MSE; Does Anyone Still Use It?

Discussion in 'other anti-virus software' started by Daveski17, Aug 28, 2015.

  1. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
Windows 10 and Windows Defender in Windows 10 are, with the entire context awareness and its OS-wide monitoring of actions performed by every piece of code, script, executable and whatever, way beyond the old-fashioned "click, blink and stare" testing that is fed to the masses currently as pure propaganda.

Sure, those "click, blink and stare" testers will see the hammer drop much faster across the system, no matter at what entry point they are received.

    They will like that.

    And bottom line - this is what will benefit both enterprise and home users.

    But the beauty is underneath.
That the OS itself will keep track of how this piece of code was received and where from, and then scan it repeatedly at entry point, at run time, as it decrypts and when deobfuscated in memory, and on top of that keep a record of its actions.
Does it try to obtain privileges, change settings, control anything else or alter it, and so forth and so forth.

You can't fake that. If your code wants to perform an action - well, then it has to do it.

    This will in the end paint the big picture and mark that piece of code malicious.

And the even bigger beauty is that, since Windows 10 is now delivered as a service, Microsoft will tighten this even more each time a black hat finds a clever loophole.

I'm sure you have already noticed this, as each build rolls out.
     
  2. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  3. haakon

    haakon Guest

I'm of the opinion that all this Windows 10/Defender horn blowing is largely riding the coattails of the media focus on the newest and latest and greatest and (mostly) free Windows.

    In checking About in MSE and Defender running on x64 7, 8.1 & 10...
    Antimalware Engine v1.1.12002
    Network Inspection System Engine v2.1.11804.0
    ...on all three.

    The protections offered by MSE/Defender span all three Windows equally. I stand to be corrected on that, but that's how I see it.

BTW, as listed in About, the Network Inspection System gets its own definitions which, for some reason, MS chose not to display along with the virus and spyware definition versions in the Update pane.
     
  4. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
  5. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    'To be honest, Windows Defender only gives baseline protection, which means, it is only good enough for users for regular day-to-day surfing.
    For those who mainly use social networks and may download the occasional file here and there, Windows Defender should be just fine.' ~ op cit

    This was exactly my point about MSE though, it is essentially quite adequate for most average users. Anything else is really just FUD.

    'If you download a lot of torrent related files from the web, then we doubt Windows Defender would provide enough protection.' ~ op cit

I don't utilise a torrent client or download a huge amount, so I believe that a good basic AV (such as MSE), and perhaps additional security layers, would suffice, and indeed it has done for me for a considerable time. My decision to go with a customised (stripped down) version of Avast! is more to do with some of MSE's performance on resources (although they aren't a real problem), its scanning speed and its need to be regularly updated manually.
     
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    You are judging the product by the wrong parameters.

The engine does not behave the same across the different generations of Windows.

The events, behaviors and actions that are monitored are increased 20 times in Windows 10 compared with Windows 8.1.

Windows 10 gathers all this information and presents it to Windows Defender.

This is the entire OS working to provide all the information needed to decide whether a malicious behavior is seen.

    Not the other way around as usual.

This is not the old-fashioned "file scan at first sight and then let it do whatever it wants if not blacklisted" approach that everybody has tried.
It's not your typical HIPS solution that cries about every single action and needs an ever-growing whitelist the size of a national library in order not to completely destroy your OS.
Neither is it your typical behavior blocker that ignores everything not user initiated, ignores everything with a signature and then draws a blank on the rest and throws a prompt at you, leaving you to flip a coin in the air every time something malicious is perhaps found.

Microsoft is, with Windows 10, monitoring the OS as a whole and feeding it to Windows Defender to add a new layer to spot malicious behavior.
A piece of code can do a long series of actions where each of them on its own is legit, and it can stretch them slowly across hours, days, weeks.
With Windows 10, all of this is tracked and the combined information can be used to deem it malicious and put a stop to it.

It doesn't matter if the malicious code does things quickly, slowly or mixed with other deeds.
It's the combination of its actions that will reveal it.

    I must say that in my opinion, Microsoft has done exactly the right thing here and at the same time implemented it extremely well.
    Absolutely no drag, overhead or slowness felt at all, as the OS performs all this in the background.
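The idea in the post above, that individually harmless actions spread over hours or days only become suspicious in combination, can be illustrated with a small correlator. This is an added example, not Microsoft's or Windows Defender's code; the event stream, action names and the single rule are constructed for illustration.

```python
"""Toy per-process correlator: accumulates every action a process performs,
no matter how far apart in time, and raises a verdict only when a rule's
full combination of actions has been seen. Constructed sample data."""
from dataclasses import dataclass, field

# Constructed events: (timestamp in seconds, process id, action kind).
# Process 1001 spreads its actions over days; 2002 looks like a plain installer.
SAMPLE_EVENTS = [
    (0,      1001, "read_file"),
    (3600,   1001, "request_privilege"),          # one hour later
    (90000,  1001, "modify_autostart"),           # next day
    (200000, 1001, "change_security_setting"),    # days later
    (10,     2002, "read_file"),
    (20,     2002, "change_security_setting"),
]

# A rule fires only when a process has shown ALL listed action kinds.
# Hypothetical rule, not a real Defender signature.
RULES = {
    "persist_and_escalate": {
        "request_privilege", "modify_autostart", "change_security_setting"},
}


@dataclass
class ProcessHistory:
    first_seen: float
    last_seen: float
    actions: set = field(default_factory=set)


def correlate(events, rules=RULES):
    """Return {pid: {"rules": [...], "span_hours": float}} for processes whose
    accumulated actions satisfy at least one rule, regardless of timing."""
    history = {}
    for ts, pid, action in sorted(events):      # replay in time order
        h = history.setdefault(pid, ProcessHistory(ts, ts))
        h.last_seen = ts
        h.actions.add(action)                   # timing is kept, never forgotten

    verdicts = {}
    for pid, h in history.items():
        hits = [name for name, needed in rules.items() if needed <= h.actions]
        if hits:
            verdicts[pid] = {"rules": hits,
                             "span_hours": (h.last_seen - h.first_seen) / 3600}
    return verdicts


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

A single-event scanner would have passed every one of 1001's actions; only the accumulated history, spanning more than two days here, trips the rule.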
     
  7. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Yes, I noticed that one.

Actually, there were several small articles posted in the last couple of days with exactly the same wording as in the link you just posted.
They are just on different sites and officially by different authors.

Isn't it funny that such a bunch of practically identical articles suddenly appear all over the place while this thread is active.

Of course I would never say that they are planted by someone with an economic interest in badmouthing Windows Defender - but I will say that I find the sheer number of almost identical articles and their timing to be ... ahm ... interesting.
     
  8. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,900
    Location:
    U.S.A.
    Something interesting happened yesterday.

    1. As always, I update MSE first thing in the morning.
    2. I check my business account, and receive an email from an unknown source, with an attachment (BUD7W1UV.doc).
    3. I download it, and MSE does not alert.
    4. I right click the file to scan it with MSE and it informs me that 2 items are clean.
    5. I upload the .doc file to VirusTotal and Jotti. Notice how "Farm Fresh" the file is, with scant detection by big players.
    6. I submit the file sample to Microsoft.
7. I keep checking all day for a new MSE virus definition, and none is available (maybe because Microsoft is busy issuing KB3092627 to Win7 users?).
8. Ready to shut down the PC at night, I update MBAM, and decide to right click the BUD7W1UV.doc file to scan it via MBAM.
    9. Just that right click action triggers MSE to quarantine the file, and reports this Threat.

    I have the feeling that this is their cloud protection at work. Never received a new virus definition until this morning. First time I have seen this action.
     
  9. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
Yes, that is a cloud response that was triggered when you were about to access the file.
    I see those also. Not the exact same file of course, but similar versions.

    And the great thing is that even though you are on Windows 7, then you also benefit from the massive improvements that have been put into the cloud.

    It's very noticeable in daily use.
     
  10. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,900
    Location:
    U.S.A.
    Good to know! Thanks.
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
Nice story, J R. If I was using an AV in my W7, MSE would be the one. It is the antivirus I install on my friends' computers who use Sandboxie. I prefer it instead of any other as it works great alongside SBIE and my friends don't get infected.:)

    Bo
     
  12. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,900
    Location:
    U.S.A.
    Bo, I have switched my entire family, and friends, to MSE. Last week, my wife was visiting a poetry site, and when clicking over to a poet's own site, received the MSE green prompt that her PC was being cleaned. Three files, residing in Temporary Cache, had been detected, and quarantined; all Trojan downloaders. It was an illuminating experience for her to say the least. :D
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    @JRViejo
What would happen if the user opened that DOC file and ran macros before it got detected by MSE? Would it get blocked by some behavior blocker part of the AV or something similar? Or would the system become compromised? Some less savvy computer user would probably open that attachment.
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    Nothing would happen if the user opens the DOC file in Sandboxie.;)

    Bo
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Yes, true :) Unfortunately, most users don't use SBIE.
     
  16. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,900
    Location:
    U.S.A.
Minimalist, because the .doc file was "Farm Fresh" and not detected by most AVs, it wouldn't have mattered whether it was MSE or not. Yes, less savvy PC users would have been compromised, no doubt.

As I stated, MSE didn't pick up the download, nor the file being scanned; however, from the start, I knew that the email was not from someone I knew, and that's why I went through all the gyrations to make sure I knew what I was dealing with. My comments were posted mainly to point out a feature (cloud protection) that I had never seen MSE do before.
     
  17. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,900
    Location:
    U.S.A.
    Bo, teaching family members how to use Sandboxie is a different animal. :D A few have been successful, yet most can't sink their heads into it. It's a work in progress. :isay:
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    OK, thanks for explaining.
     
  19. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    266
  20. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,900
    Location:
    U.S.A.
    Understood, yet MBAM is the only other software I have on that particular PC, and I think that seeing it as part of a VirusTotal scan, was the thing that motivated me to try the scan, without giving it another thought.
     
  21. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
I don't get it, if MSE is so good why is it constantly shown at the bottom when it is tested - the worst place possible?
     
  22. wshrugged

    wshrugged Registered Member

    Joined:
    Jun 12, 2009
    Posts:
    266
    Very good, sir. It's often assumed that MBAM targets all files. Someone'll get bit by that. It's a fine tool for what it does target.
     
  23. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,900
    Location:
    U.S.A.
    Re: Post.

CoolWebSearch, I don't think it's stellar, since I have used other AVs in the past that were better, yet on the other hand, it is not as bad as others seem to think. I like the improvements so far, and believe Windows 10 "might" make it better. That's my hope.
     
  24. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,900
    Location:
    U.S.A.
    Agree! :thumb:
     
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    If you check earlier posts in this thread you will see that Microsoft have decided to stop trying to pass tests and instead are concentrating on detecting real malware.
     
    Last edited: Sep 4, 2015