Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    How did I manage to stay uninfected for years?
    Ok, I do run WiseVector along with WD, but never got a true warning from either.
    Ok, I run µBlock Origin in Chrome,
    but hey, where to get infected?

    ~ Remarks Removed As Per Policy ~
     
    Last edited by a moderator: Dec 28, 2022
  2. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    How indeed? I have never had malware in over 40 years of using PCs. There are people on this site that want to make you think you will get infected at some point. After all, this is a security site right?
     
  3. Jan Willy

    Jan Willy Registered Member

    Joined:
    Jan 29, 2021
    Posts:
    226
    Location:
    Netherlands
    In her video from December 26, CS has proven that malware can make an exclusion in MS Defender behind your back. Of course this is an undesirable situation. But the question is, does this really affect the home user in daily life? I tend to agree with Mr. Andy Ful, who wrote (in that other security forum): "I can see the "exclusion vulnerability" as an unpleasant possibility, but currently not a danger for home users. Of course, it is still "fruit" so may be used in the attacks. I wish that Microsoft will close this vulnerability until it will hurt home users."
     
  4. Oldie1950

    Oldie1950 Registered Member

    Joined:
    Feb 24, 2022
    Posts:
    83
    Location:
    Deutschland
    Also about 40 years without infection.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Exactly, well said! WD fanboys need to take a chill pill. I don't see why they are getting so upset, in fact they should be happy that people are pointing out the weak parts in WD's protection. And that's why I will keep using my extra protection tools, just in case I do ever encounter AV evading malware.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, that's what you make of it. I already explained that I use Win Defender myself and that I haven't had an infection in 25 years. However, this is probably because I simply didn't download malware. In fact, I didn't even use an AV for 14 years, I only scanned files with VirusTotal. And of course my HIPS/behavior blocker might have saved me a couple of times.

    But when I read stuff about AV bypasses, I find it interesting from a technical point of view. It's not that I can't sleep at night, thinking that I'm going to get infected the next day, know what I mean? So when someone like Cruelsister brings this stuff to the attention, I don't see this as bashing. In fact it's quite helpful, hopefully M$ will soon close this loophole.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK cool thanks. I'm just trying to figure out how this stuff works. I did read about the "exclusions loophole" in WD earlier this year, which was apparently only present in Win 10 and not in Win 11, see first link. But I have found some more info about the bypass technique that you're probably talking about. It's kinda ridiculous if you can bypass WD like this, see second link.

    https://www.bleepingcomputer.com/ne...akness-lets-hackers-bypass-malware-detection/
    https://www.neowin.net/news/beware-...ually-a-deadly-bitrat-that-bypasses-defender/
     
  8. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    A little off-topic. But I want to mention an old test series Cruelsister did.

    The test was about how effective AVs are at protecting users at boot up/log-in

    The results were that even if an AV can detect G-malware normally, it could fail if the malware is run at log-in (before the AV could properly detect/stop it).

    The good thing about this is that some (don't remember if it was all of them) took note of that and actually improved their products to better protect users.

    If Microsoft, could do the same it would be great for all its users.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Interesting to me as well, and you're right, it's not bashing, especially when she provides indisputable evidence to back her claims.

    Microsoft might be too arrogant for this :D
     
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,919
    said the "Vivaldi fanboy". sorry, could not resist. ^^
    I do not defend the Defender, but at least its integration is the smallest issue compared to licensing a product which is (also) vulnerable in its basics. Moreover, the taken-over products now include code from their buyer. So if one product is vulnerable there is more likelihood that other products are vulnerable in the same way. And the Norton security list tells me so about its portfolio.
    Don't know, maybe the same way I do and did.
    As always said - most times it needs manual interaction to get infected.
     
    Last edited: Dec 29, 2022
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The links you provide are the same bypass. Although not really seen much, currently malware is being furiously written using Stealers as the payload. Only a matter of time before nastier folk soon use Ransomware, Wipers and Worms dropped by the same method. Also, the video used updated Win11 (21H2).

    I am surprised that instead of concern some have blown it off in various ways instead of being outraged and pressuring Microsoft to fix this, which was my hope.

    (ps: Azure Phoenix: Kaspersky fixed things first with their next build).
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Case in point per malwaretips.com;
    https://malwaretips.com/threads/infected-by-loki-ransomware.119581/
     
  13. Bertazzoni

    Bertazzoni Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    657
    Location:
    Milan, Italia
    And pray tell, how are users supposed to pressure MS?
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Good question.

    Just my 2 cents on this: for those of us using Defender, and who have never had a single infection under its protection, the outrage really doesn't manifest itself within - at least in my case - therefore the motivation may not be there to feel compelled toward pressuring Microsoft to fix the issues. Also, they are unlikely to pay much attention to those of us typical home PC users with no expertise and experience in malware testing. They are after all going to ask for evidence and professional credentials. They are more likely to listen to you and others who can provide the evidence, like Andy Ful and Shadowra from another forum for instance, with similar expertise in that area. Maybe I'm wrong, but that's just my humble opinion.

    Interesting, thanks :thumb:
     
  16. Jan Willy

    Jan Willy Registered Member

    Joined:
    Jan 29, 2021
    Posts:
    226
    Location:
    Netherlands
    I agree with you. Furthermore, I let myself be lulled into a feeling of security when I view test results like this from a year ago: https://www.av-test.org/en/news/29-...ata-stealers-and-ransomware-under-windows-10/
     
    Last edited: Dec 30, 2022
  17. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Exactly. I'm complacent here and what's more: it's going to get robustly ignored if I send a boring message to Microsoft with a link no one would touch with a barge pole.

    They want the goods from professional pen testers. Now if Microsoft got wind of Home users getting infected en masse from some common Windows vector, that would be a whole different animal. I wonder if Microsoft prioritizes Enterprise over Home in certain areas anyway.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Good or bad for the products tested, I don't let the results influence my decision on what to use, because the only one I've used for years is Defender. I use it because it's already baked into the OS and, admittedly, because it's free. I'm from the old school mindset of "you get what you pay for", so I don't expect protection from it to be on par with paid subscription industry standard products such as from Kaspersky, ESET and other well known reputable brands. Defender is "good enough" for me because I augment it with H_C and OSArmor, a browser ad blocker, a recent backup image just-in-case, as well as utilizing as much common sense and whatever level of smarts I have when venturing into the cyber world.

    :thumb:
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    My bad, then I somehow misunderstood. So it's the exact same technique? But I did read that this loophole isn't supposed to work anymore on Win 11, very weird.

    https://www.neowin.net/news/microso...ans-harder-by-changing-exclusions-permission/

    What a joke, you're right. This Win Def loophole has been known for years. Aren't companies like Microsoft and Apple supposed to have the most smart software developers onboard? Very weird that it took so long to fix this, even more weird that this loophole exists in the first place.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Same over here, but to me it's shocking to see how easy it is to bypass WD. Sure, more tech savvy folks like ourselves will probably not get into trouble, but a lot of people may get tricked into installing malware, see third link. And we must not forget that WD is installed on millions of business PCs. Seems like this loophole has already been used to infect certain companies, see first two links. So this is quite serious stuff and shouldn't be brushed off like it's not a big deal.

    https://paraflare.com/blackcat-dete...lusion-of-exe-in-microsoft-defender-endpoint/
    https://symantec-enterprise-blogs.s...igence/noberus-blackcat-alphv-rust-ransomware
    https://www.wilderssecurity.com/thr...s-to-spread-malware-in-legit-software.449530/
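    The "exclusion" issue discussed in this thread (malware adding its own path to the Defender exclusion list, and the BlackCat/Noberus cases linked above) is something a user or admin can at least audit for. The script below is an added example written for this thread, not code from any of the posters or from Microsoft; it uses the standard Defender cmdlets (Get-MpPreference, Get-MpComputerStatus) and the Defender operational event log. The $Baseline list is a constructed placeholder and should be replaced with the exclusions you set yourself.

```powershell
# Added example (not from the thread): audit Microsoft Defender exclusions
# against a known-good baseline and surface recent configuration-change
# events. Run from an elevated PowerShell session on Windows 10/11.

# Constructed placeholder: the exclusions YOU deliberately configured.
$Baseline = @(
    'C:\Dev\Build'            # hypothetical developer build folder
)

# 1. Current exclusion lists as Defender reports them.
$pref = Get-MpPreference
$paths      = @($pref.ExclusionPath)      | Where-Object { $_ }
$extensions = @($pref.ExclusionExtension) | Where-Object { $_ }
$processes  = @($pref.ExclusionProcess)   | Where-Object { $_ }

Write-Host "Path exclusions:      $($paths.Count)"
Write-Host "Extension exclusions: $($extensions.Count)"
Write-Host "Process exclusions:   $($processes.Count)"

# 2. Anything not in the baseline is worth a look. Whole-drive or
#    user-writable locations (Temp, AppData, Downloads) are the classic
#    places an unwanted exclusion ends up.
$unexpected = $paths | Where-Object { $Baseline -notcontains $_ }
$suspicious = $unexpected | Where-Object {
    $_ -match '^[A-Za-z]:\\?$' -or
    $_ -match '\\(Temp|AppData|Downloads|Users\\Public)\\?'
}

if ($unexpected) {
    Write-Warning "Exclusions not in baseline:"
    $unexpected | ForEach-Object { Write-Warning "  $_" }
}
if ($suspicious) {
    Write-Warning "Exclusions covering user-writable or whole-drive locations:"
    $suspicious | ForEach-Object { Write-Warning "  $_" }
}
if ($extensions) { Write-Warning "Extension exclusions present: $($extensions -join ', ')" }
if ($processes)  { Write-Warning "Process exclusions present: $($processes -join ', ')" }

# 3. Defender logs Event ID 5007 ("configuration changed") in its
#    operational log; entries mentioning Exclusions show when and what
#    was added, which helps establish whether you made the change.
$since = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' }

Write-Host "`nExclusion-related 5007 events since $($since.ToShortDateString()): $(@($events).Count)"
foreach ($e in $events) {
    Write-Host ("{0:u}  {1}" -f $e.TimeCreated, ($e.Message -split "`r?`n")[0])
}

# 4. Tamper Protection status, so the report shows whether local
#    configuration changes are at least partially guarded.
$status = Get-MpComputerStatus
Write-Host "`nTamper Protection enabled: $($status.IsTamperProtected)"
Write-Host "Real-time protection enabled: $($status.RealTimeProtectionEnabled)"
```

Running this periodically (or as a scheduled task that writes to a file) gives a plain record of what is excluded and when the list last changed; an exclusion you do not remember adding, especially one under Temp or AppData, is exactly the condition the thread is worried about and a reason to run a full scan and investigate the machine.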
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    There is nothing wrong with being a fanboy unless being an extreme fanboy is blinding you to the fact that there may also be serious issues with your beloved software. Also, this isn't about WD vs third party AV's. Yes they all have their flaws, but that doesn't make this WD flaw any less important.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, who saw the latest Win Def vs Kaspersky video on the PC Security Channel? Both performed pretty well, but somehow WD did fail to protect against the Black Claw ransomware and the system got encrypted.

    A couple of weeks ago I also saw another video showing how Malwarebytes was simply terminated by the Ryuk ransomware, even when tamper protection was turned on. So the end conclusion is not to rely only on your AV; it doesn't hurt to use extra protection tools.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, what was the name of the stealer in the "Defender vs a Novel Stealer" video? In this article this "exclusion" attack method is mentioned again. I'm really quite disappointed with WD, I'm thinking about switching to a third party AV. Problem is, I don't trust them. On the other hand, tools like AppCheck, SpyShelter and OSArmor should already stop quite a lot in case AV fails.

    https://thehackernews.com/2021/07/this-new-malware-hides-itself-among.html
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Precisely :thumb:
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    So this also settles the "WD is all you need" argument. It's better to say, "WD is all you need, if you are lucky." :p
     