Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Tyreman

    Tyreman Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    145
    Location:
    Cambridge Ontario,Canada
    Only thing I find a PITA on Windows Security / Antivirus is the ransomware protection.
    Otherwise not bad so far.
     
  2. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    Yes, that's one of those layers, the second one. They advertise 4 layers, which are described on their website:

    Attack Surface Reduction (ASR) is a set of controls that blocks common ransomware entry points: Office-, script-, and email-based threats that download and install ransomware;
    ASR can also protect from emerging exploits like DDEDownloader, which has been used to distribute ransomware
    Network protection uses Windows Defender SmartScreen to block outbound connections to untrusted hosts, such as when trojan downloaders connect to a malicious server to obtain ransomware payloads
    Controlled folder access blocks ransomware and other untrusted processes from accessing protected folders and encrypting files in those folders
    Exploit protection (replacing EMET) provides mitigation against a broad set of exploit techniques that are now being used by ransomware authors
    https://www.microsoft.com/security/blog/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/
     
  3. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    The exploit protection, yeah that's another layer, but the controlled folder access is more of a hindrance than something helpful.

    The attack surface reduction must be something new, but every honest test I've seen of WD on Windows 10 shows WD failing against every unknown malware it encounters.
     
  4. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    Actually, ASR rules have been part of WD for quite some time. A new rule, "Block persistence through WMI event subscription", was added recently. I don't know what tests you're looking at but WD is doing quite well, especially against known malware. Any AV can be breached, so it's not alone on that score.
     
  5. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    487
    Location:
    VPN city
    Well, of course. Nothing is infallible. Comodo was one of the AV products that was affected by the double agent ransomware. That's why a lot of computer security techs recommend that you use a supplementary product along with your standalone.
     
  6. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    ASR rules each need to be enabled by the user. Typically testers don't know about it and/or don't bother to enable them.

    Security experts should be able to enable them.
    However for those who want to do it easily, the software ConfigureDefender by AndyFul is a great tool to tweak Windows Defender and enable those rules.

    As for how long the feature has been there. I'm not sure. But there was an article from 2017 talking about them
    https://www.thewindowsclub.com/attack-surface-reduction-windows-defender
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Was reading about this over at BleepingComputer. Assumed this will now enable WD to stop highly obfuscated PowerShell scripts, which was their and a number of other AV vendors' "Achilles heel" in the past. Personally, I would just enable the like ASR mitigation and be done with it.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    I've been using Controlled Folders for a few days and find it is a PITA so disabled it again.
     
  10. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    ASR is only available on Windows 10 Enterprise E3 or E5.
     
  11. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    It's available for Windows 10 Home users as well.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Well I hope you're right, but according to this Microsoft article:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction

    Enterprise E3 or E5 is needed to use ASR rules.

    I have Win 10 Pro and I can enable ASR in Group Policy, but I don't think it does anything. I had several rules enabled in "Audit" mode from here:

    https://www.ghacks.net/2017/10/23/configure-attack-surface-reduction-in-windows-10/

    ...but not once over several days use did I see anything ASR-related in the logs.

    EDIT

    dumb question: how can I post links like above and make them "Unlinkable"? I used the Unlink button but that doesn't work for me
     
  13. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    @wat0114

    I use ConfigureDefender to enable ASR rules. And in the logs I see "Block credential stealing from the Windows local security authority subsystem (lsass.exe)".
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,090
    Location:
    Texas
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    On my Win10 x64 1903 Home Edition I have enabled ASR using PowerShell and I tested Network Protection in Firefox on the Microsoft test site and it failed. I was able to access the site without a block, unlike when I tried the same in Edge.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
  17. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    I haven't tried on Firefox. But I do get a WD alert when going to the test site on Brave (chromium browser)
    https://demo.wd.microsoft.com/
     
  18. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    On Brave Beta I get a "This is a Smartscreen test site" notice in the upper corner of page, otherwise it's blank. :doubt:
     
  19. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Do you have Network Protection enabled?

    Like I said in another post, I use ConfigureDefender from Andy to enable those settings.
     
  20. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    Yes, I use ConfigureDefender too! ^ ^ ;)
     
  21. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    It's an added micromanagement which I really like, similar to registry guard protection from NVT (i.e. based around blocking something).
    Sure, it's more of a hindrance, but once everything is set it is an added protection on top of SRP\GPO. The more options we have the better, and I was happy it was introduced.

    Anyway, you can quickly extend its functionality with (replace C:\MyDATA with your own folder name):
    Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\MyDATA"
     
    Last edited: Sep 7, 2019
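    Tying together the PowerShell route mentioned in posts #12, #15 and #21, here is an added example (not from any poster, and not part of ConfigureDefender) that puts the two ASR rules named in this thread, network protection and controlled folder access into audit mode, adds a protected folder, and then reads the Defender operational log, which is where audit hits are recorded rather than in the Windows Security UI. The rule GUIDs and event IDs are the ones Microsoft documents; check them against the current ASR rules reference before relying on them, and C:\MyDATA is a placeholder path.

```powershell
# Added example: audit-mode rollout of the Defender layers discussed in this thread,
# followed by a log query that shows whether anything actually fired.
# Run from an elevated PowerShell on Windows 10 with Defender as the active AV.
# GUIDs are the documented IDs for the two rules named in the thread (assumed correct;
# confirm against Microsoft's ASR rules reference).
$Rules = @{
    'Block credential stealing from LSASS'             = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    'Block persistence through WMI event subscription' = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
}

# Audit first: hits are logged but nothing is blocked, so you can see what a rule
# would break before switching it to Enabled.
foreach ($name in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Rules[$name] `
                     -AttackSurfaceReductionRules_Actions AuditMode
}
Set-MpPreference -EnableNetworkProtection AuditMode
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Extend controlled folder access to a folder of your own (placeholder path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\MyDATA'

# Confirm the rules and their state as Defender itself reports them.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i],
                         $pref.AttackSurfaceReductionRules_Actions[$i]
}
$pref.ControlledFolderAccessProtectedFolders

# Audit hits do not appear in the Windows Security app; they land in this log.
# 1121/1122 = ASR block/audit, 1123/1124 = controlled folder access block/audit,
# 1125/1126 = network protection audit/block.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122, 1123, 1124, 1125, 1126
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

    If the query returns nothing after a few days of normal use, as in post #12, the rules are most likely not being evaluated at all, which is a different problem from them being evaluated and never matching.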
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    I'll give ConfigureDefender a try this weekend. Thanks!
     
  23. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
  24. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    What does the refresh button do? Do I have to "refresh" after selecting my choice, before rebooting?
     
  25. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    In the Help screen it states,

    "How to apply settings
    Select a Protection Level or custom configuration, press the Refresh green button and let ConfigureDefender confirm the changes. ConfigureDefender will alert if any of your changes have been blocked. Reboot to apply chosen protection"
     