What’s new in Windows Defender ATP Fall Creators Update

Discussion in 'other anti-malware software' started by ronjor, Jun 27, 2017.

  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
    Good and valid point to bring out front again, especially as concerns the WD ATP API. Did some deep study this past week on that very method that's often used, where it slips in via a suspended state and begins all sorts of probing to finalize the whole payload operations. Clever stuff.

    FWIW, I have not even begun to test malware/ransomware and/or their methods against WD as-is on Windows 10 yet. I suppose it will take some time testing how it stands up to current third-party protections that are already solid against this and others, but I am sure expecting some reasonable results. Thinking the Fall Creators Update would be the ideal time to go into that.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    If you're referring to process hollowing, most are ineffective against it by default. Solutions like AppGuard only memory-protect select processes by default, for example. Emsisoft is also effective in that it will start monitoring any unknown process for code injection activities against another process, whether that process is suspended or not.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    Appears Microsoft added a new sub-process, EnableModuleTamperingProtection, to EPROCESS for Win 10 CE and added two APIs for it, LdrpCheckPagesForTampering and LdrpMapCleanModuleView:
    http://www.codemachine.com/article_kernelstruct.html#EPROCESS

    For EnableModuleTamperingProtection to be effective, it would have to be set for every process since any theoretically could be used for process hollowing activities. Might be conditioned upon the creation of an existing Microsoft origin Windows or app process in a suspended state. Most likely will just be set when any of these modules load by virtue of a program loader option.
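The check the post above speculates about (a clean view of the module mapped next to the process's own copy, then compared page by page) can be sketched as a small routine. This is an added illustration written for this page, not Windows loader code and not something the linked codemachine page documents; the function names, the 4 KiB page size, the four-page module layout, the sample bytes and the loader-patched import range are all constructed here.

```python
"""Page-level module tamper check: diff a process's mapped image against a
clean view of the same file, page by page.

Added illustration, not Windows loader code. PAGE, the module layout, the
sample bytes and the loader-patched range are all constructed here.
"""
import hashlib
from typing import List, Tuple

PAGE = 0x1000  # 4 KiB, the usual x86/x64 page size


def page_hashes(buf: bytes) -> List[bytes]:
    """SHA-256 of every page of buf; a short buffer's last page is partial."""
    return [hashlib.sha256(buf[i:i + PAGE]).digest() for i in range(0, len(buf), PAGE)]


def check_pages(mapped: bytes, clean: bytes,
                loader_patched: List[Tuple[int, int]]) -> List[dict]:
    """Return one finding per page that differs from the clean view.

    loader_patched lists (start, end) offsets the loader itself rewrites after
    mapping (resolved import thunks, applied relocations). A difference that
    overlaps such a range is reported as 'expected'; any other difference is
    'tampered', which is what a hollowed or patched code page looks like.
    """
    if len(mapped) != len(clean):
        raise ValueError("mapped and clean views must be the same size")
    findings = []
    for idx, (m, c) in enumerate(zip(page_hashes(mapped), page_hashes(clean))):
        if m == c:
            continue
        start, end = idx * PAGE, (idx + 1) * PAGE
        expected = any(s < end and e > start for s, e in loader_patched)
        findings.append({"page": idx, "offset": start,
                         "kind": "expected" if expected else "tampered"})
    return findings


def build_sample() -> Tuple[bytes, bytes, List[Tuple[int, int]]]:
    """Constructed four-page module: header, .text, .idata, .data.

    The 'mapped' copy carries one legitimate loader write (a resolved import
    thunk in .idata) and one hostile change (the whole .text page replaced).
    """
    clean = bytearray(4 * PAGE)
    clean[0:2] = b"MZ"
    text, idata = 1 * PAGE, 2 * PAGE
    clean[text:text + 4] = b"\x48\x83\xec\x28"  # original entry bytes: sub rsp, 0x28
    mapped = bytearray(clean)
    mapped[idata:idata + 8] = (0x7FFA12345678).to_bytes(8, "little")  # resolved thunk
    mapped[text:text + PAGE] = b"\xcc" * PAGE  # attacker overwrote the code page
    return bytes(mapped), bytes(clean), [(idata, idata + 0x100)]


if __name__ == "__main__":
    for finding in check_pages(*build_sample()):
        print(finding)
```

A real implementation has more to tolerate than the import table: relocations applied at load time, copy-on-write pages touched by legitimate hooking, and partial trailing pages, and it reads the target's pages through the kernel rather than receiving a byte string. The useful outcome is the split the routine makes: a 'tampered' hit on a code page is a strong signal, an 'expected' hit is noise to suppress.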
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    I really don't think that process hollowing and atom bombing are used in a legitimate way, remember that both methods involve multiple steps. Just because some process runs a child process and modifies memory (injects code), doesn't mean that process hollowing/atom bombing is being used.

    My advice to the blog article writers is to make this more clear.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    That is what I pointed out previously; the problem of determining good code from bad code.

    Case in point is how CFG works in Win 10. If it detects a violation, it will just terminate the process. Ditto for DEP enhanced protection on Win 10. The only effective way of doing this is to auto sandbox the process and scan the code after it has been injected into memory and unpacked/decrypted. It might just be that this new EnableModuleTamperingProtection has such capability. It could do the sandboxing when the child process is loaded and then wait till the process is resumed to do the injected code scanning in the sandbox.

    I also strongly suspect that WD ATP will be using a local behavioral engine versus the current cloud-based one in WD.

    -EDIT- Another example is almost all the memory injection test utilities that currently exist. Most are packaged with a default .dll that will display a message box if the memory injection was successful. Is that .dll code malicious? No, it isn't. To effectively test your security solution's advanced memory scanning detection capability, you have to use a known malicious .dll.
     
    Last edited: Jul 25, 2017
  7. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,834
    Location:
    Nebraska, USA
    That would be a step backwards! Not good as it assumes and requires all the behavioral code necessary to detect all the latest zero-day, or rather zero-second threats already be downloaded on to the local client.

    WD already uses a local behavior engine, but as seen here (my bold emphasis added),
     
  8. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,712
    Agreed Bill. That would be a big step backwards. I hope that this is not the case when the Fall Creators Update comes out.
     
  9. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,834
    Location:
    Nebraska, USA
    Of course the Fall Creators Update will not remove that advanced protection. That link I just provided is barely a week old and tells how things are, and how things will be to come. Microsoft has and is making HUGE investments in Windows security and cloud protection - they have no intention of tossing all that down the drain. Again, why? Because bashers will blame Microsoft regardless. So Microsoft has moved to aggressive offense and is demonstrating their "commitment to providing unparalleled real-time defense against modern attacks."
    It already is very clear. From that same blog link I provided above, if the local definition or behavior engines cannot determine if some code or behavior is friend or foe,
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    Windows Defender's local-based behavior detection, I assume, parallels that of other AV vendors. That is, it is heuristic pattern-based scanning. If there is no hit there on an unknown process, it will use the cloud for a final determination using Microsoft's Azure AI servers; the same ones Voodooshield uses. I see no evidence in WD of any continuous advanced memory scanning monitoring other than the above initial cloud scanning.

    If WD ATP is going to detect process hollowing and other memory based injection, it will have to employ a local based advanced memory scanner.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
    I can live with that.

    If it's implemented, as well as letting loose some of the other security projects commissioned only to the Enterprise/Education etc. series so far, heck, ANYTHING extra to much better seal up the avenues of entry. And if an avenue happens to bypass, kick in a secondary check just to make it plain they mean business this go-round.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Seems like you're misunderstanding. In the articles about various code injection methods, it would be nice if they clearly explained that Win Def could both block and detect malware that is using these techniques. Blocking means the malware immediately gets shut down because of the suspicious behavior. Detecting means that it can spot malware that is already running in memory. Seems like Win Def ATP is mostly focused on post-breach, which is cool, but this means the malware was allowed to run and to inject code. Blocking the malware from performing malicious activities is even better.
     
  13. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,834
    Location:
    Nebraska, USA
    Sorry, but it is you who are not understanding. They do clearly explain. The very purpose of WD ATP is as a "post-breach" solution. You are criticizing a program for not doing something it is not intended to do! That's like criticizing your spell checker for not stopping you from typing a misspelled word before you type it, or criticizing a Lexus RX450h for not being able to tow a 10,000 pound trailer.

    WD blocks malware and suspicious code it detects. If it does not recognize code that is behaving suspiciously, it blocks it while it investigates.

    NO SECURITY PROGRAM can stop or block code it does not understand or suspect without first seeing it and studying its behavior. That means it (the bad code) must first make it past any defenses on the way in. WD can and does analyze such code BEFORE that code can execute and do damage, but that code must still come within reach of WD first.

    You are suggesting WD allows the malicious code to execute and perform malicious activity before WD stops it. That is just not true of WD or of any decent anti-malware solution worth its salt.

    If you want "pre-breach" security, you are going to need to run something on your router or run everything through some proxy before it touches your computer.

    Is WD perfect? Of course not. NO SECURITY PROGRAM IS! But WD is pretty darn good and getting better all the time. That's why I use it on all our systems here and do not hesitate recommending it for all of my children, grandchildren, friends, clients, colleagues and posters. And I have made such recommendations WITHOUT ANY REGRETS or system compromises since MSE became available for W7, or since WD was integrated into W8.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Actually, that is exactly what Win Def ATP does: it allows malware to run, perform malicious activity, and then alerts about it. At least, this is the impression I get from the articles about code injection. What I'm saying is that the goal of HIPS/BB should be to shut down malware that slipped past AV. You don't allow malware to steal or encrypt data; even if it's only on one machine, it can already cost you. And if Win Def ATP is indeed able to block malware immediately, then it should be made clear, so I guess I'm not criticizing the product, but it's more about the article writers.
     
  15. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,834
    Location:
    Nebraska, USA
    No it doesn't. No security program will allow any malware to perform malicious activity - IF it can help it. That's exactly why ALL security programs that perform behavioral analysis (as WD does) look for "suspicious behavior", then, if necessary, stops that activity before any "malicious activity" can be performed, or any "payload" can be delivered.

    Suspicious does not mean malicious. A guy with a dark hoodie over his head in the summertime lurking around an ATM is suspicious. But just because he looks suspicious, that does not mean he has even a drop of evil intent in his blood. Nor does it mean he is doing, or is going to do, anything illegal - but he still deserves watching. If he moves in closer when a little old lady starts to use the ATM, the cops need to move in and stop him and find out what he is up to BEFORE he might knock her down and snatch the money.

    At this point, we still don't know if this guy is a bad guy or not. He may be totally innocent and moving into the 2nd ATM next to hers to withdraw money from his own account.

    o_O I am sorry, but what's there not to understand? They have been perfectly clear (my BOLD UPPERCASE and UNDERLINE added)
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Yes it does, why do you think it's called post-breach, just read the articles. Or better yet, look only at the screenshots, it basically records all of the suspicious behavior which has already occurred. What I'm saying is, it would make more sense to block the behavior from occurring, and to terminate the malicious process and to then generate an alert. I'm guessing WD-ATP is capable of doing this, but I would make this clear in each and every article.

    https://blogs.technet.microsoft.com...-process-injection-with-windows-defender-atp/
    https://blogs.technet.microsoft.com...ender-atp-process-hollowing-and-atom-bombing/

    That statement is from another article. My comments are about the code injection articles; how many times do I need to explain this? And AFAIK there is a difference between Win Def and Win Def ATP, they are two separate products. Win Def takes care of pre-breach and WD-ATP takes care of post-breach. This means that if WD is somehow bypassed, WD-ATP steps in if it detects suspicious behavior.

    https://blogs.technet.microsoft.com...me-defense-against-never-before-seen-malware/
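The two points argued across itman's and Rasheed187's posts above (a suspended child plus a memory write on its own is not process hollowing, only the full chain is; and the difference between blocking that chain and detecting it afterwards comes down to where the verdict is issued) can be shown on a small event correlator. This is an added example written for this page, not code from the thread, from Microsoft or from Windows Defender ATP; the telemetry schema, the field and class names and the eight sample events are constructed for illustration, and only the CREATE_SUSPENDED value is a documented Win32 creation flag.

```python
"""Correlating endpoint telemetry into a process-hollowing verdict.

Added illustration, not Microsoft's or any vendor's code. The event schema,
field names and sample events are constructed for this example; only the
CREATE_SUSPENDED value is the documented Win32 CreateProcess() flag.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004  # documented CreateProcess() dwCreationFlags bit

# Constructed sample telemetry (not captured from a real system). Events 1-5
# are the classic hollowing chain; 6-8 are a parent that merely creates a
# suspended child, writes a small non-executable region and resumes it.
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "actor": 50, "pid": 100,
     "image": r"C:\Windows\System32\svchost.exe", "flags": CREATE_SUSPENDED},
    {"id": 2, "type": "UnmapView", "actor": 50, "target": 100, "base": 0x140000000},
    {"id": 3, "type": "MemoryWrite", "actor": 50, "target": 100,
     "addr": 0x140000000, "size": 0x2000, "protect": "RWX"},
    {"id": 4, "type": "SetThreadContext", "actor": 50, "target": 100},
    {"id": 5, "type": "ThreadResume", "actor": 50, "target": 100},
    {"id": 6, "type": "ProcessCreate", "actor": 60, "pid": 200,
     "image": r"C:\Program Files\Vendor\app.exe", "flags": CREATE_SUSPENDED},
    {"id": 7, "type": "MemoryWrite", "actor": 60, "target": 200,
     "addr": 0x7FF600001000, "size": 0x100, "protect": "RW"},
    {"id": 8, "type": "ThreadResume", "actor": 60, "target": 200},
]


@dataclass
class ChildState:
    creator: int
    image: str
    suspended: bool
    unmapped: bool = False
    exec_write: bool = False
    context_set: bool = False

    def hollowing_chain_complete(self) -> bool:
        # A lone write into a suspended child is not hollowing. Require the
        # whole chain: suspended start, original image unmapped, executable
        # payload written, entry point redirected.
        return self.suspended and self.unmapped and self.exec_write and self.context_set


class HollowingMonitor:
    """mode="block": deny the resume that would run the payload.
    mode="detect": let it run and record the finding (post-breach style)."""

    def __init__(self, mode: str = "block"):
        assert mode in ("block", "detect")
        self.mode = mode
        self.children: Dict[int, ChildState] = {}
        self.alerts: List[dict] = []

    def handle(self, ev: dict) -> str:
        kind = ev["type"]
        if kind == "ProcessCreate":
            self.children[ev["pid"]] = ChildState(
                creator=ev["actor"], image=ev["image"],
                suspended=bool(ev["flags"] & CREATE_SUSPENDED))
            return "allow"

        st = self.children.get(ev.get("target"))
        if st is None or ev["actor"] == ev["target"]:
            return "allow"  # self-modification or untracked target: out of scope here

        if kind == "UnmapView":
            st.unmapped = True
        elif kind == "MemoryWrite":
            if "X" in ev["protect"]:
                st.exec_write = True
        elif kind == "SetThreadContext":
            st.context_set = True
        elif kind == "ThreadResume":
            if st.hollowing_chain_complete():
                verdict = "deny" if self.mode == "block" else "allow"
                self.alerts.append({"target": ev["target"], "actor": ev["actor"],
                                    "image": st.image, "event": ev["id"],
                                    "action": "blocked" if verdict == "deny" else "detected"})
                if verdict == "allow":
                    st.suspended = False
                return verdict
            st.suspended = False
        return "allow"


def run(events: List[dict], mode: str = "block") -> Tuple[List[str], List[dict]]:
    """Feed events through one monitor; return per-event verdicts and alerts."""
    mon = HollowingMonitor(mode)
    verdicts = [mon.handle(ev) for ev in events]
    return verdicts, mon.alerts


if __name__ == "__main__":
    for mode in ("block", "detect"):
        print(mode, *run(SAMPLE_EVENTS, mode))
```

The verdict is issued on the ThreadResume event, the last step before the written payload executes: in block mode that resume is denied, in detect mode it is allowed and the finding is recorded, which is the post-breach behaviour the thread describes. The benign parent (events 6-8) resumes its child without an alert because it never unmapped the image, never wrote executable memory and never changed the thread context. Real chains vary (the unmap step is optional, the executable protection is often applied only after the write, and the writer need not be the creating parent), so a production rule would also feed protection-change events into the same state rather than rely on a fixed sequence.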
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    Based on the following, appears WD ATP is using its AI/ML algorithms to detect like activity. Will be interesting to see its effectiveness over time and in AV lab tests against other comparative AI/ML solutions:
     
  18. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,834
    Location:
    Nebraska, USA
    I give up. My advice to you, Rasheed, is to use another program.
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    61,563
    Location:
    Texas
    Windows Defender ATP machine learning: Detecting new and unusual breach activity
     
  20. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,712
    How do you know WD ATP does this? Have you personally tested it? All I can say is that I have tested WD just this past week against ransomware received via email at my job. Each time, when I would attempt to download the file, WD would pick it up, block it, and quarantine it. Even against GlobeImposter.

    Nothing is perfect and will be 100%. If you want that, then each and every end user will need an IT guy or gal standing over his/her shoulder to point out to them that they are about to download and run the wrong file, e.g. ransomware etc.
     
  21. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,834
    Location:
    Nebraska, USA
    That won't work either. IT guys and gals are great, but they are still human. If you want to ensure 100% protection from malware, unplug the computer from the Internet and the wall, pack the computer into box and lock it in a secure closet. ;)
     
  22. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,712
    Ahh touche Bill! Agree!
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
    I think it's safe to reserve final pros vs. cons on its improved ability until the thing is finally released, implemented and tested to the full degree.

    Then, as an aforementioned biased critic against Microsoft, some, as in yours truly, can have at it or eat a little crow. :isay:

    Either way it turns out for the Windows Defender ATP Fall Creators Update, just remember there will still be even more improvements integrated into it as time moves on ahead, so with that expectation in mind it can only get better, right?
     
  24. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,834
    Location:
    Nebraska, USA
    I think that is a fair assumption. It is at the very least, a fair expectation. Of course, the bad guys may have something different to say about it! They aren't exactly stupid people.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    I believe WD ATP isn't even available to consumers. And what I'm saying is that most code injection methods are NOT used by legitimate apps. So if you see certain techniques being used, a good HIPS/BB should be able to block the malware in an earlier stage.

    https://www.endgame.com/blog/techni...-technical-survey-common-and-trending-process

    You can read about it in the articles, I'm not making this up. It would make sense to let malware complete almost all of its malicious actions in a sand-boxed environment, but not on the real network.
     