AppWizard
June 25, 2026
Riot Games has introduced a new feature for its Vanguard anti-cheat system called Vanguard On-Demand, which allows the kernel driver to load only when a Riot game is launched and unload upon exit. This change ends the previous practice of loading the driver at Windows start-up, which has been in place since 2020. The new mode is supported by Windows 11 25H2 and requires specific hardware configurations, including UEFI Secure Boot, TPM 2.0, Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), and IOMMU. Approximately 35% of players currently meet these hardware requirements, while around 3% are using incompatible systems. Riot has created a checklist called Vanguard Pre-Check to help players determine if their systems qualify. The percentage of fully secured machines is estimated to be around 34.33% and is increasing monthly. Players whose systems do not meet the criteria will need to make manual adjustments in their BIOS. Vanguard On-Demand mode will be available for players on Windows 11 starting later today. The feature is based on Microsoft’s Runtime Driver Attestation Report, which tracks driver activity since boot and helps ensure no vulnerable drivers have been loaded while Vanguard is inactive. Riot Games has required TPM 2.0 and Secure Boot on Windows 11 since 2020 and has faced criticism for these requirements. Enabling VBS and HVCI may affect frame rates and could disable older peripheral drivers due to Microsoft's vulnerable driver blocklist.
Winsage
June 25, 2026
Component Object Model (COM) is a technology in Windows that enables object activation, inter-process communication, and automation across different programming languages. Malware exploits COM interfaces for activities such as lateral movement, execution, downloading, exfiltration, persistence, evasion, system discovery, and automation of Windows and Office functionalities. Reverse engineering COM-heavy binaries involves navigating GUIDs and indirect vtable calls to understand malware mechanics. Research at the AVAR 2025 conference and CARO 2026 workshop discusses methodologies for analyzing COM binaries and case studies of malware families that utilize COM. COM is an application binary interface (ABI) model that allows software components to be reused and enables interaction between different programming languages through interfaces defined at the binary level. Distributed COM (DCOM) allows clients to activate COM objects on remote systems. COM classes are identified by unique class identifiers (CLSIDs), and interfaces by interface identifiers (IIDs). The Windows registry stores COM registration data, with classes and interfaces located under specific keys. Malware often acts as a COM client, utilizing the COM runtime to instantiate classes and request interfaces. ProgIDs provide human-readable registry entries for COM classes. The CoCreateInstance function helps create class objects by resolving CLSID registrations. All COM interfaces derive from IUnknown, which manages object lifetimes and interface querying. COM has its own security model, and identifying classes and interfaces used by malware is crucial for threat researchers. Tools like ComView and OleView.NET assist in inspecting COM registrations. The analysis workflow includes identifying activation API calls, extracting CLSID and IID values, consulting registry definitions, and mapping vtable calls. 
Qakbot, a banking trojan, exemplifies the use of COM in malware, with its architecture enabling malicious activities like credential theft. Dynamic analysis tools can log COM-related calls in real-time to trace execution flow. Notable malware families that utilize COM include Gh0stRAT, which uses Task Scheduler COM interfaces, and the Attor platform, which employs BITS for file transfers. WarmCookie demonstrates the use of COM for persistence through Task Scheduler. Understanding COM's role in malware is essential for cybersecurity professionals.
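As an added example (not code from the AVAR/CARO research or from the page's source), the two mechanical steps of the analysis workflow described above: decoding CLSID/IID values from the 16-byte layout they have in a binary's data section, and mapping an indirect vtable call to a method slot. The lookup table and the byte blob are constructed samples; the three IIDs in the table are real Windows SDK values.

```python
import uuid
from typing import Dict, List, Tuple

# Sample lookup table of well-known IIDs from the Windows SDK.  A full table
# would be dumped from HKCR\Interface and HKCR\CLSID with ComView/OleView.NET.
KNOWN_GUIDS: Dict[str, str] = {
    "00000000-0000-0000-C000-000000000046": "IID_IUnknown",
    "00020400-0000-0000-C000-000000000046": "IID_IDispatch",
    "00000001-0000-0000-C000-000000000046": "IID_IClassFactory",
}
# Every COM vtable starts with these three slots, fixed by the IUnknown ABI.
IUNKNOWN_SLOTS = ["QueryInterface", "AddRef", "Release"]

def guid_from_bytes(raw: bytes) -> str:
    """Decode the 16-byte in-memory GUID layout: Data1/Data2/Data3 are
    little-endian integers, Data4 is 8 raw bytes (uuid's bytes_le order)."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw)).upper()

def guid_to_bytes(text: str) -> bytes:
    """Canonical string -> in-memory layout (inverse of guid_from_bytes)."""
    return uuid.UUID(text).bytes_le

def find_known_guids(blob: bytes) -> List[Tuple[int, str, str]]:
    """Scan a .rdata-like blob at DWORD-aligned offsets and report
    (offset, guid, name) for every lookup-table hit."""
    hits = []
    for off in range(0, len(blob) - 15, 4):
        g = guid_from_bytes(blob[off:off + 16])
        if g in KNOWN_GUIDS:
            hits.append((off, g, KNOWN_GUIDS[g]))
    return hits

def vtable_slot(call_offset: int, ptr_size: int = 8) -> Tuple[int, str]:
    """Map an indirect call like `call [rax+0x18]` to a vtable slot: slots 0-2
    are IUnknown, later slots belong to the interface named by the IID."""
    if call_offset % ptr_size:
        raise ValueError("offset is not pointer-aligned")
    slot = call_offset // ptr_size
    name = IUNKNOWN_SLOTS[slot] if slot < 3 else f"interface method #{slot - 3}"
    return slot, name

# Constructed sample: filler bytes around two IIDs, as a riid argument to
# CoCreateInstance/QueryInterface would appear in a binary's data section.
SAMPLE_RDATA = (b"\x90" * 8 + guid_to_bytes("00000000-0000-0000-C000-000000000046")
                + b"\x00" * 4 + guid_to_bytes("00020400-0000-0000-C000-000000000046"))

if __name__ == "__main__":
    print(find_known_guids(SAMPLE_RDATA), vtable_slot(0x18))
```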
Tech Optimizer
June 23, 2026
Meta has suspended its employee-tracking program after an internal security review revealed excessive accessibility to sensitive data collected from staff laptops. The program, part of the Model Capability Initiative (MCI), aimed to gather detailed information on employee interactions with work devices, including mouse movements, click locations, keystrokes, and screen content. Concerns arose regarding the privacy and security of the collected data, which included AI prompts, transcriptions, private conversations, and performance-related information. The initiative faced backlash, particularly after an engineer criticized "laptop surveillance," leading to a petition for its termination. The monitoring software was deployed on US workers’ laptops without an opt-out option, capturing comprehensive behavioral datasets. The situation highlighted significant legal and regulatory challenges, as well as the risks associated with managing sensitive data. Access controls, data minimization, and retention policies are critical to mitigate potential breaches.
AppWizard
June 23, 2026
Sand: Raiders of Sophie has entered early access. It is a first-person base-building extraction shooter set in outer space, featuring customizable walking bases called tramplers. Players can construct their own tramplers or use pre-existing models, equipping them with various weapons and ammunition. The game includes both player-versus-player and PvE elements, with NPCs guarding lootable locations. Players can join solos-only servers for a more strategic experience. After gathering loot, players must transport their trampler to an extraction point, which involves climbing a tower to initiate the extraction process. Initial experiences have included server issues and challenges during gameplay.
Winsage
June 22, 2026
Users of Windows 11 often report high RAM usage, with figures reaching 70-90 percent, leading to concerns about system performance and the need for memory upgrades. Microsoft has introduced the PC Manager application with a "Boost" option to help free up memory. High memory usage can be normal when Windows 11 caches files, but excessive consumption by poorly optimized applications may indicate a resource issue. The impact of memory usage varies by system; for example, 90 percent usage may be acceptable on a system with 96GB of RAM, while it could be problematic on an 8GB system. Context matters, as high memory usage on high-end machines often represents normal caching, whereas it may signal struggles on lower-end systems. The PC Manager's Boost feature can be useful before resource-intensive tasks but may reinforce misconceptions about high memory usage being inherently negative. Ultimately, performance issues, rather than memory percentage alone, should guide decisions about upgrading RAM.
Tech Optimizer
June 22, 2026
The author conducted an experiment by disabling both Bitdefender and Windows Security for a week to rely solely on personal cybersecurity instincts. They took precautions by using a secondary device and backing up important data. Throughout the week, the author experienced heightened awareness while navigating online tasks, encountered a phishing email, and adapted to a more deliberate browsing rhythm. Key takeaways included exercising caution, verifying sources, being aware of URLs, and keeping software updated. The experiment highlighted the importance of both good habits and antivirus software in maintaining cybersecurity. The author concluded that while personal vigilance is crucial, antivirus software is essential for those lacking strong instincts.