Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. 142395

    142395 Guest

    @itman You know, as it's the Home version, the only possible paths are either WD cloud protection or SmartScreen. I have currently no time to test, maybe someone can?
    In my case the file seemed to be whitelisted after 10 days or so (ofc IDK how many ppl had downloaded the file during this).

    Now seeing protection history, my guess of independence was wrong. The reason that trying to add the file to exclusion was blocked seems to be that ASR regarded this as an execution attempt by PickerHost.exe, because protection history says PickerHost.exe was blocked by "user ASR" for the exe file. Similarly, right-click to view file property was regarded as the attempt by explorer.exe. There are also similar records for svchost.exe, but I don't remember what operation it corresponds to.
     
  2. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    735
    Location:
    South Park, CO
    Yes, I've noticed the quick scan time is around 4.5 minutes for me now, but used to take around 2 minutes before. It shows around 22,000 files scanned, about double what it used to be. (I use a .bat file to update and quick scan once per day, on an i3 laptop w/ 1 TB mechanical disk drive.)
     
  3. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Seems to me like it's a huge missed opportunity - whitelist only, and CFA not done on a per-app basis. Also, I want to be able to control application internet access separately from network shares for a given application, to allow file access but not exfiltration.
     
  4. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Thank you for confirming you have the scan slow-down also, SouthPark. Just as well, I'll use another, faster scanner for now. It seems, from what I've just read here, that Windows 10 1909 is going to show up in the next few weeks. Let's see what happens.
     
  5. 142395

    142395 Guest

    CFA works smoothly once you have whitelisted all apps that need to modify your docs etc. Yet, sure, MS should whitelist some Win processes such as Pickerhost, explorer, svchost etc. Maybe they should expand the list more to include some popular software including Chrome's updater (setup.exe). To my surprise, Visual Studio Code is whitelisted by default, looks like MS-signed products are favored by CFA.
     
  6. 142395

    142395 Guest

    Apparently the ASR "Block executable" rule blocks not only CreateProcess but also CreateFile API. I wonder if there's a way to abuse this to execute sth or it's simply a mistake of MS.
     
  7. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Good article. Thanks @Martin_C . It just goes to show it's highly worthwhile enabling ASR rules.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I also believe that a lot of people don't realize that file-less malware will always need to run inside a process. This means process-monitoring done by behavior blockers is very important. The tricky part is when fileless malware manages to run inside a process with high privileges.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Well the Gootkit banking trojan's infection vector appears to be email with a .js attachment.

    Don't open the attachment and the threat is a non-factor right from the get go.

    If the attachment is opened, in my case SRP will not allow .js scripts to run. Another non-factor.

    If the script is successfully run the malicious executable is dropped into a Temp folder and extracted, then somehow executes. They talk about process hollowing in a suspended state and some other technical buzzwords that look as though they're inspired by a sci-fi thriller. At any rate, I've no interest whatsoever in what damage malware can do once it's run. I'm only interested in simply not allowing it to run in the first place, and this particular trojan, like so many others, seems like a complete non-factor if some default-deny security strategy and a dose of common sense is applied.
     
  12. 142395

    142395 Guest

    An anonymous alleged insider of the AV industry admitted the BB is still a signature-based technology (yes, they mostly rely on behavior signatures) and thus can easily be bypassed. The only really proactive solution is locking down apps to allow minimal capabilities, which is achieved by e.g. sandbox, ASR, or AppArmor/SELinux.
     
  13. 142395

    142395 Guest

    IIRC, setting UAC to max should also foil the technique.
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Right I had forgotten about that one. Thanks.
     
  15. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Just curious: Where do the hex keys come from as seen in the ghacks list and in post#2460 by lucd?
    I put both lists into ASR settings via gpedit. Time will tell how it'll work with OSA on board (so far with only default settings).
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    AFAIK they are Microsoft derived.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction
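    The "hex keys" asked about above are the ASR rule GUIDs, and the "protection history" entries 142395 describes earlier in the thread are ASR events in the Defender operational log. The PowerShell below is an added example (not from any poster) that lists the GUIDs configured on a machine with their action, then pulls recent ASR block/audit events so each blocked path can be tied back to its rule GUID; it assumes the documented log name and event IDs 1121/1122, and that the event text carries the rule GUID after "ID:" and the target after "Path:".

```powershell
# Added example: configured ASR rule GUIDs plus recent ASR events.
# Run in an elevated PowerShell on Windows 10 with Microsoft Defender active.

function Get-ConfiguredAsrRules {
    # Get-MpPreference exposes the GUIDs and actions as two parallel arrays.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }   # other values left numeric
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $a = [int]$actions[$i]
        $label = if ($names.ContainsKey($a)) { $names[$a] } else { $a }
        [pscustomobject]@{ RuleId = $ids[$i].ToLower(); Action = $label }
    }
}

function Get-RecentAsrEvents {
    param([int]$Hours = 24)
    # 1121 = an ASR rule blocked an operation; 1122 = a rule in audit mode would have blocked it.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the rendered message contains 'ID: <rule guid>' and 'Path: <target>'.
        $ruleId = ''
        $path   = ''
        if ($_.Message -match 'ID:\s*([0-9a-fA-F-]{36})') { $ruleId = $Matches[1].ToLower() }
        if ($_.Message -match 'Path:\s*([^\r\n]+)')       { $path   = $Matches[1].Trim() }
        $mode = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = $mode
            RuleId = $ruleId
            Path   = $path
        }
    }
}

Get-ConfiguredAsrRules | Format-Table -AutoSize
Get-RecentAsrEvents -Hours 72 | Format-Table -AutoSize
```

    Joining the two outputs on RuleId shows which configured rule produced a given block, the same information the protection history pane summarises as "user ASR".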
     
  17. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Thanks. Ghacks had the same gpedit instructions I used on my Windows10-pro-1809. The link you gave me is interesting - just more info than I read about before. This thread is very useful to me. Thanks to all :)
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Someone on another forum related to me that with WD self-sandboxing feature enabled, a lot of his test malware samples weren't being detected. Anyone else have like findings/experiences?
     
  19. guest

    guest Guest

    How to Enable Ransomware Protection in Windows 10
    September 16, 2019
    https://www.bleepingcomputer.com/news/microsoft/how-to-enable-ransomware-protection-in-windows-10/
     
  20. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Windows Defender Antimalware v4.18.1908.7 released. As so often now, has some issues.

    https://www.howto-connect.com/windows-defender-antimalware-version-4-18-1908-7-released/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+howtoconnect+(How+to+Connect)

    Do not plan to use WU to get it though. If you do not want to use WU, then go here and download all 3 exes, then see each one's Properties and install your version.

    https://www.catalog.update.microsoft.com/Search.aspx?q=defender

    Mine is this one e0d751e5dc67f08a4e41798457480bc8810c679b.exe (Win 10 Pro x64 1903).

    Robert
     
    Last edited: Sep 16, 2019
  21. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Thanks for the notification and the catalog links, Roberteyewhy! I did, in fact, go and install the latest Defender version via Windows Update. Zip, zip and it was done. I've noticed an increasing intolerance on Microsoft's part with third party tweaks to its various apps (Edge.old, Store, etc). Once I undid some of mine, I've had no additional issue with updates (yet). Expecting a smooth transition to 1909 (I hope).:thumb:
     
  22. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    You are welcome, plat1098.

    Well, v1908 still does not fix the sfc errors. Had to use the DISM commands to fix it. Everything else fine.

    Robert
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    One of the issues is when Applocker is enabled (same applies to Software Restriction Policies), the downloads may get blocked, so they advise a Path rule as follows:

    Code:
    %OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\*
    A stronger rule would be:

    Code:
    C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\*.dll
    and
    Code:
    C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\*.exe
    Even stronger yet:

    Code:
    C:\ProgramData\Microsoft\Windows Defender\Platform\?.??.????.?-?\*.dll
    and
    Code:
    C:\ProgramData\Microsoft\Windows Defender\Platform\?.??.????.?-?\*.exe
    The last set of Path rules would be for the more paranoid, and probably unnecessary, but they are indisputably stronger nonetheless.
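    A quick way to see what these wildcard patterns actually cover before committing them to AppLocker or SRP, as an added example that is not part of the post: PowerShell's -like operator uses the same "*" and "?" wildcards, so the patterns can be tested against a constructed list of paths and then against the live Platform folder (default location assumed).

```powershell
# Added example: check which of the proposed Defender Platform path patterns
# cover a set of file paths given relative to the Platform folder.
function Test-PlatformRuleCoverage {
    param(
        [Parameter(Mandatory)][string[]]$RelativePaths,
        [string[]]$Patterns = @(
            '*.*.*.*\*.dll', '*.*.*.*\*.exe',              # the "stronger" set
            '?.??.????.?-?\*.dll', '?.??.????.?-?\*.exe'   # the "even stronger" set
        )
    )
    foreach ($rel in $RelativePaths) {
        $hits = @($Patterns | Where-Object { $rel -like $_ })
        [pscustomobject]@{
            RelativePath = $rel
            Covered      = ($hits.Count -gt 0)
            MatchedBy    = ($hits -join ' ; ')
        }
    }
}

# Constructed sample (not taken from a real machine): a plausible version
# folder plus a few paths a rule author should see handled explicitly.
$sample = @(
    '4.18.1908.7-0\MsMpEng.exe',
    '4.18.1908.7-0\MpClient.dll',
    '4.18.1908.7-0\Drivers\WdFilter.sys',   # not exe/dll: outside both sets, as intended
    '4.18.1908.7-0\MpCmdRun.exe.config',    # does not end in .exe: not covered
    '4.18.1908.7-0\tools\extra.exe',        # nested folder: '*' spans subfolders, both sets match
    '4.18.20000.7-0\MsMpEng.exe'            # version shape drift: only the '*' set still matches
)
Test-PlatformRuleCoverage -RelativePaths $sample | Format-Table -AutoSize

# Against the live folder (assumes the default Platform location).
$root = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
if (Test-Path -LiteralPath $root) {
    $live = Get-ChildItem -LiteralPath $root -Recurse -File |
        ForEach-Object { $_.FullName.Substring($root.Length).TrimStart('\') }
    Test-PlatformRuleCoverage -RelativePaths $live |
        Where-Object { -not $_.Covered } | Format-Table -AutoSize
}
```

    The last sample line is the practical caveat of the "?" patterns: they pin the exact digit count of the version folder, so a future platform version with a different shape would stop matching and the Defender binaries would be blocked until the rule is revised.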
     
  24. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well, a week ago, I complained about Defender taking way longer than usual (over 7 minutes) for a routine "quick" scan. Now it's the other extreme. Check this (edit: did sfc /scannow, no integrity violations):

    [attached screenshot: defender really quick scan.PNG]

    Mind you, if this is legit, I'll take it (yep, right) but I read around like on the Microsoft forum and this appears to be an anomaly. Anyone else?
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    It's strange that only 8 files got scanned so I would say it's an anomaly.
     