Freki123

Level 8
Verified
It's confusing to understand if they have fixed the WD engine being able to download malware files or not!
If it's about the news from about last week, read the follow-up. (If not, I understood you totally wrong, sorry :D)

Quote: "However, it was later discovered that Windows Defender will still detect malicious file downloads and the tool can't be used to escalate privileges, which means this new feature is not a security threat."

 

Andy Ful

Level 63
Verified
Trusted
Content Creator
@Andy Ful I did find the latest WD engine version, but the changelog isn't detailed: Manage Microsoft Defender Antivirus updates and apply baselines - Windows security
It's confusing to understand if they have fixed the WD engine being able to download malware files or not!
From what I know, Microsoft does not recognize it as a vulnerability and will probably do nothing.
MpCmdRun.exe is not a WD engine. It is an administrative command-line tool to automate some WD tasks.
  1. This tool is in the Windows system independently of the installed AV, so the issue is not related to WD but to all AVs (and all security solutions).
  2. You can use it in the current version to download any file, but this file will be checked by the installed AV.
  3. MpCmdRun.exe is a kind of LOLBin and there are many LOLBins in Windows that can do the same or more - Microsoft does not recognize them as vulnerabilities either.
Anyway, in my opinion, adding another LOLBin to the tens of already existing LOLBins is stupid. Furthermore, it would be easy for MS to check if the downloaded file is an update, to remove the LOLBin feature.
 

Vasudev

Level 30
Verified
From what I know, Microsoft does not recognize it as a vulnerability and will probably do nothing.
MpCmdRun.exe is not a WD engine. It is an administrative command-line tool to automate some WD tasks.
  1. This tool is in the Windows system independently of the installed AV, so the issue is not related to WD but to all AVs (and all security solutions).
  2. You can use it in the current version to download any file, but this file will be checked by the installed AV.
  3. MpCmdRun.exe is a kind of LOLBin and there are many LOLBins in Windows that can do the same or more - Microsoft does not recognize them as vulnerabilities either.
Anyway, in my opinion, adding another LOLBin to the tens of already existing LOLBins is stupid. Furthermore, it would be easy for MS to check if the downloaded file is an update, to remove the LOLBin feature.
Hmm... Thanks.
Meaning even with 3rd-party AVs, malware can be downloaded, aka safe files that can tweak some files/folders here and there.
 

Kaze

New Member
Hi,

I just recently switched to Windows Defender + H_C from BTS since it has expired.
I did a full scan and allowed some of the threats which are for PC troubleshooting.

May I know when the threat is allowed, is it ignoring the specific file only or it is ignoring the threat totally?


Thanks!
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
...
I did a full scan and allowed some of the threats which are for PC troubleshooting.

May I know when the threat is allowed, is it ignoring the specific file only or it is ignoring the threat totally?


Thanks!
If you allowed files after a full scan (quick scan or custom scan), then they will be allowed to run. If they try to execute other threats, then for those other threats WD will work as usual.
WD works in such cases just like most AVs do.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
ASR exclusions.
...
There is one ASR rule (e.g. "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25) which highly depends on the cloud backend.
This rule is a valuable additional protection against malicious executables (EXE, SCR, DLL, etc.), but can produce false positives for unpopular applications. In such a case, WD blocks access to the executable so it cannot be executed, copied, or uploaded. This can be annoying because (rarely) some applications can be blocked for several days. Furthermore, after disabling this ASR rule and installing the application, it will usually be blocked again after re-enabling the rule.

So, what to do?
1. One can disable this rule (like in ConfigureDefender HIGH Protection Level).
2. One can temporarily disable the rule, install (or update) an application, and add the ASR exclusion for the application folder.
...

Unfortunately, changing the settings for this ASR rule in the sequence ON ---> Disabled ---> ON requires a reboot to fully apply the ON setting again, and after that the file is still blocked by WD.
I found out that rebooting or logging off the account is not necessary when one uses the ON ---> Audit ---> ON sequence. Furthermore, when the program has been run once with ASR set to Audit, WD remembers on the computer (but not on other computers) that this program should not be blocked anymore. :)

So, the most convenient way to bypass this ASR rule is to set it temporarily to Audit and run/update/install the program. If the installed application is blocked, then it is easy to whitelist the application folder via the ConfigureDefender <Manage ASR Exclusions>. It is OK to whitelist the "Program Files" folder (and on 64-bit Windows also the "Program Files (x86)" folder).

Please use this bypass with a 24-hour delay (or more for suspicious files).
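The ON ---> Audit ---> ON sequence and the ASR-only folder exclusion described above, written as an added example with the built-in Defender cmdlets (this is not code from the post or from ConfigureDefender, which does the same through its GUI). It assumes an elevated PowerShell on a machine where Microsoft Defender is the active AV; the installer and application paths are placeholders.

```powershell
# Added example, not code from the post or from ConfigureDefender: the
# ON -> Audit -> ON sequence for the "prevalence, age, or trusted list" ASR rule
# using the built-in Defender cmdlets, followed by an ASR-only folder exclusion.
# Run from an elevated PowerShell on a machine with Microsoft Defender active.
$PrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # GUID quoted in the post

function Get-AsrRuleState {
    # Current action for one rule as stored by Defender: 0 = Disabled, 1 = Block, 2 = Audit
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) { return $pref.AttackSurfaceReductionRules_Actions[$i] }
    }
    return 'NotConfigured'
}

function Set-AsrRuleAction {
    # Add-MpPreference updates the action of a rule that is already configured
    param([Parameter(Mandatory)][string]$RuleId,
          [Parameter(Mandatory)][ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Action)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
}

# 1. Switch only this rule to Audit; per the post, no reboot or logoff is needed for this.
"Before: $(Get-AsrRuleState $PrevalenceRule)"
Set-AsrRuleAction -RuleId $PrevalenceRule -Action AuditMode

# 2. Run/update/install the low-prevalence program here, for example (placeholder path):
#    Start-Process -FilePath 'D:\Downloads\example-setup.exe' -Wait

# 3. Put the rule back to Block.
Set-AsrRuleAction -RuleId $PrevalenceRule -Action Enabled
"After:  $(Get-AsrRuleState $PrevalenceRule)"

# 4. Whitelist the installed application's folder for ASR rules only (placeholder path);
#    unlike -ExclusionPath this does not exclude the folder from real-time scanning.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ExampleApp'

# 5. Review what the rule would have blocked while it was in Audit: Defender logs
#    event 1122 (audited) and 1121 (blocked) in its Operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message.Split("`n")[0] } }
```

Step 5 is the check worth keeping: an application that still shows up as event 1121 after step 3 is the case where the folder exclusion in step 4 is needed.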

Kaze

New Member
If you allowed files after a full scan (quick scan or custom scan), then they will be allowed to run. If they try to execute other threats, then for those other threats WD will work as usual.
WD works in such cases just like most AVs do.

So to ensure I get it correctly...

"Threat A", which is found in "File A", will be allowed since I allowed it in WD.
If a new file "File B" is downloaded which also contains "Threat A", it will be blocked by WD unless I allow it too.

Thanks so much for explaining :)
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
So to ensure I get it correctly...

"Threat A", which is found in "File A", will be allowed since I allowed it in WD.
If a new file "File B" is downloaded which also contains "Threat A", it will be blocked by WD unless I allow it too.

Thanks so much for explaining :)
Yes, except when "File A" = "File B" (the same binary content).
Furthermore, if "File A/Threat A" drops another "File B" to disk, then this file will not be excluded in WD. If "File A" tries to execute scripts filelessly (no dropping to disk), then this can also be detected by WD (the scripts will not be excluded). There are probably some more examples where "File A" starts an infection chain which can be broken by WD even when "File A" is excluded.

Andy Ful

Level 63
Verified
Trusted
Content Creator
For home users in real-world scenarios, the "ConfigureDefender HIGH preset for WD + Edge Chromium (SmartScreen + Ad-blocker) + FirewallHardening" is as good as many commercial AVs (home versions). This can be seen in most of the professional tests.
But the situation is not so good when the user often shares files via flash drives (and moves these files to non-USB drives, like HDD partitions). There are two reasons for that:
  1. Such files do not have MOTW, so their detection is slightly lower (no "Block At First Sight").
  2. The ASR protection of USB drives is not triggered if the file is copied from a USB drive to a non-USB drive and run from there.
If the user is a happy-clicker, then in the above cases the standard AV protection can be insufficient. The solution is using an AV with Advanced Threat Protection (usually a Business version). One can also use WD and extend the ConfigureDefender settings to include all ASR rules (also the rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria").

An interesting setup can be using ASR rules with excluded "Program Files ...", "ProgramData", and user "AppData" folders. Such a setup will allow software updates even for low-prevalence applications, so it can be used by inexperienced users. Furthermore, it will allow safely installing most applications and games.
Unfortunately, some ASR rules related to MS Office (especially those preventing the creation of executable content) will not work at full strength, so additional anti-script protection is required - something like Simple Windows Hardening.

The final setup based on Windows built-in features looks like:
WD (CD all ASR rules + additional exclusions) + SWH + Edge Chromium (SmartScreen + Ad-blocker) + FirewallHardening.
It can be used by inexperienced users in daily work. The initial configuration can be made by any semi-advanced user (no problem for many MT members).
Such a setup is similar to the Hard_Configurator Recommended Settings, but the user does not have to use the "Install by SmartScreen" entry from the Explorer context menu and can install applications from non-standalone installers (CD/DVD sources, ISO images, etc.).
Of course, one can equivalently use the H_C with Basic_Recommended_Settings (instead of SWH) and use the H_C built-in versions of ConfigureDefender and FirewallHardening.
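Reason 1 in the post above (files moved from a flash drive carry no MOTW, so Block At First Sight and SmartScreen do not see them as downloads) can be checked and, on NTFS, corrected from PowerShell. This is an added example, not code from the post or from Hard_Configurator; the folder path is a placeholder and the extension list is an assumption.

```powershell
# Added example, not code from the post: inspect and restore the Mark of the Web
# (the Zone.Identifier NTFS alternate data stream) that Defender's Block At First
# Sight and SmartScreen rely on. Files copied from FAT/exFAT flash drives cannot
# carry that stream, which is the first of the two reasons given in the post.
function Get-MotwZone {
    # Returns the ZoneId of a file (3 = Internet, 4 = Restricted) or $null if no MOTW
    param([Parameter(Mandatory)][string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null                      # no Zone.Identifier stream on this file
    }
    foreach ($line in @($ads)) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Find-FilesWithoutMotw {
    # Lists executable-type files in a folder tree that carry no MOTW, e.g. after a
    # copy from a flash drive; these get no Block At First Sight / SmartScreen check.
    param([Parameter(Mandatory)][string]$Folder,
          [string[]]$Extensions = @('.exe', '.msi', '.scr', '.dll', '.ps1', '.js', '.vbs'))
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        Where-Object { $null -eq (Get-MotwZone -Path $_.FullName) } |
        Select-Object -ExpandProperty FullName
}

function Add-Motw {
    # Stamps a file as Internet-originated (ZoneId 3) so Defender and SmartScreen
    # treat it like a fresh download; only works on NTFS volumes.
    param([Parameter(Mandatory)][string]$Path)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Usage (placeholder folder): tag everything copied from a flash drive before running it
foreach ($f in Find-FilesWithoutMotw -Folder 'C:\Users\Me\Downloads\from-usb') {
    Add-Motw -Path $f
    "$f -> ZoneId $(Get-MotwZone -Path $f)"
}
```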
Hard_Configurator is so problem-free! And the ease of use is terrific.

My entire family uses it. For us youngsters, we have no problems using it, and the parents and grandparents don't even know H_C is there.

There is security software that I do like, but in the end it always causes problems in one form or another. Native Windows security is much less problem-prone than 3rd-party security software.

Thank you @Andy Ful .
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Is disabling Windows Script Host (in the registry) an adequate solution?
It can be a step in a good direction. Unfortunately, there are several scripting attack vectors, like PowerShell (scripts and command lines), Command Prompt (scripts and command lines), shortcuts, and files with unsafe extensions (embedded scripts, scriptlets, macros, JavaScript, etc.).
Anyway, such tight protection is necessary for happy-clickers or children in the first place. The average MT member probably has sufficient knowledge and safe habits to use the WD ConfigureDefender HIGH preset or any standard AV (with some tweaks).
Some MT members can use more restrictive setups when their computer software does not require many exclusions/whitelisting. (y)

Andy Ful

Level 63
Verified
Trusted
Content Creator
Hard_Configurator is so problem-free! And the ease of use is terrific.

My entire family uses it. For us youngsters, we have no problems using it, and the parents and grandparents don't even know H_C is there.

There is security software that I do like, but in the end it always causes problems in one form or another. Native Windows security is much less problem-prone than 3rd-party security software.

Thank you @Andy Ful .
Thanks for your kind words. But anyway, any hardening software can sooner or later cause some problems. This is also true for AVs with Advanced Threat Protection. This can happen after a month, a year, or even several years, depending on how complex the user's setup is and how restrictive the H_C setup is. I have tried to do my best to make the H_C settings flexible and non-destructive. :)(y)
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Three days ago I started a short test on the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".
I downloaded many fresh installers/updaters from Softpedia:

Some of the executed files were blocked by this ASR rule.
three days ago: Valentina Studio 10.5.0 and ScummVM Snapshot 2.3.0
two days ago: Alternate Pic View Lite 2.750, Alternate Pic View 2.750, Alternate Exe Slide, ZHPDiag 2020.9.11.230 (signed).

All installers/updaters were blocked by SmartScreen and the ASR rule because of low prevalence (about 10000 users). After two days all except one were allowed by the ASR rule and all were still blocked by SmartScreen.
 

Kaze

New Member
For some reason, when I chose "Remove" or "Quarantine" for some of the files/threats detected, nothing is done. Only when I chose "Allow on device" will the entry be removed; otherwise it just stays there. Did I miss out on some settings? I'm using SUA with ConfigureDefender @ High