Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,142
    Location:
    Las Vegas
    Delete files? I have never seen that on any of my eight computers.
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,774
    Location:
    USA
    Nothing beats Norton for that but it comes closer than anything else I have used over the years. Software development and AV that deletes unknown files is a bad combination.
     
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,378
    Location:
    Milan and Seoul
    Never happened to me either so far.
     
  4. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,934
    I agree. I just never had WD do that. But granted I never ran it for long periods of time.
     
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,863
    Windows 10: HOSTS file blocking telemetry is now flagged as a risk
    August 3, 2020
    https://www.bleepingcomputer.com/ne...-blocking-telemetry-is-now-flagged-as-a-risk/
     
  6. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    4,934
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,454
    Location:
    Slovenia
  8. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    1,231
    Location:
    Brooklyn, NY
    Thank you, Minimalist. I was getting a few of these errors mentioned in the above Ask Woody article per day. Just got a platform update via Windows Update so that the newest versions are here:

    defender version.PNG

    Should be good now. Should be....

    Edit: Sorry, I thought this was about a different error. The new platform version does not fix the "network inspection service failed to start" error if Memory Integrity is turned on. I still got the errors in Event Viewer/Application but all is serene again if I shut it off. Would rather have Nis.service running so I shut Memory Integrity off again in Device Health.
     
    Last edited: Aug 7, 2020
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    You can say that again. This makes Win Defender questionable. :confused:

    LOL good one. But it's very unclear to me how Win Def's behavior blocker exactly works, probably because they keep mentioning Win Def ATP. I would put more trust in third party tools like AppCheck and HitmanProAlert when it comes to behavior blocking. This cloud based stuff is way too vague.
     
  10. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    424
    Location:
    Milan, Italia
    A little reading and research would help with that.
    MS's documentation is not the best but cloud protection is not really vague since most of WD's protection comes via the cloud. Check out the threads at Malwaretips where you may also check test results too.
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,774
    Location:
    USA
    I agree. HitmanPro.Alert is a great example of seeing such things in action. As we use Windows Defender at work (you get the budget you get) I am exposed to it on a daily basis. I've never seen it detect anything based on behavior.
     
  12. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    604
    Location:
    Wallachia
    This would make it even slooowwweer than it is :)


    Don t give them ideas, you never know what "behavior" is in the brains of the OS Defender AI (the telemetry thingy seems to be under protection too :) ) It defends the OS and it s purpose, no doubt about it.Users files and privacy protection is another story though.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,843
    Location:
    The Netherlands
    I have done some reading, and apparently, the behavior blocker from Win Def AV is quite advanced, would love to see it being tested. I actually forgot to save the link, will post it later. But from what I understood, it should be able to block malicious behavior post-execution, for example stuff like process hollowing. However, it relies on the cloud, probably to avoid false positives, but I rather see pure "local based" behavior blocking without any need for the cloud. So weird that I can't find the link anymore.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,402
    Location:
    U.S.A.
    As far as I am aware of, real behavior detection capability only exists in WD ATP Enterprise version: https://docs.microsoft.com/en-us/wi...microsoft-defender-advanced-threat-protection

    More detail here: https://www.microsoft.com/security/...ion-of-behavior-signals-for-threat-detection/

    As far as plain WD, ASR mitigations are pretty much it when it comes to behavior detection.
     
    Last edited: Aug 9, 2020
  15. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,774
    Location:
    USA
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,402
    Location:
    U.S.A.
  17. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    424
    Location:
    Milan, Italia
    Behavior blocker, behavior detection, behavior blocking, etc. are terms that are evolving.

    For example, see some of these:
    https://malwaretips.com/threads/what-behavior-blocker-is-and-what-it-is-not.93785/
    https://malwaretips.com/threads/what-is-behavior-blocker.12130/
    https://malwaretips.com/threads/wha...blocker-and-intrusion-detection-system.55501/
    https://malwaretips.com/threads/hids-hips-behavior-blockers-nids.11914/
    https://malwaretips.com/threads/antivirus-signatures-vs-behavior-blocker-heuristics.29747/
    https://malwaretips.com/threads/sui...-blockers-that-you-trust-and-recommend.91072/

    As for Windows Defender, some elements of WD ATP have been integrated into consumer versions of WD but it is difficult to tell from the documentation. It describes ATP but MS never clearly discusses the relationship to WD.

    Example #1:

    "From the below infection chain it follows that it should be detected by behavior-based and AMSI ML models. These models are trained and optimized on the very large sample of malware before they are included in WD. Many malware samples use similar infection chains.

    https://malwaretips.com/attachments/astaroth-png.225219/


    Please note, that the above picture is related to preventing the infection - not to detecting the final Astaroth payload, which is reflectively injected as DLL."

    Example #2:

    The WD offline/online detection (without BAFS and without proactive features, default settings applied) was tested in AV-Comparatives Malware Protection tests. The test-set used contained 10970 recent/prevalent samples from the last few weeks. So, this test was very different from Zero-Day Protection tests on Malware Hub (not comparable). The results here, are from the latest test:
    https://malwaretips.com/proxy.php?image=https%3A%2F%2Fwww.av-comparatives.org%2Fwp-content%2Fuploads%2F2018%2F04%2Ffeatured-image-malware_protection_test.png&hash=f029001c856542de9a7250b36250a6bd&return_error=1
    Malware Protection Test March 2019 - AV-Comparatives
    The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution.
    https://malwaretips.com/proxy.php?image=https%3A%2F%2Fwww.av-comparatives.org%2Fwp-content%2Fthemes%2Favc%2Ffavicon.ico&hash=292884a3fb1bacc607a57898e1ed7bad&return_error=1 www.av-comparatives.org
    WD Offline detection rate: 68.5%
    WD Online detection rate: 88.3%
    The results of detection based on signatures are significantly lower as compared to other AVs. The above results are related to on-access (on-demand) scans without executing the samples. Samples were scanned from USB and network drives (no BAFS).

    The comparison with other AVs:
    https://malwaretips.com/attachments/malwaretesst2019-png.226733/


    When the samples were executed while online (no BAFS but triggered proactive features), then the result was:
    WD Online Protection rate: 99.98% which was similar to other AVs.

    Edit.
    I would not take seriously the small differences among AVs in Online Protection Rate column. One could probably get the opposite scoring when choosing another pule containing 10970 samples from millions of in-the-wild samples."

    Example #3:

    "SUMMARY of WD offline non-signature detection/blocking on Windows Home and Pro.
    1. WD offline non-signature detection uses Machine Learning models, behavior-based algorithms, generics (based on similarities to known malware), and heuristics.
    2. AMSI is used to log/detect unobfuscated script actions.
    3. Most of these features apply to images in memory and are optimized to detect suspicious behavior and trigger the cloud backend.
    4. WD can be configured to use also ASR rules and Controlled Folder Access to block locally, malicious behaviors.
    It seems that WD main offline protection is based on malware signatures, and can be extended by using ASR rules and Controlled Folder Access. Other features are mostly the interlude to the cloud backend.
    Of course, in the home environment, offline protection is supported by cloud protection even when the user is offline! The main malware delivery is due to the Internet, so if the user is well protected online (web protection, BAFS, etc.), then there is usually no malware on disk when being offline. This may work well for many users, but there are some exceptions, for example when downloading/unpacking files without MOTW (like from USB drives, via 7-ZIP unpacker, etc.)"
    _______________________

    People will believe what they want to believe, but one cannot say that WD's only behavior detection is a result of ASR rules.

    Of course, this leaves aside entirely the question of WD's ability to protect, especially against unknown or zer0-day malware.
     
    Last edited: Aug 10, 2020
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,402
    Location:
    U.S.A.
    Malware Protection Test March 2020 - AV-Comparatives

    WD Offline detection rate: 70.5%
    WD Online detection rate: 85.3%

    https://www.av-comparatives.org/tests/malware-protection-test-march-2020/

    The thing to note is WD was the 4th lowest scoring in offline detection and lowest scoring in online detection.

    So what does this test really show?

    First, WD scored 99.88% in online protection. This illustrates WD is very much dependent upon its cloud block-at-first-sight sandbox scanning.

    The problem is any decent malware will try to disable the target's network connection prior to executing its dropped payload. This can easily be done for example but not exclusively via:
    or via PowerShell;
    https://winaero.com/blog/disable-network-adapter-windows-10/https://winaero.com/blog/disable-network-adapter-windows-10/

    It should be noted that the major AV vendors also employ cloud scanning for malware detection in some fashion. However, they don't rely on it for their primary malware detection method for this reason.

    -EDIT- What this test illustrates is an issue that has plague Microsoft since the Security Essential days. That is it's local real-time signature, hueristics, and behavior detection for that matter are deficient to that provided by the major AV solutions.

    Microsoft in its famous "public disclosure" postings points out that its emphasis is on detection of recently discovered malware. Hence WD's very decent scoring on the AV labs real-time protection tests. The problem here is "old malware never dies, it will just resurface in its original or a variant version."
     
    Last edited: Aug 10, 2020
  19. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,774
    Location:
    USA
    As you said, not exclusively. I am unsure if WD reaches its cloud by hostname or IP. If by hostname it would probably be just as easy to set an invalid IP for the connection to Microsoft while leaving the rest of the internet working, making it more difficult to determine that something is wrong until it is way too late.
     
  20. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,311
    Almost all antivirus solutions nowadays depends on the cloud for better coverage, this isnt Microsoft Defender exclusive issue/fault (imo it isnt a problem at all).


    This doesnt make sense, while there are many malwares that tries to disable network connection, there are much more that depends on it do its damage (trojans/spyware/adware/banking trojans/many ransomwares families).

    Block at first sight is totally adequate, not only that, it is pretty powerful, specially considering the volume of malware created each day, after all it can prevent the malware that tries to disable the target network and bla bla bla at first place; anyway those scenarios are totally irrelevant for home users, if you think otherwise you are just being paranoid and frankly I am tired of this after so many years visiting security forums. (true zero-day fileless malware with exploits against home users? ha-ha-ha ! )

    There are too much misinformation about Microsoft Defender capabilities and for this I have to thank @Bertazzone for that informative post above, it was very clarifying.

    In the real world, Windows 10 up-to-date users are pretty safe by default and this is something amazing, nowadays it is hard to find a infected machine, when in the past it was the norm.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,402
    Location:
    U.S.A.
    Or just disable Internet connectivity but leave the rest of the LAN alone: https://www.youtube.com/watch?v=OMQ49_PlLD0
     
    Last edited by a moderator: Aug 10, 2020
  22. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,774
    Location:
    USA
    That would be good for running an encryptor on the local network drives.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,402
    Location:
    U.S.A.
    Here's something to check out.

    Since WD is so dependent upon block-at-first-sight detection cloud scanning, does WD actually issue an alert if it can't connect to MS cloud servers as major AV solutions do?

    Now I did come across this:
    https://docs.microsoft.com/en-us/wi...k-at-first-sight-microsoft-defender-antivirus

    The first sentence implies that Mark-of-the-Web is the major trigger mechanism in the cloud scanning process. Since MOTW is actually a file NTFS ADS, we can strip that off the file prior to execution.

    The above quoted reference is for WD ATP ..... of course. But it very much appears WD cloud scanning is a two step process. The first cloud look up is to determine if the file has been previously scanned. I assume that some type of yes/no status value is being returned to the originating device. So all we have to do is intercept that transmission and always return a yes value.

    If not previously scanned, a second cloud look up occurs that uploads the file to MS servers for detailed analysis. Now for that file locking bit. Unless things have changed, the file is only locked for a set period of time on non-WD ATP versions; believe that is for a default of 10 seconds. Appears WD ATP provides for up to an additional 50 secs of cloud scan time. So I design my malware to perform a NOP loop to wait out the cloud scan time. Or just build in a required user input response in the process.
     
    Last edited: Aug 10, 2020
  24. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,774
    Location:
    USA
    You can also set a Group Policy to stop it from ever being written in the first place. If you were able to set that with a malicious script the end user would never notice the difference.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,402
    Location:
    U.S.A.
    Much easier is using PowerShell: https://winaero.com/blog/how-to-unblock-files-downloaded-from-internet-in-windows-10/

    Or:
    https://winaero.com/blog/alternative-ntfs-streams-in-windows-10/

    Or, just use a trusted alternate data stream utility if PowerShell use is blocked:

    Streams v1.6
    https://docs.microsoft.com/en-us/sysinternals/downloads/streams

    AlternateStreamView v1.56 - View/Copy/Delete NTFS Alternate Data Streams
    https://www.nirsoft.net/utils/alternate_data_streams.html

    Alternate Data Stream Manager (ADS Manager)
    https://dmitrybrant.com/adsmanager

    -EDIT- Based on this: https://www.winitor.com/pdf/NtfsAlternateDataStreams.pdf, SmartScreen is ADS aware which really somewhat obvious. It appears it can be configured; assume GP here, to generate a Win Event Audit log entry when ADS is accessed but that appears to be the extent of it.
     
    Last edited: Aug 10, 2020
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.