Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,287
    For testing the functionality, there is a SmartScreen Demo Page from M$:
    http://demo.smartscreen.msft.net/
     
  2. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Hiltihome :
    Fully updated 1607 branch with Block at First Sight active ?
    Did the customer ignore SmartScreen in case of a Unknown-warning (or higher) ?
    SmartScreen testsite here : http://demo.smartscreen.msft.net/

    EDIT: @mood types faster than me :)
     
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,352
    Location:
    Milan and Seoul
    http://demo.smartscreen.msft.net/
    It is just a test to check whether it works, but without malicious files. Interestingly, I thought SmartScreen worked even with Chrome but it doesn't, only with Edge and Internet Explorer...

    This as well: http://winsupersite.com/windows-10/how-test-smartscreen-filter-and-windows-defender-detection-scenarios

    Martin_c and Mood were very fast!
     
  4. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,266
    Location:
    UK
    It's a pity that Smart Screen doesn't do logging by default.

    https://technet.microsoft.com/en-us/library/jj618329.aspx
     
  5. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    958
    Smart Screen blocked the tests using chrome.
     
  6. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    The SmartScreen application reputation filter is system wide, but what you're referring to is the SmartScreen URL filter which is opt-in. Chrome (and Firefox) uses it's own list (Google SafeBrowsing) and thus has no need to opt-in.

    It's the exact same thing though, just a different vendor.
     
  7. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Does Smartscreen even apply to scripts and dlls? I am sure it does not cover everything.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  9. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I don't mean scripts on websites, but scripts in e-mail attachments which are saved on and launched from the host computer. Many ransomwares come in this variety.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    I just completed some testing against Win 10 native SmartSceen protections.

    I wanted to see how it performed against a malicious .exe known to its rep database that had not been detected at download time. I ran two tests in this regard; one with the .exe in the Downloads folder and one in the User Temp folder. Both tests were direct execution attempts via file manager. Screen shots below:

    SmartScreen_Download.png

    SmartScreen_Temp.png

    Next I created a simple .bat script in the User Temp directory to run the .exe located there. I then ran the script directly and then via command line so I could post a screen shot of the bypass:

    SmartScreen_Script.png

    Bottom line - if malware is not detected at download time, you're "dead meat."
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,513
    Location:
    Texas
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,287
    As long as the file has the "Mark of the Web" it is checked from SmartScreen, even if the file is somewhere in "Program Files".
    If a .bat-file is being downloaded, it will get the "Mark of the Web" and the user will see a SmartScreen-Message for it. Further execution of the script (and execution of malware) can be prevented.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Advanced malware scripts today are packed and obfuscated and decrypt in memory. Sorry, don't buy Smartscreen is remotely capable of detecting these.
     
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    What was the contents of the bat script?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Sent you a PM.
     
  16. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    39,287
    I only said a .bat-file download from the browser gets a "Mark of the Web", i have not spoken of "advanced malware scripts which are decrypted in memory", etc.
    That's a different story and SmartScreen doesn't prevent this.
     
  17. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    About a few things on this page of this thread -

    A file entering system from internet will be marked with Mark of the Web.
    All of the following will carry the mark : BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR, VBE.

    There's a claim of a security bypass a little further up on this page that simplifies matters way to much.

    In real world anything malicious would on a fully updated Windows 10 x64 1607 branch with ALL native security FULLY active, have to bypass SmartScreen browser implementation, breach Edge or rely on social engineering, bypass SmartScreen system wide implementation, bypass Windows Defender that has both Cloud Protection, Automatic sample submission and Block at First Sight active and are tightly connected to AMSI.
    All of that while also flying past every mitigation Windows 10 holds.

    It makes no sense to focus on just one specific feature and not include every other part of the native security that would complement each other in actual real world use.

    Also a little further up in thread there's mentioning of obfuscated scripts.
    This are in Windows 10 dealt with through AMSI as noted here : https://blogs.technet.microsoft.com...-application-developers-new-malware-defenses/

    One have to look at the complete picture. Depending on type of malicious action and entry point, it will be different parts of the native security that reacts.

    Recent example of Windows Defender in combination with AMSI making the block : https://blogs.technet.microsoft.com...iles-now-deliver-kovter-in-addition-to-locky/

    Recent example of SmartScreen doing the block : https://blogs.technet.microsoft.com...engineering-techniques-using-pdf-attachments/

    To the end user, the important thing is that the malicious item was blocked.
    It's not really important which exact part of the OS that did it.
     
  18. guest

    guest Guest

    exact, it is why i laugh at those stupid test labs which don't mind using the full features of a suite but when it comes to Windows they discard its full potential by just testing Win Def...

    exact again, nobody complains about (let say) comodo AV module, if the HIPS or auto-sandbox did the job.

    using a car analogy, in a accident, i dont care if my life was saved by the seatbelt, the airbag, the reinforced chassis or whatever security system was added . im just happy that im alive because they worked.
     
  19. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,352
    Location:
    Milan and Seoul
    Thanks, it makes sense now.
     
  20. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Thank you Martin_C for the detailed explanation as to what filetypes are covered by SmartScreen.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,394
    Location:
    U.S.A.
    Glad you posted this since I was under the impression this was indeed the policy.

    However, there have been multiple recent postings by Wilders members of their individual tests of security products in regards to their effectiveness against various types of malware. I will add most were generalized statements as to effectiveness without any supporting evidence to validate such claims.

    So please do excuse me in that I had mistakenly interpreted that this previous policy had been superseded.
     
  22. plat1098

    plat1098 Guest

    I'm reading this thread with interest, I'm trying to picture just having the full Microsoft suite, everything enabled and with SUA, a few decent browser extensions, and that's it. No, not happening. Does anyone here dare to have a purely Microsoft security setup--no third party anything, no VM, no sandbox? What if something gets disabled or altered after one of those infernal updates? Must you continuously check everything?

    Looking forward to the upcoming Creators Build for further developments.
     
  23. guest

    guest Guest

    i do; because one of my machines is not powerful enough to handle 3rd party softwares; and i never get any infections on it.
     
  24. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    6,746
    .....in a similar case like yours, the solution which I found was the light WSA, not the heavy WD.

    ----------------------
    Not for guest:
    The well known MS advocate will appear in a minute to tell me [with a post one page long] that I'm wrong.
     
    Last edited: Feb 4, 2017
  25. guest

    guest Guest

    WSA doesn't do much better, i tried already.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.