Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    865
    Location:
    Italy
    A small test:

    http://sendvid.com/59z4eald
     
    Last edited by a moderator: Dec 4, 2017
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,478
    Location:
    U.S.A.
    You need to check this out. Eset detected a PUA. Upon blocking, I then get redirected to a porn web site. At least that woke me up this morning .............
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    61,516
    Location:
    Texas
    Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,478
    Location:
    U.S.A.
    I wouldn't put a lot of weight on AMSI protection combined with WD. MRG did an ad hoc test a while back and WD failed miserably: https://www.mrg-effitas.com/current-state-of-malicious-powershell-script-blocking/ . The problem is WD and most of the AVs tested have issues with obfuscated scripts. Appears AMSI is effective unpacking scripts but if they are also obfuscated, that detection is left to the AV engine to unobfuscate.
     
    Last edited: Dec 4, 2017
  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    865
    Location:
    Italy
    UBO blocks the redirect.
    The problem only occurs when the browser is first opened.
    The scan at VT is clean.
     
    Last edited: Dec 4, 2017
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
    Absolutely nothing of that are correct.

    The OS, interpreters, AMSI, Windows Defender and Windows Defender ATP does not work the way you claim.

    Reading the blogs that the various teams write, following for example the flow of information from key PowerShell developers and keeping an eye on builds would have been great if wanting to comment on AMSI.

    Allow me to quote from article :
    Above from blogpost linked to here

    About the test you reference. Yes, MRG did a test of AMSI on Windows 10 - 1511.

    Windows 10 - 1511
    Windows 10 - 1607 Anniversary Update.
    Windows 10 - 1703 Creators Update.
    Windows 10 - 1709 Fall Creators Update.

    MRG test are of a two year old and four branches old Windows edition.
    The test has ZERO value in december 2017.

    Even when MRG tested a two year old and four branches old Windows edition, Windows Defender and AMSI did very well and was one of the few vendors capable of blocking test 1 and 2.

    But now fast forward to December 2017. Two years later and four Windows 10 branches later.
    So much has happened with AMSI across the four branches.
    So much has happened to Windows Defender and Windows Defender ATP across the four branches.

    Doing your Bing or Google trip and digging up tests of antique builds or even months old reports of this or that findings are worthless in todays development cycle.
    With Windows-as-a-Service we have two new branches every year and 1-2 new stable public builds every month on each branch.

    Forget the history books. They can't keep up with todays development pace. Always stay informed on latest builds instead. :)
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,478
    Location:
    U.S.A.
    Show some proof to this statement. I have seen no evidence that AMSI has changed since its initial Win 10 release. I believe you are confusing this with the fact that the MS products that interface with AMSI have changed.

    Microsoft states that AMSI de-obfuscates scripts. If it actually did, every AV vendor that uses the AMSI interface including WD would have been able to pass the Mimikatz tests.
     
    Last edited: Dec 5, 2017
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
    So much documentation on this over the years. Much of it already in this very thread.
    Furthermore a good starting point is reading the latest blog post linked to a little higher up on this page. That will highlight some of the important changes in FCU. :)
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,478
    Location:
    U.S.A.
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,846
    Location:
    Among the gum trees
    Does the PUA / PUP Registry key work in Win8.1?
     
  11. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
    You misunderstood what Ryan Cobb writes and who he is.

    Research like this from Ryan Cobb, Daniel Bohannon, Matt Graeber, Jared Haight, Lee Holmes and many more extremely talented researchers are exactly what the Microsoft blog post is about.

    All of them pro-AMSI people. :thumb:
     
  12. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    421
    Yes, it does. :)

    (and I will not ask what you are doing back on Win 8.1, since I have seen your posts about your update nightmare elsewhere on forum :(. Hope everything works out for you.)
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,846
    Location:
    Among the gum trees
    Well, the upgrade problem isn't really it - different machine.

    My little second hand laptop came with Win8.1 installed and I upgraded it immediately to Win10 for the activation, then replaced the HDD with a SSD and upped the RAM to 8GB. I just thought I'd give Win8.1 a try to see what I've been missing. After a bit of a learning curve and uninstalling most of the OEM bloat I am surprised that this machine seems to run quicker than with Win10 on the SSD. Weird!
     
  14. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    711
    Location:
    Baden Germany
    Yes it does,
    and my impression is that WD is more aggressive against PUPs, than it was a few month ago.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,846
    Location:
    Among the gum trees
    It looks like your not alone.

    #1445
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,478
    Location:
    U.S.A.
    What he states is first and foremost AMSI un-obfuscation methods are in inadequate and can be bypassed. He states:
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,478
    Location:
    U.S.A.
    This is a great idea but I believe this only applies to Office apps as far as WD goes?
     
  18. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    607
    Location:
    Surabaya Indonesia
    does anyone ever test Network protection feature ? i activated it but failed when try to tested via MS website
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,846
    Location:
    Among the gum trees
    It worked fine here last time I tested using Firefox.
     
  20. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    607
    Location:
    Surabaya Indonesia
    when i tried it never blocked by WD.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    4,846
    Location:
    Among the gum trees
    Here's a few to try. Start at this post and read on.

    #1365
     
  22. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    788
    I'm in the same boat as cupez80. The remaining functional link opens without a warning from WD (ignoring the FF warning). I've even tried in a clean VM 1709 with only this setting changed and still nothing:
    Prevent users and apps from accessing dangerous websites; Enabled; Block
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,478
    Location:
    U.S.A.
    As far as this link goes: http://cxoficialnet.com/home/pages/inter/ , SmartScreen will block it if you are using IE or Edge. None of those other links were functional for me. Appears my DNS provider is blocking them.
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,520
    Location:
    Slovenia
    https://wccftech.com/microsoft-emergency-patch-fix-rce-malware-engine/
     
  25. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,047
    Location:
    Europe then Asia
Loading...