Andy Ful

Level 48
Verified
Trusted
Content Creator
Isn't machine learning part of ATP only ?
No, Machine Learning models are also a part of WD default protection. The local ML models are updated via WD updates. From Microsoft documentation, it follows that it should be the same for Windows Home, Pro, and E3. The E5 edition has some additional AI protection ("Advanced machine learning and AI based protection for apex level viruses and malware threats"). Furthermore, E5 editions can use "Behavioral-based detection for advanced and targeted attacks (post-breach)".
 

notabot

Level 11
Microsoft's foggy technical literature make it difficult to determine exactly which features of ATP make it into WD. @Nightwalker posted this @ Wilders: Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV - Microsoft Security
Thanks, this was actually a very interesting read. It almost sounds like enterprise-grade WD is almost as good with fileless malware as consumer anti-malware is with normal, non-fileless malware. It's just that these techniques haven't yet percolated down to consumer-grade products and remain in the enterprise realm; even the article, near the bottom, suggests Windows-S is the way to go for consumers, with only Microsoft (counter)signed binaries, no scripting engines, etc.

Oh well, in a few years time consumer products will have these techniques too and then fileless will be less scary than it is today.
 
Reactions: oldschool

oldschool

Level 35
Verified
No, Machine Learning models are also a part of WD default protection. The local ML models are updated via WD updates. From Microsoft documentation, it follows that it should be the same for Windows Home, Pro, and E3. The E5 edition has some additional AI protection ("Advanced machine learning and AI based protection for apex level viruses and malware threats"). Furthermore, E5 editions can use "Behavioral-based detection for advanced and targeted attacks (post-breach)".
And Enterprise has cloud or sandbox detonation of suspicious files, not mentioned in that reference, if I remember correctly.
 

notabot

Level 11
No, Machine Learning models are also a part of WD default protection. The local ML models are updated via WD updates. From Microsoft documentation, it follows that it should be the same for Windows Home, Pro, and E3. The E5 edition has some additional AI protection ("Advanced machine learning and AI based protection for apex level viruses and malware threats"). Furthermore, E5 editions can use "Behavioral-based detection for advanced and targeted attacks (post-breach)".
Thanks @Andy Ful! That's actually great, though it's not clear from MS' document whether the models for Home/Pro are sufficient to stop most fileless malware or whether the "advanced ML" is what's needed. Still good news; I guess a few days after something hits enterprises, home users receive a trained model to catch it, so as long as it's not innovative 0-day malware, home users should be OK.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Microsoft's foggy technical literature make it difficult to determine exactly which features of ATP make it into WD. @Nightwalker posted this @ Wilders: Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV - Microsoft Security
This one and many more articles are related to the full WD ATP used in Windows E5 editions. Some features like AMSI ML models are included in default WD protection.

And Enterprise has cloud or sandbox detonation of suspicious files, not mentioned in that reference, if I remember correctly.
It is available for Windows E5.

Post edited.

Thanks @Andy Ful ! That's actually great, though it's not clear from MS' document if the models for home/pro are sufficient to stop most fileless or the "advanced ML" is what's needed.
...
The ML models + ASR are available for Windows Home. They are sufficient to stop most fileless malware based on Windows scripts (PowerShell, Windows Scripts Host, VBA macros).
 
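As an added example (not from the thread), the following shows how to turn on the ASR rules that target exactly the script-based chains named above (Office spawning a script host, obfuscated scripts, JS/VBS launching downloaded executables) on a Home or Pro machine, where there is no Group Policy editor but the Defender cmdlets still work from an elevated PowerShell. The rule GUIDs are the ones Microsoft publishes in its ASR documentation; check them against the current docs before relying on them.

```powershell
# Added example, not from the original post: configure ASR rules on Windows Home/Pro
# via the Defender cmdlets. Rule GUIDs are taken from Microsoft's ASR documentation;
# verify them against the current docs before use.

#Requires -RunAsAdministrator

$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

# Start in AuditMode: matches are logged but nothing is blocked, so legitimate
# workflows that would break can be found before switching to Enabled.
foreach ($Id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Show the effective state of every configured rule
# (0 = Disabled, 1 = Enabled, 2 = AuditMode). Hashtable keys are case-insensitive,
# so the lower-case GUIDs returned by Get-MpPreference still resolve to a name.
$Pref = Get-MpPreference
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $Id = $Pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{
        RuleId = $Id
        Action = $Pref.AttackSurfaceReductionRules_Actions[$i]
        Name   = $AsrRules[$Id]
    }
}

# Review what the rules matched: event 1121 = blocked, 1122 = audited.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Once the audit log shows only expected hits, switch the same rules to Enabled:
# foreach ($Id in $AsrRules.Keys) {
#     Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions Enabled
# }
```

Running the rules in audit mode first matters on a family machine: the "Office child processes" rule in particular will flag add-ins and installers that legitimately spawn processes, and the 1122 events are the only way to see that before users start hitting blocks.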

notabot

Level 11
It is mentioned and available for Windows E5.
Shame that E5 costs so much; even E3, which is effectively just an MDM service, is not reasonably priced for personal use. The biggest hole in MS' Defender at the moment is probably the lack of a web dashboard to manage all family computers at group-policy level.

The ML models + ASR are available for Windows Home. They are sufficient to stop most fileless malware based on Windows scripts (PowerShell, Windows Scripts Host, VBA macros).
To put a benchmark on how effective the models are for home users, do you know if the ML models for Home would have blocked Astaroth when it was fresh (i.e. before the models had been trained with Astaroth in their training set)?
 
Reactions: oldschool

Andy Ful

Level 48
Verified
Trusted
Content Creator
To put a benchmark on how effective the models are for home users, do you know if the ML models for Home would have blocked Astaroth when it was fresh (i.e. before the models had been trained with Astaroth in their training set)?
From the below infection chain it follows that it should be detected by behavior-based and AMSI ML models. These models are trained and optimized on the very large sample of malware before they are included in WD. Many malware samples use similar infection chains.

Astaroth.png


Please note, that the above picture is related to preventing the infection - not to detecting the final Astaroth payload, which is reflectively injected as DLL.
 

Nightwalker

Level 17
Verified
Content Creator
@oldschool @Andy Ful

I really don't know why Windows Defender is a target of so much hate and biased remarks:


I guess some people need to justify their financial and emotional efforts in third party security solutions.
 

notabot

Level 11
From the below infection chain it follows that it should be detected by behavior-based and AMSI ML models. These models are trained and optimized on the very large sample of malware before they are included in WD. Many malware samples use similar infection chains.

View attachment 225219

Please note, that the above picture is related to preventing the infection - not to detecting the final Astaroth payload, which is reflectively injected as DLL.
But were these the ML models for Home/Pro (*) or the "advanced ML" ones which are used in E5?

(*) referring to the time when Astaroth was a 0day, a few days later I'd expect home/pro to detect it as well
 

notabot

Level 11
@oldschool @Andy Ful

I really don't know why Windows Defender is a target of so much hate and biased remarks:


I guess some people need to justify their financial and emotional efforts in third party security solutions.
+people love dissing Microsoft, even after 20 years since it was the old powerful Borg empire and massive org changes, people still hold a grudge

Edit: it doesn't look like Exploit Guard was used in that test. To be fair to the Wilders poster, the WD result would have been worrying if Exploit Guard had been on, though.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
@oldschool @Andy Ful

I really dont know why Windows Defender is a target of so much hate and biased remarks:


I guess some people need to justify their financial and emotional efforts in third party security solutions.
People just like to theorize but do not bother to read the test methodology carefully.

But were these the ML models for Home/Pro (*) or the "advanced ML" ones which are used in E5?

(*) referring to the time when Astaroth was a 0day, a few days later I'd expect home/pro to detect it as well
I do not think that the Astaroth infection chain (points 1-4) is an apex malware infection chain (these points are pretty common).
So, yes - these ML models should be included in Windows Home, Pro, and E3.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
There is no doubt that WD uses pre-execution behavior monitoring/blocking. It can be seen when WD blocks execution for 10s (up to 60s, depending on settings) and analyses the file in the cloud. After this, the file execution can be:
  1. blocked,
  2. allowed,
  3. allowed and blocked after several seconds/minutes.
There is a question of how effective the ML models are without an Internet connection, and whether that can depend on WD settings.
 
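The hold-and-analyse behaviour described above (block at first sight) and its timeout are driven by a handful of Defender preferences. As an added example, not code from the post, the following reads those settings, tightens them, and shows the local engine and signature versions that carry the client-side ML models when the cloud is unreachable. It uses only the documented `Get-MpPreference`, `Set-MpPreference`, `Get-MpComputerStatus` and `Get-MpThreat` cmdlets and must be run from an elevated PowerShell.

```powershell
# Added example, not from the original post: inspect and set the cloud-delivered
# protection settings that decide how long Defender holds a never-before-seen file
# while the cloud verdict is pending.

#Requires -RunAsAdministrator

function Get-CloudProtectionState {
    # Returns the settings that govern the "block at first sight" hold.
    $p = Get-MpPreference
    [pscustomobject]@{
        MAPSReporting           = $p.MAPSReporting           # 0 Disabled, 1 Basic, 2 Advanced
        SubmitSamplesConsent    = $p.SubmitSamplesConsent    # 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
        CloudBlockLevel         = $p.CloudBlockLevel         # 0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance
        CloudExtendedTimeout    = $p.CloudExtendedTimeout    # extra seconds (0-50) added to the default 10 s hold
        DisableBlockAtFirstSeen = $p.DisableBlockAtFirstSeen # $true turns the hold off entirely
    }
}

'Before:'
Get-CloudProtectionState

# Tighten. Block at first sight only works with MAPS enabled and sample submission
# allowed; CloudExtendedTimeout is what stretches the 10 s hold toward the 60 s maximum.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
Set-MpPreference -DisableBlockAtFirstSeen $false
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50

'After:'
Get-CloudProtectionState

# What is left when the machine is offline: the engine, platform and signature
# versions below are the packages that ship the local (client-side) ML models.
Get-MpComputerStatus |
    Select-Object AMEngineVersion, AMProductVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# Detection history. Names ending in "!ml" were produced by the local ML models
# rather than by a classic signature, which is a quick way to see them working.
Get-MpThreat | Select-Object ThreatName, SeverityID, DidThreatExecute
```

Raising `CloudBlockLevel` above `High` increases false positives on rarely seen but legitimate binaries (in-house tools, niche installers), so `High` plus the extended timeout is the usual sweet spot for a home machine; `HighPlus` and `ZeroTolerance` are meant for locked-down hosts where an occasional blocked installer is acceptable.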

Andy Ful

Level 48
Verified
Trusted
Content Creator
What's the difference between selecting "Warn" for SmartScreen from WSC and from Configure Defender? I haven't seen SmartScreen in action when "Warn" is selected from WSC.
Any SmartScreen setting in WSC or ConfigureDefender (except the Disabled setting) has no influence on the SmartScreen check itself.
The "Warn" setting simply allows the user to run the application.
The "Block" setting does not allow the user to run the application.
The "User" setting in ConfigureDefender applies the setting from WSC.
The "Warn" and "Block" settings in ConfigureDefender force WSC to apply these settings, and they cannot be changed by the user from WSC.

If you do not see the SmartScreen alert then there are some possibilities, for example:
  1. SmartScreen is Disabled.
  2. The file extension is ignored by design - SmartScreen is triggered only for some executables, like EXE, MSI, COM, SCR, BAT, JSE, VBE, etc.
  3. The file does not have MOTW attached.
It is easy to check (before execution) if the file has MOTW:

MOTW.png


Without MOTW, the Unblock option is absent. The MOTW is skipped for files stored on flash drives or unpacked by many unpackers.
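The Properties-dialog check above can be scripted. As an added example (not code from the post), the function below reads the Mark-of-the-Web directly: MOTW is the `Zone.Identifier` NTFS alternate data stream, so a file without that stream gets no SmartScreen check and shows no Unblock option. The download path is an assumption; point it at any file you have just downloaded.

```powershell
# Added example, not from the original post: inspect, remove and re-attach the
# Mark-of-the-Web (the Zone.Identifier alternate data stream) that SmartScreen keys on.

function Test-Motw {
    param([Parameter(Mandatory)][string]$Path)

    # -Stream reads an NTFS alternate data stream; no stream means no MOTW.
    $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $content) {
        return [pscustomobject]@{ Path = $Path; HasMotw = $false; ZoneId = $null; HostUrl = $null }
    }

    # ZoneId: 0 MyComputer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
    # Newer browsers also record HostUrl/ReferrerUrl, i.e. where the file came from.
    $zoneId = $null; $hostUrl = $null
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
        if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; HasMotw = $true; ZoneId = $zoneId; HostUrl = $hostUrl }
}

# Assumed path: any freshly downloaded file.
$Path = "$env:USERPROFILE\Downloads\setup.exe"
Test-Motw -Path $Path

# Everything in Downloads that lacks MOTW and therefore will not be SmartScreen-checked
# on launch. Typical causes: an archiver that does not propagate the stream, or a copy
# from a FAT32/exFAT flash drive, which cannot store alternate data streams at all.
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File |
    ForEach-Object { Test-Motw -Path $_.FullName } |
    Where-Object { -not $_.HasMotw } |
    Select-Object Path

# Same effect as the Unblock checkbox: deletes the stream, so SmartScreen is skipped next time.
# Unblock-File -LiteralPath $Path

# Re-attach MOTW to a file that lost it, so SmartScreen (and Office Protected View)
# treat it as Internet-sourced again.
# Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
```

The re-attach line is the practical answer to the last point above: a file pulled off a flash drive or out of an archive that dropped the stream can be handed back to SmartScreen simply by writing `ZoneId=3` into `Zone.Identifier` before running it.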