Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,113
    Location:
    Da mean streets of Brooklyn
    Has anyone seen this definition update failure before? A cursory check of the error code yielded nothing. This is a Fall CU thing, right? I ran some scans out of paranoia and they were clean.

     
  2. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    422
    Faulty download being rejected.
    Not to worry. WD will pull in anything needed dynamically, if and when needed.
     
  3. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,113
    Location:
    Da mean streets of Brooklyn
    OK, you are right, the new definitions haven't come yet, but trying to check doesn't give the error either, so it seems OK. A little too much information in the error message there. OK, thank you.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,565
    Location:
    Slovenia
    https://blog.emsisoft.com/2017/11/08/windows-10-ransomware-protection-good-enough/
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    Great article that sums up things nicely. Personally, I believe it's just a matter of time till someone bypasses CF. The problem with the "vault" approach is someone is always finding a way to breach it, whether it is software or a steel bank vault. One existing scenario is simply "taking out" Windows Defender.
     
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    422
    The feature still doesn't work that way. :)
    As mentioned 8-10 times by now - the feature runs Default-deny.
    If you blind the vetting, then nothing new is granted access.
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,410
    Location:
    USA
    Unfortunately it does work that way. I just took an empty VM with Windows 10 and turned on controlled folder access. I then proceeded to install software that I knew would be blocked by it. It was. I then disabled Windows Defender without having turned the Controlled folders back off. I can now run the installer with no issues and nothing blocked. So "taking out" Windows Defender will bypass the Controlled folders. I know, you already have bigger problems at that point, but I expect it will be a matter of when and not if, and sooner rather than later at that, that someone will bypass the Controlled folders, so I am just not going to bother with them in the first place.
     
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    422
    That is not what I said. :)
    I said if you blind it, then nothing new is granted access.
    That WD needs to be activated is part of the requirements, as mentioned in Microsoft documentation. See link on page 45.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
  10. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    422
    Requires physical hands-on access to the single machine you target as well as access to desktop.

    Try it through external means and you will find there's a reason why there's four features in Exploit Guard.

    And there's a reason why all the many features in the Windows 10 protection stack overlap the way they do. Protection in layers. :)
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    Disabling WD's real-time protection is as trivial as creating a PowerShell script and then running the script.

    For example, create a script named and stored here: C:/disable.ps1. The script contains this:

    Set-MpPreference -DisableRealtimeMonitoring $true

    Then run this: powershell.exe -ExecutionPolicy Bypass -File "C:/disable.ps1"

    Since there are all kinds of stealthy ways malware can run PowerShell and its scripts, including from the registry and memory, a WD bypass is a foregone conclusion.
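    The defender-side counterpart to the post above, as an added example that is not from any poster in this thread: a read-only PowerShell audit that reports whether the real-time monitoring switch has been flipped, what state Controlled Folder Access is in, and which Defender operational-log events recorded such changes. It assumes the built-in Defender module (Get-MpPreference, Get-MpComputerStatus) is available and is run from an elevated prompt.

```powershell
# Added example (not from the thread): audit a Windows 10 host for the tampering
# described above. Read-only; assumes the Defender module is present and the shell is elevated.
function Get-DefenderTamperReport {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Configuration view: the switch Set-MpPreference -DisableRealtimeMonitoring flips,
    # plus the Controlled Folder Access state and its allow-list.
    $config = [pscustomobject]@{
        RealtimeMonitoringDisabled = [bool]$pref.DisableRealtimeMonitoring
        RealtimeProtectionEnabled  = [bool]$status.RealTimeProtectionEnabled
        ControlledFolderAccess     = $pref.EnableControlledFolderAccess   # 0 off, 1 block, 2 audit
        AllowedApplications        = @($pref.ControlledFolderAccessAllowedApplications)
    }

    # Event view: Defender's operational log records real-time protection being disabled
    # (5001), platform configuration changes (5007) and CFA block/audit events (1123/1124).
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 1123, 1124
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

    [pscustomobject]@{
        Config     = $config
        Events     = $events
        # True when protection is currently off, or was disabled/reconfigured inside the window.
        Suspicious = [bool]($config.RealtimeMonitoringDisabled -or
                            -not $config.RealtimeProtectionEnabled -or
                            ($events | Where-Object Id -in 5001, 5007))
    }
}

# Usage: a Suspicious=True result means the host looks like the "disable.ps1" scenario above
# and the Events list shows when the change was logged.
Get-DefenderTamperReport -Hours 24 | Format-List
```

    The same event IDs can be forwarded to a central collector, so a 5001/5007 pair from a host that should have real-time protection on becomes an alert rather than something noticed after the fact.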
     
  12. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    559
    Location:
    Moon
    ESET with no FP, great :)
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,410
    Location:
    USA
    Ok, sorry, I misunderstood what you meant. o_O
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    We're testing that one presently. A number of interesting possibilities to do so.
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    870
    Location:
    Italy
    Last edited: Nov 12, 2017
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,888
    Location:
    Among the gum trees
  17. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    870
    Location:
    Italy
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,888
    Location:
    Among the gum trees
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    870
    Location:
    Italy
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,888
    Location:
    Among the gum trees
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    870
    Location:
    Italy
  22. fmon

    fmon Registered Member

    Joined:
    May 5, 2013
    Posts:
    1,163
    Is it possible to remove "desktop" folder from protected folders?
     
    Last edited: Nov 12, 2017
  23. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
    I still encounter issues: pickerhost.exe is blocked even if whitelisted, after multiple reboots (running CFW with WD). On my desktop, on which I don't use CFW but VoodooShield, I didn't have to whitelist anything and everything is working properly. Probably a conflict with COMODO Firewall.
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    Last edited: Nov 12, 2017
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    870
    Location:
    Italy