Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    No. Again you misunderstand what Ryan Cobb writes.

    Dear @itman, no offense but sooner or later you have to overcome this obsession of yours about thinking that everything is bad, flawed or broken.
    You are putting obstacles in your way when you try to interpret everything you read in a negative way. :)

    Ryan Cobb is not listing errors in Win10 1709 Fall Creators Update.
    He is listing what the challenges are in general when dealing with script based attacks.
    The reason he mentions 1709 Fall Creators Update is because Microsoft has massively increased the defenses with this branch.
    One of these are the Attack Surface Reduction rules and that is why he mentions 1709 Fall Creators Update.

    All the challenges on his list are exactly what Microsoft are putting pressure on with 1709 Fall Creators Update.

    Read the Microsoft blog post.
    Read what for example Lee Holmes recommends.

    There's a reason why Microsoft has added deep behavioral instrumentation to the Windows script interpreters.
    And there's a reason why Microsoft has added machine learning algorithms in Windows Defender and Windows Defender ATP to process these improved optics.

    Script based attacks are extremely challenging. But the reason that the window of opportunity to do damage unnoticed is shrinking is thanks to the fact that these teams constantly monitor what is actually being done in real world attacks, that these teams constantly improve the defenses available and that these researchers are constantly poking at the defenses, which gives ideas for even further improvements.

    This is not a destination you can arrive at, tick off on a list and say - that was that.
     
  2. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    A : Yes, the Attack Surface Reduction rules are an extremely powerful addition to Windows Defender's capabilities.

    B : No. Attack Surface Reduction rules cover three areas - Microsoft Office applications, scripts and mail/webmail.

    (and C : I already mentioned that to you halfway down in this post. :))
     
  3. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Those settings in the UI are for IE, Edge and UWP applications.

    To expand SmartScreen to cover outbound from all processes, you need to activate Network Protection.

    Use this in admin PowerShell :
    Code:
    Set-MpPreference -EnableNetworkProtection Enabled
     
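    As an added example (not from this thread or from Microsoft), the one-liner above can be extended to turn on Network Protection and the Office/script ASR rules in AuditMode first, so the resulting events can be reviewed before anything is blocked. The rule GUIDs are the public IDs from Microsoft's ASR documentation and should be verified against the current docs; run it in an elevated PowerShell on 1709 with Windows Defender active.

```powershell
# Added example: stage Network Protection and three ASR rules in AuditMode,
# then print the resulting preference state for confirmation.
# Rule GUIDs are from Microsoft's public ASR documentation (verify before use).
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
}

# AuditMode logs what would have been blocked (Windows Defender operational
# log, Network Protection audit events) without interrupting anything yet.
# Switch to Enabled once the audit events look clean.
Set-MpPreference -EnableNetworkProtection AuditMode

# Add-MpPreference merges with rules that are already configured rather than
# overwriting the whole list the way Set-MpPreference would.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Report the current state (actions: 0 = Disabled, 1 = Block, 2 = AuditMode).
$prefs = Get-MpPreference
"Network Protection mode: $($prefs.EnableNetworkProtection)"
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $prefs.AttackSurfaceReductionRules_Ids[$i]
    $action = $prefs.AttackSurfaceReductionRules_Actions[$i]
    $name   = if ($asrRules.ContainsKey($id)) { $asrRules[$id] } else { 'other rule' }
    '{0}  action={1}  {2}' -f $id, $action, $name
}
```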
  4. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Update for Windows Defender antimalware platform.

    As Amitai Rottem tweets :
    https://mobile.twitter.com/AmitaiTechie/status/938936846809153536

    and continues here :
    https://mobile.twitter.com/AmitaiTechie/status/938936895169368064

    The entire Windows Defender antimalware platform now updated regularly !
    It used to be monthly engine updates and then the major platform updates with each new Windows 10 branch.
    Now, no more waiting.
    This is fantastic news !! :thumb::thumb:

    First build is 4.12.17007.17123.
    And these monthly updates apply to Windows 10 Version 1703 and Version 1709.

    More here : https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    162,650
    Location:
    Texas
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    My question is why after this latest MPE update are there now two versions of Windows Defender installed in Win 10 ver. 1709? There is a Windows Defender directory in both the ProgramData and Program Files directories containing what appear to be identical entries. Also based on the Eset HIPS alerts I have been receiving and what Process Explorer shows, WD's MDE is running from the ProgramData directory. Prior to this latest MPE update, it appears WD was running from the Program Files directory.

    Note: I have WD set for periodic scanning.
     
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    The update is in ProgramData. This is your active installation with the new platform.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Appears if you have MS Office installed, rules for Office child processes and creation of executables are created by default.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Question. If the obfuscated script block rule is enabled, will AMSI detect and block it or WD? Specifically, if you are using a third party AV, is this protection applicable?
     
  11. guest

    guest Guest

    Unless I'm wrong, this is AMSI doing the job so the 3rd party AV needs to implement it (which I heard is very pricey) so few use it, ESET is one of them if I recall well.
     
  12. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    WD. Attack Surface Reduction rules are part of the defensive tools available when WD is active.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Yes. Eset does use AMSI. However as @Martin_C replied, ASR rules only apply to WD. Each AV vendor creates their own amsi.dll equivalent. So it would be up to them to create the corresponding blocking of partially obfuscated scripts ASR capability that WD has. Would be great if @Zoltan_MRG would retest WD using Mimikatz - Invoke-Obfuscation to determine if the ASR rule blocks it.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Pertaining to the latest WD patch, it is the fourth one issued this year:
    https://www.bleepingcomputer.com/ne...ngine-bug-discovered-by-british-intelligence/

    This does call into question the security integrity of WD. If the AV engine is riddled with vulnerabilities, it really doesn't matter what "new and improved" malware detection capability it is offering.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I'm sure that most AV engines have flaws in their code. As long as they are patched before exploited, I don't see a problem. If you want to avoid them, don't use an AV.
     
  16. Special

    Special Registered Member

    Joined:
    Mar 23, 2016
    Posts:
    454
    Location:
    .

    I have this question too, I've had to update my firewall rules because of this change and I'm guessing I'll have to keep updating them, over and over again, when new versions are released such as "C:\ProgramData\Microsoft\Windows Defender\Platform\4.12.17XXXX.1XXXX-0", etc. because the paths will change.

    What the heck is the point of "C:\Program Files\Windows Defender" then if it's not used?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Here's another ad hoc test in regards to WD's ASR rule for obfuscated script detection capability: https://www.darkoperator.com/blog/2...nder-exploit-guard-asr-obfuscated-script-rule

    For a control test, the author using the MS's Windows Defender Exploit Guard evaluation package in audit mode noted the following:
    He then enabled the following ASR rule:
    As somewhat expected, the MS provided test scripts were blocked.

    He then proceeded to create and execute his own obfuscated scripts. None were detected by WD's ASR obfuscated script detection. Bottom line - never ever rely on a vendor provided tool to verify protection capability.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Perhaps the best way to resolve this ASR obfuscated script issue is to do your own testing. Here is an article on how to use Invoke-Obfuscation: http://pentestit.com/invoke-obfuscation-powershell-command-script-obfuscator/ .

    Using the following Out-SecureStringCommand option w/AES encryption for example:
    Yields the following encrypted obfuscated Powershell script. It failed to run on my Win 10 1709 build due to Powershell being set to Constrained Language mode; what I believe is your best option against advanced malware Powershell use:

    PS_Encypted_Script.png
     
  19. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    848
    Doesn't seem to work either... :/
     
  20. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    This latest update to Windows Defender causes problems if you have a software restriction policy. I suddenly could not download anything using Chrome, the virus check failed and the file was deleted or not there. I have added the path C:\ProgramData\Microsoft\Windows Defender\Platform as unrestricted to the software policy and can download files again. This may have happened because I have DLL blocking on.

    I have also added a new firewall rule. This is going to be another annoying firewall rule that needs regular updating as Windows Firewall does not support wildcards.

    Microsoft seems to love causing problems for its users.
     
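    The versioned platform path complained about in this post and in post 16 can be resolved automatically rather than edited by hand. This is an added example, not code from the thread: it assumes the platform directory layout quoted above, that the antimalware service binary is MsMpEng.exe inside that directory, and a firewall rule with the hypothetical name 'Windows Defender engine (outbound)' that you maintain yourself. Run it elevated after each platform update (or from a scheduled task).

```powershell
# Added example: find the active Windows Defender platform folder and point
# an outbound firewall rule at its engine binary.
$platformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
$ruleName     = 'Windows Defender engine (outbound)'   # hypothetical rule name

# Folder names look like 4.12.17007.17123-0; strip the "-0" suffix and sort
# by [version] so the newest platform wins regardless of string ordering.
$latest = Get-ChildItem -Path $platformRoot -Directory |
    Sort-Object { [version]($_.Name -replace '-\d+$', '') } -Descending |
    Select-Object -First 1
if (-not $latest) { throw "No platform directory found under $platformRoot" }

# MsMpEng.exe is assumed to be the antimalware service executable.
$engine = Join-Path $latest.FullName 'MsMpEng.exe'
if (-not (Test-Path $engine)) { throw "Engine not found at $engine" }

# Cross-check the folder against the platform version Defender itself reports.
$status = Get-MpComputerStatus
"Defender reports platform $($status.AMProductVersion); resolved folder $($latest.Name)"

# Update the rule in place if its program path is stale; create it if missing.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    $current = ($rule | Get-NetFirewallApplicationFilter).Program
    if ($current -ne $engine) {
        Set-NetFirewallRule -DisplayName $ruleName -Program $engine
        "Rule '$ruleName' updated: $current -> $engine"
    } else {
        "Rule '$ruleName' already points at $engine"
    }
} else {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
        -Program $engine -Action Allow -Profile Any | Out-Null
    "Rule '$ruleName' created for $engine"
}
```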
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes this is pretty bad stuff, that probably affects all big AVs. Let's hope they are only being used in targeted attacks, and not on us home users.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    I believe folks are misinterpreting WD's SmartScreen Network Protection feature. The following is the ref. for the below posted quotes: https://blogs.technet.microsoft.com...tack-surface-against-next-generation-malware/

    First up is what is this feature:
    Simply put, all outbound connection activity is being monitored; not just browser outbound activity.

    How is the filtering done:
    The cloud lookup statement needs a bit of explanation. Win 10 native SmartScreen always had this capability and it was triggered when an unknown process with the MOTW identifier attempted execution. The primary outbound network connection reputation determination is done using SmartScreen local device resident IP/URL blacklists which are updated on a periodic basis. To date, I have never seen any outbound connection activity from SmartScreen other than when checking reputation at process startup time. Below is a Winobj screen shot of these new WD SmartScreen Network Protection filters:

    WD_Network_Filter_Port.png

    Finally, this new SmartScreen Network Protection feature is browser independent and works if using a third party AV/IS solution. I will say this capability, if proven effective over time, is a "one up" over most third party IS firewall solutions. These solutions will allow all outbound connections by default and can only monitor outbound network traffic if outbound firewall monitoring is enabled. As anyone that has tried to do so can attest to, monitoring Win 10 outbound firewall traffic is a real "pain in the butt."

    -EDIT Third party AV/IS solutions do have web filters that include blacklist blocking of malicious URLs. Some also allow IP address notation. Most of these filters though only monitor Internet facing apps such as browsers, PDF readers, and e-mail clients.
     
    Last edited: Dec 9, 2017
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    There is also something strange going on with Windows Defender SmartScreen running on ver. 1709 I haven't been able to "get a handle on." With Process Explorer running, it periodically disappears from the active tasks display? At first I believed it was for some reason terminating and then restarting itself since when it reappears, it does so with a different PID. However with it not visibly running in PE, I started a test malware I have that I knew WD SmartScreen detected as malicious. Lo and behold, it did detect this malware indicating that somehow it was running but hidden from PE active process display status. :doubt:

    -EDIT- I did a test since WD SmartScreen was still running as an unprotected medium integrity process. I could still easily suspend it using PE but with some interesting results. Appears the internal ver. of it used by IE11 was unaffected. Also while it was in suspended status, I could no longer open PE. Nor could I open Task Manager, at least from the desktop toolbar. With some "finagling" I was able to access Task Manager and terminate WD SmartScreen. It immediately restarted itself. So the above described behavior might be by design to prevent malware from killing it off. There still might be issues when WD SmartScreen is suspended although it appears there is some internal defense mechanism to prevent processes from tampering with it while in a suspended state. Most interesting was no OS notification was received that it was in a suspended status.
     
    Last edited: Dec 9, 2017
  24. guest

    guest Guest

    yep noticed that.
     
  25. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    105
    I can confirm DLL blocking in SRP blocks the updating of Windows Defender. I had nothing logged as blocked so I suspect it is the general bugginess of the feature.

    I have now turned off the DLL blocking. Since the first Creators Update it has stopped Edge from running (which I don't use) and since the Autumn update it has also stopped Windows Defender from updating properly (which I am using).

    I am now trying Bouncer as a better alternative.
     