Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I am using (paid) EAM and all Exploit protections are On by default, except 'Force randomization for images (Mandatory ASLR)'.

    Edit: And I use HMP.A :isay:.
    https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-25#post-2713141

     
    Last edited: Oct 28, 2017
  2. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    In the new Windows Defender Exploit Guard, the Attack Surface Reduction rules, Network Protection and Controlled Folder Access are all parts of the protection Windows Defender provides and are available if you have Windows Defender fully active.

    Exploit Protection, however, is always active, no matter what product you are using.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I must have missed that class. :doubt:
     
  4. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    You mean where to activate them ?
    I have posted about it here
     
  5. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Krusty, since I can't remember if you are on Windows 10 Home, then I better add that you can also use PowerShell to activate instead of the GPOs I posted about above.

    Read about Attack Surface Reduction rules here : https://docs.microsoft.com/en-us/wi...-guard/attack-surface-reduction-exploit-guard

    Then read about how to activate and configure here : https://docs.microsoft.com/en-us/wi...exploit-guard/enable-attack-surface-reduction

    Just remember - if you use PowerShell and activate one rule at a time, then use "Add-MpPreference" as warned in the documentation (since this adds to your active ruleset).
    If you use "Set-MpPreference" for every single rule instead, then only the last one is active since this command will overwrite.
    You can finish off with "Get-MpPreference" to get status and see what you have active.

    There is also an article about this, that @Sampei Nihira posted a link to here
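
An added example, not part of the post above, showing the Add-MpPreference workflow it describes: read the current ASR rule set, enable only the rules that are not yet in block mode, then confirm with Get-MpPreference that no previously configured rule was dropped. The three rule GUIDs are taken from Microsoft's ASR rule reference and the choice of rules is an assumption; substitute the ones you want.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Rule GUIDs and names as published in Microsoft's ASR rule reference.
$desired = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}

function Get-AsrState {
    # Map each configured rule GUID to its action: 0 = disabled, 1 = block, 2 = audit.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $state   = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i]) { $state[[string]$ids[$i]] = [int]$actions[$i] }
    }
    $state
}

$before = Get-AsrState
foreach ($id in $desired.Keys) {
    if ($before[$id] -eq 1) { continue }   # already in block mode, nothing to do
    # Add-MpPreference appends to the rule set; Set-MpPreference with a
    # single ID would replace the whole list with that one rule.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Verify: every rule that was configured before must still be present.
$after   = Get-AsrState
$dropped = @($before.Keys | Where-Object { -not $after.ContainsKey($_) })
if ($dropped.Count) {
    Write-Warning "Rules no longer configured: $($dropped -join ', ')"
}

$after.GetEnumerator() | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{ RuleId = $_.Name; Action = $_.Value; Name = $desired[$_.Name] }
} | Format-Table -AutoSize
```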
     
  6. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
    Hey guys, I noticed Windows Defender Controlled folders access is not working properly for me.
    1) It blocks files made by Microsoft (One file when I attempt to save a file using Edge and the screenshot tool)
    2) Even if I whitelist them and reboot, they are still blocked. Can you help me, please?
     
  7. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    First thing that comes to mind would be third-party add-on security applications interfering ?

    On my own systems and on others' systems that I have used since FCU was released, this feature simply works without any problems.

    But all of those systems run all of Windows 10 native security and no third-party add-ons.
    Nothing out of the ordinary involved here. Simply activated feature, rebooted, used system for some time and later started adding additional personal drives/shares.
     
  8. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
    I just have COMODO Firewall at my settings
     
  9. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    What if you try to run Comodo at default settings for a day or two?...just to see if it is Comodo's fault or not.
     
  10. Duxar

    Duxar Registered Member

    Joined:
    Dec 24, 2016
    Posts:
    24
    Location:
    Germany
    Same here, it's just unusable....
     
  11. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
    OK, now the whitelist seems to work again. I basically whitelisted all the programs to edit or save files in my PC. But still I don't understand why Microsoft programs are not allowed by default (pickerhost.exe, the screenshot tool, winword, powerpoint etc)
     
  12. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Who knows? Maybe it was to prevent malware that injects into other processes like Microsoft's from harming your files. That seems to be a major concern some people have about the new controlled folder feature.
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    :thumb:

    Is it possible to have your list "Allow an app through controlled folder access"?
    TH.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Hi @Martin_C ,

    It looks like most of that is aimed at Office, right? I don't have Office installed.

    Thanks.
     
  15. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
    Now it works, but I had to whitelist every single program I use that edits/saves files. This is not acceptable, especially for Microsoft-made files
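
An added example, not part of the posts above: instead of allowing programs one by one as they fail, this lists which executables Controlled Folder Access has blocked (event 1123) or would have blocked in audit mode (event 1124) and compares them with the current allow list. The EventData field names 'Process Name' and 'Path' are assumptions about the event layout; if they come back empty, inspect one event with ToXml() and adjust.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
$log = 'Microsoft-Windows-Windows Defender/Operational'

# 1123 = Controlled Folder Access blocked a write, 1124 = audit-mode hit.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1123, 1124 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the named EventData fields into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audit' }
        Process = $data['Process Name']   # assumed field name
        Target  = $data['Path']           # assumed field name
    }
}

# Applications already allowed through Controlled Folder Access.
$allowed = @((Get-MpPreference).ControlledFolderAccessAllowedApplications) |
           Where-Object { $_ }

# One row per executable: how often it was hit and whether it is already allowed.
$hits | Where-Object { $_.Process } | Group-Object Process | ForEach-Object {
    [pscustomobject]@{
        Process        = $_.Name
        Hits           = $_.Count
        LastSeen       = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        AlreadyAllowed = $allowed -contains $_.Name
    }
} | Sort-Object Hits -Descending | Format-Table -AutoSize

# After reviewing the list, allow a verified executable by full path, for example:
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\full\path\to\app.exe'
```

An executable that shows AlreadyAllowed = True but keeps producing new 1123 events matches the "whitelisted but still blocked" symptom reported earlier in the thread and is worth comparing path by path against the allow list.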
     
  16. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Same here, on W10-64-pro-1709.
     
  17. guest

    guest Guest

    Then totally useless to me, if I have to do this I'd rather use excubits softs.
     
  18. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    +1 :(
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    By default, known safe programs are supposed to be allowed access to Protected Folders as noted below. The question is what "whitelist" is WD using to determine what is a safe program? I suspect it is the same one that native SmartScreen uses. So that is where I would start looking and ensure native SmartScreen is fully functional. For example, a privacy "tweaker" such as OOSU10 might have changed native SS settings.

    Another possibility is all these WD "tweaks" mentioned to date. One of those might be overriding this default Controlled Folders allowed program access feature:
    https://www.howtogeek.com/329532/ho...h-windows-defenders-controlled-folder-access/
     
    Last edited: Oct 29, 2017
  20. guest

    guest Guest

    Seems plausible, like people setting SRP to maximum tightness and wondering why their soft isn't working
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    However, there are problems with CF. As far as no. 1 posted below, this was noted in a link posted in reply #1267:
    https://www.tenforums.com/antivirus...olled-folder-access-problems.html#post1183608

    As far as above issue no. 2, you're better off using a HIPS to protect directories since it would indeed alert on any child process modification activities.
     
    Last edited: Oct 29, 2017
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    Yes.
    For Libreoffice you only need to add to the list:

    Soffice.bin
    Soffice.exe
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Interesting stuff, I wonder if those samples used direct encryption, or if they used process hollowing. Normally speaking, all apps that use file/folder protection will fail against the latter. Hopefully Cruelsister can do some testing.
     