Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    259
    Location:
    Wonderland
    This: "ConfigureDefender will alert if any of your changes have been blocked." To double-check it took your chosen settings. I always review them before I re-boot, Also,the UI is a little bit fidgety when making selections.
     
  2. clocks

    clocks Registered Member

    Joined:
    Aug 25, 2007
    Posts:
    2,745
    Ok, so the refresh thing isn't needed when changing settings?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    You can test the functionality of WD ASR rules here: https://demo.wd.microsoft.com/?ocid=cx-wddocs-testground

    My understanding is there is full ASR functionality on all Win 10 Pro+ versions. Such capability on the Home versions is suspect and really needs to be tested by someone.
     
  4. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,082
  5. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    520
    All ASR rules are available and fully functional on all SKUs and has been available ever since ASR was introduced with the 1709 branch. :)

    It's one of the additional WD features that users really ought to enable. :thumb:
     
  6. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    259
    Location:
    Wonderland
    Correct. And definitely.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,738
    Location:
    Canada
    I've enabled several ASR rules in Group Policy instead of using ConfigureDefender, and they seem to work as intended. One test, for example, from the site:

    resulted in it being blocked with the Event Viewer entry under Applications and Services Logs >> Microsoft >> Windows >> Windows Defender >> Operational:

    Code:
    Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
    
     For more information please contact your IT administrator.
    
     ID: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
    
     Detection time: 2019-09-06T22:36:33.307Z
    
     User: LENOVO-E580\MY USER ACCOUNT
    
     Path: C:\Users\MY USER ACCOUNT\Downloads\Block_Win32_imports_from_Macro_code_in_Office_92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B.docm
    
                    Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    
                    Security intelligence Version: 1.301.677.0
    
                    Engine Version: 1.1.16300.1
    
                    Product Version: 4.18.1907.4
    This is promising.
     
  8. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    300
    Location:
    Brooklyn, NY
    This is very good to know, that these rules can be implemented across the board Windows-wise. I used ghacks.net to configure several rules, one of which is to block (potentially) obfuscated scripts, another to impede VBS and JavaScript to launch executables. Wish AMTSO had the means to test some of these rules. If anyone knows where I can get a fake "obfuscated" script, please let me know. :)

    gpedit.PNG
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,738
    Location:
    Canada
    Another block on "Block Office apps from spawning child processes":

    Code:
    Windows Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
    
     For more information please contact your IT administrator.
    
                    ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
    
                    Detection time: 2019-09-06T22:02:33.109Z
    
                    User: LENOVO-E580\MY USER ACCOUNT
    
                    Path: F:\Downloads\TestFile_OfficeChildProcess_D4F940AB-401B-4EFC-AADC-AD5F3C50688A.docm
    
                    Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    
                    Security intelligence Version: 1.301.677.0
    
                    Engine Version: 1.1.16300.1
    
                    Product Version: 4.18.1907.4
    so I'm rather convinced these ASR rules work. Thank you to everyone who posted about this, with a special thank you going to @Azure Phoenix who compelled me to dig deeper into this feature.
     
  10. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    263
    Location:
    Island of Woman
    it works exept for the fact the gpo in home version is a huge pain since u can't manage rules like you would in a pro+ config, gpo manager can be enabled via some hacks though or else using an external manager (it is obvious that some protection will be missing since some features are prerogative of the pro version). Also at first glance these configuredenfender rules are very limited to the core and its redundant to check for changes in configure defender since u can set in 1903 "disallow any changes to wd", you would probably see if so tried to make changes (it would be cool if so tested its functionality and how it can be bypassed)
    so=someone

    some more WD rules to consider:
    1. Block executable files from running unless they meet a prevalence, age, or trusted list criteria: 01443614-cd74-433a-b99e-2ecdc07bfc25

    2. Use advanced protection against ransomware:
    c1db55ab-c21a-4637-bb3f-a12568109d35

    3. Block credential stealing from the Windows local security authority subsystem (lsass.exe):
    9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2

    4. Block process creations originating from PSExec and WMI commands:
    d1e49aac-8f56-4280-b9ba-993a6d77406c

    5. Block untrusted and unsigned processes that run from USB.
    b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4

    6. Block Adobe Reader from creating child processes.
    7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c

    and ofc u can prevent any process from creating child processes with the following rules:
    7. Set-ProcessMitigation -Name C:\Apps\evil.exe -Enable
    DEP, EmulateAtlThunks,
    DisallowChildProcessCreation

    I wonder how u can enable "prevent any changes to WD" via cmd-lets as this rule exist in the WD settings
     
    Last edited: Sep 7, 2019
  11. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,892
    At least some of them are working in Home, but there's not always a clear sign. In case of "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" rule, the sign was only that you cannot open an exe file until you see protection history to find what happened and temporarily disable the rule via Powershell. As is often the case w/ MS, poor UI.

    Also what is happening in the exploit protection is not always transparent. An app is apparently working, but some functionality are restricted yet not all of them may be recorded in event viewer. A few examples: strict CFI for Firefox caused a problem when printing with some drivers, strict CFI for Adobe Reader blocked in-file search, child process restriction for SumatraPDF caused inverse search in sync-TeX doesn't work, and some mitigation for spoolsv, spolwow64, and/or PrintIsolationHost blocked advanced dialog for printing. All of them will be no problem for those who know what you're doing, but will be problem for most others and this is why I don't apply any of them to others' PC (only exception was forcing ACG for MSEdge & EdgeCP when graphic driver was WDDM1.1).

    I also believe some Windows' processes should be whitelisted by default in Controlled Folder Access tho they may potentially be abused.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,738
    Location:
    Canada
    I'm using Win 10 Pro and have these rules set in Group Policy. The rule for blocking Block Execution of untrusted or unsigned executables inside removable USB media (B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4) seems not to be enforced by this value. The test file I downloaded (I had to temporarily exclude the download path in Windows Defender first) and attempted to launch from my USB drive was blocked by my SRP policy. No surprise so I temporarily disabled SRP and tried again. This time Smart screen blocked it. So I temporarily disabled smartscreen and tried again. The file launched with no warning from the ASR rule, so clearly it's not working as expected. Other rules as I mentioned above are working fine so not all is meaningless with these rules. Still, I get the feeling Enterprise E5, as noted by Microsoft, is likely the most reliable way of utilizing ASR policies.
     
    Last edited by a moderator: Sep 7, 2019
  13. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    263
    Location:
    Island of Woman
    thats sad, usb malware (ie worms) is what worries me the most, Microsoft should do something about it, especially against bad usb type of attacks
     
    Last edited: Sep 7, 2019
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,738
    Location:
    Canada
    It's not all that bad. SRP stopped it, and when I disabled that, Smartscreen stopped it. Also Windows Defender AV prevented the download until I excluded the download path. I also have autoplay disabled for all drives in Group Policy. There are lots of ways to defend against USB malware.

    Edit

    my apologies to the mods for my post #2462. The post didn't seem to have any enabled link in it before I posted. I've been aware of that lately. I guess I missed it.
     
    Last edited: Sep 7, 2019
  15. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    263
    Location:
    Island of Woman
    I know about those but a powershell rule should work as expected, unless that malicious file was considered trusted and signed

    all seams great but there are thousand of articles on how a newly feature can be bypassed (revolving around WD)
    in my experience against real attacks WD was weak (disregard its just my opinion, some malware samples were not fully stopped like vbs malware, and it was a dangerous and effective site not bs for testing purposes, those bad bad ppl owned me if not for the VM)

    also alot of confusion around versions, windows ATP works only on:
    Windows 10 Enterprise E5
    Windows 10 Education E5
    Microsoft 365 E5

    Windows Defender Application Guard (isolates browser sessions from the local device by running those sessions in a VM)
    only on:
    64-bit version of Windows 10 Enterprise, Education, or Professional.

    so proper OP title should be
    "Windows Defender for Enterprise E5 Is Becoming the Powerful Antivirus That Windows 10 Needs"
    to that, I agree
     
    Last edited: Sep 7, 2019
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,366
    Location:
    Among the gum trees
    Tried the same test on another machine and this time (after disabling two extensions) WD did block the test site. Not sure why it didn't work on my first machine but it is running another AV for now (for reasons not related to this test).
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    Suspect this:
    Is condition upon this:
    That is; "untrusted or unsigned executables."
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,738
    Location:
    Canada
    I'm not sure. I would have expected the ASR rule to block the executable from the USB drive after I disabled Smartscreen in Group Policy. After each GP edit, I run from elevated command: gpupdate /force

    The Microsoft link I posted in #2437 clearly states that ASR rules can only be used in Enterprise E3 & E5, but I've had success with several of them working in Pro and others in this thread are successful with Andy Ful's ConfigureDefender utility on Home versions.
     
    Last edited: Sep 7, 2019
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    Process trust status has always been determined by SmartScreen. The problem with native SmartScreen processing in Win 10 is it is conditioned upon "mark of the web" status; i.e. process was previously downloaded from the Internet. Since executable's stored on a USB drive would in all likelihood would not have MOTW present, these zipped past default SmartScreen checking. All this ASR mitigation is doing is basically telling SmartScreen to scan all execs on the drive at execution time regardless of MOTW status.
     
    Last edited: Sep 8, 2019
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    One other thing about native SmartScreen. I certainly wouldn't rely on it as detecting anything in regards to malware. Running as a medium integrity process, it can be easily suspended by malware. If you have doubts about this, open Process Explorer and do likewise. Windows will auto un-suspended it after a while, but malware would already be running by that time.
     
    Last edited: Sep 8, 2019
  21. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,407
    Location:
    USA
    Yes, I'm pretty sure this mark is only tagged on NTFS drives. I just downloaded a file directly to a FAT32 formatted flash drive for a test to make sure that is still the case and it was not marked.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,738
    Location:
    Canada
    Thank you @itman for clarifying how smartscreen factors into the ASR rule for blocking untrusted/unsigned executables from USB drives.

    Smartscreen's purpose, the way I understand it, is too warn the end user of potentially harmful websites they are attempting to visit or to warn against the downloading of potentially harmful files or apps. It's not meant to be a safeguard after malware is already "live" on the device.

    Anyway, I do not rely on Smartscreen as my main defense arsenal on my device. Not even close. SRP, OSArmor, my software firewall, hardened browser, LUA with UAC and Windows Defender, including the ASR rules that I know work, form my main security setup. Of course recent images of the entire O/S is the safety net if something does compromise me.
     
  23. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,892
    At least "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" (01443614-cd74-433a-2ecdc07bfc25) seems to work independently to execution once evoked (tho the first attempt to execute will be required to evoke the rule), because when it's working you can't even view the file property with right click. You just get the you-can't-open-the-file dialogue. It is also independent from WD's exclusion ofc. Indeed, once evoked you can't even add the file to exclusion until the rule is disabled.
     
    Last edited: Sep 8, 2019
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,857
    Location:
    U.S.A.
    Do you know how this works? It did catch my interest a while back.

    Do you have to build a whitelist for it? How does it determine what is a trusted process? Ditto for age and prevalence. Is it using SmartScreen to determine all the aforementioned?

    -EDIT- This pretty much explains how it is done:
    https://github.com/MicrosoftDocs/windows-itpro-docs/issues/1593#issuecomment-443309686

    Now the question is where is this MS cloud update coming from? I can see no problems with WD ATP. But with plain WD, I am suspicious that an internal trust list even exists or this cloud updating is occuring.
     
    Last edited: Sep 8, 2019
  25. plat1098

    plat1098 Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    300
    Location:
    Brooklyn, NY
    Anyone noticing the "quick scan" is taking a much longer time to complete? It was taking 30 seconds up to maybe a minute; just now, it took 6 minutes 46 seconds for 32,853 items. Haven't cleared the cache either.

    Have been noticing an increased scan duration over the past couple of days. There are no other processes running in the background, not even a browser open.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.