Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
I'm pretty open about using all the native security in Windows 10, the default-enabled features as well as all of those that need to be enabled and configured additionally.

But lists of additions to, as well as further tightening of, Exploit Protection and the Controlled Folder Access whitelist provide insight into external services used as well as related applications.
    The same goes for firewall rules.
    I have never felt it was wise to post such information online.

    Besides, the things I have in there are related to work as well as country specific applications. It wouldn't be relevant to anyone else. :)
     
  2. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    You are welcome, Krusty.

    But even when you don't use Office, I think you should take another look at the mail rule and two script rules.
    Two minutes to activate, and can save your day.
     
  3. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    If that was the case, then I should have faced those problems since I use the increased block levels in Windows Defender and also every aspect of Windows Defender Exploit Guard.
    No problems here.

Additionally, as independent testing shows, the Controlled Folder Access feature works very well against ransomware.
And when looking through blog posts, Twitter and so on, there are far more people where the feature is reported as functioning right away than the opposite. :)
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    :thumb::);)
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    To be clear, can I just enter this command in Run as Admin > PowerShell and ALL rules are enabled?
    Code:
    Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
    Or do I then need to enable individual rules after that?

    Thanks again.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I would say the "verdict is still out" in that regard.

    As @Rasheed187 commented on and further elaborated on as follows:
    http://www.dslreports.com/forum/r31...nsomware-with-Windows-10-Fall-Creators-Update

    A good test would be using the current "Bad Rabbit" ransomware since it used Mimikatz to perform credential stealing and Windows own crypto software to do the encryption. The problem to testing is you have to disable WD's realtime protection so the ransomware is not detected via sig. or cloud lookup detection. When that is done, Controlled Folders is no longer functional. So appears your only choice is to find a 0-day ransomware sample. All this leads me to question any to date "ad hoc" testing of the feature.:doubt::cautious:
     
    Last edited: Oct 30, 2017
  7. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    No, that PowerShell cmdlet wouldn't do anything.

But you just need to substitute the <rule ID> with one of the actual rule IDs that are listed in the documentation next to the rule you want to activate.
    Then it works for that rule. :thumb:

    And then remember - first rule you activate, you use "Set-MpPreference".
    All following rules you want to activate, use "Add-MpPreference".
     
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Lots of well-known researchers have tested it and found it very effective.
    Among them are the BleepingComputer staff.
    Not sure if you are implying that they do not know how to handle ransomware ?
    That would definitely be a claim I haven't seen or heard before.

    Asking a user to please add to whitelist, so attacker can please encrypt your files ? - sounds very unlikely that a ransomware should first slip past WD, then ask user to jump through hoops to become whitelisted and succeed and a user should fall for it.
    Stuffing keyboard buffer ? - Not relevant, since you can't allow anything in prompt.
    Compromise allowed application ? - Exploit Protection to the rescue.
    Poisoned office files doing script tricks ? - use Attack Surface Reduction rules.

    There's a reason why there are four features in Windows Defender Exploit Guard. :thumb:

    That is not correct.
    As already mentioned, the Controlled Folder Access feature runs Default-deny.
If you in any way blind the vetting, then new access is simply not added or allowed.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I can't get it to work on my machine. It gives an error as per my screenshot.

    Edit: Ah, I got it to work now I think. I removed the "<" and ">".
     

    Last edited: Oct 30, 2017
  10. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Valid commands should look like this:
    PS C:\Windows\system32> Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled

    PS C:\Windows\system32> Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

    PS C:\Windows\system32> Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled

    PS C:\Windows\system32> Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled

    PS C:\Windows\system32> Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Yes, these are the three non-Office related commands I've used:
    Code:
    Set-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
    
    Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enabled
    
    Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled
     
  12. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    I can see you got everything working, because your PowerShell cmdlets are correct.
    Perfect. :)
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Yes, all good now. Thanks Martin. :thumb:
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Guys, I have one more tweak I'm considering, raising the protection level of WD to High. Is there an easy to understand and follow guide for configuring this with PowerShell for a Win10 Home Edition user? Step by step instructions would be greatly appreciated.

    Thanks again. Edit: I've downloaded these Registry keys from here as mentioned earlier in this thread. Will that do what I want safely?
     
    Last edited: Oct 30, 2017
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    The problem/s I have with those keys, I have no idea what the Values mean so have no idea how to edit them if required.

    Also; when I downloaded the Enable PUP Detection Reg tweak it came with an Undo Reg tweak, same with my Disable Cortana tweak.
     
  16. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
MartinC, could you please tell me how you configure Controlled Folder Access and Exploit Protection? I'm asking this because my friend gave up on it, because it blocks explorer.exe o_O o_O?
    This is why I'm scared of using Controlled Folder Access.
     
  17. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Yeah, it should.
    You can check here: http://www.howto-connect.com/set-hi...cloud-protection-windows-defender-windows-10/
    Or you can use this tool: https://www.ghacks.net/2017/07/25/policy-plus-brings-group-policy-to-all-windows-editions/
     
  18. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Windows Defender block levels and how-to articles on Windows 10 Home have several good articles linked to earlier in thread.

    @Djigi posted one here

    @imuade posted one here

    And as you mention, @imuade also posted another one here

    All three, great articles that will get you the same result.

The specific page in Microsoft Docs about block levels in Windows Defender is not updated yet, so it still shows the two levels that were available in 1703 Creators Update.
I'm sure it won't be long before it's updated to include 1709 Fall Creators Update information, so I will link it here

New for 1709 Fall Creators Update is that there are now two additional, even stronger block levels available in Windows Defender Group Policy configuration, as I mentioned here

And @imuade posted about it here, including a link to the Microsoft Docs CSP documentation that is updated to cover 1709 Fall Creators Update.

As you can see, the complete list of Windows Defender block levels in 1709 FCU is:

    Yes, an easy way you could do this on Win10 Home if you are uncomfortable with editing the registry manually, would be to use the .REG file you downloaded and simply edit it first in Notepad.
Check what block level the .REG file has now and compare it with the list above.
    If you want another block level, then replace value according to list above, save .REG file and apply it.
    It's just a single number that needs editing in the .REG file.
    Edit again and apply to alter or revert your settings. :thumb:

    I always do this in Group Policy, so I can't remember what other settings are included in the .REG files you downloaded.
But if memory serves me correctly, then they are ok.
    If you want I can check the files, but I'm on mobile right now and won't be near a pc until later tonight, so will have to get back to you on that later.
     
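As an added example (not code from any poster in this thread): the same block level that the .REG files and Group Policy set can also be set and, more importantly, read back with Set-MpPreference and Get-MpPreference, which answers the earlier question of "what do the values mean". The level names and numeric codes are the ones the cmdlet accepts; the decode tables and the Show-CloudProtection helper are mine.

```powershell
# Added example, not from the thread: set the cloud-delivered protection block level with
# Set-MpPreference and read it back. Level names/values are those accepted by the cmdlet
# (Default=0, Moderate=1, High=2, HighPlus=4, ZeroTolerance=6); the helper is mine.
$LevelName = @{ 0 = 'Default'; 1 = 'Moderate'; 2 = 'High'; 4 = 'HighPlus'; 6 = 'ZeroTolerance' }
$MapsName  = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }

function Show-CloudProtection {
    # Decode the numeric values Get-MpPreference returns into the names the cmdlet accepts.
    $p = Get-MpPreference
    [pscustomobject]@{
        MAPSReporting        = $MapsName[[int]$p.MAPSReporting]
        SubmitSamplesConsent = $p.SubmitSamplesConsent
        CloudBlockLevel      = $LevelName[[int]$p.CloudBlockLevel]
        CloudExtendedTimeout = $p.CloudExtendedTimeout
    }
}

'Before:'; Show-CloudProtection

# The block level only has an effect when cloud protection (MAPS) is actually on,
# so make sure of that first.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# Raise the level. 'High' detects more aggressively at the cost of more false positives;
# 'HighPlus' and 'ZeroTolerance' go further still (ZeroTolerance blocks all unknown executables).
Set-MpPreference -CloudBlockLevel High

# Allow the cloud up to 50 extra seconds (beyond the default 10) to return a verdict
# before a suspicious file is released.
Set-MpPreference -CloudExtendedTimeout 50

'After:'; Show-CloudProtection

# To revert, set the level back to Default:
#   Set-MpPreference -CloudBlockLevel Default
# Caveat: a value delivered by Group Policy (or by a .REG tweak that writes to the
# Policies hive) takes precedence over a local preference set here, so in that case
# the change, and the revert, has to be made on the policy side instead.
```

Running Show-CloudProtection before and after makes it easy to confirm that the .REG file or policy actually took effect, and the "Before" output documents the original state so that it can be restored later.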
  19. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    No reason to be scared.
    It's just to activate feature, reboot, use system for some time and later start adding additional personal drives/shares.

The majority of users don't have to do much more.
Some users need to whitelist a little.

    From the looks of it since FCU was released, it looks like the less third-party security add-on applications a user has, the less they need to manually whitelist.
    But still - even if you need to whitelist a little, it's easy to do so in the UI. :)
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    In my testing Controlled Folder Access did not block explorer.exe. 3rd party shell extensions?
     
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Hi Krusty.
Once you have entered the new Registry Keys, you cannot delete them later.
    Think well.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Actually, I would say most would allow explorer.exe. However, any shell execution of it wouldn't be caught.
     
  23. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    But he can always revert value back to default in case he would want to.
    Same effect. :)
     
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    My speculation was that since my testing was on a pretty clean VM, that when others have explorer.exe blocked, maybe since any shell extensions load 3rd party .dll files into the process, maybe some of them are blacklisted from having access. I have no idea if the controlled folders access goes that far or if they have changed something since my testing. If you have any info on whether they are actually checking for such things or just blanket blocking explorer.exe please share. It seems pointless to just block it though, as it makes the folders unusable unless you create an exception, which everyone would have to do.
     
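As an added example (not code from any poster in this thread), covering both the whitelisting advice above and the question of whether explorer.exe is really being blocked: Controlled Folder Access can be switched on in audit mode first, so that it logs what it would block without blocking anything, and the Defender operational log then names the exact process and target path for each event. That turns "it blocks explorer.exe" from a guess into something that can be checked. The folder and application paths below are placeholders to be replaced with real ones; the Get-CfaEvents helper is mine.

```powershell
# Added example, not from the thread: turn on Controlled Folder Access in audit mode, add
# a protected folder and an allowed application, then read the Defender event log to see
# which process was blocked (event 1123) or would have been blocked (event 1124).
$ProtectedFolder = 'D:\Data'                            # placeholder: extra folder to protect
$TrustedApp      = 'C:\Program Files\Example\app.exe'   # placeholder: application to allow

# AuditMode logs what would be blocked without enforcing; 'Enabled' enforces.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Add-MpPreference appends to the existing lists; Set-MpPreference would replace them.
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder
Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp

# Show the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications |
    Format-List

function Get-CfaEvents {
    # Return recent Controlled Folder Access events; the message text names the process
    # that was (or would have been) blocked and the path it tried to write to.
    param([int]$Max = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audit' }
                Message = $_.Message
            }
        }
}

Get-CfaEvents | Format-Table -AutoSize -Wrap
```

Once a few days of audit events show only expected applications, switch to `Set-MpPreference -EnableControlledFolderAccess Enabled`; the allowed-application list built from the audit events is then the whitelist that the posts above describe.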
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    The problem is Spynet (MAPS).
    You must check which values are the default (W.10 Home).
    Disable Maps.
     