What’s new in Windows Defender ATP Fall Creators Update

Discussion in 'other anti-malware software' started by ronjor, Jun 27, 2017.

  1. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,831
    Location:
    Nebraska, USA
    Not the point! You are complaining about ATP because it does not do what it was not designed to do! o_O

    This was designed to detect threats "post" breach, not "pre". That is, it was designed to detect threats that have made it past other defenses, providing [for now] corporate customers with tools to investigate breaches. It was NOT designed to detect threats before they enter the network so it is just total nonsense for you to keep complaining about it.

    My 1/2 ton F150 pickup truck was designed to haul a maximum of 2,329 pounds and only tow a trailer with a maximum weight of 10,500 pounds. It cannot carry 5,000 pounds of gravel or tow a 40,000 pound trailer. It must be a lousy, poorly designed pickup truck. :rolleyes:

    :( ATP is currently available to enterprise e5 subscribers and will [hopefully soon] be available to all. So, "You can read about it in the articles, I'm not making this up." :rolleyes:
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    I'm not complaining, I'm saying it would make sense to do certain stuff in a different way. I hope you now finally get it. But yes, as a pure malware monitoring/detection tool, WD ATP seems to be pretty decent. If they would implement this in perhaps a bit of a dumbed down version in WD for consumers, it would make Win 10 slightly more attractive for me as a big fan of HIPS/BB.
     
  3. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,711
You can't believe everything you read on the internet. Like I mentioned, WD stopped ransomware from running on my network at work in a test. Unfortunately, our real av that we have did not. Damage ensued. FYI this was a recent variant of GlobeImposter as well.
     
  4. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,831
    Location:
    Nebraska, USA
:( Are you a world-class security expert? I sure am not! But they have whole teams of them at, and working for, Microsoft!

    Whether you want to call it "complaining" or not, you are still "saying" ATP should do something it intentionally was not designed to do. And in my opinion, that does not make sense at all! That's like complaining... err... sorry... "saying" your monitor should accept touchscreen input even though it is not a touchscreen monitor.

    There are other anti-malware solutions designed to detect and stop threats "pre-breach". But because no single solution is, or ever can be perfect 100% of the time, ATP is hoping to defend against "post-breach" threats, should they occur.

    Sorry, but that makes no sense to me either. First, why would anyone want a dumbed down version? But more importantly, since this is not currently in W10, therefore making W10 less attractive for you, what's your better alternative? No other version of Windows is as secure as W10 is right now!
     
    Last edited: Aug 5, 2017
  5. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,711
    Well said Bill. Totally agree.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
Yes, perhaps it was not designed to do so. But I'm saying it would make sense to at least give the option to block certain behavior right away. You don't have to be a "world-class" security expert to understand why I think this is so important. At the end of the day people care about their systems being free of infections. Monitoring is cool, blocking is even better, if possible.

Come on Bill, do I really need to explain everything? I'm sure they can't just port the exact same product to a consumer version. Actually, that's exactly what this discussion is about, consumers don't need a malware monitoring tool, they need malware to be blocked, if AV is somehow bypassed. You can probably already do both with WD ATP, but it's not really clear.

    You already know what makes Win 10 less attractive to me, it's all of the tracking. But at the moment there are only a few standalone HIPS for consumers and none of them are good enough. So Win Def getting HIPS/BB capabilities would make it more interesting. And BTW, Win 8 is already pretty secure under the hood.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    What do you mean? I was talking about the blog posts about WD ATP. And you keep mentioning about how Win Def blocked ransomware, that's cool and all, but this thread is about another product. The discussion is about if it makes sense to let malware run and to record all of the steps (post breach), before blocking it from infecting the rest of the network. I say: no it doesn't, because you don't let malware steal or encrypt data, and then cry foul. Unless you're trying to analyze malware, but you don't do that kind of stuff on the real network.
     
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421

From the Microsoft blog post that @ronjor already posted in post #119 on page 5 in this thread, where Microsoft clearly states:
    More info in the link in post #119: https://www.wilderssecurity.com/thr...ll-creators-update.395046/page-5#post-2696489

    Microsoft has already made everything perfectly clear. :thumb:
     
  9. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,831
    Location:
    Nebraska, USA
    Wow! You just don't get it. No Rasheed. It would NOT make sense to add that option. That's what other security products in the Windows threat protection stack were specifically designed for.

    Tracking? I think you need to learn the difference between "privacy" and "security". And you also need to learn what it is Windows 10 is actually tracking.

    Due to the wildly exaggerated and often totally inaccurate accusations that Windows was spying on users (it is not!) Microsoft still cut the amount of telemetry data it collects in half. And it published a complete, detailed list of the data it collects for transparency. And most importantly, as ZDNet noted just 3 days ago (my bold added),
    Again, Microsoft, with W10, is NOT trying to steal our passwords, they are NOT trying to learn our real names, street addresses, billing information, bank accounts, or our personal contacts. In fact, they are actively working (and successfully too) at protecting that data. I trust Microsoft way more than I trust ISPs and cell phone carriers as they already know our real names, street addresses and billing information. And cell phone carriers do track our physical locations, where we've been, the direction we are heading, and who we have talked to and texted. And you are worried about W10? Geesh! :rolleyes:

    And I trust Microsoft with my security because they are the only, ONLY company making security software with no conflict of interest or financial incentive for malware to succeed. Regardless how sincere 3rd party security program developers are, if malware went away, those companies would go out of business.

    I'm done here.
     
  10. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,711
How is this about a different product? In the title is Windows Defender. I don't care if this is about ATP or not. What I am saying is I have seen WD block ransomware from even downloading let alone run. You keep repeating that it lets it download, start to run and then blocks it. I do agree with you that it should stop it and not let it run. Malware testing should never be done on a real network. So agree there as well.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,481
    Location:
    U.S.A.
    As noted here: http://www.securityweek.com/windows-10-can-detect-powershell-attacks-microsoft with fall Win 10 CE release, WD ATP will block PowerShell attacks. This implies plain WD does not. Furthermore, many ransomware attacks are PowerShell based. Therefore we can conclude that plain WD ransomware protection is lacking.
    https://blogs.technet.microsoft.com...ng-detecting-new-and-unusual-breach-activity/
     
    Last edited: Aug 6, 2017
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
This is vitally important for Microsoft to finally rein in that particularly notorious entry + attack vector, PowerShell.

Relieved to see that it's being addressed in the upcoming release. Malicious PowerShell commands can zip through at lightning speed and filter all sorts of other landing zones and grow malware connectivity internally like a weed.

    It's a big deal more will be done about that soon.
     
  13. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,831
    Location:
    Nebraska, USA
That is an invalid conclusion! All you have to do is look at the recent WannaCry ransomware attack. WannaCry was ineffective on the vast majority of Windows systems. Those affected were, for the most part, those systems where users dinked with Windows Update. Microsoft pushed out the essential patch code months before WannaCry hit. So those who let Windows keep Windows (and therefore, Windows Defender) updated were not even threatened. And that has nothing to do with ATP. See: May 15, 2017 Windows Report: Windows Defender can block WannaCry ransomware.

    The other primary group of affected systems were those where the users were "click-happy" on unsolicited downloads, attachments, links and popups. No security program can protect a computer 100% of the time if the user carelessly opens the door and invites the bad guy in.

    Another point that seems to be repeatedly ignored or just not understood is while malicious code may be downloaded on to our systems, that IN NO WAY means that code is being executed (run). Code read into memory is NOT automatically executed. So regardless how many times it is repeated, the malicious code may download, but it is then analyzed BEFORE it is allowed to execute (run). Reading code into memory is NOT running the code. If the code is not recognized and/or behaves suspiciously, WD will block execution while it queries the cloud for any information on the code, then act accordingly from there.
     
  14. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,101
    Location:
    Da mean streets of Brooklyn
I don't understand why this "discussion" about WCry is in a Windows 10 context. The vast majority of machines were running Windows 7, and of those machines running it, Windows' resident security was reportedly not effective against the exploit (due to no patch), backdoor or payload. Detections were created after the fact and now it's moot. Time to move along.

    http://www.computerworld.com/articl...es-not-defend-windows-7-against-wannacry.html

    I'm asking the more experienced members for confirmation: can we home/pro users expect the built-in mitigations via EMET with the upcoming new build? I know some of the more advanced features like sandboxing are only offered to enterprise versions, or am I mistaken?
     
  15. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,831
    Location:
    Nebraska, USA
    You are right - it is a bit OT. But the point is, out of date W10 systems were vulnerable too. But since, by default, W10 includes WD and by default WU in W10 automatically keeps W10 and WD current, those systems were not affected by WannaCry.
     
  16. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,101
    Location:
    Da mean streets of Brooklyn
  17. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,831
    Location:
    Nebraska, USA
    I am not sure such details will, or should be published. No need to provide a road map detailing how things work giving the bad guys the path to follow to avoid detection.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,481
    Location:
    U.S.A.
This has nothing to do with PowerShell mitigation:
    https://technet.microsoft.com/en-us/library/security/4022344.aspx

As far as WD detecting WannaCry, which BTW was not PowerShell based but delivered via an SMB vulnerability, it detected the ransomware portion by signature after it had been discovered in the wild.
     
  19. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,831
    Location:
    Nebraska, USA
Actually, it was not after it was discovered in the wild. Microsoft patched the vulnerability and ensured WD addressed the threat after a scumbag traitor stole then exposed classified data he took an oath to protect. :mad: This was several weeks or months before WannaCry went "wild".

    And note I was referring to the incorrect "blanket statement" claim that "plain WD ransomware protection is lacking".

    No doubt, with anyone who says something positive about WD, there will be someone stepping in with something negative. I am convinced, however, the negative inputs would not come with such vigor if WD did not have the Microsoft brand name behind it. :(

    Once again, I am not pretending or trying to convince anyone that WD is, or ever will be perfect 100% of the time. I just want everyone to understand and accept that no solution is perfect and regardless what "synthetic" and "artificial" laboratory tests say, Windows Defender is quite capable of protecting its users from the "real-world" threats of today - IF users keep Windows and WD current - quickly adding that keeping Windows and their security apps current is essential regardless the security provider of choice.

    And just because WD for most Windows users today does not include this new advanced feature, that does not imply WD is ineffective, or that some other program can today ensure protection WD can't.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,481
    Location:
    U.S.A.
To set the record straight on WD's effectiveness against PowerShell script execution on Win 10, MRG actually performed some recent ad hoc testing in regards to AV effectiveness when used in combination with Win 10's AMS interface. You can read about that here: https://www.mrg-effitas.com/current-state-of-malicious-powershell-script-blocking/ . Note: I wasn't aware of this test till now.

To summarize, three tests were performed, each with increasing detection difficulty. WD successfully blocked the script for both disk and memory based execution. The last test involved a recent malware script obfuscation technique. The only products to block this were Avast/AVG and HMP-A (beta).

So in this regard, WD held its own against the major AV vendors and actually beat the performance of many of those vendors for the fileless script execution test. Note: This only applies to Win 10 that uses the AMS interface.
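    The post above rests on Windows Defender scanning PowerShell through AMSI on Windows 10. The script below is an added example (not from the thread, MRG or Microsoft) that a defender can run to confirm the pieces the test depends on: Defender's real-time protection is on, signatures are current, and AMSI actually blocks an in-memory script. It uses Microsoft's documented, harmless AMSI test string (the AMSI counterpart of the EICAR file) and the built-in Defender PowerShell module; both function names are my own.

```powershell
# Added example: verify that Defender is active and that AMSI script scanning blocks
# a known-bad sample on this Windows 10 host. Run from an elevated PowerShell prompt.

function Get-DefenderScriptScanStatus {
    # Get-MpComputerStatus ships with the Defender module on Windows 10.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntimalwareService        = $s.AMServiceEnabled
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $s.BehaviorMonitorEnabled
        SignatureAgeDays          = $s.AntivirusSignatureAge   # stale signatures = weaker coverage
    }
}

function Test-AmsiBlocksSample {
    # Microsoft's harmless AMSI test string. It is assembled from two halves at
    # runtime so that this script file itself is not flagged on disk; AMSI sees
    # the joined string when Invoke-Expression hands it to the scripting engine.
    $sample = 'AMSI Test Sample: 7e72c3ce-861b-4339-' + '8740-0ac1484c1386'
    try {
        # In-memory ("fileless") execution is exactly the path AMSI is meant to
        # cover. With a working provider this never runs and PowerShell throws.
        Invoke-Expression $sample
        return $false   # not blocked: AMSI provider missing, disabled or not wired up
    } catch {
        # Defender reports the block as "This script contains malicious content and
        # has been blocked by your antivirus software". Any other error (for example
        # "AMSI is not recognized as a cmdlet") means the script reached execution.
        return ($_.Exception.Message -match 'malicious content')
    }
}

Get-DefenderScriptScanStatus | Format-List
if (Test-AmsiBlocksSample) {
    Write-Output 'AMSI: in-memory script blocked by the registered antimalware provider'
} else {
    Write-Output 'AMSI: test sample was NOT blocked; check real-time protection and the AMSI provider'
}
```

    A passing result only shows that the AMSI path is live; it says nothing about whether obfuscated content, the case WD missed in the MRG test, would also be caught.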
     
  21. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    2,831
    Location:
    Nebraska, USA
    That test perfectly illustrates my point about all the bias there is out there against Microsoft - especially by test labs who are supposed to be unbiased. :(

    The test revealed that Avira, Bitdefender, ESET, F-Secure, GData, Kaspersky Lab, McAfee, Microsoft Defender (AMSI), Norton, and Trend Micro "all" failed to block the "Invoke-Obfuscation" attack. But in his conclusion, what product is the only product he singled out for failing? Microsoft's - the ONLY company that does not charge, or try to suck users into expensive recurring renewal fees.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
    https://github.com/danielbohannon/Invoke-Obfuscation

    Purpose

     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    Well, you should care, because then you would know that WD stopping ransomware isn't relevant in this thread. WD's job is to block malware, Win ATP's job is to monitor and eventually block malware. It's more of a forensic tool, they call this EDR software, others also offer this, I'm just saying focus should always be on blocking. If blocking fails, you can always use the monitoring function to see where things went wrong.

Exactly my point. If you read the article, it looks like it will allow malware to perform suspicious stuff like running powershell.exe, deleting system restore points and most likely it would also allow process hollowing. To make things even worse, it's not even clear if eventually it will block the file encrypting part.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
  25. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
    Will this be available also for Windows 10 Home?
     