Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  2. BobH44AZ

    BobH44AZ Registered Member

    Joined:
    Jul 11, 2013
    Posts:
    41
    Location:
    USA
It's good to see Windows Defender is doing much better. I hope that Microsoft continues to make more improvements to it.
     
  3. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
Slides from Dave Weston's BlueHatIL 2018 presentation "Hardening with hardware: How Windows is using hardware to improve security" are now available:
    https://github.com/Microsoft/MSRC-Security-Research/raw/master/presentations/2018_01_BlueHatIL/BlueHatIL18_Weston_Hardening_With_Hardware.pdf
    Absolutely amazing innovation with each new branch.
    Microsoft steadily rewriting the world. :thumb:
     
  4. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Protecting customers from being intimidated into making an unnecessary purchase.
    More in blog here : https://cloudblogs.microsoft.com/mi...timidated-into-making-an-unnecessary-purchase
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Well, even the machine that was blocking the test page isn't now.
     
  6. Turing Doenitz

    Turing Doenitz Registered Member

    Joined:
    Oct 23, 2013
    Posts:
    31
    Location:
    Australia
    I applaud Microsoft for taking a stand on such scamware which is clearly fraudulent activity dressed up as legitimate software/services. It will certainly help our most vulnerable such as the elderly from getting a hit on their credit card.
     
  7. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
So WD is turning into junk like MBAM, detecting cookies and PUPs instead of malware to increase detections. Well, one more reason to disable WD. :thumbd: Basically, if you do not want your software to be detected as a PUP, pay us, pay us a lot, and everything will be fine. I hate this business model. That's the reason malware extensions are blooming on the Google store.
     
  8. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,338
    Location:
    Adelaide
    You assume they cannot focus on both things at the same time.
     
  9. Pirate_fin

    Pirate_fin Guest

    Stopped working for me too, now that my Defender updated to version 4.12.17007.18011
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Hmm, I had to enable the site in NoScript for Norton to block the Drive-by Download test, so it was probably the same for WD. Norton failed the other two tests as well.

    Norton ConnectSafe did block the other tests both with WD and Norton but when I selected to visit the site anyway I was taken to a Yahoo Search. :cautious:
     
  12. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    These scammers are going to look for alternative ways to bypass WD. Thumb drive maybe - follow the FIXME stick lead.

FIXME stick - their TV ad claims they can 'remove malware and viruses and other stuff that slow down computers'. I hazard a guess they are accessing standalone AV scanners and CCleaner. :cautious::cautious::doubt: I assume they do not install any programs.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Wow, very nice presentation. I'm especially interested in Containment Technologies. Would be cool if all apps could make use of stuff like AppContainer. And they must also be protected from code injection attacks, perhaps this can be achieved with a combo of AppContainer and Protected Process Light.
     
  14. guest

    guest Guest

To fully use AppContainer, apps must be recoded from scratch to implement capabilities, so it won't happen soon.
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Hum ........ I am sure many will find it of note that WDEG is not a security boundary.

Maybe the most important point is what exactly a "security boundary" is in Windows, since this reply is the standard "canned" one MS always issues when one of their security protections has been bypassed?
     
  17. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
I agree with you; it seems to be a lame excuse from Microsoft :thumbd:

    If WDEG isn't a security boundary, what is it?
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    Users must make their choice:

    1) Do not use Microsoft Office

    or

    2) Use a different anti-ransomware software.
     
  19. guest

    guest Guest

    Indeed.
     
  20. 142395

    142395 Guest

I don't think that is a mystery. WDEG doesn't make a security boundary, as it is meant to make exploits harder (by blocking the most often used techniques), but not to stop or limit the damage of an exploit. Just like WDAV is not meant to stop malware, but to detect and remove as much malware as possible. If you ask what makes a boundary, the best example will be SELinux. It is mathematically proven to make elegant security boundaries. It doesn't mean SELinux can't be bypassed (of course everything human-made can potentially be bypassed), but it can assure certain security AS LONG AS IT FUNCTIONS AS INTENDED. In other words, WDEG & WDAV are designed with bypass in mind, while a security boundary has to ensure certain security 100% EXCEPT for unintentional bugs or escapes.

    Windows doesn't have the equivalent, but the sets of ACLs, tokens, and ILs will be closest. VBS and WDAG will also make a security boundary, as well as AppContainer.

    If you understand the logic, you'll also be able to understand why MS says UAC is not a security boundary nor even a security feature, and why ASLR doesn't make a boundary.

    The real problem is that what is logically valid may not always be valid in the real world, just like this case shows. Everything is working as intended: Office is trusted so it can encrypt files, but an untrusted program can abuse that and encrypt files... what we actual users care about is whether files can be encrypted by ransomware, not how they're intended.

    [EDIT] What a security boundary is can change depending on context. While in general WDEG doesn't make a boundary, DEP as a component of WDEG puts a boundary on memory; in this case what matters is not general exploits but areas in memory.
    In this case, just disabling OLE is enough. It is disabled now in Word, but for other Office apps you need to edit the registry. I also recommend disabling DDE and VBA if you don't use them and if you use MS Office.
     
    Last edited by a moderator: Feb 8, 2018
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    TH.;):)
    I have never used M.O.
     
  22. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
Basically speaking, Microsoft sees the ability to drive Office executables programmatically as a feature. They can't recognize whether a program using this feature is meant to do harm or something useful. Therefore they are not classifying use of that feature, even possibly by malware, as a bug.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
The mitigation you described is detailed in this posting: https://cloudblogs.microsoft.com/mi...ing-ole-embedding-to-deliver-malicious-files/. It applies to these features in the context of an existing .doc/x, etc. MS Office document, spreadsheet, etc. opening under the control of the applicable MS Office executable: excel.exe, winword.exe, etc.

    The bypass noted does the following:
    https://msdn.microsoft.com/en-us/vba/word-vba/articles/application-object-word

    The point the author notes in his article is that the code below is detected as a protected folder access violation because Python.exe is not allowed access:
    However, by using MS Word via Automation, the attacker can access protected folder files and encrypt them.

    -EDIT- BTW - how to disable OLE within a Word document itself is given here: https://www.linkedin.com/pulse/huh-cerber-ransomware-now-evading-capabilities-winston-marydasan
     
    Last edited: Feb 7, 2018
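As an added example (not code from any poster in this thread, nor from Microsoft), here is a PowerShell audit of the Controlled Folder Access configuration and of the Defender events it writes. The python.exe block described above would surface there as a block event, while the Word Automation route would not, because Word is a trusted application and never hits the control. Assumes Windows 10 with Windows Defender AV and its PowerShell module; event IDs 1123 and 1124 are the Defender operational-log IDs for a CFA block and an audit-mode hit respectively.

```powershell
# Added example: audit Controlled Folder Access (CFA) state and recent CFA events.
# Assumes the Defender PowerShell module (Get-MpPreference) is present.
$pref = Get-MpPreference

$state = switch ($pref.EnableControlledFolderAccess) {
    0       { 'Disabled' }
    1       { 'Enabled (block mode)' }
    2       { 'Audit mode' }
    default { "Other ($_)" }
}
Write-Host "Controlled Folder Access: $state"

Write-Host "Protected folders:"
$pref.ControlledFolderAccessProtectedFolders | ForEach-Object { "  $_" }

# Anything listed here may write to protected folders without a block event.
# Office binaries are trusted implicitly and will not appear in this list,
# which is why the Word Automation route in the article leaves no CFA trace.
Write-Host "Explicitly allowed applications:"
$pref.ControlledFolderAccessAllowedApplications | ForEach-Object { "  $_" }

# 1123 = CFA blocked an application; 1124 = CFA audit-mode hit.
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No CFA block/audit events found in the last 200 Defender events."
    return
}

# The event message carries the offending process and the target path as
# "Process Name:" and "Path:" lines (assumption: message layout may vary by build).
$events | ForEach-Object {
    $lines = $_.Message -split "`r?`n" | Where-Object { $_ -match '^(Process Name|Path):' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        Detail  = ($lines -join '; ')
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a block-mode state with an empty event list during a test like the one described above is the signal that the write went through a trusted process rather than being caught.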
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
This "feature" in the protected folder stuff is exactly why I don't trust Microsoft for my security. I use Pumpernickel to protect folders and I have complete control.
     
  25. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
Video from Dave Weston's BlueHat IL 2018 presentation "Hardening with hardware: How Windows is using hardware to improve security" is now also available:
    https://youtu.be/8V0wcqS22vc
     
    Last edited by a moderator: Feb 7, 2018