Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    I assure you I'm not misunderstanding. If I allow malware to run (highly unlikely), my layers of security will alert me at the different stages the malware is trying to accomplish. With the level of experience and expertise I have (not even claiming to be expert, but at least quite savvy) I should be able to recognize that "something doesn't look right" and I will stop it from progressing.

    EDIT

It's also highly unlikely I'm going to allow a malicious process to run in the first place. I take measures and precautions to minimize the risk. I know you say: "what if this" and "what if that". Sorry, that's not a consideration for me.
     
  2. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387

    https://www.microsoft.com/security/...ith-behavior-monitoring-amsi-and-next-gen-av/
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
What I meant is that it's not about you and me. Most people only use AV for protection. So if the AV says a file is clean it will be allowed to run, especially if people trust it. And then it's game over for them. But people like us use multiple layers, so it's harder for malware to succeed on our systems.

Seems like this article is about Win Def ATP, and not about Win Def AV. When I speak about behavioral monitoring, I'm talking about tools that can block malware based on their behavior. For example, a tool like HMPA will block malware from performing process hollowing. And SpyShelter will block keyloggers from logging keystrokes. Most AVs don't monitor this stuff.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
Well, this is a security forum where the members discuss the security measures they have in place. I've never really considered those who use only AV for protection. It's the typical, mainstream approach used by millions, especially non-security enthusiasts.
     
  5. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    The behavior monitoring is a Windows Defender AV feature, the ATP component is independent of it.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    WD behavior blocking is nothing more than a myth.

If you doubt that, refer to the latest MRG Real-time test here: https://www.mrg-effitas.com/wp-content/uploads/2019/08/MRG_Effitas_2019Q2_360.pdf. Scroll down to the Exploit/Fileless Malware test section. WD missed a whopping 80% of the test samples. The only reason WD scored well on the test overall is that the Exploit/Fileless Malware test is for informational purposes only.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    So a Windows 7 VM was used? Please correct me if I'm missing something, but it appears Windows 10 was not used?
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Re-read the document again. Win 7 Enterprise was installed on the physical device with Win 7/10 virtual machines installed for testing.

    I assume MRG being an AV lab knows how to properly test software.
     
  9. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
Windows Defender on Win 7 is weaker, that's for sure.... They have to do a test with Windows 10 :)
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Okay, it's just that point 1. mentions: "One default install Windows 7 hardened virtual machine endpoint is created" is used in the exploit/fileless test. I did, however, see where a couple of the test cases for this were run on Windows 10, so fair enough.

    At any rate, Defender did receive a Level 1 certification. Also, I would never count on one security solution in my security approach. I've long considered antivirus and behavior blocking as somewhat inferior security solutions, although I do recognize they have a place in securing devices.
     
  11. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I read the document (again) and it is clearly stated that the Exploit/Fileless malware test was done in a Windows 7 virtual machine:


Considering that Windows Defender running on Windows 7 doesn't have proper AMSI support, we can easily conclude that this test wasn't fair to WD's protection.
     
    Last edited: Sep 21, 2019
  12. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
All Exploit/fileless tests were done in a Windows 7 hardened virtual machine, so this test is pretty unfair and unrealistic considering the AMSI and Windows Exploit Guard present in the Windows 10 version.

    Your security approach is spot on :thumb:
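The posts above argue over which Defender components (behavior monitoring, AMSI, Exploit Guard) were actually in play on the test VM. The script below is an added example, not part of the thread, that inventories those components on the local host so you can answer the same question for your own machine. It assumes Windows 10 with the Defender PowerShell module (Get-MpComputerStatus does not exist on Windows 7 / MSE, which is itself the point Nightwalker makes), and it assumes Defender's AMSI provider CLSID is the documented {2781761E-28E0-4109-99FE-B9D127C57AFE}; check that value against your own registry.

```powershell
# Added example (not from the thread): inventory the Defender features the
# posts above argue about on the local host. Run from an elevated prompt.
# Assumptions: Windows 10 with the Defender module; the AMSI provider CLSID
# below is Defender's documented one (verify under the Providers key).

function Get-DefenderProtectionSummary {
    $os     = Get-CimInstance Win32_OperatingSystem
    # Throws on hosts without Defender (e.g. Windows 7 running MSE).
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Every AMSI provider registers its CLSID as a subkey here.
    # Windows 7 has no AMSI, so the key simply does not exist.
    $amsiKey   = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    $providers = if (Test-Path $amsiKey) { @((Get-ChildItem $amsiKey).PSChildName) } else { @() }
    $defenderAmsi = '{2781761E-28E0-4109-99FE-B9D127C57AFE}'   # assumption: Defender's CLSID

    [pscustomobject]@{
        OSVersion              = $os.Version
        AntivirusEnabled       = $status.AntivirusEnabled
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        BehaviorMonitoring     = $status.BehaviorMonitorEnabled
        AMSIProviders          = $providers
        DefenderAMSIRegistered = ($providers -contains $defenderAmsi)
        ScriptScanning         = (-not $pref.DisableScriptScanning)
        ASRRulesConfigured     = @($pref.AttackSurfaceReductionRules_Ids).Count
        CloudBlockLevel        = $pref.CloudBlockLevel
    }
}

Get-DefenderProtectionSummary | Format-List
```

If BehaviorMonitoring or DefenderAMSIRegistered comes back false on a Windows 10 box, a third-party AV has probably taken over and put Defender into passive mode, so any "WD behavior blocking" result from that host is not measuring Defender at all.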
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
Then your eyesight needs to be checked. It clearly states at the end of the test scenarios that Win 7 and Win 10 virtual machines were employed in this test.

You quoted copyrighted material, which is a violation of this forum's rules. Your quoted reference is for one specific test. Each test will reference what OS ver. it applied to. Assumed if no specific OS is referenced, the test applies to both Win 7 and 10. Finally and most important, you imply that MRG would run a test for WD on Win 7. Just how would it do that since WD cannot be installed on Win 7? Bottom line - tests applicable to WD were performed on the Win 10 virtual machine, since in this testing scenario it is the only OS capable of running WD; and only those tests applicable to Win 10 were performed.
     
  14. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
Of course it is for one specific test, the exploit/fileless test, and it is running on Windows 7; the discussion wasn't about other tests.

    Please read the methodology for EXPLOIT/FILELESS TEST again and stop making a fool of yourself, your biased remarks are annoying.


    microsoft.com/en-us/microsoft-365/blog/2018/02/12/announcing-windows-defender-atp-support-for-windows-7-and-windows-8-1/
     
    Last edited: Sep 21, 2019
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    There are 10 specific exploit/fileless tests.

    -EDIT- I will repeat what I posted previously:
    Belaboring, the other AV's in the test would have been subjected to the Win 7 tests. Windows Defender would not be subjected to those tests since it does not run on Win 7.
     
    Last edited: Sep 21, 2019
  16. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    Exploit/Fileless cases, test #10, bottom of the page: Virtual machine specs - OS W10 x64/W7 x64
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    They used incredibly outdated software for the tests. Up to five years old in some cases. Actually Silverlight was seven years out of date! I realize they wanted to weaken the O/S this way to fully stress the security products, but software that outdated can hardly count as a "real world" O/S test platform. Their test O/S platform would be that of a completely careless and irresponsible end user. Probably a far more realistic test scenario would be an O/S with software six months-one year out of date.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Remember this is a test of commercial security products; not the consumer versions.

As incredible as it may sound, and regrettably so, I suspect there are still a number of SMB installations that have not patched their network endpoint devices against the test exploits used. Case in point: there are still thousands of endpoints, and possibly consumer installations, that still haven't applied the WannaCry OS patch.

Ad hoc Win 7 exploit testing can be done from this web site: https://www.wicar.org/test-malware.html . If using a browser with SmartScreen enabled, it must be disabled since it has blacklisted all the test downloads. Ditto with Firefox and Chrome, which do likewise. And again, unless you were running WD ATP on Pro or Enterprise vers., testing would be pointless since you would be running MSE.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Last year, MRG performed an exploit protection comparative here: https://www.mrg-effitas.com/wp-content/uploads/2018/05/MRG_Exploit_Protection.pdf .

Appears MRG used a "rebadged" version of the HitmanPro.Alert test tool for its tests/methodology. In this test, WD was run on Win 10 1709. Also, additional customized WD Exploit Guard mitigations were employed for select apps being exploited. WD only detected 12 out of 35 exploit tests w/o Exploit Guard mitigations for an effective score of 34%; the second lowest score. With customized app Exploit Guard mitigations employed, WD scored 19/35 or 54%.
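The "customized Exploit Guard mitigations" the post refers to are per-process settings applied through Set-ProcessMitigation, not a global switch. The script below is an added example, not from the MRG report or this thread, showing how such a per-application profile is applied, verified, and exported for deployment. It assumes Windows 10 1709 or later run from an elevated prompt; the two target binaries and the mitigation set are this example's own choices, not a recommendation from the page.

```powershell
# Added example (not from the MRG report or the thread): per-application
# Exploit Guard mitigations of the kind the post's "customized mitigations"
# column refers to. Assumptions: Windows 10 1709+, elevated prompt, and a
# target/mitigation map chosen for illustration. Test before enforcing.

# Legacy document readers are the classic exploit targets in these tests.
$targets = @{
    'AcroRd32.exe' = @('DEP', 'SEHOP', 'ForceRelocateImages', 'BottomUp', 'HighEntropy',
                       'EnableExportAddressFilterPlus', 'EnableImportAddressFilter',
                       'EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec')
    'WINWORD.EXE'  = @('DEP', 'SEHOP', 'ForceRelocateImages', 'BlockRemoteImageLoads',
                       'DisableExtensionPoints', 'EnableRopStackPivot', 'EnableRopCallerCheck')
}

function Set-AppMitigations {
    param([hashtable]$Map)
    foreach ($exe in $Map.Keys) {
        # Written to Image File Execution Options; takes effect for processes
        # started afterwards, so restart the application to pick it up.
        Set-ProcessMitigation -Name $exe -Enable $Map[$exe]
    }
}

function Show-AppMitigations {
    param([hashtable]$Map)
    foreach ($exe in $Map.Keys) {
        "== $exe"
        # Dep/Sehop/Payload carry the settings chosen above; ON/OFF/NOTSET per mitigation.
        Get-ProcessMitigation -Name $exe | Select-Object Dep, Sehop, Payload | Format-List
    }
}

function Export-MitigationPolicy {
    param([string]$Path)
    # Dumps the whole registry-backed configuration to XML. The same file can be
    # imported elsewhere with Set-ProcessMitigation -PolicyFilePath, or pushed by GPO.
    Get-ProcessMitigation -RegistryConfigFilePath $Path
    Get-Item $Path
}

function Get-MitigationEvents {
    param([int]$Max = 20)
    # Exploit Guard logs mitigation hits here; useful to see what actually fired
    # when a test exploit is replayed against the hardened process.
    Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

Set-AppMitigations    -Map $targets
Show-AppMitigations   -Map $targets
Export-MitigationPolicy -Path "$env:TEMP\exploit-guard-policy.xml"
Get-MitigationEvents | Format-Table -AutoSize
```

Two caveats a practitioner will hit: mitigations like EnableImportAddressFilter and the ROP checks can break legitimately obfuscated or JIT-heavy applications, and some only apply to 32-bit processes, which is why an audit pass per application matters before the profile is deployed to an estate.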
     
    Last edited: Sep 22, 2019
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
For those putting forth the effort to configure and implement WD's Attack Surface Reduction rules as a means to protect you, this article is definitely worth a read:

    Bypass Windows Defender Attack Surface Reduction
    https://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf
     
  22. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    Your point being ... ?
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    I read the article. Thanks @itman . I think the point being, for anyone wondering, ASR is clearly not perfect. I'm not sure if an attacker would write malicious code to specifically bypass ASR, but Microsoft needs to address this weakness to make it harder to bypass its defenses.
     
  24. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
With AndyFul's ConfigureDefender it is so easy to implement ASR rules that I don't see any reason not to do so; anyway, those rules don't need to be perfect to be useful.

The article itself concludes that ASR is effective against common Office and script malware, so why not use it?

I don't understand why itman demands flawless performance of Windows Defender's protection mechanisms; it is just a very good free integrated anti-malware solution, not a panacea.

    Btw, Microsoft is doing some very interesting advances in the deep learning area:

    https://www.microsoft.com/security/...w-methods-for-detecting-malicious-powershell/
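ConfigureDefender is a front end over the same Set-MpPreference / Add-MpPreference settings, so the rules can equally be rolled out and audited from PowerShell. The script below is an added example, not from the thread or from ConfigureDefender, that enables a set of ASR rules in audit mode, reports what they would have blocked, and then lets you flip the quiet ones to enforce. It assumes Windows 10 1709 or later with real-time protection on (ASR rules are inert without it) and an elevated prompt; the rule GUIDs are the ones Microsoft publishes for each named rule, and the name-to-GUID mapping should be checked against the current documentation before you rely on it.

```powershell
# Added example (not from the thread or ConfigureDefender): stage ASR rules in
# audit mode, review the 1121/1122 events they generate, then enforce.
# Assumptions: Windows 10 1709+, real-time protection on, elevated prompt,
# and GUIDs matching Microsoft's published rule list (verify before use).

$asrRules = [ordered]@{
    'Block Office apps from creating child processes'       = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office apps from creating executable content'    = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office apps from injecting into other processes' = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 API calls from Office macros'              = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block JS/VBS from launching downloaded executables'    = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of potentially obfuscated scripts'     = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block executable content from email and webmail'       = 'BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550'
    'Block credential stealing from LSASS'                  = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block process creations from PSExec and WMI'           = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
}

# Action values as Get-MpPreference reports them: 0 Disabled, 1 Enabled, 2 Audit, 6 Warn.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Set-AsrRules {
    param(
        [string[]]$Ids,
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action
    )
    # Add-MpPreference merges into the existing rule list (updating the action of
    # a rule already present). Set-MpPreference would replace the whole list and
    # silently drop every rule not named in the call, which is the classic foot-gun.
    foreach ($id in $Ids) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # -eq is case-insensitive, so GUID casing differences do not matter.
        $name = ($asrRules.GetEnumerator() | Where-Object { $_.Value -eq $ids[$i] } | Select-Object -First 1).Key
        [pscustomobject]@{
            Rule   = if ($name) { $name } else { '(not in this table)' }
            Id     = $ids[$i]
            Action = $actionNames[[int]$actions[$i]]
        }
    }
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    # 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
    # The message names the rule GUID, the process and the file or target involved.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

Set-AsrRules -Ids $asrRules.Values -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents -Hours 24 | Format-Table -AutoSize -Wrap

# After a clean audit window (no 1122 events from legitimate tooling):
# Set-AsrRules -Ids $asrRules.Values -Action Enabled
```

Running in audit mode first is what turns the "not perfect" objection into an engineering question: the 1122 events tell you which rules would break a line-of-business macro or an admin's WMI scripts, so you can exclude those paths (Add-MpPreference -AttackSurfaceReductionOnlyExclusions) rather than leave the whole rule off.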
     
  25. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
No one believes WD is perfect. Nothing is. Anything can be bypassed. Finding other such WD bypasses is not difficult, and upon reading this test or others like it one can see that WD is no different from other vendors. And furthermore, one might say these tests are evidence that WD has gained street cred and is targeted more as a result. Like here @ https://i.blackhat.com/us-18/Thu-August-9/us-18-Bulazel-Windows-Offender-Reverse-Engineering-Windows-Defenders-Antivirus-Emulator.pdf :isay:

    ASR consisted of 9 rules at the time of the sevagas test and now there are 15. I'd say that is progress. It actually offers quite a bit of protection for a free application.
     