Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Slides and video from John Lambert's presentation "The New Paradigm of Security Controls" at BlueHat IL 2018 are available :

Slides :

Code:

http://www.bluehatil.com/files/The%20New%20Paradigm%20of%20Security%20Controls.pdf

Video :

Code:

https://youtu.be/OpTGFcJXL8g

Fantastic deep dive into Microsoft's Machine Learning systems - using data to improve security.

Crash reports revealing zero-days. Great insights to how valuable telemetry are to security. Finding the root cause and fixing it.

The massive data pumps driving Office 365 ATP and Windows Defender Antivirus.
Self-tuning, cross-checking and self-correcting Machine Learning in cloud at massive scale.

Extremely impressive.

 

There is no simple decision that Microsoft can make to satisfy everybody at this point. There can be and probably are programs developed for companies to do useful things leveraging this feature. Complete removal of this feature would break these programs. On the other hand leaving this feature "as is" is going to irritate people requiring security.

 

Woops! So that registry hack is no relevant to this bypass, I completely misunderstood, sorry @Sampei Nihira !
I ran that script and confirmed that test.docx was encrypted regardless of registry setting.
So the question: are there any way to disable that feature, or block this bypass other than blocking an executable or script first?
Well, actually I don't care much. I still keep my belief of taking redundant backups (system and data) which are separated each other will be enough protection against ransomware. Has situation changed?

 

Agreed. Although I feel MS may be better than Google, still quite many data will be sent even on 'basic' telemetry setting. The problem is that not only we don't know what can be done with those data, but probably MS too, until some clever guy (either white hat or black) find a way to abuse them. Not collecting PII and transparency is good start, but never enough.

 

IMO it's enough if you want to restore data after encryption. It's not enough if you don't want bad guys to upload your data to their servers.

 

Ah, I remember some malware who took porn photo as hostage and scared the owner. Then I just hope my malware protection stops them and hope I don't do sth stupid. Still I may get infected through supply chain...(sigh)

 

Yes good point, didn't think about that. What I'm basically looking for is that processes can not be modified, and that they can't modify other processes. So this means that DLL/code injection can be blocked completely. Windows should provide a way for this.

 

.

Of note is that AppContainer does not prevent .dll injection into IE11 or Edge. It does prevent executable files from being run from the injected .dll. Additionally, this action is user controlled in that a pop-up will be generated whereby either "allow" or "deny" must be selected which is problematic in itself.

http://blog.jpcert.or.jp/2016/08/appcontainers-p-d296.html

-EDIT- I also should add that .dll injection is much more difficult on Edge running Win 10 1709 due to WDEG. All .dlls must be MS code signed via the Code Integrity Guard mitigation. Whereas this mitigation could be enabled for IE11, it will bust in all likelihood your third party AV .dll/s injection since most of those are not MS code signed. Ditto for Edge although you can't disable AIG in Edge at the WDEG app level.

 

Windows Defender ATP support in Windows 7 and 8.1
February 13, 2018
https://www.ghacks.net/2018/02/13/windows-defender-atp-comes-to-windows-7-and-8-1/

 

How artificial intelligence stopped an Emotet outbreak

More in blog post here :
https://cloudblogs.microsoft.com/mi...icial-intelligence-stopped-an-emotet-outbreak

 

Interesting link, but AppContainer will indeed not stop code injection, you need the "Protected Process" feature for this. But it will make it harder for exploits to succeed. But anyway, this thread is about Win Def, so I will stop about it.

 

Interesting. I wonder what will be done when a malware passed through the last DL layer. Just hope some MS experts manually examine them. Unfortunately it can't be avoided by the nature of ML.

 

@Martin_C ,

Any idea why Network Protection has stopped working for some of us?

 

I want to like WD but it failed several tests here - https://demo.smartscreen.msft.net/

Looks like I'll have to reinstall Norton.

 

What kind of test it failed? The URL Rep Demos?

You need to use Edge for SmartScreen URL Reputation.

 

I used Edge.

 

Everything worked fine here, I just tested it.

https://image.prntscr.com/image/coxCuDGiSZWn7O27HjXSUw.png

 

That shows one block which I can't read as I only know English, but if WD is working properly for you that's great.

 

All tests were blocked/behaved as they were supposed to with Edge browser and Defender for me Krusty

 

Try the test using IE11. Make sure SmartScreen is enabled in it.

There might be an issue with your Edge installation. Make sure SmartScreen is enabled in Edge.

 

A bit late for me to test now guys, as I'm in the process of cloning my original Win7 HDD to a SSD, just for fun. Can't wait to see if I can get that to work.

I've never been very patient.

 

I tested everything and everything was blocked, I posted only the exploit one (look at the adress bar) just to show how it worked at my end.