Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. fmon

    fmon Registered Member

    Joined:
    May 5, 2013
    Posts:
    1,155
    Microsoft should really improve controlled folder access: Malware could simply add an infected .exe file to the whitelist and run it. However, if I install a program which creates an icon on the desktop it will be blocked; it's annoying to add every single file to the whitelist before executing. Sometimes I think this version of controlled folder access makes no sense at all, it's like HIPS with auto-blacklist and without any intelligent program decision. Very simple to code but nearly useless for the average user.
     
  2. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,046
    Location:
    Europe then Asia
    It works like a basic SRP without any whitelist at all, so users have to set up everything if they want to use the feature, which is basically pointless on a home version OS made for Average Joes...if it was Pro or Enterprise, it would make more sense.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    61,512
    Location:
    Texas
    Windows Defender Immune to AVGater Quarantine Flaw: Microsoft
     
  4. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
    There's a world of difference between you doing that to yourself and someone doing that to you. :)

    But I think you knew that very well, because if it was that easy to halt WD or any other AV for that matter, then it would be everywhere in the wild. And it is not.

    Security can't be evaluated with a tunnelvision approach. You need to embrace the full protection stack.

    What I see with each branch is progress - new features implemented and existing features enhanced.
    And I see possibilities when putting them to use. Even more so, when you start combining them.

    On an out-of-the-box Win10 1709 branch, start by raising all the SmartScreen settings to Block.
    Make sure Windows Defender is active. By default this means all cloud features are active, Block at First Sight is active and Behavioral Analysis is active, which also includes the memory scanner that I see you noticed in another thread.

    Overview of Windows 10 1709 Fall Creators Update as presented at Microsoft Ignite 2017 :
    Windows 10 1709 Fall Creators Update.png

    Now evaluate if you use default block level in Windows Defender, or want to raise it. In addition to default block level, there's High, High+ or if mission critical, then raise to Zero Tolerance that blocks everything unknown.
    And activate PUA detection, no matter which block level you decide on.
    Now activate Network Protection, that expands SmartScreen to every single process on pc that tries to connect out.
    Then activate Controlled Folder Access to only allow vetted processes access to your protected data.
    Next activate Attack Surface Reduction rules, to effectively block the vectors an attacker would need.
    The Attack Surface Reduction rules have proven to be extremely effective, but since I know you pay extra attention to PowerShell I will quote this part in particular :
    Full blog post here : https://blogs.technet.microsoft.com...tack-surface-against-next-generation-malware/
    Then start looking at Exploit Protection. The default settings provide good protection without breaking anything in general mass use, but a specific setup might allow for further tightening of mitigations, since now you only need to care about the specific applications and workflows relevant to you. Especially if rare/legacy applications are present.
    All app-level mitigations can be used in audit mode and there's extensive logging in Event Viewer, to make it easier to dial in while you evaluate.
    Do all of the above on a clean installation of Win10 1709 Fall Creators Update and then use SUA for all daily activities afterwards, and it becomes clear how well these features all work together.

    Then you will have embraced a huge part of the protection stack available on Windows 10 Pro and Home.

    The changes Microsoft has made with 1709 Fall Creators Update are massive. All these features are available and ready to use.

    Bottom line - there will be two groups of users.
    Those who still look at Windows through Win98->WinXP glasses, and insist on adding and replacing with third-party code. A subset of these will complain about Windows evolving.
    And those who are open to the fact that Windows has evolved a lot since then and who evaluate what is actually available now. They will typically enjoy that all the features mentioned above are available and work so well together. :thumb:
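
    The steps above, collected into one script as an added example (not code from the thread or from Microsoft). It assumes Windows 10 1709 or later with Windows Defender active and an elevated PowerShell session; the three Attack Surface Reduction rule GUIDs are taken from Microsoft's published ASR rule list and should be cross-checked against current documentation before use, the Event IDs are assumed from the Exploit Guard documentation, and the protected folder path is a constructed placeholder. Run it first with the default AuditMode, review the events it lists, then re-run with -Mode Enabled.

```powershell
# Added example: apply the hardening steps from the post above with the Defender
# cmdlets, then read the effective state and the Exploit Guard events back.
# Assumptions: Windows 10 1709+, Windows Defender active, elevated session.

param(
    # Start in AuditMode, review events, then re-run with Enabled.
    [ValidateSet('AuditMode', 'Enabled')]
    [string]$Mode = 'AuditMode',

    # Extra folders for Controlled Folder Access (constructed example path).
    [string[]]$ExtraProtectedFolders = @('D:\Documents'),

    # Cloud block level: Default, Moderate, High, HighPlus or ZeroTolerance.
    [ValidateSet('Default', 'Moderate', 'High', 'HighPlus', 'ZeroTolerance')]
    [string]$CloudBlockLevel = 'High'
)

# ASR rule IDs from Microsoft's published rule list (assumption: verify against
# the current docs before relying on them).
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
}

function Set-DefenderHardening {
    # Cloud-delivered protection and sample submission must be on for Block at
    # First Sight to work; raise the block level and the cloud timeout on top.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendAllSamples `
                     -CloudBlockLevel $CloudBlockLevel `
                     -CloudExtendedTimeout 50 `
                     -DisableBehaviorMonitoring $false

    # PUA detection, Network Protection and Controlled Folder Access.
    Set-MpPreference -PUAProtection Enabled `
                     -EnableNetworkProtection $Mode `
                     -EnableControlledFolderAccess $Mode

    # Add-MpPreference appends to the existing list instead of replacing it.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraProtectedFolders

    # ASR rules: the Ids and Actions arrays are matched by position.
    $ids     = @($AsrRules.Keys)
    $actions = @($ids | ForEach-Object { $Mode })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions $actions
}

function Get-DefenderHardeningState {
    # Read the effective configuration back so the change can be verified.
    $p = Get-MpPreference
    [pscustomobject]@{
        CloudBlockLevel        = $p.CloudBlockLevel
        PUAProtection          = $p.PUAProtection
        NetworkProtection      = $p.EnableNetworkProtection
        ControlledFolderAccess = $p.EnableControlledFolderAccess
        ProtectedFolders       = $p.ControlledFolderAccessProtectedFolders
        AsrRules               = @(for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
            '{0} => {1}' -f $p.AttackSurfaceReductionRules_Ids[$i], $p.AttackSurfaceReductionRules_Actions[$i]
        })
    }
}

function Get-DefenderExploitGuardEvents {
    # Event IDs in the Defender operational log (assumed from the Exploit Guard
    # docs): 1121/1122 ASR block/audit, 1123/1124 Controlled Folder Access
    # block/audit, 1125/1126 Network Protection audit/block.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124, 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-DefenderHardening
Get-DefenderHardeningState | Format-List
Get-DefenderExploitGuardEvents | Format-Table -AutoSize
```

    Exploit Protection is left at its defaults here, as the post recommends; `Get-ProcessMitigation -System` shows the system-wide mitigation state if you want to tighten it per application later. Get-MpPreference reports the enum-valued settings as numbers (0 = Disabled, 1 = Enabled, 2 = AuditMode), so audit-mode rules show up as 2 in the AsrRules list.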
     
  5. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
  6. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,046
    Location:
    Europe then Asia
    Then comes the third and biggest group, the Average Joes who can't deploy the tight setup you mentioned above, either because of their lack of skills or because they don't want to go through the hassle, or who just prefer/are used to 3rd party AVs.
     
    Last edited: Nov 15, 2017
  7. amico81

    amico81 Registered Member

    Joined:
    Oct 18, 2017
    Posts:
    20
    Location:
    Germany
    Panda again better than emsisoft and Kaspersky? :thumbd: the test samples are 100 days old or what....but definitely not zero day
     
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
    The same can be said about every single HIPS, application-whitelisting, anti-exe, behavior blocker or AV out there from every single vendor.

    In theory "all" you have to do to bypass them is to shut them down or allow yourself through them.

    But in practice, the entire protection stack stands between the wish to bypass and actually being able to bypass.
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    865
    Location:
    Italy
    To enable PUA protection even in Windows 10 Home * with Powershell:

    Get-MpPreference

    Search for "PUAProtection"; if the numeric value is 0, it is disabled.

    To enable it, use the command:

    Set-MpPreference -PUAProtection enabled
     
    Last edited: Nov 19, 2017
  10. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
    None of that is correct.

    All four features in Windows Defender Exploit Guard are tightly integrated with the Microsoft Intelligent Security Graph.

    On clean systems without excessive third-party add-on security, the end user does not have to do anything except activate the Controlled Folder Access feature and add any additional folders they want protected.

    That is all they need to do.

    The features' local logic combined with insight from Microsoft Intelligent Security Graph will take care of everything else.

    This is implemented in such an elegant way that the feature is easier to use than it is to boil eggs.

    The only users that have issues are those who have third-party security installed which insists on altering things those third-party applications shouldn't touch.

    Excellent example if one looks one page back in this thread.
    A user has two systems.
    System A with a not so intrusive third-party add-on security application has zero problems with Controlled Folder Access.
    System B with a very intrusive third-party add-on security application has issues.
     
  11. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
    None of that makes any sense what so ever.

    This "Average Joe" you always bring up will, on a plain out-of-the-box Windows 10 installation running its default native security, have protection as seen if one follows the link in this post.

    And that test is not even on 1709 Fall Creators Update. That test is with the native security that is active by default on 1703 Creators Update.

    Users on 1709 Fall Creators Update can then additionally activate the features I mentioned in this post to enjoy even more of the protection stack available in Windows 10 Fall Creators Update.

    This thread proves that it is easy.

    Several users posted that they activated all the features they needed without any problems.
    Some users had a few questions and then activated all the features they needed without any problems.

    Absolutely nobody has been scratching their head.

    It's a few clicks in the UI and then a few clicks in GPOs or a few PowerShell cmdlets - depending on whether the user is on Pro or Home.
    That's all.

    Everybody that wants to set up the additional native security features available in Windows 10 can handle this. :thumb:
     
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,046
    Location:
    Europe then Asia
    Maybe for you, but you are clearly not representative of the masses; you understand and know how to use all the built-in features, but many don't...and it is what you seem to miss.

    Note: I don't talk about efficiency, only usability, and it is clearly at the moment not user-friendly, especially when it is strangely tied to WD which has no real interaction with the Controlled Folder mechanisms.

    Anyway, I didn't plan to do a deep debate about it, I just gave my opinion.
     
  13. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    501
    The average Joe wouldn't even have Controlled Folders enabled since it is disabled by default.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,477
    Location:
    U.S.A.
    :thumb::thumb:
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,559
    Location:
    The etherlands
    Agree.

    But shortly taking delivery of a new machine so may give this a go first on clean Win 10 Pro ...
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,477
    Location:
    U.S.A.
    I just installed ver. 1709 yesterday via Win Update. The average user is not going to play around with security settings, nor should they be required to "tweak" their security settings for max. security protection. Add to that, SmartScreen is "notorious" for alerting on downloads that are in reality safe. Setting the action default to block would prevent this software from downloading:

    WD_App_Control.png
     
    Last edited: Nov 15, 2017
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,295
    I would never use the secured folder feature since it allows all trusted MS programs access. To me that is almost a waste. I want it much tighter than that.
     
  18. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    501
    Did you test it?
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    865
    Location:
    Italy
    Or later:

    https://www.amtso.org/feature-settings-check-potentially-unwanted-applications/
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,295
    No, I read about it. I use Pumpernickel so I have no need for it
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    I would love to learn a bit more about Win Def's behavior blocker, weird that I can't find any info about it.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,477
    Location:
    U.S.A.
    It is cloud based using MS's Azure AI servers. Note that it is time dependent, although the delay to determination can be slightly increased. Also, the process is actually suspended while this is going on. Obviously, "sleeper" malware will be able to evade it.

    WD's scanning ability in the cloud was impressive based on the AV Labs - Poland fileless malware test. It was able to detect all processes used including a .bat script which was a Powershell dropper. This contrasts with the majority of AVs detecting by outbound network connections.
     
  23. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
    That is not correct.

    You are mixing up three very powerful, but different parts.
    Block at First Sight, Behavioral Analysis engine and memory scanner.
    Three different parts of Windows Defender.
    There's time and entry constraints on Block at First Sight. Not on Behavioral Analysis or memory scanner.

    But you are correct that Windows Defender did very well in the fileless malware test that AV Labs - Poland recently published. The combined feature set in Windows Defender is proving to be effective.
     
  24. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,649
    Since it seems they added a bunch of new protection, I figured I'd try WD again. The protected folder access is crap at this point. Blocks just about everything, so way too many false positives.

    Also, protection isn't really my concern with WD, but rather the CPU usage of the main module. Still surprises me that the built in protection is heavier than third party programs.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,477
    Location:
    U.S.A.
    Below is MS's description of "Block at First Sight." In typical MS "security techno-babble," it is WD's local based non-signature analysis which is equivalent to that performed in other third party AV solutions. Bottom line - there is nothing "ground breaking" security-wise in WD's new protections. They are just finally making WD on par with what the third party AVs have had for some time. The only thing really "leading edge" is the use of the cloud AI scanning.
    https://docs.microsoft.com/en-us/wi...ock-at-first-sight-windows-defender-antivirus
     