Latest changes: Jul 18, 2020
Daily driver: My primary device
Operating system: Windows 10 Pro
OS version: 2004
System type: 64-bit operating system; x64-based processor
Security updates: Automatically allow security and feature updates
Windows UAC: Always notify
Firewall protection: Microsoft Defender Firewall
Account privileges: Administrator account
Account type: Sign in with local account
Account log-in:
  • Windows Hello PIN
  • Account Password
Exposure to malware: Malware samples are downloaded on a virtual machine
Real-time malware protection: Windows Defender only
RTP configuration: ConfigureDefender HIGH with NP disabled
Periodic scanners: EEK, HitmanPro and NPE
Browser and add-ons:
  Firefox:
  • Bitwarden browser extension
  • uBlock Origin with CNAME uncloaking (block WebRTC & CSP)
  Edge Chromium:
  • uBlock Origin
  • Bitwarden
Privacy tools and VPN: WPD, Windscribe and ProtonVPN
Password manager: Bitwarden
Search engine: Google and DuckDuckGo
Maintenance tools: ThrottleStop, built-in defrag, portable CCleaner and Sysinternals Suite
Photos and files backup: Google Drive
File backup schedule: Automatically sync to the cloud
Backup and restore: Macrium Reflect
Backup schedule: Once or more per week
Computer activity:
  • Playing computer games
  • Browsing the web and checking emails
  • Regularly installing new software every week
  • Streaming movies, TV shows and music from the Internet
  • Testing security software using malware samples
  • Downloading files from different websites
  • Office and other work-related software (Work from Home)
  • Recording and editing video or photos
  • Learning computer languages or creating apps
Computer specifications: Acer Predator Helios 300 (G3-571-77QK):
  • i7-7700HQ
  • GTX 1060 6GB
  • 16GB DDR4
  • 256GB SSD
  • 1TB HDD

    Andy Ful

    @Andy Ful is it possible to perform BONUS (behavior blocker) tests with WD?
    Most of the behavior detections are made in the cloud backend. That is true for most AVs, so the offline behavior blocking is usually weaker.
    When considering the Bonus tests, I think that the idea is related to the proactive (non-signature) part of protection, even when the cloud backend is used. Such tests can be done for WD on files with MOTW. You can use RunBySmartscreen to run the sample and then ignore the SmartScreen alert. Many samples will first be detected by the WD BAFS feature, and for such samples the Bonus tests cannot be done. But if you see the alert that WD blocks the file for 20 s, it means that WD behavior detection against the cloud backend has started.

    SeriousHoax

    Chrome

    • Trash software, I just use it when a website doesn't work on another browser.
    😂😂

    But if you see the alert that WD blocks the file for 20 s, it means that WD behavior detection against the cloud backend has started.
    I see this happening for new exe files every time. So, it's related to the cloud backend behavior blocker! Great. It often triggers before any direct execution attempt is made. Yesterday, I downloaded a malware sample which had a .bin extension upon extraction, but it was an exe malware. So, I renamed it to .exe and immediately received that 20 sec (60 sec in my case) timeout notification, and 10 sec later it was detected and removed by WD.
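To make the two points above concrete (WD's SmartScreen/cloud path applies to files carrying MOTW, and the "blocked for 20 s" alert is a cloud hold that ConfigureDefender HIGH stretches to 60 s), here is an added PowerShell check that is not from this thread or from any of the tools mentioned in it. It assumes a Windows 10 host with Microsoft Defender and its PowerShell module; the script parameter and the function names Get-MotwInfo and Get-CloudBlockWindow are my own.

```powershell
# Added example (not from the thread): inspect a downloaded sample's Mark-of-the-Web (MOTW)
# and the Defender cloud-block window behind the "file blocked for N s" alert discussed above.
# Assumes Windows 10 with Microsoft Defender and its Defender PowerShell module available.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # file to inspect, e.g. a sample extracted inside the test VM
)

function Get-MotwInfo {
    param([string]$FilePath)
    # MOTW is stored in the Zone.Identifier alternate data stream; ZoneId=3 means "Internet".
    $stream = Get-Item -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ HasMotw = $false; ZoneId = $null; HostUrl = $null }
    }
    $fields = @{}
    foreach ($line in (Get-Content -LiteralPath $FilePath -Stream Zone.Identifier)) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        HasMotw = $true
        ZoneId  = [int]$fields['ZoneId']
        HostUrl = $fields['HostUrl']
    }
}

function Get-CloudBlockWindow {
    # Defender holds a never-seen file for up to 10 s by default while waiting for the cloud
    # verdict; CloudExtendedTimeout adds 0-50 s on top, so 50 yields the 60 s window from the thread.
    $pref = Get-MpPreference
    [pscustomobject]@{
        MapsReporting        = $pref.MAPSReporting        # 0 = off, 1 = basic, 2 = advanced
        CloudBlockLevel      = $pref.CloudBlockLevel
        CloudExtendedTimeout = $pref.CloudExtendedTimeout
        MaxBlockSeconds      = 10 + [int]$pref.CloudExtendedTimeout
    }
}

$motw   = Get-MotwInfo -FilePath $Path
$window = Get-CloudBlockWindow
"MOTW present : $($motw.HasMotw)  ZoneId=$($motw.ZoneId)  Host=$($motw.HostUrl)"
"MAPS         : $($window.MapsReporting)  CloudBlockLevel=$($window.CloudBlockLevel)"
"Cloud hold   : up to $($window.MaxBlockSeconds) s (CloudExtendedTimeout=$($window.CloudExtendedTimeout))"
if ($window.MapsReporting -eq 0) { "Warning: MAPS is off, so there is no cloud verdict and no cloud-backed behavior detection." }
if (-not $motw.HasMotw) { "No MOTW: SmartScreen will not evaluate this file; samples that lost the stream during extraction or renaming deserve a manual scan." }
```

Run it inside the test VM, never on the daily driver, and compare MaxBlockSeconds with the timeout you actually see in the WD notification.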

    Andy Ful

    😂😂


    I see this happening for new exe files every time. So, it's related to the cloud backend behavior blocker! Great. It often triggers before any direct execution attempt is made. Yesterday, I downloaded a malware sample which had a .bin extension upon extraction, but it was an exe malware. So, I renamed it to .exe and immediately received that 20 sec (60 sec in my case) timeout notification, and 10 sec later it was detected and removed by WD.
    We probably should not use the term "Behavior blocker". WD and other advanced AVs do not use a separate module which could be called a "Behavior blocker". They use behavior monitoring (locally and in the cloud) together with advanced heuristics and file reputation; the output of all of this makes up behavior-based detection. If the file is running, then the detection is extended to parent and child processes (post-execution detection). The closest thing to a "Behavior blocker" would be WD ASR rules or Kaspersky's HIPS.

    Malware in the wild often uses a multi-stage infection chain to avoid behavior-based detection. So, the infection is often stopped not on the first link of the chain, but on a subsequent link. Of course, sometimes this cannot prevent the infection of the first victim.
    A good example would be advanced multi-stage malware started by a Java (.jar) file.
    I observed on Malware Hub how WD fights such attacks (in your tests): some payloads were detected by behavior-based detections, some were blocked by ASR rules, etc.

    geminis3

    07/06/2020

    • Cleanly installed my homebrew updated LTSC ISO; after boot I ran a script to install MS Store and installed basic UWP apps (photos, movies, camera, calculator, voice recorder, etc.).
    • Latest Nvidia and Intel drivers
    • Latest Office 365 provided by my uni
    • Installed Redistributable C++ AIO
    • Removed Chrome, Brave and Vivaldi

    (IDLE) RAM consumption: 2004 idled at 3.1 GB



    Windows Update went painlessly since my ISO already contained all the cumulative updates, so it just downloaded drivers, Intel microcode, MRT and WD updates.

    ConfigureDefender worked without problems :cool:

    EDIT: I forgot to say that I set telemetry level to 0 in gpedit which, according to MS, only sends information that's required for the Malicious Software Removal Tool and Windows Defender. (source)


    Vitali Ortzi

    07/06/2020

    • Cleanly installed my homebrew updated LTSC ISO; after boot I ran a script to install MS Store and installed basic UWP apps (photos, movies, camera, calculator, voice recorder, etc.).
    • Latest Nvidia and Intel drivers
    • Latest Office 365 provided by my uni
    • Installed Redistributable C++ AIO
    • Removed Chrome, Brave and Vivaldi

    (IDLE) RAM consumption: 2004 idled at 3.1 GB


    Windows Update went painlessly since my ISO already contained all the cumulative updates, so it just downloaded drivers, Intel microcode, MRT and WD updates.

    ConfigureDefender worked without problems :cool:

    EDIT: I forgot to say that I set telemetry level to 0 in gpedit which, according to MS, only sends information that's required for the Malicious Software Removal Tool and Windows Defender. (source)

    Nice.
    LTSC has no feature updates that reduce stability or increase attack surface.
    Only security updates are present.
    I did other things in my build, like replacing built-in tools with ones that have better functionality or security.
    Unfortunately, the ones that have better functionality increase my attack surface, but it's more convenient for usability, like replacing Notepad with Notepad++.