Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Nastrahl

    Nastrahl Registered Member

    Joined:
    Feb 8, 2017
    Posts:
    16
    Location:
    Paris
    Should I enable computing of files' hashes in Windows Defender?
    It is said everywhere that it can have an impact on performance, but as I understood from other AVs, everyone does that to speed up later scans, comparing hashes to known/unknown files in databases to speed up processing and avoid unnecessary scans.
     
  2. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,510
    Location:
    .
    Is there any effective way that actually cleans the Protection History of Windows Security?
    I tried all methods described HERE without any result.
    (Running Windows 11 23H2)
     
    Last edited: Mar 24, 2024
  3. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,277
    Location:
    Canada
    Sometimes those methods work, sometimes they don't. What always works for me is to install DefenderUI, find the setting to delete history, then uninstall it.
     
  4. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    622
    Location:
    US
    Same here. Tried ALL methods for years and none work! But, by magic, Protection History was cleared when I checked yesterday. Do not forget to undo everything you might have done in the Registry or GPEdit then try again or try as digmor posted.

    Why Microsoft does not fix this is, well, it's Microsoft.

    Good luck.
     
  5. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    410
    Location:
    Finland
    Just got RAPID TCP queries from taskinput.exe to 13.170.246.53, port 443. Something related to Microsoft?
     
  6. Nanobot

    Nanobot Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    485
    Location:
    Neo Tokyo
    An unexpected journey into Microsoft Defender's signature World

    An unexpected journey into Microsoft Defender's signature World — retooling
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I don't know if you guys have seen the latest video on The PC Security Channel, most of his videos are boring as hell, but this one was interesting.

    He basically ran a ransomware simulator, and Bitdefender and Sophos blocked it from encrypting files, while Windows Defender, SentinelOne and CrowdStrike failed. Which would mean that WD's behavior blocking module isn't exactly the most advanced.

    Of course a simulator isn't real malware, but truly zero-day malware is often missed by AVs. That's why I also use AppCheck Anti-Ransomware, which wasn't tested, but should have better behavior blocking methods implemented. Which means it doesn't only rely on the cloud and signatures.

    https://www.youtube.com/watch?v=2R033fex8D8
     
    Last edited: Aug 26, 2024
  8. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,277
    Location:
    Canada
    Come on now, you know better than to base any opinion of an AV on one test.
     
  9. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    515
    Location:
    VPN city
    MS Defender with something like DefenderUI set to aggressive most likely would've performed better. I've seen several tests of MSD under that configuration where it failed to stop Magniber, though.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Take his testing of EDR software "with a grain of salt." Enough comments were made in that thread and other web sites that Leo didn't properly configure any of the EDR software.

    The test of interest is for Sophos Home. It was a great example of HMP-A CryptoGuard in action. Of note is how it backs up files prior to access, allowing for them to be fully restored if encrypted. Not a single file got permanently encrypted.

    Remember that file encryption is only half the problem with ransomware. The other half is data stealing via file uploading. Leo has yet to test this.
     
    Last edited: Aug 26, 2024
  11. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    515
    Location:
    VPN city
    That's why you need to use whitelisting to prevent the malware from running in the first place. HMP.A is good for stopping a lot of bad stuff, but not malware in the userspace.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    You're right, but like I said, in most other tests, those samples aren't probably truly zero day malware, so it's easy to block them for most AV's.

    I don't know if he used DefenderUI, probably not. But apparently it still fails sometimes, which confirms what I've always thought, namely that Win Defender's behavior blocking capabilities aren't all that.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    OK I see, I will read the comments, there were quite many. But I wonder what's there to configure, shouldn't CrowdStrike and SentinelOne block stuff out of the box?

    Yes my bad, I've edited my post. Only Bitdefender and Sophos could block the ransomware, and that is because of their advanced behavior blocker. You know that I still don't get how CryptoGuard works? I mean is it backing up ALL modified files on disk? If it didn't, then how would it be able to restore files?

    Yes correct, but any decent firewall should be able to tackle this easily. And if an AV like Win Def can't stop this ransomware simulator from encrypting files, then I don't see why it would prevent the data stealing part.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, but every time you download some app, you still need to run (and whitelist) it, right? So that's no solution for people who need to download and run/install software; it's only a good solution to protect against exploits.

    HMPA was mostly designed to block malware that is delivered via exploits, but the other features should block certain malware behavior when it already bypassed AV.

    That's why I always say you shouldn't rely solely on an AV like Win Defender. I combine it with AppCheck Anti-Ransomware, OSArmor and SpyShelter Firewall. HMPA was giving me too many troubles.
     
    Last edited: Aug 26, 2024
  15. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,296
    Location:
    Pennsylvania.
    I pair up any AV with Comodo, using Defender set to high protection using the Defender hardening tool.
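    The hash-computation switch asked about in post 1 and the "aggressive" / "high protection" Defender settings mentioned in posts 9 and 15 are all exposed through the Defender PowerShell module. The script below is an added example, not code from this thread, from DefenderUI or from Microsoft; the "desired" values are this example's own assumed hardened baseline, not any tool's profile.

```powershell
# Added example: audit the Defender settings discussed in this thread and,
# with -Apply, set them to an assumed hardened baseline. Run from an elevated
# PowerShell on Windows 10/11 (Get-/Set-MpPreference come with Defender).
function Get-DefenderPostureReport {
    [CmdletBinding()]
    param([switch]$Apply)   # without -Apply the function is read-only

    $pref = Get-MpPreference

    # Assumed baseline (this example's choice, not a Microsoft recommendation).
    # Numeric values follow the enum encoding Get-MpPreference reports:
    # CloudBlockLevel 2 = High, MAPSReporting 2 = Advanced,
    # EnableControlledFolderAccess / EnableNetworkProtection / PUAProtection 1 = Enabled.
    $checks = @(
        @{ Name = 'EnableFileHashComputation'; Current = $pref.EnableFileHashComputation; Want = $true
           Fix = { Set-MpPreference -EnableFileHashComputation $true } },
        @{ Name = 'DisableBehaviorMonitoring'; Current = $pref.DisableBehaviorMonitoring; Want = $false
           Fix = { Set-MpPreference -DisableBehaviorMonitoring $false } },
        @{ Name = 'CloudBlockLevel'; Current = [int]$pref.CloudBlockLevel; Want = 2
           Fix = { Set-MpPreference -CloudBlockLevel High } },
        @{ Name = 'MAPSReporting'; Current = [int]$pref.MAPSReporting; Want = 2
           Fix = { Set-MpPreference -MAPSReporting Advanced } },
        @{ Name = 'EnableControlledFolderAccess'; Current = [int]$pref.EnableControlledFolderAccess; Want = 1
           Fix = { Set-MpPreference -EnableControlledFolderAccess Enabled } },
        @{ Name = 'EnableNetworkProtection'; Current = [int]$pref.EnableNetworkProtection; Want = 1
           Fix = { Set-MpPreference -EnableNetworkProtection Enabled } },
        @{ Name = 'PUAProtection'; Current = [int]$pref.PUAProtection; Want = 1
           Fix = { Set-MpPreference -PUAProtection Enabled } }
    )

    foreach ($c in $checks) {
        $ok = ($c.Current -eq $c.Want)
        # Emit one row per setting so the caller can pipe to Format-Table or Export-Csv.
        [pscustomobject]@{ Setting = $c.Name; Current = $c.Current; Desired = $c.Want; Compliant = $ok }
        if (-not $ok -and $Apply) { & $c.Fix }   # apply only what drifted from the baseline
    }
}

# Usage: report only, then re-run with -Apply once the drift looks acceptable.
Get-DefenderPostureReport | Format-Table -AutoSize
```

    Controlled Folder Access is only one of these layers; as the later posts note, it does not by itself cover a trusted process that has been made to do the writing, so the behavior-monitoring and cloud settings above matter at least as much.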
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,291
    I am not sure if some of you mix up Windows Defender with some kind of firewall, or composite suites, or something different.

    Windows Defender is antivirus (only) with signature scan, online check, anti-ransom (on boot), anti-exploit, and Windows Firewall is a different program. Regular users don't have sufficient rights for both.

    any free version is not that good, several tests proved this, you have to pay for equal protection!

    It's on you to handle your system, but don't try to blame if you work with admin rights, where any protection is nullified. At least all antivirus work with kernel root rights and are vulnerable this way. Bypassing user level is POC, but much harder than with user rights.

    HMPA, Comodo, ESET, Kaspersky, Windows Defender and so on: completely futile while working with admin rights. That's why I give a **** on tests to blame this or that software.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    I also found DefenderUI the only way to clear it. Then I uninstall it. Why can't MS make it available for users? Are they that senseless? Pitiful.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I think it's you who is confused? Who is talking about firewalls? This discussion is about that Win Defender couldn't block a ransomware simulator, and this is because the behavior blocker isn't that advanced.

    Sophos and Bitdefender have more advanced behavior blockers, so they don't really care about if some simulator (or other app) is malware or not. When they see suspicious file system behavior they will block the process and rollback the encrypted files. I'm not sure why CrowdStrike and SentinelOne failed, perhaps they were wrongly configured but this would also mean that they are simply too complex.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    BTW, this is an interesting article which may also explain why CrowdStrike and SentinelOne failed. Perhaps they look for other suspicious indications as well before the behavior blocker will kick in, probably to avoid false positives.

    https://blog.barracuda.com/2024/08/21/threat-spotlight-ransomware-rent-threat-landscape
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    BTW, The PC Security Channel released another video of another ransomware simulator which was able to bypass WD's Controlled Folder access feature, see first link.

    Not a surprise since we all know that with code injection, you can make a trusted process like explorer.exe do the file encryption for you. You can also bypass firewalls via code injection. But I don't know how many real life ransomware makes use of this code injection technique, I could only find stuff about Sorebrect, see second link.

    https://www.youtube.com/watch?v=PEQ7G3XQsIA
    https://thehackernews.com/2017/06/fileless-ransomware-code-injection.html
     
  21. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,145
    Location:
    USA
    That was bypassed on day 1. It isn't even hard. Too many things on Windows can be bypassed with fake drivers, registry entries, and scheduled tasks. If you can slip any of those in you own the machine.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Exactly, it's nothing new, but a good reminder to not put your full trust into this file protection feature. But that's why I'm using a behavior blocker like SpyShelter which actually monitors the stuff that you mentioned.

    And I have always said this, but it seems like an OS like Windows has been designed to make it as attractive as possible for malware. For example, I sometimes mock macOS, but from what I understood it has actually more protection against basic code injection attacks.
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,145
    Location:
    USA
    I'm sure Windows wasn't designed to make it attractive to malware. It was designed to be functional and easy to use. This was back in the days before the internet. Rather than reinventing the whole thing it has been slowly updated for compatibility reasons.
    Also, macOS would look like Swiss cheese too if it had a larger market share. Hackers are going to focus their attention on the biggest payoff. Security by obscurity. Some say that isn't security. I disagree to a point. It does help.
     
  24. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,506
    Location:
    Hollow Earth - Telos
    My Kaspersky subscription just ended. Should I use MS Defender or turn on HMPA Anti-Malware and Exploit Mitigation?
     
  25. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    745
    Location:
    Milan, Italia
    Use Defender and turn on HMPA if it makes you feel better, though it's not really needed.
     