Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

This: "ConfigureDefender will alert if any of your changes have been blocked." To double-check it took your chosen settings. I always review them before I re-boot, Also,the UI is a little bit fidgety when making selections.

 

Ok, so the refresh thing isn't needed when changing settings?

 

You can test the functionality of WD ASR rules here: https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground

My understanding is there is full ASR functionality on all Win 10 Pro+ versions. Such capability on the Home versions is suspect and really needs to be tested by someone.

 

Based on Andy's reply
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-832987

It would appear that they are all available in Home.

 

All ASR rules are available and fully functional on all SKUs and has been available ever since ASR was introduced with the 1709 branch.

It's one of the additional WD features that users really ought to enable.

 

Correct. And definitely.

 

I've enabled several ASR rules in Group Policy instead of using ConfigureDefender, and they seem to work as intended. One test, for example, from the site:

resulted in it being blocked with the Event Viewer entry under Applications and Services Logs >> Microsoft >> Windows >> Windows Defender >> Operational:

Code:

Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

 For more information please contact your IT administrator.

 ID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

 Detection time: 2019-09-06T22:36:33.307Z

 User: LENOVO-E580\MY USER ACCOUNT

 Path: C:\Users\MY USER ACCOUNT\Downloads\Block_Win32_imports_from_Macro_code_in_Office_92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B.docm

                Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

                Security intelligence Version: 1.301.677.0

                Engine Version: 1.1.16300.1

                Product Version: 4.18.1907.4

This is promising.

 

This is very good to know, that these rules can be implemented across the board Windows-wise. I used ghacks.net to configure several rules, one of which is to block (potentially) obfuscated scripts, another to impede VBS and JavaScript to launch executables. Wish AMTSO had the means to test some of these rules. If anyone knows where I can get a fake "obfuscated" script, please let me know.

Spoiler: gpedit.msc

 

Another block on "Block Office apps from spawning child processes":

Code:

Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.

 For more information please contact your IT administrator.

                ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

                Detection time: 2019-09-06T22:02:33.109Z

                User: LENOVO-E580\MY USER ACCOUNT

                Path: F:\Downloads\TestFile_OfficeChildProcess_D4F940AB-401B-4EFC-AADC-AD5F3C50688A.docm

                Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

                Security intelligence Version: 1.301.677.0

                Engine Version: 1.1.16300.1

                Product Version: 4.18.1907.4

so I'm rather convinced these ASR rules work. Thank you to everyone who posted about this, with a special thank you going to @Azure Phoenix who compelled me to dig deeper into this feature.

 

it works exept for the fact the gpo in home version is a huge pain since u can't manage rules like you would in a pro+ config, gpo manager can be enabled via some hacks though or else using an external manager (it is obvious that some protection will be missing since some features are prerogative of the pro version). Also at first glance these configuredenfender rules are very limited to the core and its redundant to check for changes in configure defender since u can set in 1903 "disallow any changes to wd", you would probably see if so tried to make changes (it would be cool if so tested its functionality and how it can be bypassed)
so=someone

some more WD rules to consider:
1. Block executable files from running unless they meet a prevalence, age, or trusted list criteria: 01443614-cd74-433a-b99e-2ecdc07bfc25

2. Use advanced protection against ransomware:
c1db55ab-c21a-4637-bb3f-a12568109d35

3. Block credential stealing from the Windows local security authority subsystem (lsass.exe):
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

4. Block process creations originating from PSExec and WMI commands:
d1e49aac-8f56-4280-b9ba-993a6d77406c

5. Block untrusted and unsigned processes that run from USB.
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

6. Block Adobe Reader from creating child processes.
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

and ofc u can prevent any process from creating child processes with the following rules:
7. Set-ProcessMitigation -Name C:\Apps\evil.exe -Enable
DEP, EmulateAtlThunks,
DisallowChildProcessCreation

I wonder how u can enable "prevent any changes to WD" via cmd-lets as this rule exist in the WD settings

 

At least some of them are working in Home, but there's not always a clear sign. In case of "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" rule, the sign was only that you cannot open an exe file until you see protection history to find what happened and temporarily disable the rule via Powershell. As is often the case w/ MS, poor UI.

Also what is happening in the exploit protection is not always transparent. An app is apparently working, but some functionality are restricted yet not all of them may be recorded in event viewer. A few examples: strict CFI for Firefox caused a problem when printing with some drivers, strict CFI for Adobe Reader blocked in-file search, child process restriction for SumatraPDF caused inverse search in sync-TeX doesn't work, and some mitigation for spoolsv, spolwow64, and/or PrintIsolationHost blocked advanced dialog for printing. All of them will be no problem for those who know what you're doing, but will be problem for most others and this is why I don't apply any of them to others' PC (only exception was forcing ACG for MSEdge & EdgeCP when graphic driver was WDDM1.1).

I also believe some Windows' processes should be whitelisted by default in Controlled Folder Access tho they may potentially be abused.

 

I'm using Win 10 Pro and have these rules set in Group Policy. The rule for blocking Block Execution of untrusted or unsigned executables inside removable USB media (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4) seems not to be enforced by this value. The test file I downloaded (I had to temporarily exclude the download path in Windows Defender first) and attempted to launch from my USB drive was blocked by my SRP policy. No surprise so I temporarily disabled SRP and tried again. This time Smart screen blocked it. So I temporarily disabled smartscreen and tried again. The file launched with no warning from the ASR rule, so clearly it's not working as expected. Other rules as I mentioned above are working fine so not all is meaningless with these rules. Still, I get the feeling Enterprise E5, as noted by Microsoft, is likely the most reliable way of utilizing ASR policies.

 

thats sad, usb malware (ie worms) is what worries me the most, Microsoft should do something about it, especially against bad usb type of attacks

 

It's not all that bad. SRP stopped it, and when I disabled that, Smartscreen stopped it. Also Windows Defender AV prevented the download until I excluded the download path. I also have autoplay disabled for all drives in Group Policy. There are lots of ways to defend against USB malware.

Edit

my apologies to the mods for my post #2462. The post didn't seem to have any enabled link in it before I posted. I've been aware of that lately. I guess I missed it.

 

I know about those but a powershell rule should work as expected, unless that malicious file was considered trusted and signed

all seams great but there are thousand of articles on how a newly feature can be bypassed (revolving around WD)
in my experience against real attacks WD was weak (disregard its just my opinion, some malware samples were not fully stopped like vbs malware, and it was a dangerous and effective site not bs for testing purposes, those bad bad ppl owned me if not for the VM)

also alot of confusion around versions, windows ATP works only on:
Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 E5

Windows Defender Application Guard (isolates browser sessions from the local device by running those sessions in a VM)
only on:
64-bit version of Windows 10 Enterprise, Education, or Professional.

so proper OP title should be
"Windows Defender for Enterprise E5 Is Becoming the Powerful Antivirus That Windows 10 Needs"
to that, I agree

 

Tried the same test on another machine and this time (after disabling two extensions) WD did block the test site. Not sure why it didn't work on my first machine but it is running another AV for now (for reasons not related to this test).

 

Suspect this:

Is condition upon this:

That is; "untrusted or unsigned executables."

 

I'm not sure. I would have expected the ASR rule to block the executable from the USB drive after I disabled Smartscreen in Group Policy. After each GP edit, I run from elevated command: gpupdate /force

The Microsoft link I posted in #2437 clearly states that ASR rules can only be used in Enterprise E3 & E5, but I've had success with several of them working in Pro and others in this thread are successful with Andy Ful's ConfigureDefender utility on Home versions.

 

Process trust status has always been determined by SmartScreen. The problem with native SmartScreen processing in Win 10 is it is conditioned upon "mark of the web" status; i.e. process was previously downloaded from the Internet. Since executable's stored on a USB drive would in all likelihood would not have MOTW present, these zipped past default SmartScreen checking. All this ASR mitigation is doing is basically telling SmartScreen to scan all execs on the drive at execution time regardless of MOTW status.

 

One other thing about native SmartScreen. I certainly wouldn't rely on it as detecting anything in regards to malware. Running as a medium integrity process, it can be easily suspended by malware. If you have doubts about this, open Process Explorer and do likewise. Windows will auto un-suspended it after a while, but malware would already be running by that time.

 

Yes, I'm pretty sure this mark is only tagged on NTFS drives. I just downloaded a file directly to a FAT32 formatted flash drive for a test to make sure that is still the case and it was not marked.

 

Thank you @itman for clarifying how smartscreen factors into the ASR rule for blocking untrusted/unsigned executables from USB drives.

Smartscreen's purpose, the way I understand it, is too warn the end user of potentially harmful websites they are attempting to visit or to warn against the downloading of potentially harmful files or apps. It's not meant to be a safeguard after malware is already "live" on the device.

Anyway, I do not rely on Smartscreen as my main defense arsenal on my device. Not even close. SRP, OSArmor, my software firewall, hardened browser, LUA with UAC and Windows Defender, including the ASR rules that I know work, form my main security setup. Of course recent images of the entire O/S is the safety net if something does compromise me.

 

At least "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" (01443614-cd74-433a-2ecdc07bfc25) seems to work independently to execution once evoked (tho the first attempt to execute will be required to evoke the rule), because when it's working you can't even view the file property with right click. You just get the you-can't-open-the-file dialogue. It is also independent from WD's exclusion ofc. Indeed, once evoked you can't even add the file to exclusion until the rule is disabled.

 

Do you know how this works? It did catch my interest a while back.

Do you have to build a whitelist for it? How does it determine what is a trusted process? Ditto for age and prevalence. Is it using SmartScreen to determine all the aforementioned?

-EDIT- This pretty much explains how it is done:

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/1593#issuecomment-443309686

Now the question is where is this MS cloud update coming from? I can see no problems with WD ATP. But with plain WD, I am suspicious that an internal trust list even exists or this cloud updating is occuring.

 

Anyone noticing the "quick scan" is taking a much longer time to complete? It was taking 30 seconds up to maybe a minute; just now, it took 6 minutes 46 seconds for 32,853 items. Haven't cleared the cache either.

Have been noticing an increased scan duration over the past couple of days. There are no other processes running in the background, not even a browser open.