Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Right, no need to manually check for updates.
    No need to increase the frequency of checking for updates, as there are usually only signature updates every 8 hours.
    WD does its job mostly in the cloud.
     
  2. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    219
    But it seems it's not updating automatically, last update was about 12 hours ago...

    I have the Cloud-delivered protection disabled (MAPS disabled in the GP). Could that be the cause of not getting automatic updates?
     
  3. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    657
    Location:
    Milan, Italia
    1. As stated in post #2469 above, WD only updates once, maybe twice a day on average. It is not a continuous stream of updates.

    2. You have disabled the most important protection module of WD - cloud protection.

    3. Please enable cloud protection and quit worrying about how many signature updates you are receiving. Otherwise, you should find another AV.
     
  4. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Doesn't matter, because WD is not recommended with cloud disabled.
     
  5. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,171
    Location:
    Canada
    https://avlab.pl/PDF_avlab/AVLab-Test-of-software-for-online-banking-protection.pdf

    Defender did horribly here; wonder if using ConfigureDefender would make any difference?
     
    Last edited by a moderator: Nov 1, 2019
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Apparently not.
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Does WD even have any dedicated banking protection?
     
  8. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    It does not.
     
  9. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
    This test is from Feb 2019; MS has already fixed it and added other stuff in the cloud to break the chain for banking malware.

    https://www.microsoft.com/security/...based-blocking-stops-attacks-in-their-tracks/

    If you apply the ConfigureDefender settings for WD, then in most cases the infection chain in the wild will be broken before the banking payload can enter the system.
     
  10. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    All tested products stopped 13/13 of the in-the-wild banking trojans.
    So no download, no payload, no exploit either...
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If that was the case, there would be no need to perform the other tests of which WD scored 2/11.

    Likewise, WD wasn't certified for banking use by MRG since it consistently fails the Botnet test: https://www.mrg-effitas.com/wp-content/uploads/2019/08/2019Q2-Online-Banking.pdf
     
    Last edited: Nov 2, 2019
  12. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Indeed.
    If a trojan is stopped in the first place, there is no need to "test" what could happen.
    If malware makes it to the machine, the AV has failed.

    BTW:
    All successful banking fraud I have seen was done by social engineering.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I think it's best to end this discussion, because I have no idea what you're talking about. Process hollowing is simply one way to perform code injection, nothing more and nothing less. You can even read about it in the link that you posted, and here is another one:

    https://www.endgame.com/blog/techni...-technical-survey-common-and-trending-process

    What doesn't make sense? Fact is that malware writers came up with process hollowing because a lot of security solutions didn't monitor for code injection from parent to child process. Also, EDR is simply a way of recording behavior that may be suspicious; it watches for things like process hollowing, process execution, file modification et cetera. So yes, it's based on behavior monitoring.
     
  14. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
    @Rasheed187 have you read the article in my previous post?

    https://www.microsoft.com/security/...based-blocking-stops-attacks-in-their-tracks/

    Since deployment, the behavior-based machine learning models have blocked attacker techniques like the following used by attacks in the wild:

    • Credential dumping from LSASS
    • Cross-process injection
    • Process hollowing
    • UAC bypass
    • Tampering with antivirus (such as disabling it or adding the malware as exclusion)
    • Contacting C&C to download payloads
    • Coin mining
    • Boot record modification
    • Pass-the-hash attacks
    • Installation of root certificate
    • Exploitation attempt for various vulnerabilities

    It also states WD protects against process hollowing......
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  16. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
    Last edited: Nov 3, 2019
  17. 142395

    142395 Guest

    @Rasheed187
    TL;DR: BB & ML are fundamentally different. What I say is inferior (but only against sophisticated targeted attacks) is BB from the beginning.

    PH & EDR are much more than that - your oversimplified description ignores some important aspects, so it fails to explain the difference from similar terms such as PD or NGAV. Okay, I just hope you don't lose the willingness to understand how attack & detection work internally. At least remember one thing: what BB monitors are sequences of API calls & resource accesses, NOTHING ELSE! So there's no such thing as "monitoring code injection to child"; even the elementary article you linked is enough to understand this (1). There are already numerous ways to be EVENTUALLY called "injection to child" BY HUMANS; some HAPPENED to be called PH, others got other names or none. It's trivial to block the basic PH technique; the real challenge is that nobody knows how many different ways there are. I doubt you know there have been ITW techniques LATER classified as PH by researchers - can you see why I used PH without hollowing as an example (2)? The only existence who can analyze behavior and who has a sense of what is suspicious is a human, though ML is getting closer (3). The security industry now publicly admits past solutions haven't analyzed behavior in the true sense - the fact you don't understand the technical details doesn't make fundamentally different techs the same (4); actually anti-exploit is closer to BB than ML from a technical standpoint (5).

    If you understand these, you'll see your last question was already answered by MS - if you're the 1st victim you're not protected without WD-ATP, because the PH technique used was a new one which bypassed the behavior sig of WDAV (the detection source was EDR). But if you're hit later, you're probably protected because ML had made a sig of the technique and it could be distributed to home WDAV too.

    (1) Still don't get it? Try to translate your vague words into programmable words like "If a call of NtCreateUserProcess was followed by...". You can build a hierarchical model and call a union of some sequences "injecting into child", but then the question becomes whether the lower-level model is comprehensive. A program can "monitor injection to child" only if there is a known, finite number of ways to do that.
    (2) In case you have no idea about hollowing, it's the 3rd item of slide #20. One example that used this was a variant of QtLoader.
    (3) Almost all EDRs assume manual inspection by a human, which is why they're usually packaged with advanced support. The role of ML is to reduce that burden.
    (4) There are too many differences between BB & ML; one example is data poisoning, which doesn't matter to BB. Another is privacy: most ML solutions take various contexts into account. There is already "tailored protection" for corporations which learns their computer & network use to make more accurate decisions. Furthermore, BB is prompt to react as it doesn't analyze behavior, while ML takes time. It's possible some early statistical models such as HMM have been implemented in BB, but that's not comparable to modern ML.
    (5) They are similar in many aspects. Off-the-shelf attacks & ROP are based on the same idea of using trusted code, so the similarity is not a coincidence. Moreover, ROP often uses heavily monitored (by BB) APIs such as VirtualAlloc, WriteProcessMemory, etc., while AtomBombing usually requires ROP, and PH using shared memory is similar to an exploit in manipulating the return address. As a result, the boundary is becoming less clear. It's not surprising some AV vendors place AE as a part/extension of BB. On the contrary, ML has been involved in & has changed all protection layers.



    [EDIT] As you don't know that (a) most researchers don't give a special name like PH to a technique they found, (b) attackers have nearly infinite ways to achieve their goal if they don't mind doing advanced stuff, and (c) the boundary of AE & BB is becoming less clear, I've found an expert's article written in plain English.
    Also, as you confuse BB & ML, this paper will be the best to understand what BB does. It briefly mentions ML too, as an auto-generation tool for behavior sigs, though modern ML is much more than that. There are also other papers & patent descriptions by security vendors; all support that BB is for known patterns exhibited by at least one known malware.
     
    Last edited by a moderator: Nov 6, 2019
  18. 142395

    142395 Guest

    Everyone can claim his product protects from PH (or any other technique); what matters is how far it covers & how it avoids causing FPs. Like UAC bypass, PH is no longer a specific technique. E.g. if a product blocks the VirtualAllocEx→WriteProcessMemory way of injection but misses techniques using NtMapViewOfSection (an example of criminals simply shifting to another way once something starts being monitored), it means the claim was actually "it blocks the very basic PH only". The ML guys at MS are excellent, but note these articles only report successful cases; they don't advertise failures, of course.
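The point made in the two posts above (a behavior blocker matches sequences of API calls, and a rule written for the VirtualAllocEx→WriteProcessMemory chain says nothing about a section-mapping variant) can be shown with a toy rule engine. This is an added example and not code from the thread, from Microsoft or from any vendor; the two call traces are hand-written for illustration and the rule names are my own.

```powershell
# Added example, not from the thread: a toy behaviour-blocker rule engine that
# matches an ordered sequence of API calls in a per-process call trace.
# Both traces below are constructed by hand for illustration, not captured malware.

# Rule A: the textbook hollowing chain. Calls must appear in this order; unrelated
# calls may sit between them. A real BB also keys on arguments (CREATE_SUSPENDED,
# the same target handle, PAGE_EXECUTE_READWRITE), which this toy ignores.
$RuleBasicHollowing = @(
    'CreateProcessW',        # child created suspended
    'NtUnmapViewOfSection',  # original image carved out of the child
    'VirtualAllocEx',        # fresh region allocated in the child
    'WriteProcessMemory',    # payload copied into it
    'SetThreadContext',      # entry point redirected to the payload
    'ResumeThread'           # child resumed
)

# Rule B: a broader shape that ignores how the bytes got into the child.
$RuleSuspendRedirectResume = @('CreateProcessW', 'SetThreadContext', 'ResumeThread')

# Constructed trace 1: the basic technique from every tutorial.
$TraceBasic = @(
    'CreateProcessW', 'NtUnmapViewOfSection', 'VirtualAllocEx',
    'WriteProcessMemory', 'WriteProcessMemory', 'SetThreadContext', 'ResumeThread'
)

# Constructed trace 2: same goal, but the payload sits in a section object that is
# mapped into the child, so VirtualAllocEx / WriteProcessMemory never occur.
$TraceSection = @(
    'CreateProcessW', 'NtCreateSection', 'NtMapViewOfSection', 'NtMapViewOfSection',
    'NtUnmapViewOfSection', 'SetThreadContext', 'ResumeThread'
)

function Test-ApiSequence {
    param(
        [Parameter(Mandatory)] [string[]] $Trace,
        [Parameter(Mandatory)] [string[]] $Rule
    )
    # In-order subsequence match: advance the rule cursor only when the next
    # required call shows up; everything else in the trace is skipped.
    $next = 0
    foreach ($call in $Trace) {
        if ($next -lt $Rule.Count -and $call -eq $Rule[$next]) { $next++ }
    }
    return ($next -eq $Rule.Count)
}

foreach ($t in @(
        @{ Name = 'basic-hollowing'; Trace = $TraceBasic },
        @{ Name = 'section-mapping'; Trace = $TraceSection })) {
    '{0,-16} ruleA={1,-5} ruleB={2}' -f $t.Name,
        (Test-ApiSequence -Trace $t.Trace -Rule $RuleBasicHollowing),
        (Test-ApiSequence -Trace $t.Trace -Rule $RuleSuspendRedirectResume)
}
```

Rule A matches only the first trace; rule B matches both, but it also matches a debugger or any loader that creates a process suspended, fixes up its context and resumes it, which is exactly the false-positive cost the post above is pointing at. Widening the rule buys coverage of today's variant and pays for it in FPs; narrowing it is what lets the next variant through.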
     
  19. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    219
    What exactly does WD's "Cloud-delivered protection" do? I've been using WD for the last couple of days now and sometimes it updates twice a day, and one time it didn't update for 2 days. But I've checked, and in that time there were a couple of definitions released. So maybe running a manual update every 2 hours wouldn't really hurt anything.

    Is it possible that it updates rarely because of the disabled Cloud protection?
     
  20. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    657
    Location:
    Milan, Italia
    See Posts #2653, #2654
     
  21. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    219
    Those posts don't explain what exactly WD's "Cloud-delivered protection" does, but thanks anyway.
     
  22. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    657
    Location:
    Milan, Italia
    The cited posts are about not disabling cloud protection. Defender relies on the cloud for most of its protection so having it disabled makes absolutely no sense - as mentioned in the posts above. Again, if you don't enable cloud protection you should find a different AV because you have virtually no protection otherwise.
     
  23. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    219
    I see. But what exactly is that "most of the protection"? I mean, AVs in their basic functionality download virus definitions daily and then scan for them upon running/opening files. If I understand correctly, the cloud service uploads suspicious but not defined files online and there determines if the file is clean or not. Then it probably adds that code to the next definition? Does it do anything else (the cloud protection I mean)? Does the cloud service work without auto sample submission? Thank you.
     
  24. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    657
    Location:
    Milan, Italia
    Local signatures are sub-par. Signatures in cloud are updated continuously.
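The questions about signature age, whether a disabled MAPS setting matters, and whether the cloud needs sample submission (posts 2, 19 and 23 above) can all be answered on the box itself with the Defender PowerShell module. This is an added example, not code from the thread, from Microsoft or from ConfigureDefender; it assumes an elevated PowerShell on Windows 10 with the Defender cmdlets available, and the threshold of 24 hours used for the warning is my own choice.

```powershell
# Added example, not from the thread: audit the Defender settings argued about above,
# then apply the corrected values. Run elevated on Windows 10 with Defender enabled.

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# 1. Signature age and schedule. SignatureUpdateInterval is in hours; 0 means the
#    client uses its default schedule rather than a fixed interval.
$sigAgeHours = [math]::Round(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalHours, 1)
[pscustomobject]@{
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeHours    = $sigAgeHours
    UpdateIntervalHours  = $pref.SignatureUpdateInterval
} | Format-List

# 2. Is the cloud actually in play?
#    MAPSReporting        0 = disabled, 1 = basic, 2 = advanced
#    SubmitSamplesConsent 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all
#    Block-at-first-sight needs MAPS on and sample submission not set to "never".
[pscustomobject]@{
    MAPSReporting           = $pref.MAPSReporting
    SubmitSamplesConsent    = $pref.SubmitSamplesConsent
    DisableBlockAtFirstSeen = $pref.DisableBlockAtFirstSeen
    CloudBlockLevel         = $pref.CloudBlockLevel
    CloudExtendedTimeout    = $pref.CloudExtendedTimeout
} | Format-List

$cloudOff = ($pref.MAPSReporting -eq 0) -or
            ($pref.SubmitSamplesConsent -eq 2) -or
            $pref.DisableBlockAtFirstSeen
if ($cloudOff) {
    Write-Warning 'Cloud-delivered protection is partly or fully disabled; local signatures are all you have.'
}
if ($sigAgeHours -gt 24) {   # 24 h is an arbitrary threshold chosen for this example
    Write-Warning "Signatures are $sigAgeHours hours old; check connectivity or the update schedule."
}

# 3. Corrected settings. If MAPS was turned off through Group Policy (as in post 2),
#    the policy wins and Set-MpPreference will not stick; change the "Join Microsoft
#    MAPS" policy under the Windows Defender Antivirus > MAPS template instead.
Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendAllSamples `
                 -DisableBlockAtFirstSeen $false `
                 -CloudBlockLevel High `
                 -CloudExtendedTimeout 50

# 4. Pull signatures now rather than waiting for the scheduled check.
Update-MpSignature
```

The first two blocks are read-only and safe to run anywhere; section 3 changes the machine, so comment it out if you only want the audit. A short signature interval (post 19's "every 2 hours") is not what closes the gap: with MAPS off, files that are unknown locally are never asked about, and block-at-first-sight does not run, so the cloud lookups that post 24 calls "continuously updated signatures" simply do not happen.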
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Why so much text? I think probably no-one understands exactly what you're trying to say. So don't waste your time any longer. I mean, who cares about the difference between ML and behavior blockers? Fact is that EDRs are meant to be a fail-safe solution in case AV gets bypassed.

    For example, I remember reading an article about how SECDO (now owned by Palo Alto Networks) managed to spot a file-less ransomware attack. Most AVs couldn't spot it, because svchost.exe was hijacked via some OS exploit, but SECDO saw the file modification that was being performed and could block the process or isolate the infected machine from the rest of the network. So that's pure behavior blocking, that's all I'm saying.

    OK, so it seems it doesn't detect this stuff locally; it will always ask the cloud for help. Cool, but I'm not really impressed with this. On the other hand, they are trying to limit false positives, so it's understandable.
     