Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. paulderdash

    paulderdash Registered Member

    I am using (paid) EAM and all Exploit protections are On by default, except 'Force randomization for images (Mandatory ASLR)'.

    Edit: And I use HMP.A :isay:.
    https://www.wilderssecurity.com/threads/hitmanpro-alert-beta.394398/page-25#post-2713141

     
    Last edited: Oct 28, 2017
  2. Martin_C

    Martin_C Registered Member

    In the new Windows Defender Exploit Guard, the Attack Surface Reduction rules, Network Protection and Controlled Folder Access are all parts of the protection Windows Defender provides and are available if you have Windows Defender fully active.

    Exploit Protection, however, is always active, no matter what product you are using.
     
  3. Krusty

    Krusty Registered Member

    I must have missed that class. :doubt:
     
  4. Martin_C

    Martin_C Registered Member

    You mean where to activate them?
    I have posted about it here
     
  5. Martin_C

    Martin_C Registered Member

    @Krusty, since I can't remember if you are on Windows 10 Home, then I better add that you can also use PowerShell to activate instead of the GPOs I posted about above.

    Read about Attack Surface Reduction rules here : https://docs.microsoft.com/en-us/wi...-guard/attack-surface-reduction-exploit-guard

    Then read about how to activate and configure here : https://docs.microsoft.com/en-us/wi...exploit-guard/enable-attack-surface-reduction

    Just remember - if you use PowerShell and activate one rule at a time, then use "Add-MpPreference" as warned in the documentation (since this adds to your active ruleset).
    If you use "Set-MpPreference" for every single rule instead, then only the last one is active since this command will overwrite.
    You can finish off with "Get-MpPreference" to get status and see what you have active.

    There is also an article about this, that @Sampei Nihira posted a link to here
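
The append-versus-overwrite behaviour described in the post above, as an added example that is not part of the original thread. The two rule GUIDs are taken from Microsoft's ASR rule reference and should be checked against it; run from an elevated PowerShell session with Windows Defender active.

```powershell
# Added example (not from the thread). Rule IDs: confirm against Microsoft's ASR rule reference.
$rules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}

# Add-MpPreference appends each rule to whatever is already configured.
foreach ($id in $rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Set-MpPreference replaces the whole rule list. Calling it once per rule leaves
# only the last rule configured. If Set is used, pass every ID and action together:
# Set-MpPreference -AttackSurfaceReductionRules_Ids @($rules.Keys) `
#                  -AttackSurfaceReductionRules_Actions @('Enabled', 'Enabled')

# Verify: Get-MpPreference returns IDs and actions as two parallel arrays.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $ids[$i]
        Action = $actionName[[int]$actions[$i]]
        Name   = $rules[[string]$ids[$i]]   # empty for rules not listed above
    }
}

# Flag any rule from the list above that did not end up in the active set.
foreach ($id in $rules.Keys) {
    if ($ids -notcontains $id) {
        Write-Warning "ASR rule not active: $id ($($rules[$id]))"
    }
}
```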
     
  6. TheMalwareMaster

    TheMalwareMaster Registered Member

    Hey guys, I noticed Windows Defender Controlled folders access is not working properly for me.
    1) It blocks files made by Microsoft (One file when I attempt to save a file using Edge and the screenshot tool)
    2) Even if I whitelist them and reboot, they are still blocked. Can you help me, please?
     
  7. Martin_C

    Martin_C Registered Member

    First thing that comes to mind would be third-party add-on security applications interfering?

    On my own systems and on others' systems that I have used since FCU was released, this feature simply works without any problems.

    But all of those systems run all of Windows 10 native security and no third-party add-ons.
    Nothing out of the ordinary involved here. Simply activated feature, rebooted, used system for some time and later started adding additional personal drives/shares.
     
  8. TheMalwareMaster

    TheMalwareMaster Registered Member

    I just have COMODO Firewall at my settings
     
  9. Djigi

    Djigi Registered Member

    What if you try to run Comodo at default settings for a day or two?...just to see if it is Comodo's fault or not.
     
  10. Duxar

    Duxar Registered Member

    Same here, it's just unusable....
     
  11. TheMalwareMaster

    TheMalwareMaster Registered Member

    OK, now the whitelist seems to work again. I basically whitelisted all the programs to edit or save files in my PC. But still I don't understand why Microsoft programs are not allowed by default (pickerhost.exe, the screenshot tool, winword, powerpoint etc)
     
  12. Azure Phoenix

    Azure Phoenix Registered Member

    Who knows? Maybe it was to prevent malware that inject into other processes like Microsoft's from harming your files. That seems to be a major concern some people have about the new controlled folder feature.
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    :thumb:

    Is it possible to have your list "Allow an app through controlled folder access"?
    TH.
     
  14. Krusty

    Krusty Registered Member

    Hi @Martin_C ,

    It looks like most of that is aimed at Office, right? I don't have Office installed.

    Thanks.
     
  15. TheMalwareMaster

    TheMalwareMaster Registered Member

    Now it works, but I had to whitelist every single program I use that edits/saves files. This is not acceptable, especially for Microsoft-made files.
     
  16. Hiltihome

    Hiltihome Registered Member

    Same here, on W10-64-pro-1709.
     
  17. guest

    guest Guest

    Then totally useless to me, if I have to do this I'd rather use Excubits softs.
     
  18. ance

    ance formerly: fmon

    +1 :(
     
  19. itman

    itman Registered Member

    By default, known safe programs are supposed to be allowed access to Protected Folders as noted below. The question is what "whitelist" is WD using to determine what is a safe program? I suspect it is the same one that native SmartScreen uses. So that is where I would start looking and ensure native SmartScreen is fully functional. For example, a privacy "tweaker" such as OOSU10 might have changed native SS settings.

    Another possibility is all these WD "tweaks" mentioned to date. One of those might be overriding this default Controlled Folders allowed program access feature:
    https://www.howtogeek.com/329532/ho...h-windows-defenders-controlled-folder-access/
     
    Last edited: Oct 29, 2017
  20. guest

    guest Guest

    Seems plausible, like people setting SRP to maximum tightness and wondering why their soft isn't working
     
  21. itman

    itman Registered Member

    However, there are problems with CF. As far as no. 1 posted below, this was noted in a link posted in reply #1267:
    https://www.tenforums.com/antivirus...olled-folder-access-problems.html#post1183608

    As far as above issue no. 2, you're better off using a HIPS to protect directories since it would indeed alert on any child process modification activities.
     
    Last edited: Oct 29, 2017
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Yes.
    For Libreoffice you only need to add to the list:

    Soffice.bin
    Soffice.exe
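
Adding the two LibreOffice binaries named above to the Controlled Folder Access allow list from PowerShell, then listing which processes Defender has been blocking, as an added example that is not part of the original thread. The install path is an assumption, as is the "Process Name:" field in the event message text; events 1123 (blocked) and 1124 (audited) are read from the Windows Defender operational log.

```powershell
# Added example (not from the thread). Run elevated.
# Assumed default install path; adjust to where LibreOffice actually lives.
$apps = @(
    'C:\Program Files\LibreOffice\program\soffice.exe',
    'C:\Program Files\LibreOffice\program\soffice.bin'
)

foreach ($app in $apps) {
    if (Test-Path -LiteralPath $app) {
        # Add- appends to the allow list; Set- would replace it.
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Not found, not added: $app"
    }
}

# Current allow list.
(Get-MpPreference).ControlledFolderAccessAllowedApplications

# Which processes were blocked (1123) or would have been blocked in audit mode (1124)?
# Assumption: the event message contains a "Process Name: <path>" line.
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Reviewing the grouped output before allow-listing anything keeps the list limited to binaries that were actually blocked.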
     
  23. Rasheed187

    Rasheed187 Registered Member

    Interesting stuff, I wonder if those samples used direct encryption, or if they used process hollowing. Normally speaking, all apps that use file/folder protection will fail against the latter. Hopefully Cruelsister can do some testing.
     