Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Windows 10, version 1803 has five new Attack surface reduction rules:

• Block executable files from running unless they meet a prevalence, age, or trusted list criteria
• Use advanced protection against ransomware
• Block credential stealing from the Windows local security authority subsystem (lsass.exe)
• Block process creations originating from PSExec and WMI commands
• Block untrusted and unsigned processes that run from USB

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard

Example:

Set to rule "Block untrusted and unsigned processes that run from USB" with powershell:

Set-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled

To insert other rules use the command below:

Add-MpPreference

Verify:

Get-MpPreference

The Set command will always overwrite the existing set of rules while the Add command adds to it without overwriting existing rules.



The rule "Block untrusted and unsigned processes that run from USB" in action:



ConfigureDefender is not signed.

 

Tnx

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus

Has anyone enable e-mail scanning?

 

http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html

 

Running w10x64 1803 (17134.48 ) .
When trying to open defender UI or WDSC the wait cursor starts flashing and MsMpEng.exe is consuming a lot of memory.
First observed after installing definitions 1.267.1203.0.

Anyone else facing this issue?

 

OK my bad, must have missed this, thanks. But it seems like a must have feature for security tools, so if it's easy to implement for third parties, I doubt they won't do it.

Quite clever attack.

 

Microsoft uses Windows Defender Antivirus to boost malware protection.

Much more in blog post here : https://www.microsoft.com/itshowcas...efender-Antivirus-to-boost-malware-protection

 

AV-Comparatives has published chart and report with their results for April 2018 Real-World Protection Test :

Testing are on Windows 10 1709 Fall Creators Update 64bit.

Chart : http://chart.av-comparatives.org/chart1.php?chart=chart2&year=2018&month=4&sort=1&zoom=3

Full report : https://www.av-comparatives.org/wp-content/uploads/2018/05/avc_factsheet2018_04.pdf

Microsoft doing very well. Zero malicious samples managed to compromise the test system.
8 user-dependent samples and everything else auto-blocked.

 

Video from Microsoft with demonstration of how OneDrive Files Restore and Windows Defender takes ransomware protection one step further :

The video - Ransomware Protection with Windows Defender and OneDrive - are found here :

Code:

https://m.youtube.com/watch?v=QRb4bKUwoB8

(link to blog post about this feature are posted here)

Excellent integration between the products.

 

Is Windows Defender Mature Enough to Replace Third-Party Anti-virus/Anti-malware?

http://www.itprotoday.com/industry-...gh-replace-third-party-anti-virusanti-malware

 

Well I've been using windows 10 for the past 3 years and 8.1 for 2 years and during the use of windows 8.1 i had to use several antiviruses mainly avast and the then i came to know about the bit defender. Bitdefender was a good anti virus, since it did not slow done my pc performance at all but was a powerful malware detector. It was a fee software, well an update cam during my use and thereafter i couldn't use it any more. Then only i started to install windows 10 , this had the in built windows defender initially it was not good but the recent versions are much better, it can detect vast areas of malware and best thing is that it doesn't slow down the pc when it runs background .Hope it will grow well in the future.

 

Question. Is the improvement in performance in Windows Defender AV applicable only to the Windows 10 environment or would that also be as true for Windows 8.1? I know that Windows Defender in Windows 7 is an entirely different animal, being just a rebrand of Security Esssentials which was never very good. I have a client that I am reinstalling Windows 8.1 for on an HP AIO. They had been using Kaspersky but they don't have the product key anymore to be able to reinstall it. So I'm looking for something free and effective that doesn't nag.

 

Cool, but what about the SE Labs test where Win Def performed poorly together with Webroot? Do you have any comments on this?

https://www.wilderssecurity.com/threads/se-labs-home-anti-malware-protection-q1-2018.403678/

Cool, but it's time to put Win Def ATP to the test! I would like to seem them participate in tests done by NSS Labs and MRG for example.

It's crap on Win 8.

 

Notable point you bring up. NSS Labs specializes in Endpoint testing. As such, one would assume that at least Win 10 Pro would be employed as the host OS.

Until WD ATP effectiveness can be verified through independent lab testing, Microsoft's statements about it amount to nothing more than marketing "hype."

 

Hi Rasheed,

I see that you got response from the usual drama seeking crowd across several other threads.

A friendly advice, don't waste too much time on them.

 

The latest MRG Effitas test has been published - the MRG Effitas 360 Degree Assessment & Certification Q1 2018.

Microsoft doing very well.

In the "Q1 2018 In the Wild 360 / Full Spectrum Test", Microsoft successfully auto-blocked 99.1% of malicious samples and additionally 0.3% behavior block, bringing Microsofts combined block rate to 99.4%
One additional sample was blocked within 24 hours.
And only one single sample was missed.

In the PUA test, 32 samples was tested.
With 31 auto-blocks and 1 behavior-block, Microsoft blocked all test samples.

Full report : https://www.mrg-effitas.com/wp-content/uploads/2018/05/MRG-Effitas-2018Q1-360-Assessment.pdf

 

@Martin_C

The document date is now 05/17/2018:



https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction

Why the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" was not deleted?

https://www.wilderssecurity.com/threads/dll-injection-methods-test-apps-discussion.400434/page-5#post-2755832

 

Hi Sampei Nihira,

Yes, I know specific pages has been updated. That doesn't mean everything are fully updated.
Microsoft Docs are huge. Tons of pages needs updating, as you can see when looking through various sections.

Rapid rolling releases like Windows 10 are great for developers but nightmare for those doing the documentation.
Tons of developers across every aspect of Windows improving and changing existing code while also implementing new features.
The Docs team can't be ahead of time, because features change frequently during insider builds.
When new branch are declared stable and released, then developers are already full speed working on features for next series of insider builds for next upcoming branch.

Some features works differently on different SKUs.
Some features are documented for everybody, some features only for partners and some only for internal use.
And in an ideal world, all documentation should be fully updated every six months.

Give them time. It's an insane amount of work, keeping documentation of this size updated.

 

Thanks for your explanation.

 

Windows 10 x64 1803
The last couple days I am getting lots of blocks from Windows Defender, all related to lsass.exe

For instance:
Windows Defender Antivirus has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2018-05-21T15:27:25.803Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\lsass.exe
Process Name: C:\Program Files\Macrium\Common\MacriumService.exe
Signature Version: 1.267.1712.0
Engine Version: 1.1.14901.4
Product Version: 4.16.17656.18051

I get similar blocks for VMware and other programs.

Why is this happening, and what to do?

 

You have the ASR rule active and then it seems working.

The ID confirms it.

This seems in contrast to what Martin_C writes.

Help !!!

P.S.

 

It just means that the rule has now been activated by Microsoft.
ASR changes are pushed out with signatures.

So Docs was in fact spot on with the update.

 

I enabled the ASR rule with Powershell.
Important.
Exclusions do not apply to this rule.