Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Microsoft should really improve controlled folder access: Malware could simply add an infected .exe file in whitelist and run it. However, if I install a programm which creates an icon on desktop it will be blocked, it's annoying to add every single file to whiteliste before executing. Sometimes I think this version of controlled folder access makes no sense at all, it's like HIPS with auto-blacklist and without any intelligent program decision. Very simple to code but nearly useless for the average user.

 

it works like a basic SRP without any whitelist at all, so users have to setup everything if they want to use the feature, which is basically pointless on a home version OS made for Average Joes...if it was Pro or Enterprise, it would make more sense.

 

There's a world of difference between you doing that to yourself and someone doing that to you.

But I think you knew that very well, because if it was that easy to halt WD or any other AV for that matter, then it would be everywhere in the wild. And it is not.

Security can't be evaluated with a tunnelvision approach. You need to embrace the full protection stack.

What I see with each branch are progress - new features implemented and existing features enhanced.
And I see possibilities when putting them to use. Even more so, when you start combining them.

On a out-of-the-box Win10 1709 branch, start by raising all the SmartScreen settings to Block.
Make sure Windows Defender are active. On default this means all cloud features are active, Block at First Sight are active and also Behavioral Analysis are active which also include the memory scanner that I see you noticed in another thread.

Overview of Windows 10 1709 Fall Creators Update as presented at Microsoft Ignite 2017 :


Now evaluate if you use default block level in Windows Defender, or want to raise it. In addition to default block level, there's High, High+ or if mission critical, then raise to Zero Tolerance that blocks everything unknown.
And activate PUA detection, no matter which block level you decide on.
Now activate Network Protection, that expands SmartScreen to every single process on pc that tries to connect out.
Then activate Controlled Folder Access to only allow vetted processes access to your protected data.
Next activate Attack Surface Reduction rules, to effectively block the vectors an attacker would need.
The Attack Surface Reduction rules has proven to be extremely effective, but since I know you pay extra attention to PowerShell I will quote this part in particular :

Full blog post here : https://blogs.technet.microsoft.com...tack-surface-against-next-generation-malware/
Then start looking at Exploit Protection. The default settings provides good protection without breaking anything in general mass use, but a specific setup might allow for further tightening of mitigations since now you only need to care about the specific applications and workflows relevant to you. Especially if rare/legacy applications present.
All app-level mitigations can be used in audit mode and there's extensive logging in Event Viewer, to make it easier to dail in while you evaluate.
Do all of the above on a clean installation of Win10 1709 Fall Creators Update and then use SUA for all daily activities afterwards, and it becomes clear how well these features all work together.

Then you will have embraced a huge part of the protection stack available on Windows 10 Pro and Home.

The changes Microsoft has made with 1709 Fall Creators Update are massive. All these features are available and ready to use.

Bottom line - there will be two groups of users.
Those who still looks at Windows through Win98->WinXP glasses, and insist on adding and replacing with third-party code. A subset of these will complain about Windows evolving.
And those who are open to the fact that Windows has evolved a lot since then and who evaluate what is actually available now. They will typically enjoy that all the features mentioned above are available and work so well together.

 

The AV-Comparatives Real-World Protection Test October 2017 are now published.

Tested on Windows 10 1703 Creators Update 64 bit.

Microsoft doing very well with zero undetected samples, 3 user-dependent samples and everything else auto-blocked.

Chart : http://chart.av-comparatives.org/chart1.php?chart=chart2&year=2017&month=10&sort=1&zoom=4

Full report : https://www.av-comparatives.org/wp-content/uploads/2017/11/avc_factsheet2017_10.pdf

 

then comes the third and biggest group, the Average Joes which can't deploy the tight setup you mentioned above either because their lack of skills or because they don't want go through the hassle or just prefer/are used to 3rd party AVs .

 

Panda again better than emsisoft and Kaspersky? the test samples are 100 days old or what....but definitely not zero day

 

The same can be said about every single HIPS, application-whitelisting, anti-exe, behavior blocker or AV out there from every single vendor.

In theory "all" you have to do to bypass them, are to shut them down or allow yourself through them.

But in practice, the entire protection stack stand between the wish to bypass and actually being able to bypass.

 

To enable PUA protection even in Windows 10 Home * with Powershell:

Get-MpPreference

search "PUAProtection" if the numeric value is 0, is disable.

To enable it to use the command:

Set-MpPreference -PUAProtection enabled

 

None of that is correct.

All four features in Windows Defender Exploit Guard are tightly integrated with the Microsoft Intelligent Security Graph.

On clean systems without excessive third-party add-on security, the end user do not have to do anything except activate the Controlled Folder Access feature and add any additional folders they want protected.

That is all they need to do.

The features local logic combined with insight from Microsoft Intelligent Security Graph will take care of everything else.

This is implemented in such a elegant way, that the feature are easier to use then it is to boil eggs.

The only users that has issues are those who have third-party security installed which insist on altering things those third-party applications shouldn't touch.

Excellent example if one look one page back in this thread.
A user have two systems.
System A with a not so intrusive third-party add-on security application have zero problems with Controlled Folder Access.
System B with a very intrusive third-party add-on security application has issues.

 

None of that makes any sense what so ever.

This "Average Joe" you always bring up will on a plain out-of-the-box Windows 10 installation running its default native security have protection as seen if one follow the link in this post

And that test is not even on 1709 Fall Creators Update. That test are with the native security that are active by default on 1703 Creators Update.

Users on 1709 Fall Creators Update can then additionally activate the features I mentioned in this post to enjoy even more of the protection stack available in Windows 10 Fall Creators Update.

This thread proves that it is easy.

Several users posted that they activated all the features they needed without any problems.
Some users had a few questions and then activated all the features they needed without any problems.

Absolutely nobody has been scratching their head.

It's a few clicks in the UI and then a few clicks in GPOs or a few PowerShell cmdlets - depending on if user are on Pro or Home.
That's all.

Everybody that wants to set up the additional native security features available in Windows 10 can handle this.

 

maybe for you, but you are clearly not representative of the masses, you understand and know how to use all the built-in features, but many don't...and it is what you seem to miss.

Note: i don't talk about efficiency, only usability, and it is clearly at the moment not user-friendly especially when it is strangely tied to WD which has no real interactions to the Controlled Folder mechanisms.

Anyway, i didn't planned to do a deep debate about it, i just gave my opinion.

 

The average Joe wouldn't even have Controlled Folders enabled since it is disabled by default.

 

Agree.

But shortly taking delivery of a new machine so may give this a go first on clean Win 10 Pro ...

 

I just installed ver. 1709 yesterday via Win Update. Average user is not going to play around with security settings nor should they be required to "tweak" his security settings for max. security protection. Add to that, SmartScreen is "notorious" for alerting on downloads that are in reality safe. Setting action default to block would prevent this software from downloading:

 

Did you test it?

 

Or later:

https://www.amtso.org/feature-settings-check-potentially-unwanted-applications/

 

I would love to learn a bit more about Win Def's behavior blocker, weird that I can't find any info about it.

 

It is cloud based using MS's Azure AI servers. Note: that it is time dependent although the delay to determination can be slightly increased. Also, the process is actually suspended while this is going on. Obviously, "sleeper" malware will be able to evade it.

WD's scanning ability in the cloud was impressive based on the AV Labs - Poland fileless malware test. It was able to detect all processes used including a .bat script which was a Powershell dropper. This contrasts with the majority of AVs detecting by outbound network connections.

 

That is not correct.

You are mixing up three very powerful, but different parts.
Block at First Sight, Behavioral Analysis engine and memory scanner.
Three different parts of Windows Defender.
There's time and entry constraints on Block at First Sight. Not on Behavioral Analysis or memory scanner.

But you are correct that Windows Defender did very well in the fileless malware test that AV Labs - Poland recently published. The combined feature set in Windows Defender are proving to be effective.

 

Since it seems they added a bunch of new protection, I figured I'd try WD again. The protected folder access is crap at this point. Blocks just about everything, so way too many false positives.

Also, protection isn't really my concern with WD, but rather the CPU usage of the main module. Still surprises me that the built in protection is heavier than third party programs.

 

Below is MS's description of "Block at First Sight." In typical MS "security techno-babble," it is WD's local based non-signature analysis which is equivalent to that performed in other third party AV solutions. Bottom line - there is nothing "ground breaking" security-wise in WD's new protections. They are just finally making WD on par to what the third party AV's have had for some time. The only thing really "leading edge" is the use of the cloud AI scanning.

https://docs.microsoft.com/en-us/wi...ock-at-first-sight-windows-defender-antivirus