Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, I was thinking about this issue. And I wonder why WD blocked Spybot from modifying the hosts file, after all it didn't flag it as malware, so it shouldn't interfere with it. It basically acted like a "dumb" behavior blocker and I wonder what else it monitors. Keep in mind that "cloud protection" wasn't enabled. Also, I didn't get any notification, is this perhaps because I have disabled notifications in the taskbar? But other apps like SpyShelter still notify me via tray icon, so it seems like this also needs to be improved in WD.

    https://www.groovypost.com/howto/configure-windows-10-system-notifications/
     
  2. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Microsoft "bootstrapped" existing Windows mechanisms when developing WD. As such, sounds reasonable to assume WD alerts are dependent on Win system notifications.
     
  6. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
    It's patched in the latest cumulative update.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    In other words, it's not a separate update, so you also get other fixes? I've looked it up, seems like it's this one.

    EDIT: yes, it seems like you will also get fixes for Edge and MS Office.

    https://www.catalog.update.microsof...updateid=97169e13-5dbd-4119-b878-0867d6e8bbfb

    Yes it seems like it. The trayicon does change when something is being blocked, that's how I eventually noticed it. But I assume when malware is being blocked it will give a normal alert, at least I hope so.
     
  8. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I created a serious problem. I have Windows10, upgraded to 2004 last September. Everything was fine until I screwed up yesterday.
    I was in Win security center and saw that "App & Browser control" was not checked.
    So I checked it to be enabled. And now I cannot disable it.
    Problem is that it is blocking FastStone Viewer which is my lifeline.
    FastStoneViewerBlocked-.jpg
    I played with the individual settings such as Reputation, PUA, few others - no effect.
    Searched group policies, registry and I cannot find a way to get back short of restoring a 2 weeks old image.

    What can I do?
     
  10. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Use ConfigureDefender and disable that ASR rule below:

    Capturar.JPG
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Thank you, Nightwalker.
    So MS turns it on with no way to turn off?!
    I read a few/many posts about ConfigureDefender. And every time I go to GitHub, I can't figure out what to download. Can you help me, please?

    I think in the previous version of Win10 there was an ASR entry, but I may be wrong. I recall setting something about it once, maybe in gpedit.
     
  12. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
    ConfigureDefender/ConfigureDefender3001.zip at master · AndyFul/ConfigureDefender · GitHub
    The best choice is the High profile; the rules marked by Nightwalker are off right away (with High).
    Then click Refresh and you have to restart Windows.
     
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    It's a long list there. Is it what I just checked in blue? Plus the help file?
    ConfigDefender-.jpg
     
  14. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
    Yes, click on 3001.zip; the help file is not needed.
    Choose High, wait a little till the dialog closes... click Refresh.
     
  15. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    OK. Done. After installing do I reboot?
    Also I have 2 users me and admin user. Do it just in one place in admin account or me?
     
  16. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    620
    Location:
    Belgium
    After you click refresh you will be asked to restart windows to activate High settings
     
  17. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    @act8192 you can see in the WD notification the name of the ASR rule which is blocking the app you're trying to run. In cases like this:
    1. Run ConfigureDefender and set the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" to Audit (do not choose Disabled).
    2. Run the blocked application. If it is an installer then run the installer and next run the installed application.
    3. Set the ASR rule to ON. WD will automatically remember that the application has to be allowed locally, so it will not be blocked again by this ASR rule on this particular computer.
    A similar thing cannot be done by disabling the ASR rule, because after enabling this rule the file will be blocked again. When disabling the rule, the application executable has to be additionally excluded by using <Manage ASR Exclusions> in ConfigureDefender, and Windows also has to be restarted (changing ON<--->Audit does not require restarting). This procedure is more complicated than the procedure described in points 1-3.
    upload_2021-1-16_13-47-56.gif
     
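The Audit, run, back-to-ON round trip described in the post above, as an added PowerShell example (not from the post, and not ConfigureDefender's own code). It uses the built-in Defender cmdlets instead of the ConfigureDefender GUI. The rule GUID is Microsoft's published ID for "Block executable files from running unless they meet a prevalence, age, or trusted list criteria"; the FastStone executable path is an assumption and must be adjusted. Whether Defender then remembers the application locally is the post's claim; the script reproduces the steps, shows how to read the rule's current mode back, and keeps the ASR-only exclusion as the fallback the post mentions.

```powershell
# Added example: the Audit -> run -> Block round trip from the post, done with the
# Defender cmdlets instead of ConfigureDefender. Run from an elevated PowerShell.

# Published GUID of the ASR rule "Block executable files from running unless
# they meet a prevalence, age, or trusted list criteria".
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Assumption: adjust to wherever FSViewer.exe actually lives on your machine.
$App = 'C:\Program Files (x86)\FastStone Image Viewer\FSViewer.exe'

function Set-AsrRuleAction {
    param(
        [Parameter(Mandatory)][string]$Id,
        # Disabled = Off, Enabled = Block, AuditMode = log only, Warn = block with a user bypass
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action
    )
    # Add-MpPreference updates only this rule. Set-MpPreference with a single ID
    # replaces the whole rule list, which is how other rules silently get dropped.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleAction {
    param([Parameter(Mandatory)][string]$Id)
    # Ids and Actions are parallel arrays; action codes: 0 Off, 1 Block, 2 Audit, 6 Warn.
    $names = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    $pref  = Get-MpPreference
    $ids   = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $Id) { return $names[[int]$acts[$i]] }
    }
    return 'NotSet'
}

# 1. Audit rather than Disabled, as the post says: Defender still sees the launch
#    (it logs event 1122 in its Operational log) but does not stop it.
Set-AsrRuleAction -Id $RuleId -Action AuditMode
"Before: $(Get-AsrRuleAction -Id $RuleId)"

# 2. Run the application once. For an installer, run it, then run the installed program.
#    -Wait blocks until you close the program, so the rule is not switched back under it.
Start-Process -FilePath $App -Wait

# 3. Back to Block; no reboot is needed for an Audit <-> Block change.
Set-AsrRuleAction -Id $RuleId -Action Enabled
"After: $(Get-AsrRuleAction -Id $RuleId)"

# Fallback if the program is still blocked afterwards: exclude just this executable from
# ASR. This is the cmdlet form of ConfigureDefender's 'Manage ASR Exclusions' dialog.
# Undo with: Remove-MpPreference -AttackSurfaceReductionOnlyExclusions $App
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions $App
```

The exclusion line is left commented out on purpose: it widens the hole to any code that ends up at that path, so it should only be used when the audit round trip does not help.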
  18. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  20. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @act8192 :
    Out of curiosity I downloaded, installed and ran FastStone Image Viewer.
    WD didn't block it, although I have activated the ASR rule.
     
  21. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    It's all so confusing. FS Viewer was totally fine until I made the change in WD. And the thing that bugs me is that I cannot find the ASR rules. I haven't yet installed ConfigureDefender, which I gather from your sig you're using. Where are the ASR rules visible in the Windows Defender GUI o_O??
     
  22. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    @act8192 :
    ASR rules don't have a specific GUI.
    The settings are sub settings in windows security/app & browser control.
    Not as detailed, as in Configure Defender.
    I highly recommend following @Bertazzoni and using ConfigureDefender.
    You don't have to install it, it runs portable, and is basically an extended UI for WD settings.

    (You certainly made sure that FS Image Viewer was downloaded from the developer's site, didn't you?)

    One thing I noticed: FS Image Viewer is not digitally signed.
    That could have triggered WD.
     
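Where ASR state actually lives when there is no dedicated GUI, as an added PowerShell example (not from the thread). It answers the question in the two posts above from three places: the effective rule list that Get-MpPreference reports, the policy values under the Windows Defender Exploit Guard registry key that gpedit writes (the entries act8192 later found), and the Defender Operational event log, where a rule firing in Block mode is event 1121 and in Audit mode is 1122, with the rule GUID and the blocked path in the event text. The GUID-to-name table is a subset of Microsoft's published rule IDs; that it is a subset is the only assumption.

```powershell
# Added example: where to look for ASR state and for the rule that blocked a program,
# since Windows Security shows neither. Run from an elevated PowerShell.

# Published ASR rule GUIDs (subset; enough to name the rules discussed in the thread).
$AsrRuleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet prevalence, age, or trusted list criteria'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}
$AsrActionNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Effective state as Defender reports it, whatever set it (GPO, ConfigureDefender, cmdlets).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = ([string]$ids[$i]).ToLower()
        [pscustomobject]@{
            RuleId = $id
            Action = $AsrActionNames[[int]$acts[$i]]
            Name   = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(unlisted rule)' }
        }
    }
}

function Get-AsrPolicyState {
    # What Group Policy wrote. Rules: GUID -> 0/1/2; ASROnlyExclusions: path -> 0.
    # The keys exist only when policy has set something, which is why a GUI-only user never sees them.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
    foreach ($sub in 'Rules', 'ASROnlyExclusions') {
        $key = Join-Path $base $sub
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive properties
            [pscustomobject]@{ Policy = $sub; Entry = $p.Name; Value = $p.Value }
        }
    }
}

function Get-AsrEvents {
    param([int]$Last = 25)
    # 1121 = a rule blocked something, 1122 = a rule in Audit mode would have blocked it.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
    $guid   = '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Last -ErrorAction SilentlyContinue | ForEach-Object {
        # The rule GUID is pulled from the rendered message so this does not depend on field order.
        $id = [regex]::Match($_.Message, $guid).Value.ToLower()
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Mode   = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            RuleId = $id
            Name   = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(unlisted rule)' }
            Detail = ($_.Message -replace '\s+', ' ')   # includes the blocked path and the launching process
        }
    }
}

Get-AsrRuleState   | Format-Table -AutoSize
Get-AsrPolicyState | Format-Table -AutoSize
Get-AsrEvents      | Format-Table Time, Mode, Name -AutoSize
```

The event query is the quickest way to settle a case like the one above: if the blocked program produces a 1121 whose GUID is 01443614-..., it is this rule; if no 1121 appears at all, the block is coming from somewhere else (SmartScreen, another tool) and changing ASR settings will not help.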
  23. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Hey, Rasheed, did you end up getting the update? It seemed you were on the right track! Mine got updated in the background/automagically. The engine version should now be 1.1.17700.4. :thumb:
     
  24. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    652
    Location:
    Milan, Italia
    Then how did you add the ASR rule? :confused:Your post implies that you used some other method to add the rule, like powershell or GPO.
     
  25. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I'm leaving this post, but just added that adding EXCLUSION now works fine.

    FS Viewer is definitely from the developers site. I've been using it unsigned for the past 10 years or so I guess.
    And it was working fine without needing to be excluded when I made ASR rules.

    Still no Configure used. I will soon, thanks to all for pitching in.
    I followed the path Itman gave in post 3144. Thank you. I now found my ASR rules I put in via gpedit over a year ago.
    Just added the exclusion, full path to the exe file, value 0, OK.
    2021-01-16_210621-ExcludeFSViewer.jpg
    Rebooted. Logged in as me. It's still not working. EDIT-USER ERROR - IT NOW WORKS.
    And as before, post 3134, I also get an alert in addition to what they notify me as Risky behavior. It's been like this since yesterday.
    2021-01-16_21-38-42-AlertExcludeFailed.jpg
    2021-01-16_21-43-34-EccludeFailed.jpg
    It's odd that the alert talks about cannot access yet the notification is about ASR. Might it be some conflict with MBAE or OSArmor? Neither complained about FS Viewer.
     
    Last edited: Jan 16, 2021