Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. illumination

    illumination Guest

    That is why a few posts up I stated when I test, I leave these enabled, and it was rare but did happen when samples bypassed both SS and UAC.

    Testing samples on a daily basis I did not have that happen as often as you would think, matter of fact when I did post videos to YouTube to present to certain forums, many users complained about me leaving SS on and having to allow for almost all samples I tested.
     
    Last edited by a moderator: Jul 29, 2017
  2. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    I'm glad to hear that... while 'haters' reappear trying hard to bring the tall tree down :)
     
  3. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    570
    Does Windows Defender detect HTML malware? Ignoring Firefox's warning, I visited a compromised website using sandboxed Firefox, but there was no alert from Defender. But Kaspersky identified it as a generic trojan script and F-Secure identified it as JS:Trojan.Agent.CIXV.
    Website analysis: -https://rescan.pro/result.php?2cdb37c8d7547df6d2f44668c29fde5a-
     
  4. illumination

    illumination Guest

    I do not see anyone hating Defender. I do see users smart enough to know the samples used in all these AV tests are not exactly fresh, and they understand these detection rates are skewed because of, not accurate, and at this point, is not just about WD, it's about all products tested that way in those places.

    Don't want to believe what you hear or read from other users? Well then visit me via PM and I will give you a link to a website where you can collect fresher samples and try them on your machine, if you're that confident that those of us who actually test ourselves are wrong.

    While I can attest to being able to walk right past WD with fresh samples, I can also attest to the strength of all MS modules combined, as I stated in my last few posts. Even then, this is definitely not bulletproof, and personally I think MS is on the right track, but has a way to go yet before I will drop 3rd party and rely fully on them.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    I think it is fairly obvious why AV Labs need to disable native SmartScreen in their comparative tests but I will elaborate the point.

    If the AV Lab is doing its job properly, a portion of the recent malware samples should be in the "unknown" category. As such, it would be impossible to test individual security software detection capability since native SmartScreen would intercept the malware first. The same would be applicable for native SS blacklisted executables.

    Then there is the fact that the AV Labs adhere to the established AMTSO policy that user interaction in regards to determining software malicious status is a no-no. Whereas this policy has been loosened to allow for behavior detection that informs the user of the "likelihood" of malicious status, a user decision based solely on unknown reputational status is unacceptable.
     
    Last edited: Jul 30, 2017
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    AV vendors such as the ones mentioned, plus a few others like Eset, set a hook in the browser to monitor JavaScript execution. Additionally, most use web filters that allow them to examine web traffic at the network or Windows Filtering Platform (WFP) level before it is loaded into the browser.
     
    Last edited: Jul 30, 2017
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    No wonder because those apps are not white-listed. I would test it myself, but I can't get SmartScreen to work anymore, I guess I blocked something. I do remember that on Win XP I disabled it, because it warned about at least 80% of all the apps I was trying to run, way too annoying.

    Thanks for testing. I now remember that on a friend's laptop, I did see it blocking a legitimate key-logger even when WD was disabled, so it's likely it's using the same signatures as Win Def.

    That's the thing, there isn't anything to test, if SmartScreen blocks all malware. As itman pointed out, it will alert about known malware, same as Win Def. But it will also alert about legitimate apps that are unknown.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    It doesn't perform any signature analysis; that's Windows Defender's job. All native SmartScreen is doing is comparing the hash and possibly the signing status against a corresponding good and bad list stored on its cloud servers. If no match is found, it classifies the process as unknown.

    The outstanding question is what processes are being checked? I assume it does not do any lookup for anything stored in the Windows directories. As far as the Program directories go, I assume those are also excluded since they were "installed" and lack the "Mark of the Web" identification for their executables. Fair to assume that PUA/PUP executables created via trusted installer mode are not checked. Etc., etc.
     
  9. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,677
    Location:
    USA
    It's unacceptable to me. Everything shouldn't have to be in a whitelist. If so it's not actually an AV. If they want to just dump this for a whitelist only solution but allow an admin to add their own apps to the whitelist, I would actually find it more useful. Nothing we produce writes to any directory other than its own, or does anything that should be considered suspicious activity. They're not even trying when they do this. They're just saying "We don't know what this is, it must be bad. Let's just delete it without asking. We did good. :rolleyes:".
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    I assume your internal apps are installed in the program directories which, like I said previously, I don't believe native SS scans. In any case, they wouldn't have "the Mark of the Web" if the apps were just installed locally, and native SS wouldn't scan them.
     
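    An added PowerShell example, not posted by anyone in this thread, that lists for each executable in a folder the inputs itman describes above: whether the file carries the Zone.Identifier "Mark of the Web" stream (and which zone), its Authenticode signing status, and its SHA256 hash. $Folder is an assumed parameter defaulting to the current user's Downloads directory.

```powershell
# Audit which executables carry the Mark of the Web and what a reputation lookup would see.
# Added example; $Folder is an assumed input. ZoneId 3 = Internet zone, 4 = Restricted sites.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads"
)

Get-ChildItem -Path $Folder -File -Recurse |
    Where-Object { $_.Extension -in '.exe', '.msi', '.dll' } |
    ForEach-Object {
        $zoneId = $null
        try {
            # The Zone.Identifier alternate data stream is written by MotW-aware apps
            # (browsers, mail clients). Locally built or installed files normally lack it.
            $ads = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            $line = $ads | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        } catch {
            # No stream: file was not downloaded, so SmartScreen is not expected to check it.
        }

        # Signing status is the other input a reputation service can use besides the hash.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        [pscustomobject]@{
            File      = $_.FullName
            HasMotW   = ($null -ne $zoneId)
            ZoneId    = $zoneId
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
```

    Files reported with HasMotW = False are the "installed locally" case discussed above; unsigned files with HasMotW = True and no prior reputation are the ones SmartScreen would classify as unknown.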
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Windows Defender on track to become the first fully sandboxed AV?

    Source: https://twitter.com/epakskape/status/892852063650029569
     
  12. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Just sandbox all software developed by Microsoft; especially MS Office modules - Word, Excel, etc. Then Windows will be the secure OS its propaganda claims it is.
     
  14. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,509
    Last edited: Aug 2, 2017
  15. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,883
    My current version is 4.10.14393.1198
     
  16. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,509
    Ok different version on CU. I guess I was wondering because I am in the middle of testing things at my job for an upcoming Windows 10 rollout. So far, even though it may not be a popular decision, I am leaning towards LTSB. I have version 4.11.15063.447 (on CU Ent).

    I guess the question is, do they both have the same protection? Assuming no since CU has some more security built into the OS correct?
     
  17. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,883
    They have the same protection. LTSB though does not get new features; just security updates and bug fixes. Since you're testing for your company - depends on whether staying current is more important than long-term stability. In the former case, either Pro or just plain ol' Enterprise should suffice.
     
  18. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,787
    I must say, while a sandbox will be cool, I'd rather see them optimize it to make it lighter weight.
     
  19. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,509
    Thanks I was not sure on this. Reason I ask is because I have been having issues with our current AV solution and Windows 10. I need to do some research and likely open up a ticket with them, but the RAM and CPU cycles it uses even at idle is unacceptable. No such issues with Windows 7 Ent however.

    New features would be awesome (especially with the Fall Creators Update) so we shall see. The thing is there is so much extra stuff that I do not need end users messing around with like the Windows Store, Cortana, etc. Not to mention the ton of default firewall rules for xBox and everything else. That said, I don't really want to waste time on setting up GPO's to block everything or uninstall a ton of apps that are not really necessary for the average user. I have shown the results of regular Enterprise CU and LTSB to my boss and we are both on the same page. That is, leaning towards LTSB.

    I don't think that will be updated again until what, 2019 right? As long as security updates keep on rolling out, and with WD getting better and better, it seems like a winner to me.
     
  20. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,883
    Yup. Next LTSB build due in 2019.
     
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Anti-exploit baked in, now sandboxing ... @guest, looks like your third party security list may get even shorter :shifty:.

    Though I suppose AppGuard will remain :D.
     
    Last edited: Aug 3, 2017
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
  23. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,509
    Therein lies the conundrum. Seems too far out for me to wait. However, the more I think about it, could be less headaches for me and the rest of the IT staff. Looks like there is no way to install MS Edge, right? Perhaps I will just roll it out with IE and possibly Google Chrome since I can control that with group policy.
     
  24. plat1098

    plat1098 Guest

    Yes. Thank God for third party standalones. All these new Defender features ain't even been rolled out yet. I'd like to see how they actually operate on my machine in practice (not theory) before going into paroxysms of joy about it. Won't have to wait too much longer, though, Fall is around the corner.
     
  25. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,883
    LTSB only comes with IE 11; Edge is not installed because it's a universal Windows app and is frequently updated. Highly recommend Chrome for Business for this version of Windows 10.
     