Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,782
    This will be my last post, but don't take it badly, I just have important things in real life.
    #2618 OK, you said it might be your imagination. BTW, are you aware there's no general consensus on what PH exactly means? So let's try to define it as:
    1. invoke a legit process by CreateProcess w/ CREATE_SUSPENDED,
    2. find the base address by NtQueryProcessInformation & ReadProcessMemory or ReadRemotePEB & ReadRemoteImage,
    3. from the address unmap its memory by NtUnmapViewOfSection,
    4. calculate diff w/ the base address of your code, then allocate RWX by VirtualAllocEx,
    5. write the code by WriteProcessMemory,
    6. relocate the base of your code,
    7. reset the thread context by GetThreadContext & SetThreadContext,
    8. resume the thread by ResumeThread.
    You can make a behavior sig which matches this sequence w/ validation of the parent, but the problem is such a sig will miss all the similar techniques. The opposite extreme is blocking any CreateProcess w/ CREATE_SUSPENDED, but this will cause many FPs. I believe most solutions go somewhere in between, but it depends totally on the rule coder's heuristic decision. We know HMPA PH protection has caused FPs - I only found an explicit mention for VMware ThinApp, but IIRC there was another case in the past. Note it's not BB but a partial HIPS, so FPs will be less problematic, as BB usually removes the exe, meaning rules for BB must be more carefully written.
    IDK if the alleged AV insider was real, but it seems it's becoming common sense that traditional BB can't catch 0day malware used in real targeted attacks (tho "0day malware" is becoming a buzzword), 'cause it can only block known patterns - criminals just need to find another, which is why BB sigs are updated every week. Note I distinguish HIPS & ML from BB, and your understanding is not 100% correct. Not all AVs upload files, and sandboxing is not directly relevant to cloud ML analysis. ML doesn't care where data came from, and the local BB component is a good source of the data (*). Many MLs extract & compress some characteristics and map them into a high-dimensional grid, then depending on the algorithm they can either group, separate, or grade the source. Although it would have been trained w/ known data, it's agnostic about whether the source is known or unknown, so it can detect unseen malware and miss known ones probabilistically, but intentionally bypassing it is hard thanks to its abstract nature, contrary to traditional BB. I warn not to use another blanket term like "learning malicious behavior"; such a thing doesn't actually happen and is only useful as an interface language.

    (*) A well-known technique to bypass sandbox analysis is simply to wait before doing a malicious act, but it can't deceive ML if this info was sent by local AV.
     
    Last edited: Oct 20, 2019
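The trade-off Yuki2718 describes (a sequence signature with parent validation catches the listed steps but misses variants, while a blanket "any CREATE_SUSPENDED" rule fires on debuggers and installers) as an added example. This is not code from the thread or from any product named in it; the event shape (Pid, Api, Target, Flags, Protect), the two traces and the helper names are constructed for the example. A real engine would feed the same state machine from its own user-mode hooks or ETW.

```powershell
# Added example, not code from the thread or from any product named in it.
# A toy behaviour signature for the eight-step sequence above, with parent
# validation, run over a constructed API-call trace. The event shape
# (Pid, Api, Target, Flags, Protect) is an assumption made for the example.

function Test-HollowingSequence {
    param(
        [Parameter(Mandatory)] [object[]] $Events,     # ordered trace of API calls
        [Parameter(Mandatory)] [int]      $ParentPid   # process whose behaviour is validated
    )

    # Stages that must appear, in order, from $ParentPid against one child.
    # Step 2 (reads) and steps 4/6 (relocation arithmetic) leave no
    # cross-process call worth keying on, so only the distinctive calls are listed.
    $stages = @(
        @{ Api = 'CreateProcess';        Check = { param($e) 'CREATE_SUSPENDED' -in $e.Flags } },
        @{ Api = 'NtUnmapViewOfSection'; Check = { param($e) $true } },
        @{ Api = 'VirtualAllocEx';       Check = { param($e) $e.Protect -eq 'PAGE_EXECUTE_READWRITE' } },
        @{ Api = 'WriteProcessMemory';   Check = { param($e) $true } },
        @{ Api = 'SetThreadContext';     Check = { param($e) $true } },
        @{ Api = 'ResumeThread';         Check = { param($e) $true } }
    )
    $first = $stages[0]

    $progress = @{}   # child pid -> index of the next expected stage
    $hits     = @()   # child pids for which the whole sequence was observed

    foreach ($e in $Events) {
        if ($e.Pid -ne $ParentPid) { continue }          # parent validation
        $child = [int]$e.Target
        if (-not $progress.ContainsKey($child)) {
            # A child enters the state machine only through stage 0.
            if ($e.Api -eq $first.Api -and (& $first.Check $e)) { $progress[$child] = 1 }
            continue
        }
        $next = $stages[$progress[$child]]
        # Unrelated calls in between (e.g. ReadProcessMemory) neither advance nor reset.
        if ($e.Api -eq $next.Api -and (& $next.Check $e)) {
            $progress[$child]++
            if ($progress[$child] -eq $stages.Count) {
                $hits += $child
                $progress.Remove($child)
            }
        }
    }
    return ,$hits
}

function Test-AnySuspendedCreate {
    # The blunt rule from the post: flag any suspended CreateProcess at all.
    param([object[]] $Events, [int] $ParentPid)
    $n = @($Events | Where-Object {
        $_.Pid -eq $ParentPid -and $_.Api -eq 'CreateProcess' -and 'CREATE_SUSPENDED' -in $_.Flags
    }).Count
    return $n -gt 0
}

# Helper to build one constructed trace event (hypothetical format).
function New-Call([int]$Caller, [string]$Api, [int]$Target, [string[]]$Flags = @(), [string]$Protect = '') {
    [pscustomobject]@{ Pid = $Caller; Api = $Api; Target = $Target; Flags = $Flags; Protect = $Protect }
}

# Constructed trace 1: the sequence from the post (parent 4000 hollows child 4100).
$hollowing = @(
    (New-Call 4000 'CreateProcess'        4100 @('CREATE_SUSPENDED')),
    (New-Call 4000 'ReadProcessMemory'    4100),
    (New-Call 4000 'NtUnmapViewOfSection' 4100),
    (New-Call 4000 'VirtualAllocEx'       4100 @() 'PAGE_EXECUTE_READWRITE'),
    (New-Call 4000 'WriteProcessMemory'   4100),
    (New-Call 4000 'SetThreadContext'     4100),
    (New-Call 4000 'ResumeThread'         4100)
)

# Constructed trace 2: a debugger-style launch, same CREATE_SUSPENDED, no
# unmap/alloc/write. This is the kind of legit use behind the FPs mentioned.
$benign = @(
    (New-Call 5000 'CreateProcess'     5100 @('CREATE_SUSPENDED')),
    (New-Call 5000 'ReadProcessMemory' 5100),
    (New-Call 5000 'ResumeThread'      5100)
)

"Sequence sig, hollowing trace -> child(ren): $((Test-HollowingSequence $hollowing 4000) -join ', ')"
"Sequence sig, benign trace    -> child(ren): $((Test-HollowingSequence $benign 5000) -join ', ')"
"Suspended-create rule, benign -> $(Test-AnySuspendedCreate $benign 5000)"
```

The sequence signature reports child 4100 for the first trace and nothing for the second, while the suspended-create rule fires on the benign trace too. The flip side is the one the post warns about: drop or reorder a single stage (a "PH without hollowing" variant that never calls NtUnmapViewOfSection, or one that allocates RW and flips to RX later) and Test-HollowingSequence never reaches the last stage, so every loosening of the rule has to be weighed against the FP rate of the blunt one.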
  2. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    610
    Location:
    USA
    As can be seen in my sig, I have been relying on WSA for malware protection. That may no longer be a 'safe bet' (based on what I'm reading on Wilders). So can I layer WD with WSA so that they both provide real-time protection? Suggestions would be most appreciated.
     
    Last edited: Oct 22, 2019
  3. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    521
    Location:
    Belgium
    You don't need WSA, WD is 10 times better and you can tweak it with ConfigureDefender on High settings.
     
  4. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    610
    Location:
    USA
    Thanks, however I would prefer having both of them active, unless there's good reason that I can't (or shouldn't)!
     
    Last edited: Oct 23, 2019
  5. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    7,355
    You should be able to run them both together without any issues. But it is questionable if Webroot is going to add much protection, as WD provides very good protection and Webroot, not so much.
     
    Last edited: Oct 23, 2019
  6. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    610
    Location:
    USA
    I'm sure you meant 'and WSA, not so much'. Well, even if WSA doesn't add any threat detection/protection benefit to WD, I really like WSA's alert (and temporary block) whenever a program first attempts "calling home", giving me the choice to either allow it or block it. :doubt:
     
    Last edited: Oct 23, 2019
  7. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    7,355
    Yes, I just edited my post. WSA's firewall is good. I just don't like that it automatically allows connections after two minutes, which would be an issue if an untrusted process connects to the internet while you are away from your computer.
     
  8. Scott W

    Scott W Registered Member

    Joined:
    Sep 21, 2008
    Posts:
    610
    Location:
    USA
    I never thought of that - very good point.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,156
    Location:
    The Netherlands
    I really don't have a clue what you mean. The only thing I'm saying is that your statement about "BBs being inferior" doesn't make any sense. All of the next gen AV and EDR solutions (a multi-billion industry) are based on behavior blocking. It's simply a matter of looking at malicious behaviors that malware often uses.

    And process hollowing in general is always about infecting another process that's normally trusted by AV, but instead of using direct code injection, they inject code into a child process, because that's harder to spot. What I would like to see is a more advanced behavior blocker in Win Def, perhaps geared to power users that can handle false positives.
     
  10. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    208
    Location:
    Wonderland
    M$ will never make WD options available for power users, that's one reason why only default settings are available in the UI. They don't want to "confuse" their common users.
     
  11. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,401
    Location:
    California - USA
    Last edited: Oct 26, 2019
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,793
    How to Perform Windows Defender Offline Scan on Windows 10
    October 27, 2019
    https://www.bleepingcomputer.com/ne...-windows-defender-offline-scan-on-windows-10/
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    79,965
    Location:
    Texas
  14. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,782
    All answers were strictly along with the question, and I used PH as an example because you're somehow obsessed w/ it but seem to misunderstand it as if it has an entity. Search how many techniques called PH actually "hollow" a process. PH is nothing more than an interface language, and criminals are not restricted by such nonsense. What really doesn't make sense are your statements about EDR & PH. EDR is effective not because of BB, but because it combines whitelisting, forensic analyses, and ML. It focuses on post-infection, and its raison d'être is that NGAV was not effective enough against targeted attacks because criminals have nearly infinite ways to intrude. Injecting into a child 'cause it's harder to spot? Every new technique can't be caught by an old sig (& engine), but there's nothing inherently harder to spot in your description.

    No security vendor now advertises traditional BB; they advertise ML which uses the BB as a data source and execution engine. Real behavior analysis is usually done in the cloud, tho it's possible to do it locally. IDK what advanced BB you mean, but there's ASR, which occasionally causes FPs, while WD-ATP is NOT something you may want. It will be beneficial if MS opens system-call control up to us like seccomp-bpf, but it will never happen, as @Bertazzone said.

    [EDIT]
    IDK of any good recap of various PH techniques, but slide #20 of PD will be the closest. Note some families such as "PH w/out hollowing" consist of a few fundamentally different techniques. And this seemingly amateur write-up looks like a good introduction to get a rough sense of how BB works, tho his def of PH is the oldest one, so there are various ways to bypass it - MITRE carefully added "may" as not all PH uses all of them. Criminals don't care what their technique will be called; some were still called PH, others got no name. If you still don't understand the simple fact that there's no such thing as "blocking PH" and the meaning of the authors' (and many experts') saying "the impossibility to discern benign from malicious behavior" (these APIs are used by legit programs & debuggers), I really have nothing to say. I don't take it much, but past AVC proactive tests have shown no BB could block even common malware perfectly - how can that block carefully crafted malware which criminals can test until it bypasses the product in an isolated env? There's a reason vendors don't push BB but do ML. It's logically true ML has long been in use, but practically false.
     
    Last edited: Oct 30, 2019
  15. Gapliin

    Gapliin Registered Member

    Joined:
    Feb 12, 2012
    Posts:
    81
    Just for completeness reasons since that chart is for v1809 - here's the one for v1903:
    https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2PBG7

    Not much changed though security-wise (at least in that chart...):
    • Added to Win 10 E3:
      • Credential Protection - Hardware isolation of single sign-in tokens
      • Security Score - Assess and improve your organization security posture using Microsoft Secure Score for Windows
      • Security Score - Threat Analytics shows your organizations exposure to threats
    • Added to Win 10 Pro:
      • Credential Protection - Hardware isolation of single sign-in tokens
     
  16. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    83
    Hi,

    I'm thinking of switching from Avast (Free) which I've been using for about 15 years now to the Windows Defender. I have disabled the automatic Windows Updates though. Will I still be able to get Windows Defender Updates?

    I'm running Windows 10 Pro (x64).

    Thanx.
     
  17. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    208
    Location:
    Wonderland
    Not automatically. You would need to manually update. Not necessarily a good idea if you use WD.
     
  18. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    83
    I've read an article on the webs about creating a task in Windows, which automates the manual update of Windows Defender. Is anyone practicing it? Any issues at all, maybe after installing major Windows updates?
     
  19. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    521
    Location:
    Belgium
    Hi Bellzemos,
    There is a much easier way.
    In Windows PowerShell (administrator), run this command:

    Set-MpPreference -SignatureUpdateInterval 1

    1 = check every hour
    2 = check every two hours
    I myself use this command, no problems with it... but keep in mind there is not an update every hour; this command checks every hour (1) for signatures. You are also connected with the WD cloud when you use it.

    But I don't know if it works when Windows Updates are disabled (why would anyone disable that?)
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,291
    Location:
    USA
  21. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    83
    Hi,

    I don't have the Windows Updates disabled but I have them set to ask before download and install (something along those lines) so they just wait until I let them install. Why? Cause I use programs that can be broken by Windows Updates and also because I like to have control over my Windows 10 OS installation.

    I haven't dabbled in PowerShell yet. I only used Bash. If you care, please elaborate a bit on how to set it so that it would check for updates every 2 hours or so. :)

    Thanx.
     
  22. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    521
    Location:
    Belgium
    OK, Windows Updates are not completely disabled :)
    On your PC search for Windows PowerShell and right-click -> choose administrator or admin,
    then copy-paste this:

    Set-MpPreference -SignatureUpdateInterval 2

    WD will now check every 2 hours for updates.

    Regards
     
  23. FiOS Dan

    FiOS Dan Registered Member

    Joined:
    May 24, 2006
    Posts:
    89
    Location:
    Boynton Beach. FL
    I just delay my Windows Updates and the Defender Updates are not disabled.
     
  24. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    208
    Location:
    Wonderland
    Pausing updates is much different than disabling, as stated in your OP. You will have no problems with definition updates by pausing Windows Updates.

    BTW, setting frequent definition updates does not gain you any real advantage because M$ doesn't push new sigs often throughout the day. The main protection is from WD's cloud component.
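Pat MacKnife's Set-MpPreference command and Bertazzone's caveat about the cloud component, put together as an added example for an elevated PowerShell on Windows 10. This is not code from the thread; the cmdlets are the built-in Defender module, while the Test-DefenderState wrapper and its 24-hour "stale signatures" threshold are assumptions made here, not a Microsoft default.

```powershell
# Added example, not code from the thread: inspect and adjust the settings the
# posts above talk about, from an elevated PowerShell on Windows 10.
# The cmdlets are the built-in Defender module; Test-DefenderState and its
# 24-hour staleness threshold are assumptions, not a Microsoft default.

function Test-DefenderState {
    param([int] $MaxSignatureAgeHours = 24)   # assumed threshold for "stale"
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $last   = $status.AntivirusSignatureLastUpdated
    [pscustomobject]@{
        RealTimeProtection      = $status.RealTimeProtectionEnabled
        SignatureVersion        = $status.AntivirusSignatureVersion
        SignatureLastUpdated    = $last
        SignatureStale          = $(if ($last) { ((Get-Date) - $last).TotalHours -gt $MaxSignatureAgeHours } else { $true })
        SignatureUpdateInterval = $pref.SignatureUpdateInterval   # hours between checks; 0 = default schedule
        MAPSReporting           = $pref.MAPSReporting             # cloud protection: 0 Disabled, 1 Basic, 2 Advanced
        SubmitSamplesConsent    = $pref.SubmitSamplesConsent
        CloudBlockLevel         = $pref.CloudBlockLevel
    }
}

# Poll for signatures every 2 hours, as in the post. This only shortens the
# polling interval; it does not make Microsoft release signatures more often.
Set-MpPreference -SignatureUpdateInterval 2

# The cloud component is what carries the day-to-day protection, so make
# sure it is on rather than tuning the polling interval further.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# Force one check now. With Windows Update merely paused, the default source
# still works; Update-MpSignature -UpdateSource MMPC pulls straight from
# Microsoft's download site instead, which is the fallback if Windows Update
# is fully disabled.
Update-MpSignature

Test-DefenderState | Format-List
```

Run Test-DefenderState before and after: SignatureUpdateInterval should read 2, MAPSReporting 2, and SignatureLastUpdated should move to the current time after Update-MpSignature completes. If SignatureStale stays true after that, the update path itself is broken and a shorter interval will not help.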
     
  25. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    83
    So just adding the line "Set-MpPreference -SignatureUpdateInterval 2" in the PS command line will then make Windows check for updates every 2 hours? No need to save anything anywhere?

    @ all - so, having Windows Update set as I have, I should still be getting Defender updates regularly, without need for manual checks?

    Again, thank you.
     