Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    Here's a ref. on Explorer: http://www.geoffchappell.com/studies/windows/shell/explorer/index.htm?tx=27

    Of note:
    This above mode is a bugger to detect.

    Also of interest:
     
  3. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    It appears that you misunderstood what @xxJackxx originally posted.
    He did not complain about not having explorer.exe blocked.
    He answered @CoolWebSearch and said that he didn't experience having to manually whitelist explorer.exe when using Controlled Folder Access.
    Something @CoolWebSearch posted he was worried about. :)

    Also, FCU brought Exploit Protection as one of the four features in Windows Defender Exploit Guard.
    Things change.
    Defaults as well as the ability to enforce further mitigations.

    Take a look here for one of many reasons why Windows 10 FCU is a lot safer than anything previous.

    Obsessing about how things were instead of looking at what is currently available on the latest branch is a waste of time.

    Spend time in Exploit Protection section.
    You will find your worries are not an issue.

    As I said yesterday, there's a reason why the four features are introduced together.
    Each of them is powerful on its own, but when combined they are really great. :thumb:
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    Great as far as svchost.exe goes, but in reality it is the least targeted process by malware for code injection:
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,282
    Location:
    Among the gum trees
    Thanks guys. I think I'll leave WD at default for now. I'm not a high risk user so upping the protection level would most likely only bring some false positives.
     
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Sounds very reasonable, Krusty.

    And combined with Attack Surface Reduction rules and Controlled Folder Access, as you have activated, you have a great combination.

    In case you want to add the new Network Protection to your setup, you can enable it with this PowerShell cmdlet:
    Code:
    Set-MpPreference -EnableNetworkProtection Enabled
    It expands SmartScreen to every single process that tries to connect out.
     
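    The audit-then-enforce rollout of the cmdlet above, as an added example that is not part of this post or of the thread. This is PowerShell I wrote for this page; it assumes Windows 10 1709 or later with Windows Defender as the active real-time engine and an elevated session, and the event IDs 1125/1126 are the ones Microsoft documents for Network Protection audit and block events.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumes Windows 10 1709+ with Windows
# Defender as the active real-time engine. Event IDs 1125/1126 are the ones
# Microsoft documents for Network Protection audit/block.

function Get-NetworkProtectionState {
    # Get-MpPreference exposes the mode as a number: 0 off, 1 block, 2 audit.
    switch ((Get-MpPreference).EnableNetworkProtection) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { 'Unknown' }
    }
}

function Set-NetworkProtectionMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode
    )
    Set-MpPreference -EnableNetworkProtection $Mode
    Get-NetworkProtectionState
}

function Get-NetworkProtectionEvents {
    # 1125 = audited (would have been blocked), 1126 = blocked. The message
    # text names the process and the destination, which is what you review
    # before moving from AuditMode to Enabled.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Action  = if ($_.Id -eq 1126) { 'Blocked' } else { 'Audited' }
                Message = $_.Message
            }
        }
}

# Rollout: audit, review, then enforce.
Set-NetworkProtectionMode -Mode AuditMode
Get-NetworkProtectionEvents -Hours 24 | Format-Table -AutoSize -Wrap
# When the audit log shows only traffic you expect to be blocked:
# Set-NetworkProtectionMode -Mode Enabled
```

    Running in AuditMode first matters because Network Protection applies SmartScreen verdicts to every outbound connection, not just the browser, so the audit events are the only way to see which background processes would be affected before anything is actually blocked.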
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,282
    Location:
    Among the gum trees
    Already activated Network Protection not long after the clean install of 1709. ;)

    Thanks.
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,226
    Location:
    Italy
    A codec (ffmpeg.exe) used by Screenpresso in hidden folders:

    1.jpg

    does not work "add to list".
    I search the file ffmpeg.exe:


    2.jpg

    I add:

    3.jpg

    it's easy.;)
     
  9. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
    Controlled Folder Access... Issues again with pickerhost.exe. After whitelisting it, it works at the first system reboot. But after a few reboots, it will be blocked even if it is whitelisted.
     
  10. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Did you try to run the system without third-party security applications?
    Something is causing it to not align with whitelist.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Interesting, perhaps that's how it can block ransomware from getting access to protected files, even if explorer.exe is hijacked by ransomware?
     
  12. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    The Windows Defender Advanced Threat Protection service is not working; it's set to manual and if I try to change that I get an error

    Clipboard01.jpg Clipboard02.jpg

    Also, I'm not sure if this is connected, but Win Defender can't update

    Clipboard03.jpg

    Tried to run sfc /scannow but no problem found

    Clipboard04.jpg
     
  13. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    6,754
    Location:
    USA
    I can't find any info to back that idea up but it makes sense to me. If they're not already doing it, they can feel free to steal my idea. :D
     
  15. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    So this all OK and normal?

    Tnx
     
  16. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Yes. You absolutely cannot activate it without Enterprise E5.
    Better revert any changes made in GPO or services while you tried to get ATP running.
     
  17. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    This is all I have set in GPE:

    gpe.jpg

    I can't find "windows defender advanced threat protection"
     
  18. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Hi Djigi,

    Everything in your Group Policy settings looks fine.
    All of those (except Cortana) are related to the Windows Defender and Windows Defender Exploit Guard configurations we have talked about.
    So no worries.
     
  19. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,370
    @Martin_C

    I want to ask you something if you don't mind. It was my understanding that Windows 10 always had exploit protection built-in and that the recent exploit guard simply allows users now to modify it to how they want, correct?
     
  20. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    As far as I'm aware, Windows 10 hasn't had exploit protection built-in until the Fall Creators Update. However, users have been able to use the Enhanced Mitigation Experience Toolkit (EMET) if they so chose. EMET is coming to an end in July 2018 so Microsoft have now included many of the features from EMET into exploit protection. Existing users of EMET can convert and import existing EMET configuration profiles into Exploit protection. Hope that makes sense.
     
  21. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Mitigations have gradually been implemented across branches.
    With Fall Creators Update yet another batch got implemented and together with the Exploit Protection UI in Exploit Guard now being available, this means EMET can now retire.
    And as @TonyW mentions above, you can import your EMET profile to make migrating easy.
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,226
    Location:
    Italy
    Hi all.
    I suspect that the Chrome profile in EMET malfunctions if transported into Windows Defender without editing.
    Please check.:thumb:
     
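    The EMET-to-Exploit Protection migration discussed in the last few posts, and the "check the converted profile before trusting it" step Sampei Nihira asks for, as an added example that is not part of any post in this thread. This is PowerShell I wrote for this page using the ProcessMitigations cmdlets that ship with Windows 10 1709 and later; the file paths are placeholders, and the chrome.exe settings in step 5 are only an illustration of per-program adjustment, not a recommended Chrome profile.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Uses the ProcessMitigations cmdlets that
# ship with Windows 10 1709+. File paths are placeholders; the chrome.exe
# settings at step 5 are illustrative, not a recommended Chrome profile.

$emetXml      = 'C:\EMET\Profiles\exported-profile.xml'   # placeholder: exported from EMET
$convertedXml = Join-Path $env:TEMP 'exploit-protection-from-emet.xml'

# 1. Convert the EMET profile into Exploit Protection's XML format.
ConvertTo-ProcessMitigationPolicy -EMETFilePath $emetXml -OutputFilePath $convertedXml

# 2. Look at the converted entry for one program before importing anything.
#    The converted file is <MitigationPolicy> with one <AppConfig Executable="...">
#    element per program, so a profile that did not convert cleanly shows up here.
function Get-ConvertedAppEntry {
    param([Parameter(Mandatory)][string]$PolicyPath,
          [Parameter(Mandatory)][string]$Executable)
    [xml]$policy = Get-Content -LiteralPath $PolicyPath -Raw
    $policy.MitigationPolicy.AppConfig | Where-Object { $_.Executable -ieq $Executable }
}
Get-ConvertedAppEntry -PolicyPath $convertedXml -Executable 'chrome.exe' | Format-List *

# 3. Import the converted policy (system defaults plus per-program entries).
Set-ProcessMitigation -PolicyFilePath $convertedXml

# 4. Read back what is now effective for the program. This is what to compare
#    against the original EMET profile if the browser misbehaves after migration.
Get-ProcessMitigation -Name chrome.exe

# 5. Adjust a single program without re-importing the whole file: keep the
#    memory-safety basics on and turn one mitigation off. Which setting a given
#    browser build objects to has to be found by testing, not assumed.
Set-ProcessMitigation -Name chrome.exe -Enable DEP, SEHOP, ForceRelocateImages, BottomUp, HighEntropy
Set-ProcessMitigation -Name chrome.exe -Disable EnableRopCallerCheck

# 6. Export the final state so the same configuration can be redeployed with step 3.
Get-ProcessMitigation -RegistryConfigFilePath (Join-Path $env:TEMP 'exploit-protection-final.xml')
```

    Step 2 is the point of the example: the converter maps EMET mitigations one-for-one where it can, so opening the per-program element and reading the effective settings back with Get-ProcessMitigation is how you find a program-specific mitigation that EMET had off but the import turned on, before the browser starts crashing.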
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,226
    Location:
    Italy
  24. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,181
    Location:
    Slovakia
    Thanks for the link to the test, but I guess I broke it. Install and run without admin rights did nothing. Install and run with admin rights had the same result.
     

  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,399
    Location:
    U.S.A.
    Appears WD Controlled Folders is blocking access to same by browser.exe. Check your event logs for any WD events.

    -EDIT- I will also add that if one wants to test WD using RanSim, they will have to disable Controlled Folders. This is because RanSim installs itself in and runs from the My Documents directory. It appears to me from the posted screen shots, RanSim was installed OK but WD is blocking browser.exe from running. Suspect WD is either blocking it by blacklist or sig. as some other AV vendors do. It is also possible that WD's cloud scanning detected the encryption activities from it and blocked it for that reason. Below is a link to RanSim use:
    https://support.knowbe4.com/hc/en-us/articles/229040167-RanSim
     
    Last edited: Nov 5, 2017
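    The Controlled Folder Access housekeeping that runs through posts 8 (adding a helper hidden in an app's folder), 9 and 10 (a process still blocked after whitelisting) and 25 (check the event log to see what CFA stopped), as one added example that is not part of any post in this thread. This is PowerShell I wrote for this page; it assumes Windows 10 1709 or later with Windows Defender real-time protection on (CFA only works then), an elevated session, and the event IDs 1123/1124 that Microsoft documents for CFA block and audit events. The paths and process names are placeholders taken from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Assumes Windows 10 1709+ with Windows
# Defender real-time protection on (Controlled Folder Access only works then).
# Event IDs 1123/1124 are the ones Microsoft documents for CFA block/audit.
# Paths and process names below are placeholders taken from the thread.

function Get-CfaState {
    $pref = Get-MpPreference
    $mode = switch ($pref.EnableControlledFolderAccess) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        Mode             = $mode
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
    }
}

function Add-CfaAllowedApp {
    # Allow-list entries are full paths. Resolve the path first so the entry
    # matches the executable that is actually running.
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).Path
    Add-MpPreference -ControlledFolderAccessAllowedApplications $full
    $full
}

function Get-CfaEvents {
    # 1123 = blocked, 1124 = audited. The message names the process and the
    # file or folder it tried to change.
    param([int]$Hours = 24, [string]$ProcessName = '*')
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ProcessName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Action  = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
                Message = $_.Message
            }
        }
}

# Case 1 (post 8): a helper such as ffmpeg.exe living in a hidden folder.
# -Force makes Get-ChildItem descend into hidden directories.
$ffmpeg = Get-ChildItem -Path $env:LOCALAPPDATA -Filter 'ffmpeg.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($ffmpeg) { Add-CfaAllowedApp -Path $ffmpeg.FullName }

# Case 2 (posts 9 and 25): a process is still blocked after whitelisting, or a
# test tool like RanSim stops working. Pull the block events for the process and
# compare the path in the event with the allow-list entries; they must match.
$state = Get-CfaState
$state
Get-CfaEvents -Hours 48 -ProcessName 'pickerhost.exe' | Format-List
Get-CfaEvents -Hours 48 -ProcessName 'browser.exe'    | Format-List
```

    Two things the event query tells you that the Security Center UI does not: the exact path CFA saw for the blocked process (an allow-list entry that points at a different copy of the same executable does nothing), and whether the block came from CFA at all. If no 1123 event exists for the process, the block is coming from somewhere else, which is the direction Martin_C's question about third-party security software points in.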