Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    Well, Cruelsister released this video today https://youtu.be/-4UeKLRIGZI showing that MSD will detect simple scripts, but it seems as though MSD will treat things the user clicks on with a lot less scrutiny than most malware attacks that don't require the user to click anything.

    This is why you should run some kind of anti-EXE alongside MSD. I went with Catchpulse (with no scanners) and Voodooshield with allow by parent process turned off.
     
  2. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    Yes, yes it does.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Will watch it on my smart TV later, but what was the outcome? That WD once again couldn't block malware that is launched by scripts, or what?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    All the files were encrypted.

    Assumed here is that Controlled Folders protection was not set up? Believe the purpose of the test was to see if WD could detect ransomware behavior from the script.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK thanks, I hate watching these videos on my computer. So WD is somehow still bad at detecting script-based attacks; I honestly don't get this. So my advice is: use dedicated anti-ransomware protection as offered by AppCheck and HMPA. I assume they are better at catching this stuff; hopefully Cruelsister can test this too.
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    I would think that would be the desired behavior in most cases. You shouldn't be clicking a script if you haven't looked at it. Especially if you didn't write it yourself.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    WD has an ASR mitigation for ransomware:

    Use advanced protection against ransomware
    I assume this wasn't enabled? Also, the question is what does this ASR mitigation provide over the ransomware protection enabled in WD by default?

     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This makes no sense. Ransomware is not the only malware that can be delivered via script. Your best protection is to block all unknown script execution. Or at a minimum, block any script execution spawned as a child process.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Perhaps Cruelsister should test it with DefenderUI installed, and she should enable all settings in the ASR Rules and Advanced tabs and then see how WD fares. I have just disabled PUA protection because it quarantined YTD Video Downloader; annoying, but at least you can restore it with a couple of clicks.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    WD has two ASR rules in regards to scripts:

    Block execution of potentially obfuscated scripts
    Block JavaScript or VBScript from launching downloaded executable content.
    I assume CR used a Python script that will "blow through" most AVs' anti-script execution methods.
     
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    It's really the attack mechanism of which Defender is unaware, rather than the form (whether Python, Java, Rust, msi, exe, etc.) into which the malware is woven, that is the main issue. As to strengthening Defender with DUI or Configure Defender, that was already highlighted in the previous videos, as was the inability of Controlled Folders to work.

    As I didn't want to be redundant, I didn't highlight these things again. Thought minimal would be better: one explanatory text box, one malicious file, one guitar, one voice.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Set on the "Use advanced protection against ransomware" ASR mitigation and see if it detects the script activity. If not, which I assume will be the case, then we can chalk up that mitigation as worthless.
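    Added example, not posted by anyone in this thread: a PowerShell script that reports the current state of the three ASR rules named in the posts above (the two script rules and the ransomware rule) and of Controlled Folder Access, turns them on in audit mode, and then lists the Defender operational-log events that show whether a rule actually fired. The rule GUIDs and event IDs are Microsoft's documented values; the function names are mine. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender as the active antivirus.

```powershell
#Requires -RunAsAdministrator
# Added example (not from any poster in this thread). Audits and enables the three
# Defender ASR rules discussed above plus Controlled Folder Access, then pulls the
# Defender event-log entries that show whether a rule fired.
# Rule GUIDs are Microsoft's documented ASR rule IDs; verify against current docs.

$AsrRules = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Numeric action codes as reported in AttackSurfaceReductionRules_Actions
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns one object per rule of interest with its current mode
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($id in $AsrRules.Keys) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) {        # IDs may come back upper- or lower-case
                $code  = [int]$actions[$i]
                $state = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
                break
            }
        }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Id = $id; State = $state }
    }
}

function Enable-ScriptAndRansomwareAsrRules {
    # Start in AuditMode so nothing breaks; switch to Enabled (block) once the 1122 events look sane
    param([ValidateSet('AuditMode', 'Enabled', 'Warn')][string]$Mode = 'AuditMode')
    foreach ($id in $AsrRules.Keys) {
        # Add-MpPreference adds the rule, or updates its action if it is already present
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Enable-ControlledFolderAccess {
    param([ValidateSet('AuditMode', 'Enabled')][string]$Mode = 'AuditMode')
    Set-MpPreference -EnableControlledFolderAccess $Mode
}

function Get-RecentAsrEvents {
    # 1121/1122 = ASR block/audit, 1123/1124 = Controlled Folder Access block/audit
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122, 1123, 1124
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

Get-AsrRuleState | Format-Table -AutoSize
Enable-ScriptAndRansomwareAsrRules -Mode AuditMode
Enable-ControlledFolderAccess -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-RecentAsrEvents
```

    Audit mode is the sensible first step: the rules log what they would have blocked (event 1122 / 1124) without interfering, so you can see whether a given test script even triggers them before switching the action to Enabled. Per Microsoft's documentation the ransomware rule depends on cloud-delivered protection being on, so check that setting too if the rule never logs anything.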
     
  13. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The ransomware ASR rules are ineffective. Previous videos enabled rules either through the Admin Template route or simply via Defender UI. Also, as (I would guess) Pro testing sites will have Defender protection at the default level, how does it fare so well so consistently?
     
  14. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Just got an update (which I forced) to the Antimalware platform. KB 4052623. Windows 10 19044.2130.

    [Attachment: def versions.PNG]
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK cool, so ASR rules and Controlled Folders didn't help. It makes me think a bit of an advanced ransomware attack on companies years ago that was only spotted by EDR, while AVs couldn't spot this fileless malware. And just recently, home user PCs were attacked with the Magniber ransomware, and it all started with a JS file, see link 2. So relying only on AVs to tackle ransomware is probably not a good idea.

    https://www.cyberscoop.com/super-stealthy-attackers-used-nsa-exploit-weeks-wannacry/
    https://threatresearch.ext.hp.com/m...geting-home-users-with-fake-software-updates/
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  17. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    255
    Location:
    Poland
    Defender will never be good enough against viruses because it's the default layer of the security system.
    So if a hacker writes a working virus dedicated to Windows, it must be invisible, undetectable by Defender; otherwise writing the virus doesn't make sense.
    For sure they test that the virus works before they use it to attack.

    Same as admin and limited accounts (SUA & LUA): almost all viruses can screw the system from a limited account.

    All hope is only in 3rd-party apps which put extra hardening in place and monitor the system to make it possible to block a virus before infection, but even a 3rd-party security app doesn't give you a 100% guarantee either. For example, look at VMware: every 1-2 weeks they fix some vulnerability issues.
    And every time this happens, please ask yourself how long this security hole existed and how many undetected bypass ways still exist..

    And after that you can go back to the root discussion about dreaming how Windows Defender is going to be powerful.
    The answer is simple: NEVER.

    Otherwise you would never need to install any other extra security app to make real protection for data.
     
  18. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    While I don't use it myself, Microsoft Defender is one of the top antiviruses. If you don't keep Windows updated and open random files, then Defender is not enough. But the same is true for all antiviruses. If you aren't click happy, Microsoft Defender or any of the other big-name antiviruses will provide very good protection. While I use another antivirus, in terms of protection I'd be quite happy to use Microsoft Defender.
     
  19. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,434
    Location:
    Slovakia
    Indeed, it is the same reason Windows is the most targeted OS. It is to be expected that people, who install 3rd party AV, actually do care, so they will most likely be security conscious as well.
    Not to mention that Defender has one "flaw": it has to be able to be disabled so people can install 3rd party AVs, which do not face the same issue, and that alone makes it easier for malware.
     
  20. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    It is wrong to assert/imply that people who use WD are not security conscious. I was a pioneer in computers and computer security, and I laugh at the negative attacks on WD. It has as good (or better) metrics than any of the other AVs. Yes, I do have two layers of defense in addition to WD: OSArmor and my totally reliable daily image backup. This is not because I find that WD is inherently weak, but because I don't trust any AV totally and neither should you, third party or otherwise.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Once again, out of all those versions, Windows 8.1 shines brightly!

     
  23. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    How did you reach that conclusion? It doesn't mean that Windows 8.1 isn't vulnerable, but that 0patch didn't care to make a patch for it.

    The vulnerability lies in how an NTFS Alternate Data Stream (ADS) is handled by the system; no reason for Windows 8.1 not to be vulnerable.
     
    Last edited: Oct 17, 2022
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Then they should make it a point to add it to the list. Because it will obviously be assumed 8.1 is immune.
     
  25. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    It should not; that list is of compatible systems for the patch that 0patch created, and they didn't care about Windows 8.1.

    In theory it should fix the vulnerability in Windows 8.1 too, but they simply forgot about its existence.
     