F-SOS, FSS, FreeFixer, GMP, GMER, hP BETA, HJT, Inherit, JRT, K. avz4, KVRT, K. TDSSKiller, LSP-Fix, MB 3 Free, MBAR BETA, MA Stinger, NMC, NoBot, NPE, NSS, NVT MRF (NMRF), OTL, PCC, QD, RCS, RSIT, RKill, Rs, SC, SR, SAP, SVRT, SAS, SL, TMHC, TSA ART, UHM, Vba32 AR, VRS, WR (AiO), Xvirus PG, ZAM, ZHPC, ZHPD and Zoek. I have 23 Years of PC Experience. Bold = effective.


#18 Chiragroop


Posted 02 October 2018 - 12:27 PM

No problem! :) You now have a more modern and secure setup with GPT/UEFI and Secure Boot too (I read about the LoJax malware, a firmware-based rootkit :cold:, which Secure Boot would have stopped, so Secure Boot is a must in my opinion. It almost completely prevents bootkits).



#19 midimusicman79


Posted 03 October 2018 - 11:00 AM

Hi again, Chiragroop!

Thank you for the prompt and insightful reply! :)

Yes, I also read the BC News Article on the same LoJax unsigned UEFI rootkit, which triggered my starting this very topic:

https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/

Thank you again! :)

Regards,
midimusicman79

Edited by midimusicman79, 03 October 2018 - 11:04 AM.



#20 rp88


Posted 10 October 2018 - 04:57 PM

Despite recent news reports about some very nasty LoJax malware that managed to attack systems at a very low level and install itself into places like the firmware of hard drives and UEFI/BIOS chips (Secure Boot could make it a little harder for this horror to get into place), I'm still not sure if Secure Boot is worth much. The truth is that if you get infected to the point where Secure Boot is all that's stopping it getting worse, then you have already lost and the malware already has full control of every setting and file in your OS and your personal folders. What would be a good idea, if computer motherboard manufacturers used some common sense, would be a deeply buried hardware switch or some kind of points which must be temporarily linked together with a wire whenever any software wants to alter low-level settings at all. Apparently this used to be the usual way to do things a decade or so ago, but nowadays the fashion is to have in-circuit flashing and reflashing of firmware, hence opening up LoJax-like risks.
Back on this site, for a while anyway; been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#21 Chiragroop


Posted 10 October 2018 - 10:11 PM


    Despite recent news reports about some very nasty LoJax malware that managed to attack systems at a very low level and install itself into places like the firmware of hard drives and UEFI/BIOS chips (Secure Boot could make it a little harder for this horror to get into place), I'm still not sure if Secure Boot is worth much. The truth is that if you get infected to the point where Secure Boot is all that's stopping it getting worse, then you have already lost and the malware already has full control of every setting and file in your OS and your personal folders. What would be a good idea, if computer motherboard manufacturers used some common sense, would be a deeply buried hardware switch or some kind of points which must be temporarily linked together with a wire whenever any software wants to alter low-level settings at all. Apparently this used to be the usual way to do things a decade or so ago, but nowadays the fashion is to have in-circuit flashing and reflashing of firmware, hence opening up LoJax-like risks.

By default, this should not even matter. The OS typically can't control firmware settings unless you go into the UEFI and change them. What this malware did is reflash it with an infected UEFI. Normally, you can update the UEFI from within Windows (though it is not recommended). However, there can be checks (like signature checks, etc.) before the UEFI can be flashed. In this case, the malware infected older versions or those that were not configured properly (e.g. to check whether the firmware is signed before flashing it).

Secure Boot isn't meant to protect you from firmware attacks (although in this case, it did). Instead, it protects you from bootkits and the like. This almost completely prevents bootkits and severely limits rootkits (they have to load after the kernel is loaded and get around driver signature enforcement and early anti-malware driver loading). Considering the rootkits we had during the Windows 7 era, Secure Boot was and is a massive improvement, as bootkits are nearly completely eliminated nowadays. This malware (LoJax) required a nation-state attacker (they have significant resources for targeted attacks, and evading them is basically impossible if they are determined to hack you).
 

 

    The truth is that if you get infected to the point where Secure Boot is all that's stopping it getting worse, then you have already lost and the malware already has full control of every setting and file in your OS and your personal folders.

Security is always in depth (having multiple layers). By default, before you even launch a program, it is typically scanned by anti-virus/anti-malware tools. Then, Windows checks whether it is signed or not (and warns you if it is not). Even if the program launches in standard mode, it can't access all your user files either (due to Controlled Folder Access, which is designed to prevent ransomware from encrypting files). If the malware wants admin access, it will either have to throw a UAC prompt (which will alert the user if something is suspicious) or, if it doesn't, it will have to use privilege escalation vulnerabilities (which by themselves are somewhat difficult to pull off, and techniques get patched all the time). Even if the malware runs as Administrator, there are some things it still can't do easily (they are protected by SYSTEM) due to more protections. If the malware wanted to inject into the kernel, there are so many defences (like PatchGuard, signed drivers, etc.) that it has to get past. Not to mention that techniques like DEP, ASLR and sandboxing protect you if there are indeed vulnerabilities in programs. By having more defences, you make it significantly harder for malware to do damage, or you restrict the damage.



#22 midimusicman79


Posted 11 October 2018 - 09:14 AM

Hi, rp88!

 

    The truth is that if you get infected to the point where Secure Boot is all that's stopping it getting worse, then you have already lost and the malware already has full control of every setting and file in your OS and your personal folders.

 

With all due respect, that is not a likely scenario, since I practice safe computing and browsing, as outlined in Answers to common security questions - Best Practices.

 

I use Emsisoft Anti-Malware as my Anti-Virus and Anti-Malware, and furthermore, I also use many other different security programs and browser extensions, which are mentioned in this topic and in my signature.

 

And just for the record, I also use Malwarebytes 3 Free, NoVirusThanks OSArmor, and Canvas Defender.

 

Regards,

midimusicman79




#23 britechguy


Posted 11 October 2018 - 09:30 AM

Hi, rp88!

 

    The truth is that if you get infected to the point where Secure Boot is all that's stopping it getting worse, then you have already lost and the malware already has full control of every setting and file in your OS and your personal folders.

 

    With all due respect, that is not a likely scenario, since I practice safe computing and browsing, as outlined in Answers to common security questions - Best Practices.

 

 

And therein lies the crux of the matter. I have really tired over the years of those who insist that the best way to prevent infections is by armoring a system to the teeth with all sorts of unnecessary "protection" software while never, ever bothering to consider and discuss the human factors of infection.

 

I have also tired of the promotion of the idea that infection vectors lie around every corner and that every computer user is a target for the most exotic of infection vectors.  There are relatively few (though definitely not none) folks writing viruses and the like "just for amusement" and that target "the random stranger" but instead have very specific targets and outcomes/gains in mind.

 

An ounce of prevention, which really requires not a whole lot of thought about what one is about to do before one actually does it, when interacting with cyberspace will prevent 99.999999% of issues. That same proportion of infections is the direct result of said infections being invited on to a platform through user actions. You, the person in front of the screen, are either your own best defense or worst enemy, and that choice is yours.


Brian  AKA  Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134 

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it.  The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus,  November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story




#24 Chiragroop


Posted 11 October 2018 - 01:03 PM

Agreed. 

 

    And therein lies the crux of the matter. I have really tired over the years of those who insist that the best way to prevent infections is by armoring a system to the teeth with all sorts of unnecessary "protection" software while never, ever bothering to consider and discuss the human factors of infection.

Not to mention that installing multiple AVs can also cause conflicts unless you choose your tools carefully (with Malwarebytes, Emsisoft, and Windows Defender turned on as a second opinion, there should be no conflict). Having too many tools also slows things down. As mentioned, being careful goes a long way.

 

    There are relatively few (though definitely not none) folks writing viruses and the like "just for amusement" and that target "the random stranger" but instead have very specific targets and outcomes/gains in mind.

Again, a really important point. Unless you are a whistleblower, a journalist discussing sensitive material, or there is a reason for governments to target you, you never have to worry about tailored threats. And if your enemy is a nation state, you might as well give up (the NSA wrote malware that reflashed the firmware of a hard drive to hide data and reinfect computers!), as defending against that is nearly impossible unless you don't use computers at all.



#25 MadmanRB


Posted 11 October 2018 - 01:17 PM

I say GPT is worth it, but secure boot is a ponzi scheme.

Its existence is only there to hinder Linux adoption, as Linux developers have to pay Microsoft to get a licence to use it.


You know you want me baby!

Proud Linux user and dual booter.

Proud Vivaldi user.

 



#26 Chiragroop


Posted 11 October 2018 - 04:29 PM

Not necessarily. You could just include the certificate manually in the firmware (and some computers even have the Canonical (Ubuntu) certificate built in). You can also use shim for Secure Boot (which is exactly what I did for my multiboot USB, where Ubuntu was signed but NixOS and Manjaro weren't; though even Ubuntu would not matter, because I was using rEFInd as a bootloader, which had to be signed anyway). Shim gives you the flexibility of getting around Secure Boot without the hassle of going into the firmware, etc.
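Two points in this thread are worth checking on a real machine rather than taking on trust: post #21's claim that Secure Boot stops bootkits only holds when the firmware is actually enforcing it, and post #26's shim/manual-enrollment route works because the trust anchors are nothing more than certificates stored in the firmware's db variable. The following is an added example (not code from the thread, shim, or any project named here) that parses the SecureBoot, SetupMode and db variables in the raw form Linux's efivarfs exposes them; the structure layouts and variable GUIDs are the standard UEFI ones, and every sample byte string is constructed.

```python
"""Check UEFI Secure Boot state from efivarfs variable files (added example).
efivarfs prepends a 4-byte little-endian attribute mask to each variable's data.
SecureBoot/SetupMode hold one byte each; db is a chain of EFI_SIGNATURE_LISTs."""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS = "/sys/firmware/efi/efivars/"  # where a live Linux host exposes the files below
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SETUPMODE_VAR = "SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"
DB_VAR = "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def efivar_data(raw: bytes) -> bytes:
    """Strip the 4-byte attribute header that efivarfs prepends."""
    if len(raw) < 4:
        raise ValueError("efivar file shorter than its attribute header")
    return raw[4:]

def secure_boot_enforcing(secureboot_raw: bytes, setupmode_raw: bytes) -> bool:
    """Enforcing only if SecureBoot == 1 AND SetupMode == 0: in Setup Mode no
    Platform Key is enrolled, so unsigned loaders run even if SecureBoot reads 1."""
    return (efivar_data(secureboot_raw)[:1] == b"\x01"
            and efivar_data(setupmode_raw)[:1] == b"\x00")

def count_x509_certs(db_raw: bytes) -> int:
    """Walk the EFI_SIGNATURE_LIST chain in db and count X.509 certificate entries."""
    data, off, count = efivar_data(db_raw), 0, 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size == 0:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        if sig_type == EFI_CERT_X509_GUID:
            # each entry is a 16-byte SignatureOwner GUID followed by the DER certificate
            count += (list_size - 28 - hdr_size) // sig_size
        off += list_size
    return count

def build_x509_list(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Encode one EFI_SIGNATURE_LIST holding a single X.509 cert (used for samples)."""
    sig_size = 16 + len(cert_der)
    hdr = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + cert_der

# Constructed samples (not captured from a real machine): flags use attrs BS|RT, db NV|BS|RT|TIME_AUTH
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
SAMPLE_SB_ON, SAMPLE_SETUP_USER, SAMPLE_SETUP_SETUP = (struct.pack("<I", 6) + b for b in (b"\x01", b"\x00", b"\x01"))
SAMPLE_DB = (struct.pack("<I", 0x27) + build_x509_list(b"\x30\x82FAKE-OEM-CA", OWNER)
             + build_x509_list(b"\x30\x82FAKE-MOK-CA", OWNER))
```

On a Linux/UEFI host the three files can be read from EFIVARS and passed straight to these functions; on Windows the equivalent enforcement check is the Confirm-SecureBootUEFI PowerShell cmdlet.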



#27 Chiragroop


Posted 11 October 2018 - 07:12 PM

Also, @MadmanRB, @britechguy, and @rp88: if we want to continue this discussion (and we should, as it is getting interesting), we should do it here: https://www.bleepingcomputer.com/forums/t/684853/secure-boot-pros-and-cons-also-linux-users-discuss-problems-you-have-had/ Just because I feel like the Win10 forum is more for people facing Windows problems and this is more fundamental (not to mention @midimusicman's problems are now fixed, so this thread keeps getting bumped up and anyone who has posted on this topic will keep getting notified).





