Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,044
    Location:
    Baden Germany
    Right, no need to manually check for updates.
    No need for increasing the frequency of check for updates, as there are usually only signature updates every 8 hours.
    WD does its job mostly in the cloud.
     
  2. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    148
    But it seems it's not updating automatically, last update was about 12 hours ago...

    I have the Cloud-delivered protection disabled (MAPS disabled in the GP). Could that be the cause of not getting automatic updates?
     
  3. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    424
    Location:
    Milan, Italia
    1. As stated in post #2469 above, WD only updates once, maybe twice a day on average. It is not a continuous stream of updates.

    2. You have disabled the most important protection module of WD - cloud protection.

    3. Please enable cloud protection and quit worrying about how many signature updates you are receiving. Otherwise, you should find another AV.
     
  4. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,044
    Location:
    Baden Germany
    Doesn't matter, because WD is not recommended, with cloud disabled.
     
  5. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    950
    Location:
    Canada
    https://avlab.pl/PDF_avlab/AVLab-Test-of-software-for-online-banking-protection.pdf

    Defender did horrible here, wonder if using Configure Defender would make any difference?
     
    Last edited by a moderator: Nov 1, 2019
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,292
    Location:
    Among the gum trees
    Apparently not.
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,376
    Does WD even have any dedicated banking protection?
     
  8. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,292
    Location:
    USA,IA
    It does not.
     
  9. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    569
    Location:
    Belgium
    This test is from feb 2019, MS already fixed and added other stuff in the cloud to break the chain for banking malware

    https://www.microsoft.com/security/...based-blocking-stops-attacks-in-their-tracks/

    If you would apply ConfigureDefender settings for WD, then in most cases the infection chain in the wild will be broken before the Banking payload could enter the system.
     
  10. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,044
    Location:
    Baden Germany
    All tested product stopped 13/13 of in the wild banking trojans.
    So no download, no payload, no exploit either...
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,402
    Location:
    U.S.A.
    If that was the case, there would be no need to perform the other tests of which WD scored 2/11.

    Likewise, WD wasn't certified for banking use by MRG since it consistently fails the Botnet test: https://www.mrg-effitas.com/wp-content/uploads/2019/08/2019Q2-Online-Banking.pdf
     
    Last edited: Nov 2, 2019
  12. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,044
    Location:
    Baden Germany
    Indeed.
    If a trojan is stopped in the first place, there is no need to "test", what could happen.
    If malware makes it to the machine, the AV has failed.

    BTW:
    All successful banking fraud I have seen, was done by social engineering.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    I think it's best to end this discussion, because I have no idea what you're talking about. Process hollowing is simply one way to perform code injection, nothing more and nothing less. You can even read about it in the link that you posted, and here is another one:

    https://www.endgame.com/blog/techni...-technical-survey-common-and-trending-process

    What doesn't make sense? Fact is that malware writers came up with process hollowing because a lot of security solutions didn't monitor for code injection from parent to child process. Also, EDR is simply a way of recording behavior that may be suspicious, it watches for thing like process hollowing, process execution, file modification et cetera. So yes, it's based on behavior monitoring.
     
  14. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    569
    Location:
    Belgium
    @Rasheed187 have read this article in my previous post ?

    https://www.microsoft.com/security/...based-blocking-stops-attacks-in-their-tracks/

    Since deployment, the behavior-based machine learning models have blocked attacker techniques like the following used by attacks in the wild:

    • Credential dumping from LSASS
    • Cross-process injection
    • Process hollowing
    • UAC bypass
    • Tampering with antivirus (such as disabling it or adding the malware as exclusion)
    • Contacting C&C to download payloads
    • Coin mining
    • Boot record modification
    • Pass-the-hash attacks
    • Installation of root certificate
    • Exploitation attempt for various vulnerabilities

    It also states WD protects against proces hollowing......
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
  16. Pat MacKnife

    Pat MacKnife Registered Member

    Joined:
    Mar 31, 2014
    Posts:
    569
    Location:
    Belgium
    Last edited: Nov 3, 2019
  17. 142395

    142395 Guest

    @Rasheed187
    TL; DR BB & ML are fundamentally different. What I say inferior (but only against sophisticated targeted attack) is BB from the beginning.

    PH & EDR are much more than that - your oversimplified description ignores some impo aspects so fails to explain diff w/ similar terms such as PD or NGAV. Okay, I just hope you don't lose willingness to understand how attack & detection works internally. At least remember one thing: what BB monitors are sequences of API calls & resource accesses, NOTHING ELSE! So there's no such thing like "monitoring code injection to child", even the elementary article you linked is enough to understand this (1). There are already numerous ways to be EVENTUALLY called "injection to child" BY HUMAN, some HAPPENED to be called PH, others got other or none names. It's trivial to block the basic PH technique, real challenge is nobody knows how many diff ways there are. I doubt you know there have been ITW techniques LATER classified to PH by researchers - can you see why I exampled PH w/out hollowing (2)? Only existence who can analyze behavior and who have sense of suspicious is human, tho ML is getting closer (3). Security industry now publicly admits past solution haven't analyzed behavior in the true sense - the fact you don't understand technical details doesn't make fundamentally diff techs the same (4), actually anti-exploit is closer to BB than ML from technical stand point (5).

    If you understand these, you'll see your last question was already answered by MS - if you're the 1st victim you're not protected w/out WD-ATP, because the PH technique used was new one which bypassed the behavior sig of WDAV (the detection source was EDR). But if you're hit later, probably protected because ML had made sig of the technique and it could be distributed to home WDAV too.

    (1) Still don't get it? Try to translate your vague words to programmable words like "If a call of NtCreateUserProcess was followed by...". You can build a hierarchical model and call an union of some sequences "injecting into child", but then question becomes if the lower-level model is comprehensive. A program can "monitor injection to child" only if there are only known finite # of ways to do that.
    (2) In case you have no idea about hollowing, it's the 3rd item of the slide #20. One example used this was a variant of QtLoader.
    (3) Almost all EDR assume manual inspection by human, this is why it's usually packaged w/ advanced support. The role of ML is to reduce that burden.
    (4) There are too many diff btwn BB & ML, one example is data poisoning which doesn't matter to BB. Another is privacy, most ML solution take various contexts into account. There are already "tailored protection" for corporate which learn their computer & network use to make more accurate decision. Furthermore, BB is prompt to react as it doesn't analyze behavior while ML takes time. It's possible some early statistical models such as HMM have been implemented in BB, but that's not comparable to modern ML.
    (5) They are similar in many aspects. Off-the-shelf attack & ROP are based on the same idea of using trusted code, so the similarity is not a coincidence. Moreover, ROP often uses heavily monitored (by BB) APIs such as VirtualAlloc, WriteProcessMemory, etc. while AtomBombing usually requires ROP, and PH using shared memory is similar to exploit in manipulating return address. As a result, the boundary is becoming less clear. It's not surprising some AV vendor place AE as a part/extension of BB. Contrary, ML has involved & changed all protection layers.



    [EDIT] As you don't know (a) most researchers don't give a special name like PH to a technique he found, (b) attacker have nearly infinite ways to achive their goal if they don't care doing advanced sfaff, and (c) the boundary of AE & BB is becoming less clear, I've found an expert's article written in plain English.
    Also as you confuse BB & ML, this paper will be the best to understand what BB does. It briefly mention ML too as an auto-generation tool for behavior sig, tho modern ML is much more than that. There are also other papers & patent description by security vendors, all support BB is for known patterns exhibited by at least one known malware.
     
    Last edited by a moderator: Nov 6, 2019
  18. 142395

    142395 Guest

    Everyone can claim his product protects from PH (or any other techniques), what matters is how far it covers & how it doesn't cause FPs. Like UAC bypass, PH is no more specific techniques. E.g. if a product blocks VirtualAllocEx→WriteProcessMemory way of injection but misses techniques using NtMapViewOfSection (an example that criminals simply shift to another way once sth became being monitored), it means the claim was actually "it blocks the very basic PH only". ML guys at MS are excellent, but note these articles only report successful cases, they don't advertise failure ofc.
     
  19. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    148
    What exactly does WD's "Cloud-delivered protection" do? I've been using WD for the last couple of days now and sometimes it updates twice a day and one time it didn't update for 2 days. But I've checked and it that time, there was a couple of definitions released. So maybe running a manual update every 2 hours wouldn't really hurt anything.

    Is it possible that it updates rarely because of the disabled Cloud protection?
     
  20. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    424
    Location:
    Milan, Italia
    See Posts #2653, #2654
     
  21. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    148
    Those posts don't explain what exactly WD's "Cloud-delivered protection" does but thanx anyway.
     
  22. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    424
    Location:
    Milan, Italia
    The cited posts are about not disabling cloud protection. Defender relies on the cloud for most of its protection so having it disabled makes absolutely no sense - as mentioned in the posts above. Again, if you don't enable cloud protection you should find a different AV because you have virtually no protection otherwise.
     
  23. Bellzemos

    Bellzemos Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    148
    I see. But what exactly is that "most of protection"? I mean, AVs in their basic functionality daily download virus definitions and then scan for them upon running/opening files. If I understand correctly, the could service uploads suspicous but not defined files online and there determines if the file is clean or not. Then it probably adds that code to the next definition? Does it do anything else (the cloud protection I mean)? Does the cloud service work without auto sample submission? Thank you.
     
  24. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    424
    Location:
    Milan, Italia
    Local signatures are sub-par. Signatures in cloud are updated continuously.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    Why so much text? I think probaly no-one understands exactly what you're trying to say. So don't waste your time any longer. I mean who cares about the difference between ML and behavior blockers? Fact is that EDR's are meant to be a fail safe solution in case AV gets bypassed.

    For example, I remember reading an article about how SECDO (now owned by Palo Alto Networks) managed to spot a file-less ransomware attack. Most AV's couldn't spot it, because svchost.exe was hijacked via some OS exploit, but SECDO saw the file modification that was being performed and could block the process or isolate the infected machine from the rest of the network. So that's pure behavior blocking, that's all I'm saying.

    OK, so seems it doesn't detect this stuff locally, it will always ask the cloud for help. Cool, but I'm not really impressed with this. On the other hand, they are trying to limit false positives, so it's understandable.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.