Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,789
    So this GPU memory scanning is only for those with Intel CPUs?
     
  2. guest

    guest Guest

    Yes, Intel CPUs:
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    Yeah but... I wouldn't think an integrated Intel graphics processor would be powerful enough to make a huge difference. Not like a high end NVidia GPU or something similar. Maybe I underestimate them.
     
  4. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,789
    I have three PCs, all Ryzen. But I guess the extra cores I have versus most Intel CPUs makes GPU scanning less necessary anyway.
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,838
    Location:
    Texas
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Introducing Windows Defender System Guard runtime attestation.
    Much more in blog post : https://cloudblogs.microsoft.com/mi...ws-defender-system-guard-runtime-attestation/
     
  7. guest

    guest Guest

    Add file or folder exclusions to Windows Defender with Defender Injector
    April 22, 2018
    https://www.ghacks.net/2018/04/22/a...s-to-windows-defender-with-defender-injector/
    Defender Injector v1.0: https://www.sordum.org/10636/defender-injector-v1-0/
     
  8. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,942
    Interesting tool. Thanks, mood. :thumb:
     
  9. guest

    guest Guest

  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    False positives don't necessarily have to be a deal breaker for me; I'd rather have this than false negatives. But too much will make you lose faith, of course.

    Cool and all, but will other third party security tools also be able to make use of this?
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Anyone know if this ASR feature will block process hollowing?
    If I understand right, process hollowing involves the spawning of a child process, which is then suspended prior to the code injection.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This question has got my curiosity. However, unfortunately I do not know that answer. I haven't played around much with ASR rules since it relies on having Windows Defender enabled and I simply refuse to use AV regardless. So in my own testing, I play around more with the Process Mitigations via WDEG to enable on a per-process basis.

    With WDEG (or manually in the registry), you can still enable the Child Process Policy on a per-process basis instead of having to rely on ASR rules and have the same effect. The ASR rule and/or Child Process Policy should block process hollowing since it does effectively block the creation of child processes; however, I cannot confirm unless someone has tested this and reported on it. Also, I would think that Arbitrary Code Guard (ACG) should also be effective in blocking this since it blocks any kind of dynamic code alterations. I'm having a look around GitHub to see if there are any good tools for testing process hollowing.

    Do you have any reputable tools to use for testing process hollowing? Much of what I have found recently has been much older tools and nothing really new.

    EDIT: I would like to test this (http://riscy.business/2017/11/bypassing-modern-process-hollowing-detection/) later on when I have more time, since it has code on GitHub to compile and test. This looks more modern compared to some other tools.

    EDIT2: I just tested the stealth process hollowing tool (above) with MemProtect so far, and MemProtect was able to block this stealthy process hollowing technique with both the memory protection and the module protection, each on their own. I will have to test WDEG process mitigations later and possibly ASR rules, but I hate AV.
     
    Last edited: Apr 25, 2018
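    The per-process route described in the post above (Child Process Policy plus Arbitrary Code Guard through WDEG, with the settings landing under Image File Execution Options) can be driven from the ProcessMitigations PowerShell module that ships with Windows 10 1709 and later. The following is an added example, not WildByDesign's code or a Microsoft sample: it hardens one executable, reads the settings back, and pulls the Exploit Guard event channel so a test run can be checked. The cmdlet names and the two mitigation switches are real; the target executable is an arbitrary stand-in, and the property paths used to read values back are as reported by `Get-ProcessMitigation` on current builds and should be confirmed on yours.

```powershell
# Added example (not from the post): apply the two WDEG mitigations discussed
# above to one process, verify them, and review enforcement events.
# Run from an elevated PowerShell on Windows 10 1709+.
# 'notepad.exe' is a stand-in target chosen for illustration only.

$exe = 'notepad.exe'

# 1. Child Process Policy (DisallowChildProcessCreation): the process may not
#    spawn children, which is the step the post expects to stop hollowing,
#    since hollowing begins with a suspended child process.
# 2. Arbitrary Code Guard (BlockDynamicCode): no new executable memory and no
#    modification of existing executable pages inside the protected process,
#    which blocks the image-rewrite stage if the hardened process is the host.
Set-ProcessMitigation -Name $exe -Enable DisallowChildProcessCreation, BlockDynamicCode

# Read back the effective per-process settings. These are stored under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe>
# (the "manual registry" route mentioned in the post).
$m = Get-ProcessMitigation -Name $exe
[pscustomobject]@{
    Process                      = $exe
    DisallowChildProcessCreation = $m.ChildProcess.DisallowChildProcessCreation
    BlockDynamicCode             = $m.DynamicCode.BlockDynamicCode
} | Format-List

# Audit-only variant for a first pass, so violations are logged but not blocked:
#   Set-ProcessMitigation -Name $exe -Enable AuditChildProcess, AuditDynamicCode

# Exploit Guard records block and audit events in the Security-Mitigations
# channels; check them after exercising the hardened process with your test case.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Remove the per-process entry when testing is finished:
#   Set-ProcessMitigation -Name $exe -Remove
```

    Starting in audit mode is the practical order: a process that legitimately launches helpers (updaters, print spoolers, browser renderers) will show up in the audit events before an enforced Child Process Policy breaks it, and the same channel is where a blocked hollowing attempt against the protected process would be visible.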
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks so many times over @WildByDesign. Appreciate all the thought and effort you put into detailing as much as is available to ensure enough security measures are within reach and possibility for users to better prevent an ever-evolving landscape of new techniques, as well as old ones modified to try to work their way through Windows' basic defense grid.
     
  14. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
  15. brainrb1

    brainrb1 Registered Member

    Joined:
    Mar 15, 2010
    Posts:
    491
    Does this option not clean up older versions of Windows Defender files?
     

  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    +1
    The detailed answer is much appreciated.
    Sounds like ASR is still pretty much uncharted territory.
     
  17. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .
    Nope, the first thing I tried was using Disk Cleanup run as admin. I'm not sure what those few MBs actually are for, but the folders in my picture still remain.
     
  18. guest

    guest Guest

    I believe it cleans the "history" of scans; so if you select it, WD will not remember it has done a scan and will ask to do one. Same when you use the option in CCleaner and others.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome, my pleasure. That comment from you made my day and I appreciate that. This community at Wilders has given me so much knowledge in the past (possibly up to 10 years prior to my current account), so I can't just take information and run. It's time for me to give back now whenever I possibly can. :thumb:
     
  20. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    OneDrive Files Restore and Windows Defender takes ransomware protection one step further.
    More in blog post here : https://techcommunity.microsoft.com...Windows-Defender-takes-ransomware/ba-p/188001
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    So although it offers some peace of mind or confidence for customers' data, which, once mangled, will/can be assuredly restored, by the same token, couldn't this also be interpreted as an admission that (successful) ransomware attacks are still inevitable?

    Given Microsoft's current code that supports these programs and more, and even with the rapid positive advancement of Windows Defender, it's agreed customers' data might be "safer" than before. But I suppose the real proof is in the pudding. Time will tell, but anything extra like this has to be considered a plus given their track record to date.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    W10 Home 1803

    The WD Network Protection on Chrome works again:

    http://cxoficialnet.com/home/pages/inter/

    http://paypay.com.traversecityart.com/

    https://smartscreentestratings2.net/
     
  24. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    You mean the Windows Defender System Guard runtime attestation?

    Microsoft stated in the blog that there will be an API that third parties can use. As always, it will be for those who fulfill the requirements for being granted access.

    That's one side of the story.

    The other side of the story is that consumers, SMBs and enterprises who use Windows Defender AV and Windows Defender ATP will benefit from the fact that these new capabilities will be incorporated and actually used, thereby taking security to a whole new level.

    With third-party solutions? Well, if things go as usual, then if you ask around in 5 years whether they have implemented it, 99% of third-party vendors will say "whaaaat??"
     
  25. Pirate_fin

    Pirate_fin Guest
