Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    482
    Slides and video from John Lambert's presentation "The New Paradigm of Security Controls" at BlueHat IL 2018 are available:

    Slides:
    Code:
    http://www.bluehatil.com/files/The%20New%20Paradigm%20of%20Security%20Controls.pdf
    Video:
    Code:
    https://youtu.be/OpTGFcJXL8g
    Fantastic deep dive into Microsoft's Machine Learning systems - using data to improve security.

    Crash reports revealing zero-days. Great insights into how valuable telemetry is to security. Finding the root cause and fixing it.

    The massive data pumps driving Office 365 ATP and Windows Defender Antivirus.
    Self-tuning, cross-checking and self-correcting Machine Learning in cloud at massive scale.

    Extremely impressive. :thumb:
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,904

    Sounds good. Just don't want my data included in their learning.
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    499
    Location:
    Member state of European Union
    There is no simple decision that Microsoft can make to satisfy everybody at this point. There can be and probably are programs developed for companies to do useful things leveraging this feature. Complete removal of this feature would break these programs. On the other hand leaving this feature "as is" is going to irritate people requiring security.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,904
    I absolutely agree. But then they shouldn't force their solution on people. Make it optional, and don't hide the options to the point of obscurity.
     
  5. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,482
    Whoops! So that registry hack is not relevant to this bypass, I completely misunderstood, sorry @Sampei Nihira !
    I ran that script and confirmed that test.docx was encrypted regardless of the registry setting.
    So the question: is there any way to disable that feature, or block this bypass other than blocking an executable or script first?
    Well, actually I don't care much. I still keep my belief that taking redundant backups (system and data) which are separated from each other will be enough protection against ransomware. Has the situation changed?
     
  6. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,482
    Agreed. Although I feel MS may be better than Google, still quite a lot of data will be sent even on the 'basic' telemetry setting. The problem is that not only do we not know what can be done with that data, but probably MS doesn't either, until some clever guy (either white hat or black) finds a way to abuse it. Not collecting PII and transparency is a good start, but never enough.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    9,194
    Location:
    Slovenia
    IMO it's enough if you want to restore data after encryption. It's not enough if you don't want bad guys to upload your data to their servers.
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,482
    Ah, I remember some malware that took porn photos hostage and scared the owner. Then I just hope my malware protection stops them and hope I don't do something stupid. Still, I may get infected through the supply chain... (sigh)
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,507
    Location:
    The Netherlands
    Yes, good point, didn't think about that. What I'm basically looking for is that processes cannot be modified, and that they can't modify other processes. So this means that DLL/code injection can be blocked completely. Windows should provide a way for this.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,444
    Location:
    U.S.A.
    Of note is that AppContainer does not prevent .dll injection into IE11 or Edge. It does prevent executable files from being run from the injected .dll. Additionally, this action is user controlled in that a pop-up will be generated whereby either "allow" or "deny" must be selected, which is problematic in itself.
    http://blog.jpcert.or.jp/2016/08/appcontainers-p-d296.html

    -EDIT- I also should add that .dll injection is much more difficult on Edge running Win 10 1709 due to WDEG. All .dlls must be MS code signed via the Code Integrity Guard mitigation. Whereas this mitigation could be enabled for IE11, it will in all likelihood bust your third-party AV .dll(s) injection, since most of those are not MS code signed. Ditto for Edge, although you can't disable AIG in Edge at the WDEG app level.
     
    Last edited: Feb 11, 2018
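    An added example, not from this thread or from Microsoft, that does the check the post above implies before turning on Code Integrity Guard for a browser: it lists every module loaded into the named process that does not carry a valid Microsoft signature, i.e. the DLLs (third-party AV hooks included) that the mitigation would block. The process name is a parameter; the `Set-ProcessMitigation` switch names at the end are the ones documented for the Windows 10 1709 cmdlet and should be verified on your build.

```powershell
# Added example: find non-Microsoft-signed DLLs in a running process (e.g. iexplore)
# so you know what Code Integrity Guard (CIG) would break before enforcing it.
# Run from an elevated prompt so all modules of the target process are visible.
param([string]$ProcessName = 'iexplore')

$procs = Get-Process -Name $ProcessName -ErrorAction Stop

$report = foreach ($p in $procs) {
    # Module enumeration can fail for a 32-bit process from 64-bit PowerShell; skip those.
    try { $modules = $p.Modules } catch { Write-Warning "PID $($p.Id): $_"; continue }
    foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Approximation of CIG's rule: valid signature (embedded or catalog) whose signer
        # is Microsoft. CIG itself decides on signing level, not on the subject string.
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
        if (-not $isMicrosoft) {
            [pscustomobject]@{
                Pid    = $p.Id
                Module = $m.ModuleName
                Path   = $m.FileName
                Status = $sig.Status
                Signer = $subject
            }
        }
    }
}

# One line per distinct DLL; an empty table means CIG can be enforced without breakage.
$report | Sort-Object Path -Unique | Format-Table -AutoSize

# Audit first (logs would-be blocks without enforcing), then enforce once the table is clean.
# Set-ProcessMitigation -Name "$ProcessName.exe" -Enable AuditMicrosoftSigned
# Set-ProcessMitigation -Name "$ProcessName.exe" -Enable MicrosoftSignedOnly
```

    Re-run the script after an AV update, since a vendor can change which of its modules it injects or how they are signed.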
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    64,258
    Location:
    Texas
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    5,961
    Windows Defender ATP support in Windows 7 and 8.1
    February 13, 2018
    https://www.ghacks.net/2018/02/13/windows-defender-atp-comes-to-windows-7-and-8-1/
     
  13. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    482
    How artificial intelligence stopped an Emotet outbreak
    More in the blog post here:
    https://cloudblogs.microsoft.com/mi...icial-intelligence-stopped-an-emotet-outbreak
     
    Last edited: Feb 14, 2018
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    10,507
    Location:
    The Netherlands
    Interesting link, but AppContainer will indeed not stop code injection; you need the "Protected Process" feature for this. But it will make it harder for exploits to succeed. Anyway, this thread is about Win Def, so I will stop talking about it.
     
  15. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,482
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,834
    Location:
    Among the gum trees
    @Martin_C ,

    Any idea why Network Protection has stopped working for some of us?
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,834
    Location:
    Among the gum trees
  18. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    977
    What kind of test did it fail? The URL Rep Demos?

    You need to use Edge for SmartScreen URL Reputation.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,834
    Location:
    Among the gum trees
    I used Edge.
     
  20. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    977
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,834
    Location:
    Among the gum trees
  22. bidd

    bidd Registered Member

    Joined:
    Jul 10, 2013
    Posts:
    140
    Location:
    Australia
    All tests were blocked/behaved as they were supposed to with the Edge browser and Defender for me, Krusty.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,444
    Location:
    U.S.A.
    Try the test using IE11. Make sure SmartScreen is enabled in it.

    There might be an issue with your Edge installation. Make sure SmartScreen is enabled in Edge.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    5,834
    Location:
    Among the gum trees
    A bit late for me to test now guys, as I'm in the process of cloning my original Win7 HDD to a SSD, just for fun. Can't wait to see if I can get that to work.

    I've never been very patient. :ninja:
     
  25. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    977
    I tested everything and everything was blocked; I posted only the exploit one (look at the address bar) just to show how it worked at my end.
     