Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
dear guest, a lot of idiocies in your latest statement (e.g.: for you, waiting years to isolate WD's processes because they realized it can't even self-protect is good coding?¹) so fly down please...


¹in fact you simply ignore the underlying issues that have delayed the large-scale adoption of sandbox technology on its own processes
     
  2. guest

    guest Guest

idiocies? for you probably...now go out of the forum and go ask corporate admins and devs if they share your opinion...
how many struggles every time MS releases an update? to the point they block updates, preferring to be vulnerable rather than breaking the endpoints...

Come on, do you really consider Windows a well-coded OS? I don't remember having BSODs on other OSes...LOL

About WD, they change it every build: one day the process is located there, the next day it is located elsewhere, and the next one it is simply removed or replaced...
the WD sandbox? if it wasn't for Tormandy, they wouldn't care to protect WD processes...
Windows was never made for security, now they rush to catch up by implementing feature after feature, treating users as guinea pigs.

yes, so much for good coding and unity, Windows is a mess and users have to swallow it...
     
    Last edited by a moderator: Feb 19, 2019
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    If corporations were running their custom-made, specially configured software on another OS, it probably could not run at all, and even if it did, it would break with every update, just like Win Doze.
     
  4. guest

    guest Guest

Of course, if you develop custom-made software for a specific platform, you can't expect it to work on another...I don't see your point.
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    The point is that Windows is a pretty versatile OS, it supports a wide range of software. Although updates do break things, this is true of other OSes as well. Linux Manjaro is a good example. Lots of people left it because updates broke things. You have to read their forum before you even apply an update, or they call you stupid.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Case in point.

Windows Defender's self-protection vulnerabilities are well known and documented by the pen-testers. Microsoft's recent sandboxing of the WD engine is the current Microsoft "Band-Aid" lowest-cost solution response that is the norm these days. By sandboxing the engine, if it is compromised by malware, at least it can't be used to fully compromise the rest of the system using its kernel-level privileges. Microsoft then, as is also typical these days, "spins" this sandboxing as an exclusive and great advancement in security software. Whereas in fact, the major AV software vendor products have no need of doing so since their software is adequately self-protected.

    Bottom line is it is irrelevant as to Windows Defender's malware protection capability if it can be compromised by malware which is indeed the current state of affairs.
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Which AV cannot be compromised? The pen testers trash all the major AVs as far as I know. However, Defender is too easy to turn off. That's its weakest point, I think.
     
  8. guest

    guest Guest

    Being versatile is one thing, adding half-completed buggy features is another.

    If people are dumb enough to praise that, their business.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    No need to do that. You can just "neuter" it.

    Here's a recent bypass to join the long list of existing ones:
    https://www.elteni.com/how-we-were-...-a-windows-10-machine-to-get-a-reverse-shell/
     
  10. guest

    guest Guest

  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
If by security vendors you mean AV/AM vendors then I can dismiss you as having never worked in the security industry.
Since the majority of 3rd-party AV/AM cause more damage than they prevent, we can safely say it is not security software.

    I'm not sure if you mean sandboxing or self protection here, but WD does both. The main process is protected by the PSProtectedSignerAntimalware-Light template and foreign files are scanned in a separate sandboxed process.

    Dumbest statement 2019 right here.
    Imagine claiming you work in the security industry and then trying to say that a good coder produces a program with 0 exploits.
    I guess there are 0 good coders in the world then!
    Also, exploits are found in Linux and Linux related software that date back a decade.
    Just the other day a severe exploit was found in systemd that dates back a decade.
    Linux is not magical sauce.

    If you want to reduce exploits you need to use memory safe languages like Rust and Go.

    That's just fine for the majority of uses especially for the Sandboxie diehards.

    I agree this is annoying.

    Please don't spew BS. VMs are used where needed, and we can safely say there are more corporations not using VMs than there are.

    Did you actually read the article? The target machine needs to be fully compromised already.

    We tested MpCMDRun.exe as both a standard user and local administrator and found that local administrator access was required to run the MpCMDRun command.
     
  12. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,933
    Location:
    UK
    Contents and post of private message removed .. and content noted.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    You misinterpreted the statement. You just have to be running as a limited admin which after all, is the default Win installation account. MpCMDRun.exe needs admin privileges to run; acquiring same is no big deal as evidenced by the numerous malware attacks that have done so.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    But that is exactly the point. If malware has already attained admin privileges, and your security software did not detect it, your system is pwned. Gameover.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    If one is running as a limited admin which many are, UAC needs to be set to the highest level. How many users have UAC set to this level? If set to this level, do they have the "smarts" to deny the MpCMDRun.exe elevation request? Finally, the previous can be bypassed for example by using Win mechanisms that perform hidden privilege escalation such as Task Scheduler.
     
  16. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
Exactly, if malicious code is already running, your system is compromised and no self-defense or voodoo will change that.

    About third party antivirus self-defense:
    https://blog.silentsignal.eu/2018/01/08/bare-knuckled-antivirus-breaking/

Generic self-defense has always been "mehh" to say the least; Protected Process Light (PPL) is much more viable and functional.

About Windows Defender and Windows 10 security: they are much more powerful than some self-proclaimed experts believe. IMO most third-party security vendors are already obsolete and sooner or later won't survive in this mega-competitive market.

    @elapsed
    Thanks for your brilliant insights, it is very much appreciated.
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I agree. Antivirus self-defense is not something we want to base our security on. It's just a last-ditch attempt to avert disaster.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
For those not creatively inclined, this command-line alternative utility will allow you to run silently with highest privileges and bypass UAC:
    https://www.thewindowsclub.com/run-batch-files-silently-on-windows
     
  19. Spec7re

    Spec7re Guest

    @shmu26 and @Nightwalker
I agree with both of you. The way I look at it is that if your system is compromised it's too late and quite frankly it doesn't matter what the security solution is. WD IMO deserves more credit than it's being given. No product is perfect and will fail at some point. IMO it's fine and dandy to talk about these exploits and workarounds, but how many of those are directed towards home users vs businesses and governments? Probably not very many IMO. People still need to ensure that no matter what security solution they use, they still practice good, safe computing hygiene.
Like it or not, Microsoft is slowly making 3rd parties a thing of the past. You can kick and scream as much as you want, it's going to happen, if it hasn't already happened.


    @elapsed spot on post, agree with everything you said. :thumb:
     
  20. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
I'll say it one more time: To gain admin privileges the system needs to be compromised.
    You need to 1) Get past SmartScreen (unlikely for average joe) and 2) Get past Defender/Cloud Protection.

    At that point it doesn't matter how easy it is to elevate.

    Thanks but please note I do not profess to be an expert, I am also always learning and I am here looking for people to prove me wrong.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
Good lead-in for my next bypass posting which I believe still might work. BTW - this is my last such posting. Like I stated previously, there are plenty of postings on the web about these.

    First, SmartScreen's primary mechanism for trust is certificates. Of note:
    Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI
Ref: https://acmccs.github.io/papers/p1435-kimA.pdf

    Here is an e-mail based SmartScreen/WD bypass that I believe still might work: https://dzone.com/articles/pwned-by-a-shortcut . The beginning of the article states the difficulty of getting around SmartScreen certificate checking on downloaded executables. The author posts a link reference to a site which will give you all the info you need to create fake certificates to get around SmartScreen.

    All that is a bit of effort and I believe there is a better way to bypass SmartScreen altogether. Download to your target your payload without an executable suffix. Create a simple script that will first, use PowerShell to remove "The Mark of The Web" status: https://docs.microsoft.com/en-us/po...rshell.utility/unblock-file?view=powershell-6; bet you didn't know about that gem. Finally, rename your payload download to .exe.

    -EDIT- Forgot to mention if you are lazy and don't want to create your own hack certs., you can buy them here if operator is still in business: https://bitcointalk.org/index.php?topic=1927129.0
     
    Last edited: Feb 20, 2019
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    @itman we are lucky you are a white hat!
     
  23. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,933
    Location:
    UK
    Post removed.

    Please keep personal insults out of the thread.
     
  24. woodsy7909

    woodsy7909 Registered Member

    Joined:
    Jan 28, 2014
    Posts:
    7
    Location:
    United States
I don't agree with that assumption. I have seen in both the business and home user world that Windows Defender on its own (even with SmartScreen) isn't enough.

However, guest has pretty much covered what I wanted to say, so I'll just refer to his post. MS isn't a dedicated security company; 3rd-party vendors seem to have much better response times to new threats, and more advanced features in their products. Everyone has to evaluate their own needs when it comes to their security.
     
  25. guest

    guest Guest

it never was, will never be. Just look how Windows is designed:
- admin account by default! come on...Average Joe will give admin rights to everything...
- over-exploited PowerShell and LOLBins which home users won't ever need...
- network features (Remote Desktop, SMB v1 and co.) were enabled by default, wide open to exploitation (see EternalBlue/DoublePulsar/WannaCry)
- etc...etc...

all this shouldn't be enabled for home users.

This is the biggest BS ever seen in computing. Sure, MS just woke up and is trying to fix this, I give them credit, but the way they do it is ludicrous...adding more botched/half-baked features that need updates (as usual) to work properly instead of fixing what is already vulnerable by doing serious Q&A...

Remember Win98's 2-button user login bypass, WinXP and its weak firewall, Win7's ridiculous "Windows (antispyware) Defender" while malware writers feast on poor users; if security vendors weren't there (Norton, Avast, Kaspersky, etc...), I don't want to imagine the catastrophe.

I like Windows, it has been my main OS since I first used a computer, I was happy to see Windows Defender become a real antivirus in Win8, but the more I know, the more I see, the more I'm disappointed; to the point I'm almost disgusted.
Liking/using Windows doesn't mean I'm blind to the BS they do.

    Exact.
     
    Last edited by a moderator: Feb 21, 2019