Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Sampei Nihira

  2. Sampei Nihira

    Windows 10, version 1803 has five new Attack surface reduction rules:

    • Block executable files from running unless they meet a prevalence, age, or trusted list criteria
    • Use advanced protection against ransomware
    • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    • Block process creations originating from PSExec and WMI commands
    • Block untrusted and unsigned processes that run from USB
    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard

    Example:

    Set the rule "Block untrusted and unsigned processes that run from USB" with PowerShell:

    Set-MpPreference -AttackSurfaceReductionRules_Ids b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -AttackSurfaceReductionRules_Actions Enabled

    To insert other rules use the command below:

    Add-MpPreference

    Verify:

    Get-MpPreference

    The Set command will always overwrite the existing set of rules while the Add command adds to it without overwriting existing rules.


    :thumb::thumb::thumb::thumb:

    The rule "Block untrusted and unsigned processes that run from USB" in action:

    [attached screenshot: Immagine.jpg]

    ConfigureDefender is not signed.
     
    Last edited: May 7, 2018
  3. Djigi

  4. Sampei Nihira

    :thumb:;):)
     
  5. Sampei Nihira

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus

    Has anyone enabled e-mail scanning?

     
  6. anon

  7. Ford Prefect

    Running w10x64 1803 (17134.48).
    When trying to open defender UI or WDSC the wait cursor starts flashing and MsMpEng.exe is consuming a lot of memory.
    First observed after installing definitions 1.267.1203.0.

    Anyone else facing this issue?
     
    Last edited: May 11, 2018
  8. Rasheed187

    OK, my bad, I must have missed this, thanks. But it seems like a must-have feature for security tools, so if it's easy to implement for third parties, I doubt they won't do it.

    Quite clever attack.
     
  9. Martin_C

    Microsoft uses Windows Defender Antivirus to boost malware protection.
    Much more in blog post here : https://www.microsoft.com/itshowcas...efender-Antivirus-to-boost-malware-protection
     
  10. Martin_C

    AV-Comparatives has published the chart and report with their results for the April 2018 Real-World Protection Test:

    Testing is on Windows 10 1709 Fall Creators Update 64-bit.

    Chart : http://chart.av-comparatives.org/chart1.php?chart=chart2&year=2018&month=4&sort=1&zoom=3

    Full report : https://www.av-comparatives.org/wp-content/uploads/2018/05/avc_factsheet2018_04.pdf

    Microsoft doing very well. Zero malicious samples managed to compromise the test system.
    8 user-dependent samples and everything else auto-blocked.
    :thumb:
     
  11. Martin_C

    Video from Microsoft with a demonstration of how OneDrive Files Restore and Windows Defender take ransomware protection one step further:

    The video - Ransomware Protection with Windows Defender and OneDrive - is found here:
    Code:
    https://m.youtube.com/watch?v=QRb4bKUwoB8
    (link to blog post about this feature is posted here)

    Excellent integration between the products. :thumb:
     
  12. Minimalist

  13. Sudeepa Galahad

    Well, I've been using Windows 10 for the past 3 years and 8.1 for 2 years, and during my use of Windows 8.1 I had to use several antiviruses, mainly Avast, and then I came to know about Bitdefender. Bitdefender was a good antivirus, since it did not slow down my PC performance at all but was a powerful malware detector. It was free software; well, an update came during my use and thereafter I couldn't use it any more. Only then did I start to install Windows 10, which had the built-in Windows Defender. Initially it was not good, but the recent versions are much better: it can detect vast areas of malware, and the best thing is that it doesn't slow down the PC when it runs in the background. Hope it will grow well in the future.
     
  14. hstrent

    Question. Is the improvement in performance in Windows Defender AV applicable only to the Windows 10 environment, or would that also be as true for Windows 8.1? I know that Windows Defender in Windows 7 is an entirely different animal, being just a rebrand of Security Essentials, which was never very good. I have a client for whom I am reinstalling Windows 8.1 on an HP AIO. They had been using Kaspersky, but they don't have the product key anymore to be able to reinstall it. So I'm looking for something free and effective that doesn't nag.
     
    Last edited: May 16, 2018 at 11:54 AM
  15. Rasheed187

    Cool, but what about the SE Labs test where Win Def performed poorly together with Webroot? Do you have any comments on this?

    https://www.wilderssecurity.com/threads/se-labs-home-anti-malware-protection-q1-2018.403678/

    Cool, but it's time to put Win Def ATP to the test! I would like to see them participate in tests done by NSS Labs and MRG, for example.

    It's crap on Win 8.
     
  16. itman

    Notable point you bring up. NSS Labs specializes in Endpoint testing. As such, one would assume that at least Win 10 Pro would be employed as the host OS.

    Until WD ATP effectiveness can be verified through independent lab testing, Microsoft's statements about it amount to nothing more than marketing "hype."
     
  17. Martin_C

    Hi Rasheed,

    I see that you got responses from the usual drama-seeking crowd across several other threads.

    A friendly piece of advice: don't waste too much time on them. :rolleyes:
     
  18. Martin_C

    The latest MRG Effitas test has been published - the MRG Effitas 360 Degree Assessment & Certification Q1 2018.

    Microsoft doing very well.

    In the "Q1 2018 In the Wild 360 / Full Spectrum Test", Microsoft successfully auto-blocked 99.1% of malicious samples and additionally behavior-blocked 0.3%, bringing Microsoft's combined block rate to 99.4%.
    One additional sample was blocked within 24 hours.
    And only one single sample was missed.

    In the PUA test, 32 samples were tested.
    With 31 auto-blocks and 1 behavior-block, Microsoft blocked all test samples.

    Full report : https://www.mrg-effitas.com/wp-content/uploads/2018/05/MRG-Effitas-2018Q1-360-Assessment.pdf

    :thumb::thumb:
     
  19. Sampei Nihira

    @Martin_C

    The document date is now 05/17/2018:

    [attached screenshot: Immagine.jpg]

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction

    Why was the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" not deleted?

    https://www.wilderssecurity.com/threads/dll-injection-methods-test-apps-discussion.400434/page-5#post-2755832
     
    Last edited: May 21, 2018 at 6:26 AM
  20. Martin_C

    Hi Sampei Nihira,

    Yes, I know specific pages have been updated. That doesn't mean everything is fully updated.
    Microsoft Docs are huge. Tons of pages need updating, as you can see when looking through various sections.

    Rapid rolling releases like Windows 10 are great for developers but a nightmare for those doing the documentation.
    Tons of developers across every aspect of Windows are improving and changing existing code while also implementing new features.
    The Docs team can't be ahead of time, because features change frequently during insider builds.
    When a new branch is declared stable and released, the developers are already working full speed on features for the next series of insider builds for the next upcoming branch.

    Some features work differently on different SKUs.
    Some features are documented for everybody, some features only for partners and some only for internal use.
    And in an ideal world, all documentation should be fully updated every six months.

    Give them time. It's an insane amount of work keeping documentation of this size updated.
     
  21. Sampei Nihira

    Thanks for your explanation.:thumb:
     
  22. shmu26

    Windows 10 x64 1803
    The last couple of days I am getting lots of blocks from Windows Defender, all related to lsass.exe.

    For instance:
    Windows Defender Antivirus has blocked an operation that is not allowed by your IT administrator.
    For more information please contact your IT administrator.
    ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
    Detection time: 2018-05-21T15:27:25.803Z
    User: NT AUTHORITY\SYSTEM
    Path: C:\Windows\System32\lsass.exe
    Process Name: C:\Program Files\Macrium\Common\MacriumService.exe

    Signature Version: 1.267.1712.0
    Engine Version: 1.1.14901.4
    Product Version: 4.16.17656.18051

    I get similar blocks for VMware and other programs.

    Why is this happening, and what to do?
     
  23. Sampei Nihira

    You have the ASR rule active, and it seems to be working. :confused:

    The ID confirms it.

    This seems in contrast to what Martin_C writes.

    Help !!!

    P.S.

     
    Last edited: May 21, 2018 at 12:39 PM
  24. Martin_C

    It just means that the rule has now been activated by Microsoft.
    ASR changes are pushed out with signatures.

    So Docs was in fact spot on with the update. :thumb:
     
  25. Sampei Nihira

    I enabled the ASR rule with Powershell.
    Important.
    Exclusions do not apply to this rule.
     
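An added example, not code from the thread or from Microsoft, tying together Sampei Nihira's Set-MpPreference/Add-MpPreference instructions in post 2 and the lsass.exe block shmu26 reported in post 22: it enables both rules in audit mode first, reads the configuration back, and pulls the matching ASR events from the Defender operational log. The rule GUIDs are the ones quoted in the thread; the event IDs 1121/1122 and the action codes are Defender's documented values and are stated from my own knowledge, not from the thread.

```powershell
# Added example, not from the thread. Uses Add-MpPreference (additive) rather than
# Set-MpPreference (replaces the whole rule list), then verifies and looks for events.
# Run in an elevated PowerShell on Windows 10 1803 or later.

# Rule GUIDs quoted in the thread; the display names are comments for the reader.
$Rules = @{
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
}
# Action codes as returned by Get-MpPreference.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }

# Stage 1: AuditMode logs what the rule would block without blocking it, so legitimate
# lsass readers (backup agents, hypervisors, as in post 22) show up before enforcement.
foreach ($id in $Rules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Verify: Get-MpPreference exposes the rules as two parallel arrays (IDs and actions).
function Get-AsrRuleState {
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            Id     = $id
            Action = $ActionNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            Name   = $Rules[$id]   # $null for rules not listed in $Rules above
        }
    }
}
Get-AsrRuleState | Format-Table -AutoSize

# Detection: event 1121 = rule fired in block mode, 1122 = would have fired (audit mode).
# The message body carries the same ID / Path / Process Name fields as the notification in post 22.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fields = $_.Message -split "`n" | Where-Object { $_ -match '^\s*(ID|Path|Process Name):' }
        '{0} [{1}] {2}' -f $_.TimeCreated, $_.Id, (($fields | ForEach-Object { $_.Trim() }) -join '; ')
    }

# Stage 2: once the audit log shows only expected hits, switch a rule to block mode.
# Add-MpPreference -AttackSurfaceReductionRules_Ids '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' `
#                  -AttackSurfaceReductionRules_Actions Enabled
```

As post 25 notes, Defender exclusions do not apply to the lsass.exe rule, so the audit pass is the only way to learn which installed products read lsass.exe before the rule starts blocking them.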