New Update DefenderUI by VoodooShield - Turn on Hidden Security Features of Microsoft Defender

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Just a fun fact regarding how DefenderUIPro 1.07 (installed with Recommended Profile) will now handle signed malware. As we know, malware can either be unsigned (most common), signed but certificate revoked, or signed with valid certificate but without countersignature. DefenderUIPro gives alerts for each as follows:

1) Unsigned (common):
1ns.png

2) Signed but certificate revoked (unusual):
1snv.png

3) Signed, certificate valid but without countersignature (fortunately quite rare):
1sv.png


Note that when these files are initially executed one can see the WhiteCloud entry showing "analyzing" prior to a judgement being made. I'm certainly not aware of any other security product that differentiates signed baddies like this.

Really nice work, Dan!
 
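The three signature states in the post above can be reproduced locally with the Authenticode APIs Windows already exposes. The following is an added example, not DefenderUI or VoodooShield code; the sample folder path is a placeholder, and the revocation check needs network access to reach the CA's CRL/OCSP endpoints.

```powershell
# Added example (not DefenderUI/VoodooShield code): classify a PE file's
# Authenticode state into the three cases discussed in the post.
function Get-SignatureTriage {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Unsigned'; Signer = $null; TimeStamper = $null; Detail = $sig.StatusMessage }
    }

    # Rebuild the signer's chain with online revocation checking so a revoked
    # leaf or intermediate is reported explicitly, not just as "not trusted".
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($sig.SignerCertificate)
    $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $revoked = $chain.ChainStatus | Where-Object { $_.Status.HasFlag($revokedFlag) }
    $chain.Dispose()

    # No TimeStamperCertificate means no countersignature: the signature's
    # trust is then tied to the signing cert's own validity window.
    $verdict =
        if ($revoked) { 'Signed, certificate revoked' }
        elseif ($sig.Status -ne 'Valid') { "Signed, not trusted ($($sig.Status))" }
        elseif (-not $sig.TimeStamperCertificate) { 'Signed, valid, no countersignature' }
        else { 'Signed, valid, countersigned' }

    [pscustomobject]@{
        Path        = $Path
        Verdict     = $verdict
        Signer      = $sig.SignerCertificate.Subject
        TimeStamper = $sig.TimeStamperCertificate.Subject
        Detail      = $sig.StatusMessage
    }
}

# Usage: triage a folder of samples (placeholder path) in an isolated VM.
Get-ChildItem 'C:\samples\*.exe' |
    ForEach-Object { Get-SignatureTriage -Path $_.FullName } |
    Format-Table Verdict, Signer, TimeStamper, Path -AutoSize
```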

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Don't know in which version it first happened, but somehow 'Update signatures' doesn't update. I need to hit the button to update my signatures. If I wait, they simply do not update.
That's odd. Have you tried to reset the signatures?
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
@cruelsister If the third file is malware, could you run it with VS on default settings please (the one with the whitelist cloud verdict "safe")? I'm interested in what the result would be.
Whenever there is an issue with the sig, VS and DefenderUI Pro should block the file. And actually VS would have a better description on why it blocked the file and better user recommendations. At some point we probably should build out the user prompt in DefenderUI more, to provide more file insight and better user recommendations.
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Whenever there is an issue with the sig, VS and DefenderUI Pro should block the file. And actually VS would have a better description on why it blocked the file and better user recommendations. At some point we probably should build out the user prompt in DefenderUI more, to provide more file insight and better user recommendations.
Thanks Dan. I was curious what would happen with VS and the WLC default "Allow Safe WhitelistCloud items when OFF or AutoPilot". Because for me it seemed like WLC said file 3 is safe (if it was malware).
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Thanks Dan. I was curious what would happen with VS and the WLC default "Allow Safe WhitelistCloud items when OFF or AutoPilot". Because for me it seemed like WLC said file 3 is safe (if it was malware).
Yeah, if there is an issue with the sig, VS and DefenderUI Pro should both block the file, even if WLC returns a Safe verdict.

If CS has time to test VS as well, that would be great just to confirm, but we know DefenderUI Pro blocked all three because CS said "DefenderUIPro gives alerts for each as follows:". Either way, that last sample is certainly a tricky sample ;).
 

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
As I was also interested in how VS would handle things, I went into the Magniber annex of my Zoo and plucked out 20 samples (some validly signed, some signed with the certificate revoked, some regular riff-raff and a few slightly modded). Of these 20, VS immediately (kinda-sorta immediately, as for a few it took some extra seconds to "think") detected 15 as malware; the remaining 5 resulted in a couldn't-identify popup (which had to be overridden in order to execute, which is not an optimal decision to make). I then rebooted the system and ran those 5 again; this time they were recognized as malware with identical alerts to the pre-boot 15.

Anyway, that Malware item that I noted earlier for DefenderUI Pro (valid signature but no counter) resulted in this:

vs.png


And as a change of pace I tried out a Strrat signed by Microsoft (Countersigned but revoked a bit ago):

msft.png

But in short, VS protects as should be expected.

 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
On the other hand @danb is it possible to put "tips" or an analysis for JS and VBS attacks? VS blocks them, but it's not very explicit for a novice :/
You know, I have never thought about that before, but it would make a lot of sense to include info for the end user based on file type, thank you for the suggestion! And actually, I have been wanting to tweak the prompts a little anyway, to make them even more clear to the user, so now would be a good time. Maybe we can start with some photoshop mockups and once we have the design just right I will implement the changes. If anyone has any suggestions on how we can optimize the prompts, please let me know! Maybe we can have a button that says something like "Should I allow or block this?" or "Help me decide", and that would initiate a wizard similar to the VS Rules Wizard?
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
So did it work? If not, I am sure there is a fix out there somewhere.
 

filx

New Member
Aug 6, 2022
1
Hello, I have a question. Do ASR rules work if I have another antivirus installed? All ASR settings in DefenderUI are on as I want. The Microsoft docs say that I need live protection for ASR, but after turning on the setting 'Limited periodic scanning (LPS)' in Microsoft Defender I managed to change the DefenderUI setting. How can I see if it worked or if it is a bug?

ASR rules dependencies

Microsoft Defender Antivirus must be enabled and configured as primary anti-virus solution, and must be in the following mode:

  • Primary antivirus/antimalware solution
  • State: Active mode
Microsoft Defender Antivirus must not be in any of the following modes:

  • Passive
  • Passive Mode with Endpoint detection and response (EDR) in Block Mode
  • Limited periodic scanning (LPS)
  • Off

Thanks in advance and excuse my odd question :)
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Hello, I have a question. Do ASR rules work if I have another antivirus installed? All ASR settings in DefenderUI are on as I want. The Microsoft docs say that I need live protection for ASR, but after turning on the setting 'Limited periodic scanning (LPS)' in Microsoft Defender I managed to change the DefenderUI setting. How can I see if it worked or if it is a bug?

ASR rules dependencies

Microsoft Defender Antivirus must be enabled and configured as primary anti-virus solution, and must be in the following mode:
  • Primary antivirus/antimalware solution
  • State: Active mode
Microsoft Defender Antivirus must not be in any of the following modes:

  • Passive
  • Passive Mode with Endpoint detection and response (EDR) in Block Mode
  • Limited periodic scanning (LPS)
  • Off

Thanks in advance and excuse my odd question :)
If you have a third party AV installed and it is set to be your primary security provider, when you install DefenderUI you will see this prompt...

DefenderUI Prompt.PNG


As you pointed out, if a third party AV is set to be your primary security provider, then MD will disable itself.

In short, if you are using a third party AV as your primary security provider, you do not need DefenderUI. For more info, please click the following link, thank you!
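The dependency quoted in the question can be verified from the machine itself rather than inferred from DefenderUI's toggles. The following is an added example, not DefenderUI or VoodooShield code; it relies on the standard `Get-MpComputerStatus`, `Get-MpPreference` and Defender operational-log event IDs 1121/1122 (ASR block / ASR audit), and is run from an elevated PowerShell prompt.

```powershell
# Added example (not DefenderUI/VoodooShield code): confirm the ASR
# prerequisites quoted above and look for evidence that rules have fired.
function Test-AsrReadiness {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMRunningMode is 'Normal' only when Defender is the active primary AV.
    # 'Passive Mode', 'EDR Block Mode', 'SxS Passive Mode' or 'Not running'
    # all mean ASR rules are not enforced, regardless of how they are configured.
    $enforceable = ($status.AMRunningMode -eq 'Normal') -and $status.RealTimeProtectionEnabled

    # Rule ids and actions are parallel arrays: 0=Disabled 1=Block 2=Audit 6=Warn.
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $rules = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = $actionName[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }

    # Event 1121 = an ASR rule blocked something; 1122 = it would have, in audit mode.
    # If these never appear after exercising a rule, the rules are not active.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents 20 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunningMode     = $status.AMRunningMode
        AsrEnforceable  = $enforceable
        ConfiguredRules = $rules
        RecentAsrEvents = $events | Select-Object TimeCreated, Id, Message
    }
}

Test-AsrReadiness | Format-List
```

If `AsrEnforceable` is false, the configured rules are present in policy but Defender is not in the active mode the Microsoft dependency list requires, which matches the behaviour the question describes.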

 
