Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
This is actually pretty cool; this shows the strength of so-called EDR tools.
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    I've been having a problem with Windows Defender on multiple PCs at work where it says it is disabled. I can enable it but the PC will start up again with it disabled. I have not done anything to the settings to make it do this. There is no 3rd party security software. Is anyone having this issue? It seems to have started in the last couple of weeks.
     
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    A partial uninstall of a 3rd party AV can cause this issue.
    https://www.thewindowsclub.com/windows-defender-is-turned-off
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Interesting issue. It obviously is not coming from Group Policy, because if it was, you would not be able to re-enable Windows Defender. It must be a faulty registry entry.
     
  6. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,936
    Location:
    UK
    Do they all have 1903?
I've seen the Win Def warning on several 1903 machines that Tamper Protection is turned off. It wasn't this, was it?
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
I re-registered the .dll files per that article and rebooted. It came up fine, but I'm not sure that it happens at every reboot. I've noticed it on a couple of other PCs. I'll try this and see how it goes. I'm pretty sure the ones with issues are on 1903. I don't know if something gets corrupted during the update or not. Time will tell and I will post a follow-up if I am able to narrow it down.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    They do have 1903 as most of them do now. It does not seem to be that. When you open the Windows Security dialog it shows "Virus & threat protection" as disabled.
     
  9. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
Upgraded from 1809 to 1903 or clean install? I have MBAM working in harmony with WD. So do all my security protocols. AppGuard works in Lock Down mode, OSArmour, MWFC, IVPN and Windows Sandbox...all works.

    In other words, I always clean install. Even gpedit has things missing, but through PowerShell or the Registry it can be done; it's just Microsoft!

    It took me days to get it all to work together.

    Robert
     
    Last edited: Jun 10, 2019
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Great whitepaper on bypassing WD ASR mitigations here: http://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    To succeed, the attack would need to be specially crafted to bypass ASR. This could be used in a targeted attack on a system that is known to use ASR. But most of the bypass methods need to run scripts, so they will fail on a system that has some kind of script protection.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I concur with the author's summary:
     
  13. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    Does Windows Defender have a behavior-based detection element?
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Yes.
    The screenshot, from the main window of ConfigureDefender, shows the main components of WD. I have it set to max settings, not to default, but the default settings of WD do have both Behavior monitoring and Script scanning enabled.

[attached screenshot: Annotation 2019-06-18 212229.png]
     
  15. nine9s

    nine9s Registered Member

    Joined:
    Feb 8, 2013
    Posts:
    310
    Location:
    USA
    Thanks.
     
  16. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
But at least it can't be disabled so easily, so perhaps as a post-exploit it can still do its thing at a later stage.
    Anti-tamper was created (in the 1903 version); "old" attacks would focus on disabling WD with a few lines of code.
     
    Last edited: Jun 19, 2019
  17. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Nice. I'm going to be using that. At work. Still using something 3rd party on my own PCs.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
Before rendering any verdict on this, see if this reg key value can be modified:
    https://borncity.com/win/2019/03/29/windows-10-v1903-get-windows-defender-tamper-protection/
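A read-only health check, added here as an example and not posted by anyone in the thread, that gathers in one place the things the posts above have been poking at: the live engine state, the policy registry values that keep Defender disabled across reboots, the Tamper Protection feature value, and the behaviour-monitoring and script-scanning preferences. The registry paths and the 5 = on / 4 = off meaning of the TamperProtection value are as commonly documented for Windows 10 1903 and are assumptions to confirm on your own build; the cmdlets are from the built-in Defender module and need an elevated PowerShell.

```powershell
# Added example (not from the thread): read-only Defender health check for the
# "Virus & threat protection shows as disabled after reboot" symptom.
# Run from an elevated PowerShell on Windows 10; nothing here changes settings.
$report = [ordered]@{}

# 1. Live engine state as the platform itself reports it.
$status = Get-MpComputerStatus
$report['WinDefend service']        = (Get-Service WinDefend).Status
$report['AntivirusEnabled']         = $status.AntivirusEnabled
$report['RealTimeProtection']       = $status.RealTimeProtectionEnabled
$report['BehaviorMonitor']          = $status.BehaviorMonitorEnabled
$report['IsTamperProtected']        = $status.IsTamperProtected          # property present from 1903 on
$report['Signatures last updated']  = $status.AntivirusSignatureLastUpdated

# 2. Policy registry values that persist across reboots and silently turn Defender off.
#    These are what Group Policy (or a leftover third-party AV uninstall) writes;
#    any non-zero value here would explain a "disabled again on every boot" symptom.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $report["Policy $($c.Name)"] = if ($null -eq $v) { 'not set (OK)' } else { "set to $v (investigate)" }
}

# 3. Tamper Protection feature value (assumption: 5 = on, 4 = off, as commonly documented).
$tpPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
$tp = (Get-ItemProperty -Path $tpPath -Name TamperProtection -ErrorAction SilentlyContinue).TamperProtection
$report['TamperProtection value'] = if ($null -eq $tp) { 'absent' } else { $tp }

# 4. Behaviour monitoring and script scanning, the two components discussed earlier in the thread.
#    Both are enabled by default; a $true here means someone (or something) switched them off.
$pref = Get-MpPreference
$report['DisableBehaviorMonitoring'] = $pref.DisableBehaviorMonitoring
$report['DisableScriptScanning']     = $pref.DisableScriptScanning

$report.GetEnumerator() | Format-Table -AutoSize
```

With Tamper Protection on, the policy values in step 2 are ignored by the engine, so a machine that still shows "disabled" despite IsTamperProtected being True points at the service or a corrupted installation rather than at a registry entry.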
     
  19. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection.
Much more in the blog post here: https://www.microsoft.com/security/...soft-defender-atp-next-generation-protection/
     
  20. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    Good link, thanks.
     
  21. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Not OT, I hope. If you have gpedit and have Clean Installed v1903, does Computer Configuration>Administrator Templates>Windows Components>Windows Defender Antivirus have Signature Updates? I have Clean Installed 3 times with different downloads for Media Creation Tool and none have it. v1809 always did (Signature Updates).

I do not want to go the upgrade path...never do. But, if I were to, I know it will be there as it is present in v1809.

    Thanks,
    Robert
     
    Last edited: Jun 26, 2019
  22. galileo

    galileo Registered Member

    Joined:
    Dec 10, 2005
    Posts:
    72
    I have also clean installed W10 V1903. Is this what you are looking for...?

[attached screenshot: 2019-06-26_19h37_50.png]
     
  23. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Thanks galileo, but no. It should have "Signature Updates". I guess I was right in assuming that stupid MS either forgot or took it out. Why, who knows! It only configures WDA sigs...we can do it through PowerShell or the Registry but...

    Now probably everyone who Clean Installed 1903 has it omitted. At least I know it's not just me. It's by design.:eek:

    Win 10 Pro x64 1903

    Thanks again,
    Robert
     
    Last edited: Jun 27, 2019
  24. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Roberteyewhy,

Nobody forgot anything, nobody took out anything and nobody is stupid.

    Signatures have never been signatures.

    Windows Defender receives a ton of information. New/updated behavioral datasets, updates to Attack Surface Reduction rules, engine updates, retrained models, updates to memory scanning, updates to network monitoring, new/altered settings for Malware Protection Platform, Emerging threats updates, dynamic signatures pulled in as needed, signatures pushed out as needed and much, much more are included in the updates.

Security Intelligence Updates is the correct term to use, hence the change.
     
  25. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
"Signatures have never been signatures." Then why does even MS call it Signature updates in Group Policy (https://docs.microsoft.com/en-us/wi...protection-updates-windows-defender-antivirus)? In 1809 it was Signature updates, not Security Intelligence Updates.

    "...nobody is stupid." You must have forgotten what happened when v1809 was first released to the public via WU.

    Anyway, not here to argue semantics. I didn't look closely enough to see the change...I just said where is Signature updates. You are correct. I can admit when I am mistaken.

    "I am not perfect; I do not live in a perfect world!"

    Sorry galileo and anyone else for the confusion.

    Robert
     
    Last edited: Jun 27, 2019