Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. __Nikopol

    __Nikopol Registered Member

    I was thinking that it maybe wouldn't be able to see everything - at least right now when it isn't mainstream - or some things won't work.
     
  2. cheater87

    cheater87 Registered Member

    This is quite an interesting development. Wonder how it will play out.
     
  3. WildByDesign

    WildByDesign Registered Member

    Low Privilege AppContainer too which is more secure and more granular capability control in comparison to traditional AppContainer. Very impressive news.
     
  4. Tyreman

    Tyreman Registered Member

    Turned on the Sandbox thingie here and restarted; will see how it goes.
     
  5. wat0114

    wat0114 Registered Member

    From reading the blog post, it seems that MS invested a lot of time and effort - carefully taking everything into consideration - in ensuring detection rates and other important technical requirements of the antivirus would not suffer with the sandbox enabled. Time will tell, of course, but I sure *hope* they'll promptly address any issues discovered.
     
  6. Rasheed187

    Rasheed187 Registered Member

    LOL, to me it's definitely funny. No wonder they score so bad in false positives tests. :D

    Wow, this is pretty impressive.
     
  7. shmu26

    shmu26 Registered Member

    Question to those who tried out WD sandboxing; does it affect system responsiveness? Does it slow system startup, or launching of programs?
     
  8. wat0114

    wat0114 Registered Member

    So far after a few hours enabled, I haven't noticed any hit on system performance.
     
  9. imuade

    imuade Registered Member

    Just set and running fine

    Immagine1.jpg

    Immagine2.jpg
     
  10. 142395

    142395 Guest

    It seems they're going in the right direction, though a bit late. How about other major players? Despite having made serious blunders repeatedly (some of them ridiculously elementary), most of them still haven't utilized PPL or CFG, and last I checked, they have more priv than unsandboxed WD. I won't name them, but it's easy for anyone to confirm.
    Tavis Ormandy, who has found a number of vulns in AVs including WD, is known to be a strong opponent of AV, yet the only AV he has reluctantly recommended (twice) is WD. For those of us who adopted tight ctrl, AV is nothing more than Additional Vuln. Yet, attacks against AV will probably be seen in targeted attacks, which most of us won't encounter, at least as personal users.
     
  11. wat0114

    wat0114 Registered Member

    What do you mean by that? Apparently they're the first to harness this capability, and if it makes the product better then it's never too late.
     
  12. Azure Phoenix

    Azure Phoenix Registered Member

  13. Nightwalker

    Nightwalker Registered Member

    To be fair, is Falcon Prevent really a complete AV solution with a fully functional emulator and virus disinfection capability? Even if so, it doesn't take away Microsoft's merit.


    PS: I think Falcon Prevent is somewhat similar to Cylance Protect, so I don't think it is a complete AV solution.
     
    Last edited: Oct 27, 2018
  14. elapsed

    elapsed Registered Member

    https://twitter.com/taviso/status/1055876544768425985
     
  15. shmu26

    shmu26 Registered Member

    WD needed it more badly than the other AVs. It was an urgent issue for WD.
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Hi.
    Is the "MsMpEng.exe" process protected as in the image below?


    Immagine.jpg

    The same protection is applied to the Network Realtime Service "NisSrv.exe".
     
  17. imuade

    imuade Registered Member

    First question: yes
    Second question: no
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

  19. Tyreman

    Tyreman Registered Member

    Since my last post turning on the sandbox in 10, it's been very good.
    Can't really tell it's affecting performance, yet it is there.
    All Good So Far
     
  20. Nightwalker

    Nightwalker Registered Member

    No doubt about that, it was something critical for Windows security.
     
  21. imuade

    imuade Registered Member

    That's network protection indeed, but not sandboxed, otherwise you'd see "AppContainer" instead of "System level"
     
  22. shmu26

    shmu26 Registered Member

    So it looks like the sandbox does not impair system performance, and that's good.
    The only remaining question in my mind is whether WD actually works as intended...
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    I was referring to the "PsProtectedSignerAntimalware-Light" protection of the MsMpEng.exe process.
     
  24. WildByDesign

    WildByDesign Registered Member

    If anyone is curious to know which processes are protected by regular AppContainer sandbox or the latest Low Privilege AppContainer (LP-AC), I only know of one program so far that can show this. Process Explorer and other programs don't define it yet.

    NtObjectManager by Google Project Zero's James Forshaw (Chrome's sandboxing wizard) is a PowerShell script which is powerful beyond words. You can view details on the PowerShell Gallery page: https://docs.microsoft.com/en-us/powershell/module/powershellget/install-module?view=powershell-6

    However, for this latest capability, you need the latest compiled version which is not yet uploaded to the gallery. You would need to grab the latest script from here (NtObjectManager.psm1): https://github.com/googleprojectzer...ce-analysis-tools/tree/master/NtObjectManager

    You have to do the typical permission changes to allow PowerShell scripts to run (temporarily, change back after using). If you have got that far and have the script working, all you need to do is this:

    Code:
    PS> # Save the current execution policy so it can be reset
    PS> $SaveExecutionPolicy = Get-ExecutionPolicy
    PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser
    PS> Import-Module NtObjectManager
    PS> Get-NtProcessMitigations -Name MsMpEngCP.exe
    PS> # Reset the execution policy to the original state
    PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser

    Code:
    Get-NtProcessMitigations -Name MsMpEngCP.exe
    You can try this on other processes as well. For example, the latest Chrome GPU AppContainer process is LP-AC as well. Although the chrome.exe renderer processes and PPAPI process are all still regular AppContainer. Upcoming chrome.exe utility processes will be LP-AC too.

    Example output:

    LP-AC.png


    There are a ridiculous amount of Process Mitigations and other protection mechanisms as well that show in the full output. So many mitigations which I am not even familiar with entirely.

    You can always count on James Forshaw when it comes to Windows sandboxing and mitigations. His blog, his research, his open source tools, the Chrome sandbox, etc.
     
  25. itman

    itman Registered Member

    I believe any AppContainer process using SID, S-1-16-4096, is using low-level:

    IE_App_LL.png
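    The two posts above show one way to check a single process with Get-NtProcessMitigations and one way to eyeball the integrity SID in Process Explorer. The script below is an added example (not code from either poster or from the NtObjectManager project) that walks every process the shell can open and reports, per process, whether its primary token is an AppContainer, whether it is a Low Privilege AppContainer, and its integrity level, so a claim like "MsMpEngCP.exe is LPAC" can be verified instead of assumed. It assumes NtObjectManager is installed, that the shell is elevated so that service processes can be opened, and that the NtToken object exposes the AppContainer, LowPrivilegeAppContainer, IntegrityLevel and AppContainerSid properties; those property names are taken from NtObjectManager's object model, not from the thread.

```powershell
# Added example, not from the thread or the NtObjectManager project.
# Summarise the sandboxing state of running processes by inspecting their
# primary tokens with NtObjectManager (assumed installed via Install-Module).
# Run from an elevated shell so that service processes such as MsMpEngCP.exe
# can be opened; processes that still refuse access are reported, not skipped.
Import-Module NtObjectManager

function Get-SandboxSummary {
    param(
        # Image name to inspect, e.g. 'MsMpEngCP.exe' or 'chrome.exe'; '*' means all.
        [string]$Name = '*'
    )

    foreach ($proc in (Get-NtProcess | Where-Object { $_.Name -like $Name })) {
        try {
            # Open the primary token with query access only (assumed parameter set:
            # Get-NtToken -Process <NtProcess> -Access <TokenAccessRights>).
            $token = Get-NtToken -Process $proc -Access Query
            [pscustomobject]@{
                Pid            = $proc.ProcessId
                Name           = $proc.Name
                AppContainer   = $token.AppContainer
                LowPrivilegeAC = $token.LowPrivilegeAppContainer
                # TokenIntegrityLevel enum; 'Low' is the S-1-16-4096 mandatory
                # label SID shown in the post above, which every AppContainer
                # process carries, so it alone does not distinguish LPAC.
                Integrity      = $token.IntegrityLevel
                # The package SID (S-1-15-2-...) only exists for AppContainer tokens.
                PackageSid     = if ($token.AppContainer) { $token.AppContainerSid.ToString() } else { '' }
            }
            $token.Close()
        }
        catch {
            # Access denied or a process that exited mid-enumeration: keep the
            # row so gaps in the table are visible to whoever reads it.
            [pscustomobject]@{
                Pid            = $proc.ProcessId
                Name           = $proc.Name
                AppContainer   = $null
                LowPrivilegeAC = $null
                Integrity      = "not readable: $($_.Exception.Message)"
                PackageSid     = ''
            }
        }
        finally {
            $proc.Close()
        }
    }
}

# Usage: first every process whose token is a Low Privilege AppContainer,
# then the full picture for the Chrome process tree discussed above.
Get-SandboxSummary | Where-Object LowPrivilegeAC | Format-Table -AutoSize
Get-SandboxSummary -Name 'chrome.exe' | Format-Table -AutoSize
```

    Reading the table: a row with AppContainer set but LowPrivilegeAC unset is the traditional AppContainer sandbox (the Chrome renderers in the post above); both set is LP-AC; neither set with Integrity of Medium or System is an unsandboxed process, which is what the earlier MsMpEng.exe question was really asking. The PPL status of MsMpEng.exe itself is a separate property of the process, not of its token, and is what Get-NtProcessMitigations and Process Explorer's "Protection" column report.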
     