Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,776
    I added a bunch of ASR rules in gpedit in Sept.2019. I think based on info on page 99 of this thread. And completely forgot about it.
    Until now when I enabled security app&browser setting.
     
  2. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    434
    Location:
    Milan, Italia
    I suggest you add an ASR exclusion via gpedit or remove it altogether and use ConfigureDefender instead, the latter recommended if you want easy access to advanced settings.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,654
    Location:
    Outer space
    I have enabled the Windows Defender process sandbox for a while now and everything seems fine, though there is a little higher CPU usage. That may not be notable on a fast modern cpu, but on this slow first gen i3 CPU it is notable.
     
  4. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,049
    Location:
    Baden Germany
    +1
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,493
    Location:
    Canada
    I'm trying out ConfigureDefender. Can anyone recommend settings for MS Office apps? I've enabled "Audit" on several of them now, but wondering if I can enable some of them without too much breakage.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
    Refer to this:
    https://github.com/MicrosoftDocs/wi...iles/6c520d261f39ef3fd6ece81a4138bea1a4cff851

    Unless things that changed since this posting, an ASR exclusion for the app would be N/A.

    Further confirmed here:
    https://docs.microsoft.com/en-us/wi...et-a-prevalence-age-or-trusted-list-criterion

    In other words, this is an internal and reserved by Microsoft exploit protection. There is no way exclusions be applied to the protection. However, it appears you can specify which files and folders this mitigation applies to. If not specified, it applies to all files and folders. In other words, typical convoluted MS protection logic.

    Have you tried to just exclude your app via normal WD exclusion method: https://www.howtogeek.com/671233/how-to-add-exclusions-in-windows-defender-on-windows-10/
     
  7. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    434
    Location:
    Milan, Italia
    @itman Only 3 ASR rules are "non-excludable" via ConfigureDefender and the rule we are discussing is not one of them:
    Capture.PNG
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Thanks, totally forgot about this Dutch website LOL.

    Yes, but I was a bit shocked about how clumsy Windows Update actually works. I enabled it, and then it found all kinds of updates, luckily the one from Win Defender was listed at the top and now I run the latest version. However, it looks like Win Update wanted to download all of the updates at once, is M$ kidding me? It should give you an option to select which update you want to download and install.

    But anyway, when you update the signatures from WD, is the AV engine also being updated? If true, then you don't even need Win Update, because it's a mess, I will probably look for a third party tool to download updates in the future. It's not even clear which updates are important or not.

    BTW, I forgot to ask if "Controlled Folder'' access was enabled. This should in theory also protect against ransomware.
     
  9. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    Dont think so. But is ok now, nothing of value was lost, I reinstalled windows 10 and put kaspersky now, I think its the best av altho I havent used av since a loooooong time (and dont plan on doing so) so I wouldnt know but at least from malware tests and stuff it does well, so it was my first bet. I cant trust defender with how the windows updates randomly stop working making defender useless. Was wondering about voodooshield but the free version cant change settings and stuff so thats a bummer, also it lacks the whitecloud ai, only in paid version. Kaspersky on the other hand can reset trial for free with a quick regedit every 30 days so thats nice. But if u got more suggestions for smth that is set up and leave for my grandma feel free to share.
     
  10. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,776
    I did add the exclusion via gpedit last night, failed on MY error then when fixed it's been working fine (see the bottom of previous page if you wish, but that story is over now). And thanks for your very helpful posts :)

    Question, hopefully final on the FastStone mishap:
    Should I now go into gpedit and delete BOTH that one exclusion AND a bunch of ASR rules BEFORE I start using ConfigDefender? I just want to minimize confusion of where things are.
     
  11. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,776
    Thanks for the explanation. I think what you're explaining is that WD is a mess in that when I enabled App&Browser it was actually looking into its sigs and not the ASR rules. Did I understand it correctly?
    The Howtogeek link is cool. Yes I do now see Exclusions at the bettom. I sure hate those invisible scroll bars. I may have been there before and forgot. And then didn't connect the ASR stuff to the virus settings.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,410
    Location:
    U.S.A.
    I was referring to this:
    from the Microsoft documentation. Probably one of the most poorly worded statements I have seen.

    I am interpreting this to mean that when specifying individual file or folder exclusions for this ASR rule, you are in effect also negating all other existing ASR mitigations for the folder or file. In other words, the exclusion is fully trusted as far as exploits go.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,500
    Location:
    Slovenia
    Microsoft Defender to enable full auto-remediation by default
    https://www.bleepingcomputer.com/ne...r-to-enable-full-auto-remediation-by-default/
     
  14. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    Idk if it's just me, but on my grandma's pc that I downloaded and installed windows 10 with the media creation tool, it downloaded the newest 20H2 version (the one after 2004), while my pc is still 1909 (the one before 2004), and I'm not having any updates, but Im not in a rush anyway, the time will come, I trust microsoft with what they're doing. If they're not rolling over the update, there must be a good reason. I mean 20H2 is still kinda beta but 2004 shooould be ready but Im still not getting it from windows update so who knows. But anyway, I noticed that on 20H2 they removed the system properties (right click this pc -> properties), now u need a special shell shortcut for it, and the real big deal: windows defender's files are now undeleatable, at least not without messing with the permissions. BUT, here's the kicker: if C is boot drive ssd, C:\Program Files\Windows Defender\* is now undeletable because it says lack of permissions. But it always said that. But now YOU CANNOT CHANGE Trusted Installer owner https://i.imgur.com/nfWwO16.png

    On my pc (1909), if I click change permissions it just becomes gray. But if I click Change on the Owner field, I can change it to me, then I can change permissions to add myself or administrator with full control, and then I can delete it: https://i.imgur.com/Ud0h9T6.png

    But on her pc (20H2), if you click Change, the change button just becomes gray, just like the change permissions button, so now you cannot change Owner anymore. In fact I couldnt do this with the Windows Defender folder either, I had to go all the way back to Program Files folder and only there I could change the Owner, I assume I would have to set it to all subfolders and files in order for the Owner to change. Ofc I did not test it because that would ruin all the other programs' permissions, and maybe some of them did not have TI owner to begin with, so just goin back to TI owner after Im done is not guaranteed to restore em to how they were before I start the test, so thats why I didnt test it. But thats certainly a nice improvement in terms of defense, now it takes me 30 more seconds to delete MsMpEng.exe and NisSrv.exe if I want (I did not cuz when kaspersky is installed they don't start, but I would if it was on my pc since I dont use av).

    Also on a side note, ExecTI https://winaero.com/execti/ no longer works. In the past, I didnt have to do anything with all this permission stuff, not for registry keys, not for folders, not for services, not for anything. I would just run ExecTI and use cmd.exe or explorer.exe and regedit.exe and be able to modify anything without having to change permissions. But now it's broken, it runs us as SYSTEM, which is lower ranked than TrustedInstaller, so it gives us access denied (same as running as normal admin). https://i.imgur.com/zIaEQwV.png
    When this was working properly, it used to say nt service\trusted installer, but now it's just useless system. If anyone knows for a workaround would be great if u could share, would make my .bat config when installing windows much faster. Also Nsudo is broken too, in case anyone used that.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,365
    Location:
    Among the gum trees
    That's probably because Microsoft Defender now has Tamper Protection.
     
  16. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    Well I turned it off but I didnt reboot so actually its possible but I think it should turn off immediately as I click the toggle no?

    Also I have tamper protection on 1909 too (I think? Cant check cuz services are off)
     
  17. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,049
    Location:
    Baden Germany
  18. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,776
    Questions about ConfigureDefender:
    - In the zip 3001 version is NotificationAreaReset.exe. What is it?
    - In ConfigureDefender I got this in the log file when I restarted after setting it to MAX, and logged into my admin account. HDSentinel was running at startup. That event talks about sectors and memory. I understand the sectors part. Can someone explain the memory part?
    2021-01-19_162134-HDSentinelBlock.jpg
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,365
    Location:
    Among the gum trees
    Yeah, Controlled Folders is a headache. I couldn't deal with the constant blocks so I disabled it.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    Well Kaspersky isn't perfect either just like any other AV, I suggest to also install dedicated anti-ransomware like AppCheck. BTW, it's weird but once again Win Defender blocked some app from modifying the hosts-file, but it doesn't tell me which process/app is trying to do so, now how dumb is that? The only good thing is that it doesn't try to auto-quarantine the process.
     
  21. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,314
    I think Microsoft Defender isnt blocking any program, it is just detecting that the host files were tampered (by some software that you are still using, Spybot Anti-Beacon?), I dont think it is a real time behavior blocker detection.

    IMO they are much better alternatives to Spybot Anti-Beacon out there like WindowsSpyBlocker rules, Pi-hole, NextDNS ...

    Ps: I really dont like any software that modifies the Hosts file, it is such an old fashionable and problematic approach.
     
    Last edited: Jan 20, 2021
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    No this is correct, it's not blocking any app from running, it's simply blocking a certain behavior but doesn't let you know which process/app is responsible, now this is the dumbest thing ever. They rather stop with this silly behavior blocking stuff if they can't do it in the right way.

    And I don't believe it's triggered by Spybot AB anymore, since I already allowed this action, unless Win Defender doesn't care and is still acting funny. Also, there is no way to disable this, so if WD keeps this up I will have to replace it. Too bad because I did kinda like it, except for that it makes app icons to render a bit slowly, when you open a folder.
     
  23. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,314
    It doesnt matter that you allowed because it isnt detecting the behavior of an app, it is detecting the modified host file itself via file scanning.

    Are you still running Spybot in your system? If positive, you will still experience this "problem" unless you uninstall it.

    Between a modified Hosts file and Microsoft Defender I would choose the latter.

    You can always exclude the Hosts file from scanning if you still want to use Spybot ...


    Reference: https://support.microsoft.com/en-us/help/2764944/hosts-file-is-detected-as-malware-in-windows-defender#:~:text=This issue occurs because Windows,file as a security threat.
     
  24. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    1,234
    Location:
    Europe
    Kaspersky has system watcher, appcheck is overkill. In fact I would have gone with VS cuz I dislike avs with how slow they are scanning everything left and right and messing with stuff, but I didnt only cuz the free version cant edit settings and no whitecloud ai. But if there was something as light as it while still offering the same protection, I would use it. I know there's AVs faster than kaspersky, but if it's gonna be an AV that slows down, might as well be a good one

    Also there are plenty of programs to detect what is happening with a file
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    To be honest I think most of big names antivirus with all the extra unnecessary feature will make them bloated and feature problems.some security sites even include vpns and for me is a no no it makes my internet speed very slow
    Also firewall in my own opinion is not necessary when you have a router/ modem firewall plus windows firewall and then antivirus with a firewall is too much,) dont kill me please I just wanted to coment
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.