ConfigureDefender utility for Windows 10/11

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
notabot said:
Isn't machine learning part of ATP only ?
Click to expand...
No, Machine Learning models are also a part of WD default protection. The local ML models are updated via WD updates. From Microsoft documentation, it follows that it should be the same for Windows Home, Pro, and E3. The E5 edition has some additional AI protection ("Advanced machine learning and AI based protection for apex level viruses and malware threats"). Furthermore, E5 editions can use "Behavioral-based detection for advanced and targeted attacks (post-breach)".
 
  • Like
Reactions: ForgottenSeer 85179, woodrowbone, simmerskool and 3 others
N

notabot

Level 15
Verified
Oct 31, 2018
703
oldschool said:
Microsoft's foggy technical literature make it difficult to determine exactly which features of ATP make it into WD. @Nightwalker posted this @ Wilders: Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV - Microsoft Security
Click to expand...

Thanks, this was actually a very interesting read. It almost sounds like enterprise grade WD is almost as good with fileless as consumer antimalware are with normal/non-fileless malware. It's just that these techniques haven't yet percolated down to consumer-grade products and remains in enterprise realm, even the article near the bottom for consumer suggests Windows-S is the way to go, with only microsoft (counter)signed binaries, no scripting engines etc.

Oh well, in a few years time consumer products will have these techniques too and then fileless will be less scary than it is today.
 
  • Like
Reactions: oldschool
oldschool

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
Andy Ful said:
No, Machine Learning models are also a part of WD default protection. The local ML models are updated via WD updates. From Microsoft documentation, it follows that it should be the same for Windows Home, Pro, and E3. The E5 edition has some additional AI protection ("Advanced machine learning and AI based protection for apex level viruses and malware threats"). Furthermore, E5 editions can use "Behavioral-based detection for advanced and targeted attacks (post-breach)".
Click to expand...

And Enterprise has cloud or sandbox detonation of suspicious files, not mentioned in that reference, if I remember correctly.
 
Last edited:
  • Like
Reactions: stefanos, simmerskool, harlan4096 and 2 others
N

notabot

Level 15
Verified
Oct 31, 2018
703
Andy Ful said:
No, Machine Learning models are also a part of WD default protection. The local ML models are updated via WD updates. From Microsoft documentation, it follows that it should be the same for Windows Home, Pro, and E3. The E5 edition has some additional AI protection ("Advanced machine learning and AI based protection for apex level viruses and malware threats"). Furthermore, E5 editions can use "Behavioral-based detection for advanced and targeted attacks (post-breach)".
Click to expand...

Thanks @Andy Ful ! That's actually great, though it's not clear from MS' document if the models for home/pro are sufficient to stop most fileless or the "advanced ML" is what's needed. Still good news, I guess a few days after something hits enterprises home uses receive a trained model to catch it, so as long as it's not innovative 0day malware, home users should be ok.
 
  • Like
Reactions: Andy Ful and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
oldschool said:
Microsoft's foggy technical literature make it difficult to determine exactly which features of ATP make it into WD. @Nightwalker posted this @ Wilders: Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV - Microsoft Security
Click to expand...
This one and many more articles are related to the full WD ATP used in Windows E5 editions. Some features like AMSI ML models are included in default WD protection.

oldschool said:
And Enterprise has cloud or sandbox detonation of suspicious files, not mentioned in that reference, if I remember correctly.
Click to expand...
It is available for Windows E5.

Post edited.

notabot said:
Thanks @Andy Ful ! That's actually great, though it's not clear from MS' document if the models for home/pro are sufficient to stop most fileless or the "advanced ML" is what's needed.
...
Click to expand...
The ML models + ASR are available for Windows Home. They are sufficient to stop most fileless malware based on Windows scripts (PowerShell, Windows Scripts Host, VBA macros).
 
  • Like
Reactions: simmerskool, harlan4096 and oldschool
N

notabot

Level 15
Verified
Oct 31, 2018
703
Andy Ful said:
It is mentioned and available for Windows E5.
Click to expand...

Shame that E5 costs so much, even E3 which effectively just an MDM service is not reasonably priced for personal use. The biggest hole in MS' defender at the moment is probably the lack of a web dashboard to manage all family computers at group policy level

Andy Ful said:
The ML models + ASR are available for Windows Home. They are sufficient to stop most fileless malware based on Windows scripts (PowerShell, Windows Scripts Host, VBA macros).
Click to expand...

To put a benchmark on how effective the models are for home users, do you know if the ML models for home would had blocked Astaroth when it was fresh ( ie before models had been trained with Astharoth in their training set )
 
  • Like
Reactions: oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
notabot said:
To put a benchmark on how effective the models are for home users, do you know if the ML models for home would had blocked Astaroth when it was fresh ( ie before models had been trained with Astharoth in their training set )
Click to expand...
From the below infection chain it follows that it should be detected by behavior-based and AMSI ML models. These models are trained and optimized on the very large sample of malware before they are included in WD. Many malware samples use similar infection chains.

Astaroth.png


Please note, that the above picture is related to preventing the infection - not to detecting the final Astaroth payload, which is reflectively injected as DLL.
 
Last edited:
  • Like
Reactions: simmerskool, harlan4096, notabot and 1 other person
Nightwalker

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
@oldschool @Andy Ful

I really dont know why Windows Defender is a target of so much hate and biased remarks:

www.wilderssecurity.com

Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

I'm afraid you're misunderstanding. I'm talking about a scenario where you allow the malware to run because you trust it, and AV keeps quit. If you...
www.wilderssecurity.com www.wilderssecurity.com

I guess some people need to justify their financial and emotional efforts in third party security solutions.
 
  • Like
  • +Reputation
Reactions: Gandalf_The_Grey, harlan4096, oldschool and 4 others
N

notabot

Level 15
Verified
Oct 31, 2018
703
Andy Ful said:
From the below infection chain it follows that it should be detected by behavior-based and AMSI ML models. These models are trained and optimized on the very large sample of malware before they are included in WD. Many malware samples use similar infection chains.

View attachment 225219

Please note, that the above picture is related to preventing the infection - not to detecting the final Astaroth payload, which is reflectively injected as DLL.
Click to expand...

But were these the ML models for home/pro (*) or the "advanced ML" ones which are used in E5.

(*) referring to the time when Astaroth was a 0day, a few days later I'd expect home/pro to detect it as well
 
  • Like
Reactions: oldschool and Andy Ful
N

notabot

Level 15
Verified
Oct 31, 2018
703
Nightwalker said:
@oldschool @Andy Ful

I really dont know why Windows Defender is a target of so much hate and biased remarks:

www.wilderssecurity.com

Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

I'm afraid you're misunderstanding. I'm talking about a scenario where you allow the malware to run because you trust it, and AV keeps quit. If you...
www.wilderssecurity.com www.wilderssecurity.com

I guess some people need to justify their financial and emotional efforts in third party security solutions.
Click to expand...

+people love dissing Microsoft, even after 20 years since it was the old powerful Borg empire and massive org changes, people still hold a grudge

Edit: it doesn't look like Exploit Guard was used on that test, to be fair with the Wilders poster, the WD result would had been worrying if Exploit Guard was on though.
 
Last edited:
  • Like
Reactions: oldschool, Andy Ful and Nightwalker
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Nightwalker said:
@oldschool @Andy Ful

I really dont know why Windows Defender is a target of so much hate and biased remarks:

www.wilderssecurity.com

Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

I'm afraid you're misunderstanding. I'm talking about a scenario where you allow the malware to run because you trust it, and AV keeps quit. If you...
www.wilderssecurity.com www.wilderssecurity.com

I guess some people need to justify their financial and emotional efforts in third party security solutions.
Click to expand...
People just like to theorize but do not bother to read carefully the test methodology.(n)

notabot said:
But were these the ML models for home/pro (*) or the "advanced ML" ones which are used in E5.

(*) referring to the time when Astaroth was a 0day, a few days later I'd expect home/pro to detect it as well
Click to expand...
I do not think that the Astaroth infection chain (points 1-4) is an apex malware infection chain (these points are pretty common).
So, yes - these ML models should be included in Windows Home, Pro, and E3.
 
  • Like
Reactions: harlan4096, oldschool, simmerskool and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
There is no doubt that WD uses pre-execution behavior monitoring/blocking. It can be seen when WD blocks execution for 10s (up to 60s, depending on settings) and analyses the file in the cloud. After this, the file execution can be:
  1. blocked,
  2. allowed,
  3. allowed and blocked after several seconds/minutes.
There is a question on how effective are ML models without an Internet connection and if it can depend on WD settings.
 
  • Like
  • +Reputation
Reactions: simmerskool, oldschool, notabot and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Here are some examples of ML behavior-based detections on Windows Pro (default, high or max ConfigureDefender settings):
 
Last edited:
  • Like
Reactions: SeriousHoax, simmerskool, oldschool and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
SeriousHoax said:
What's the difference between selecting "Warn" for SmartScreen from WSC and from Configure Defender? I haven't seen SmartScreen in action when "Warn" is selected from WSC.
Click to expand...
Any SmartScreen settings in WSC or ConfigureDefender (except Disabled setting) have no influence to SmartScreen check.
The "Warn" setting simply allows the user to run the application.
The "Block" setting does not allow the user to run the application.
The "User" setting in ConfigureDefender applies the setting from WSC
The "Warn" and "Block" settings in ConfigureDefender forces WSC to apply these settings and they cannot be changed by the user from WSC.

If you do not see the SmartScreen alert then there are some possibilities, for example:
  1. SmartScreen is Disabled.
  2. The file extension is ignored by design - SmartScreen is triggered only for some executables, like EXE, MSI, COM, SCR, BAT, JSE, VBE, etc.
  3. The file has not MOTW attached.
It is easy to check (before execution) if the file has MOTW:

MOTW.png


Without MOTW, the Unblock option is absent. The MOTW is skipped for files stored on flash drives or unpacked by many unpackers.
 
  • Like
Reactions: simmerskool, SeriousHoax, oldschool and 3 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,091
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,414
Hard_Configurator Tools
South Park
South Park
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,227
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top