Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Confirmed. I disabled the rule by powershell, and now I don't see those error messages.
    I recommend not to enable it, because it conflicts with too many applications.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, now it did perform well, but I did notice that SmartScreen was enabled. I consider SmartScreen to be a white-list, but I may be wrong because Win Def still failed a couple of samples. I have never really understood this. And this would also mean that the cloud failed?
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    At this point anyone testing Defender without SmartScreen is simply doing it wrong. It does not reflect real world usage if you skip SmartScreen.
     
  4. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Adding transparency and context into industry AV test results.
    Much more in blog post here : https://cloudblogs.microsoft.com/mi...cy-and-context-into-industry-av-test-results/

    And, as mentioned in the blog post, in addition to the blog post also make sure to read the detailed complete transparency report on January-February 2018 test results.

    It can be downloaded from Microsoft here (PDF) :
    Code:
    https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-blog-mmpc
     
    Last edited: May 25, 2018
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Has there been any testing of Core isolation, or any reports on how well it works or what types of attacks it actually blocks?
     
  6. guest

    guest Guest

    Microsoft: Here's why Windows Defender AV isn't ranked higher in new antivirus tests
    Windows Defender trails third-party antivirus in tests, but Microsoft says you should still use it over other products.
    May 25, 2018

    https://www.zdnet.com/article/micro...av-isnt-ranked-higher-in-new-antivirus-tests/
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
As far as making "informed decisions" about WD ATP protections, this Blackhat 2017 - Europe presentation is definitely worth a read: https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf

    Since most here don't use WD ATP, the section in the presentation titled 'Windows Defender Is Not Windows Defender ATP' should be reviewed in detail.
     
    Last edited: May 25, 2018
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Related to the report, I will say that in my opinion it's great to see Microsoft do analysis like this and then publish such detailed reports.

    For a long time we have seen all the native security in Windows 10 do very well in independent testing.
    Even more so when we follow the improvements with each new branch.

    We see well-known independent researchers posting about the strong defense available when the features in the native protection stack on Windows 10 are put to use and complement each other.

    And now with reports like the fresh report from Microsoft, all Microsoft users can gain insight into what security all the additional features in Windows 10 provide.

    The report is thorough and precise and shows exactly which feature blocks what.
    Everybody - both enterprise, SMB and home users - can clearly recognize the individual additional security features in Windows 10 that they use and see that the sum of what's available to them in the OS will protect them.

    There are so many benefits in reports like this.

    It will drive testing in general across test labs towards more realistic testing and more realistic results, when features available in the real world are also fully active during testing. :thumb:

    And additionally it will put an effective end to the army of trolls with an agenda, who float around forums and comment sections, trying to plant fear and doubt about this or that product with strange fictional claims about how this or that feature works or doesn't work.
    Getting rid of that will be a gift from above to every forum on the planet. :thumb:

    I very much like this new "straight to the hard, cold facts" approach from Microsoft. :thumb:
     
  9. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Sure that may be so Martin, but legitimate discussion is welcome. We don't all share your boundless enthusiasm for MS.

    Maybe my many years as an employee with a (larger) US IT company have made me somewhat sceptical about claimed transparency. :isay:
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    :)
     
  11. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    There's a looooong way from legitimate discussion to the trolling every single IT forum suffers from, when it comes to security solutions, their functionality and their effectiveness.
     
  12. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  13. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    MRG Effitas has just released their latest Online Banking / Browser Security test - the "MRG Effitas Online Banking / Browser Security Certification Project – Q4 2017" report.

    The report holds three tests.
    The "In-the-Wild real financial malware test", the "Real Botnet test" and the "Simulator test".

    In the "In-the-Wild real financial malware test", Microsoft got a combined protection score of 100% (97.9% auto-blocks and 2.1% behavior blocks)
    The "Real Botnet test" was also blocked by Microsoft.

    Only in the "Simulator test" did Microsoft not block the test.
    The Simulator test has always been controversial. A vendor will either target this specifically or not.
    The test targets "Internet Explorer or the Safe Browser if available". IE has never been the Safe Browser on Windows 10. Edge is the safe browser with all mitigations enabled - and with the 1803 branch, Edge running in Windows Defender Application Guard is the Safe Browser.

    If a third-party vendor includes a Safe Browser of their choice, then of course - that browser should be tested.
    There are third-party vendors that advise against Edge because they can't mess with it. With those vendors - fine, test IE with them.
    But with Microsoft, the Safe Browser on Win10 is Edge. Edge in WDAG, if on 1803 or newer.
    Same goes for third-party vendors who do not include a browser of their own choice or do not tell their users not to use Edge. One must assume that these vendors expect their users to use the Safe Browser naturally available.

    Hopefully MRG could make such changes going forward. :thumb:
    There's just not much point in testing some vendors according to their recommendations, and other vendors against their recommendations. :)

    Link to report : https://www.mrg-effitas.com/wp-content/uploads/2018/05/MRG-Effitas-Online-Banking-Certification-2017Q4_wm.pdf

    EDIT - I see MRG has now updated the methodology section of the report related to the Simulator test.
    The Simulator test is now listed to target "Mozilla Firefox or the Safe Browser" instead of IE.

    So wherever I wrote IE above, just replace with Mozilla Firefox.

    I still hope MRG will use Edge in WDAG going forward, as default Safe Browser as suggested above.
    That is after all the included Safe Browser, for vendors that do not insist on something they branded themselves. :thumb:
     
    Last edited: May 31, 2018
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Link: https://twitter.com/WDSecurity/status/1002254895989346304

    EDIT: I believe some of this was likely already mentioned so I apologize for any duplication.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This has already been discussed before. The goal of these tests is to see how good AV solutions are in stopping malware, both pre and post execution. SmartScreen is probably using the same blacklist as Win Def, and on top of that it's a white-list, which means it will block software no matter if it's malware or not.

    To be fair, most of the tools that didn't use a safe browser failed this test, and I also thought this simulator was very exotic; I would like to see them use simulators that are more close to real malware.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is some interesting stuff, would like to see Win Def ATP being tested. Although it's still not clear to me if it's more geared to monitoring instead of blocking attacks.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I believe the answer to this is fairly obvious. Microsoft doesn't believe it's ready "for prime time" advanced endpoint protection AV Lab testing.
     
  18. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Virtualization-based security (VBS) memory enclaves: Data protection through isolation.
    Much more in blog post here : https://cloudblogs.microsoft.com/mi...ry-enclaves-data-protection-through-isolation
     
  19. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,865
    Location:
    U.S.A.
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, you would think otherwise if you read all of those articles that M$ wrote about WD ATP. But like I said before, these tests are about blocking attacks, not about monitoring.

    For example, tools like Secdo and Red Canary are more about monitoring, but I see that Secdo has now added a new tool called Defender which is supposed to block attacks before they can even start. I'm still not sure if WD ATP has got the same capability.

    https://redcanary.com/blog/detecting-ransomware/
    https://blog.secdo.com/multiple-groups-exploiting-eternalblue-weeks-before-wannacry
    https://secdo.com/defender/
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    As far as verification of the multitude of these enterprise products go, your AV Lab testing comments are also applicable. I have never seen them tested outside of stand-alone testing by NSS Labs and the like.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Actually, I did find one certification for Windows Defender ATP:
    https://cloudblogs.microsoft.com/mi...protection-iso-27001-audit-assessment-report/
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not sure if I understand you correctly, but what I'm saying is that these tools are meant to alert about an ongoing attack. So if some malware manages to bypass AV, it will alert about suspicious behavior with the goal to stop it from spreading and infecting other PCs in the network.

    So it's the job of Win Def AV to block malware, but if it fails then Win Def ATP should alert about it, but only after a PC is already infected, and that's not the goal of these tests. So perhaps they should also test the ability to monitor an ongoing attack. BTW, it's comparable with Cb Defense + Cb Response.

    https://www.carbonblack.com/products/cb-defense/
    https://www.carbonblack.com/products/cb-response/
     
  24. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
    (+1) I was just reading through this thread to see if there was any discussion on this. Also, any compatibility issues anyone has come across other than VMs. I haven't tried out controlled folders yet either - anyone test it out?
     
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Controlled folders is very problematic. Too many blocks, and some of them are without clear error messages indicating the true conflict.

    Core isolation conflicts with many security products. Among them are Comodo Firewall, Zemana, and a partial conflict with Kaspersky Internet Security.
     
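    The complaints in post 1 (an ASR rule that had to be disabled because it conflicted with applications) and post 25 (controlled folder access blocks without a clear error message) both come down to finding out which rule blocked which process. The script below is an added example, not code from the thread or from Microsoft: it reads Defender's operational event log for ASR and Controlled Folder Access block/audit events, groups them by rule and process, and shows how to put one ASR rule into Audit mode instead of disabling it. It assumes event IDs 1121/1122 (ASR block/audit) and 1123/1124 (CFA block/audit) and the "ID:/Path:/Process Name:" lines in the event text as found on Windows 10; `Get-ExploitGuardBlocks` and `Set-AsrRuleToAudit` are names chosen here.

```powershell
# Added example (not from the thread): triage ASR and Controlled Folder Access blocks
# from the Defender event log, then relax one rule to Audit mode rather than disable it.
# Run in an elevated PowerShell on Windows 10. Assumed: event IDs 1121/1122 (ASR
# block/audit), 1123/1124 (CFA block/audit) and the field labels in the event text.

$LogName = 'Microsoft-Windows-Windows Defender/Operational'

function Get-ExploitGuardBlocks {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        Id        = 1121, 1122, 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue   # no matching events is not an error here
    foreach ($e in $events) {
        # Pull the labelled fields out of the event message text (assumed layout).
        $fields = @{}
        foreach ($m in [regex]::Matches($e.Message, '(?m)^\s*(ID|Path|Process Name):\s*(.+?)\s*$')) {
            $fields[$m.Groups[1].Value] = $m.Groups[2].Value
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Feature = $(if ($e.Id -le 1122) { 'ASR' } else { 'CFA' })
            Mode    = $(if ($e.Id % 2 -eq 1) { 'Block' } else { 'Audit' })  # odd IDs are blocks
            RuleId  = $fields['ID']              # empty for CFA events, which have no rule GUID
            Process = $fields['Process Name']
            Target  = $fields['Path']
        }
    }
}

function Set-AsrRuleToAudit {
    # Audit mode keeps the rule logging (event 1122) without blocking the application,
    # so the conflict stays visible instead of silently disappearing with the rule.
    param([Parameter(Mandatory)][string]$RuleId)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
}

# Usage: see which rule a given application keeps tripping over the last day.
Get-ExploitGuardBlocks -Hours 24 |
    Group-Object Feature, RuleId, Process |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Then move that one ASR rule to Audit mode. The GUID below is a placeholder; use the
# RuleId column from the output. For a CFA block, whitelist the process instead:
#   Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\path\to\app.exe'
# Set-AsrRuleToAudit -RuleId '00000000-0000-0000-0000-000000000000'
```

    The event 1121/1123 message text already names the blocked process and path, which is the "true conflict" the thread says the pop-up does not show.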