Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

I see/ As another extreme 8.1 long time very satisfied user as many others, seems that 8.1 is frequently overlooked and gets the nod (maybe more) as an easily dismissed version which doesn't quite add up. Then again perhaps it's viewed as not relevant to expectations or importance even to it's nearest predecessor.

Point taken though that they 'simply forgot' and doesn't outright dismiss a possibility that this particular vulnerability might exist within it too. So much for 0Patch if it does.

 

What exactly does this mean, that WD doesn't scan certain ZIP files? But no big deal as long as it scans the unzipped content, which is normally some .exe file, right?

 

Err ........ That is exactly the problem. The files when extracted are missing the MotW ADS identifier. Hence, none of these files would have been submitted to the MS Cloud for scanning.

 

OK, so no cloud scanning, but it would still be scanned via signatures and heuristics, I assume. And of course I agree that this is another major blunder from M$.

 

The MotW bypass vulnerability is much worse than originally disclosed:https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/ . Addendums at the end of the article show how any file can be bypassed including .exe's.

 

Also remember this identifier will never exist if a file is saved to a network drive, or a flash drive or SD card if they are not formatted NTFS. Or copied to any of those. Or transferred through Skype. That mark should not be as critical to security as they are making it. Too many opportunities for it to not exist at all.

 

To save myself useless spent time unblocking (since i scrutinize better than MS$ what comes onboard this ship i use sStreamsRemover
https://www.sordum.org/11263/streams-remover-v1-0/

Now looking at the opposite and negative side of things, how do we know a downloaded file couldn't been fashioned with a stripper of ZoneIdenitifier (alternate data stream). Of course grasping at straws but you know how an unsafe file purveyor will pull every trick out of the hat.

 

You can save the effort and just disable the setting in Attachment Manager for preserving zone information. Then there will be nothing to remove.
More info:
https://support.microsoft.com/en-us...-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738

 

I believe it only applies to:

 

It applies to everything that is downloaded from any browser (Download managers don't have the issue they don't set a blocked status on files they download only browsers such as Edge, Chrome, Firefox, etc)

That is the first tweak I do when I install Windows.

For people who are using Home editions of Windows with no Group Policy Editor, this is the registry tweak to achieve the same thing:

Disable File Protection for downloaded files

Code:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
"CheckExeSignatures"="no"
"RunInvalidSignatures"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.msu;.wav;.img;"

 

Nope, I have done it in the past. Nothing gets tagged anymore. Unless they have changed something. I have not tried it with Windows 11.

 

I see. Okay then.

 

I am using this:

Code:

rem 1808 - Disable the warning The Publisher could not be verified
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "1808" /f

rem Disable Security warning to unblock the downloaded file
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f

 

I actually hate those stupid warnings that you get to see. As long as WD can block it then I see no problem even if Smartscreen doesn't warn about it either.

 

Isn’t that problem that it might not get blocked?
https://twitter.com/wdormann/status/1582466468968792064?s=20&t=Fd9igjCEGyj4Qkws5ZA34Q

 

Yes, the script warning doesn't pop up and most likely SmartScreen won't pop up either, however I didn't read anything about Win Defender not being able to block the malware from running?

 

Well, WD always worked for me without any tweaking since its release as a full AV within Windows 10.

I don't need anything else.

Good luck with your search of your perfect security setup.

 

Hallelujah, brother! Defender works for me.

Ah yes, the search for the perfect, multi-layered security setup never ends for some folks.

 

This forum is largely about trying to find the "perfect" security setup which doesn't exist and never will. Defender is all you need and a daily image backup- just in case. Paranoia runs deep here and you know that because some people have 3 or 4 programs at work to allegedly secure their machines. A total waste of time, effort and money in my view.

Occams' Razor baby.

 

Don’t forget security is a hobby for many members here

 

It's no waste of time for me though, you never know when disaster might strike and I think it's likely that these 3 or 4 programs might save me when Win Defender fails.

But of course as a normal home user who only downloads well known software from trusted sources, the chance of encountering malware isn't that big. Unless you somehow get tricked via fake pop ups or phishing email.

But anyway, when it comes to securing companies, then this whole ''Defender is all you need'' mantra definitely doesn't fly. Check out this article about how hackers infected banking networks, and I'm guessing all of these malware samples bypassed AV's easily.

https://www.bleepingcomputer.com/ne...-steal-over-11-million-from-banks-and-telcos/

 

Defender Fun Fact- There has been a nasty data stealer showing up everywhere the past week that targets Defender, and it works like this:

The issue for whatever data stealer is that although it may be zero-day when first released, to be an effective stealer it has to be zero-day every day (the longer active on the system more stuff can be acquired). The malware should also try to hide itself so it can't be readily detected.

That being said, this strain of malware (which is actually a carrier for the stealer) will:
1). create a hidden system directory (usually in Program Data)
2). drop the actual stealer into this directory
3). adds a scheduled task for the malware (for persistence)
4). create an exclusion in Windows Defender to trust the directory (and its contents)
5). the now excluded malware can connect out and deliver acquired data package to the bad guys.

The issue here is an exclusion makes a malware file zero-day everyday.

 

So something like Defender's tamper protection couldn't do anything to stop the exclusion from being added by the stealer?

 

I assume this is something that has to be executed with admin privileges at some point to do all of that?

 

No (and Tamper Protection wouldn't matter with this).