Andy Ful

Level 48
Verified
Trusted
Content Creator
How the hell WD works on Windows Home & Pro?

There are several Microsoft documents and articles about how Windows Defender (WD) works on Windows 10. But most of them are related to Windows Enterprise editions, and usually, authors present the features which are available only on Windows E5. There is only one document I am aware of, which shows the differences between Home, Pro, E3 and E5 editions:
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv

The link to this document is added to most Microsoft documents about WD, and sometimes it seems to contradict what authors write about WD. From this document, it follows that some advanced WD features are available on Windows Home, even when most people think the opposite. Furthermore, there are no essential differences between Home and Pro versions in the Windows Defender Threat Protection, except: Hardware based isolation for Microsoft Edge, Application control powered by the Intelligent Security Graph (requires Microsoft paid software), and Device Control (e.g.: USB).

WD was tested on Malware Hub by Evjl's Rain and SeriousHoax on Windows 10 Pro:
https://malwaretips.com/search/119614/?q=Windows+Defender&t=post&c[child_nodes]=1&c[nodes][0]=104&c[users]=SeriousHoax&o=date

https://malwaretips.com/search/119657/?q=Windows+Defender&t=post&c[child_nodes]=1&c[nodes][0]=104&c[users]=Evjl's+Rain&o=date

In the following posts, I will try to present some conclusions about additional WD protection on Windows Home and Pro, which can be applied by using PowerShell or ConfigureDefender.

See my next posts in this thread:
Does WD use behavior blocking? https://malwaretips.com/threads/how-the-hell-wd-works-on-windows-home.95146/post-835847
Do AMSI, PUA protection, ASR rules, and Network Protection work in Windows Home & Pro? Discuss - How the hell WD works on Windows Home?

Is there any advantage of BAFS on Windows Home and Pro? https://malwaretips.com/threads/how-the-hell-wd-works-on-windows-home-pro.95146/post-836317


Post edited. Changed Title (added Pro).
 

93803123

Windows 10 Home doesn't get the ATP only the Pro and Enterprise versions do. I have Windows 10 Home so I use a third-party solution.
Windows 10 Pro gets ATP only if the user is part of a managed group that has a paid subscription to ATP. While there are many settings that can be enabled/disabled via a utility such as Hard_Configurator, none of them are ATP. They are standalone, individual protection items or features that are part of the entire Windows 10 Defender Security stack. ATP is a subscription service that offers primarily analytics and management capabilities.

Microsoft wants businesses to buy the add-on services such as ATP, Office 365, Azure, Intune, and so on. There are many additional Microsoft service subscriptions.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Windows 10 Home doesn't get the ATP only the Pro and Enterprise versions do. I have Windows 10 Home so I use a third-party solution.
Windows 10 Pro gets ATP only if the user is part of a managed group that has a paid subscription to ATP.
...
We do not talk on this thread about WD ATP, but about some advanced features which are a part of ATP and can be activated on Windows Home and Pro by using PowerShell or ConfigureDefender. These features are equally available for both Home and Pro editions.(y)
Please wait until I post my conclusions that follow from the tests made on Malware Hub.
WD logs the information about blocked samples and usually shows what feature was applied.
 

plat1098

Level 9
Verified
You're the best thing to happen to Windows Defender users since...I don't know, Andy Ful. If others were only 1/2 as grateful as I am, your cup would be full for as long as there's a Microsoft Windows to play with. :)

Windows Defender logs are stored in Event Viewer? Which section? OK, will wait for the Hub results because often, it's uncertain whether any policies applied via gpedit.msc are actually successfully activated. Also, several times I get a "silent" block but would like to verify this via those logs you mentioned.
 

notabot

Level 11
Thanks @Andy Ful , it's great that you write about Defender and also you provide a tool to configure it.

In my view the biggest hole in home/pro is not security, with H_C tweaks (or equivalent ones via Group Policy) probably it's the best offering at the moment in terms of security model and naturally in terms of compatibility with host OS. The biggest hole is lack of a web dashboard/MDM offering that's aimed at families ( E3 clearly isn't priced for families nor is it a package which targets families ).
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
If you use current ConfigureDefender, there is a NirSoft event viewer incorporated. If not, you will need to import a custom view into Windows event viewer. The instructions for how to do this are in earlier pages of CD thread or you may search the relevant sections @M$ on the web.
The report about blocked events uses WevtUtil (Windows command line utility) and some code made by me in AutoIt.:giggle:
I did not use the NirSoft tool, because then ConfigureDefender would not be portable.
 

oldschool

Level 35
Verified
I wonder why @SeriousHoax's testing results were better than earlier tests by @Evjl's Rain? I know both are qualified testers. Maybe some changes/improvements by M$? Maybe because some tests included fewer samples? Or some that were less troublesome for WD? :emoji_thinking:


With ConfigureDefender, Home & Pro users can get equal protection, ... right?
Correct. Otherwise via Powershell commandlets or GPO (W10 Pro).
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Does WD use behavior blocking?

It is funny, but many people think that WD cannot use behavior blocking. Yet, this is the most evident and sometimes annoying WD feature. If WD uses it, then the file execution is temporarily blocked and WD usually shows the alert:

BB.png


The time required for scanning is set by default to 10s and can be changed up to 60s. After finishing the scan, WD takes one of the following actions:
  1. The file is allowed to run.
  2. The file is not allowed to run. WD removes or quarantines it.
  3. The file is allowed to run, but analysis in the cloud is continued. If the malware is recognized as malicious, then WD tries to stop the malware. In some cases, a reboot is required to remove or quarantine the malware.
How does it work on Windows Home and Pro?
WD uses the local signatures and local Machine Learning (ML) models to find out if the file behavior can be malicious or suspicious. If it is suspicious, then the file metadata is sent to WD cloud for quick detection or analysis. This can take several milliseconds. If ML models in the cloud still cannot classify the sample, then it is uploaded to the cloud and analyzed by more comprehensive ML models - this can take several seconds.
Each suspicious action is scored and an overall score is computed for each process. High scoring will trigger the detection of the process as malicious. The threshold when the detection is triggered depends on WD setting (CloudBlockLevel).

On Windows E5 some more advanced features are available, which can take several minutes:
  • Advanced machine learning and AI based protection for apex level viruses and malware threats
  • Advanced cloud protection that includes deep inspection and detonation
  • Emergency outbreak protection from the Intelligent Security Graph
  • Monitoring, analytics and reporting for Next Generation Protection capabilities
Here are some examples of ML behavior-based detections on Windows Pro (default, high or max ConfigureDefender settings):
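The cloud-protection knobs the post refers to (CloudBlockLevel and the 10s-to-60s block-at-first-sight timeout) and the Defender event log that Andy Ful says records which feature blocked a sample can both be reached from PowerShell on Home and Pro. The block below is an added example, not code from the thread or from ConfigureDefender; it assumes the built-in Defender module and an elevated prompt, and the regex parsing of the event text assumes the English message layout (the Get-WdDetection helper name is mine).

```powershell
# Added example (not from the thread or from ConfigureDefender): raise WD's
# cloud block level and extended timeout, then list the detections WD logged.
# Assumes the built-in Defender PowerShell module and an elevated prompt.

# Show the cloud-related settings before changing anything.
Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent,
    CloudBlockLevel, CloudExtendedTimeout

# CloudBlockLevel accepts Default, Moderate, High, HighPlus or ZeroTolerance.
# CloudExtendedTimeout adds 0..50 s to the default 10 s block-at-first-sight
# scan, which is the 10 s -> 60 s range mentioned in the post.
Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendAllSamples `
                 -CloudBlockLevel High `
                 -CloudExtendedTimeout 50

# Detection events live in the Defender operational log:
#   1116 = malware or unwanted software detected
#   1117 = action taken (quarantine / remove)
# The 1116 message text carries the threat name, path and "Detection Source",
# which is where the feature that fired shows up.
function Get-WdDetection {
    param([int]$Days = 7)   # how far back to look (assumed helper, my name)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg = $_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            # Field labels below assume the English event message layout.
            Threat  = [regex]::Match($msg, 'Name:\s*(.+?)\r?\n').Groups[1].Value
            Path    = [regex]::Match($msg, 'Path:\s*(.+?)\r?\n').Groups[1].Value
            Source  = [regex]::Match($msg, 'Detection Source:\s*(.+?)\r?\n').Groups[1].Value
        }
    }
}

# List the last month of detections in a table.
Get-WdDetection -Days 30 | Format-Table -AutoSize
```

Both Set-MpPreference calls and Get-WinEvent work the same on Home and Pro; only the GPO route is Pro-specific.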

SeriousHoax

Level 9
Verified
Malware Tester
I wonder why @SeriousHoax testing results were better than earlier tests by @Evjl's Rain? I know both are qualified testers. Maybe some changes/improvements by M$? Maybe because some tests included less samples? or some that were less troublesome for WD?
One of the reasons can be that I haven't really been able to test WD against a large set of samples because, for some unknown reason, with Shadow Defender in Shadow Mode WD's cloud protection often doesn't work. Sometimes it works and sometimes it doesn't even detect a known sample. Probably a compatibility issue or something. This is why I've usually tested WD when the number of samples is low. I'll try testing again next time with a large number of samples.
 

oldschool

Level 35
Verified
One of the reasons can be that I haven't really been able to test WD against a large set of samples because, for some unknown reason, with Shadow Defender in Shadow Mode WD's cloud protection often doesn't work. Sometimes it works and sometimes it doesn't even detect a known sample. Probably a compatibility issue or something. This is why I've usually tested WD when the number of samples is low. I'll try testing again next time with a large number of samples.
I figured there was a good reason and this explains it. Not surprising since with all things M$ YMMV! :D
 

ticklemefeet

Level 22
Verified
One of the reasons can be that I haven't really been able to test WD against a large set of samples because, for some unknown reason, with Shadow Defender in Shadow Mode WD's cloud protection often doesn't work. Sometimes it works and sometimes it doesn't even detect a known sample. Probably a compatibility issue or something. This is why I've usually tested WD when the number of samples is low. I'll try testing again next time with a large number of samples.
You could run Shadow Defender on your host and run your tests in a VM. That is what I do.
 

blackice

Level 10
Verified
One of the reasons can be that I haven't really been able to test WD against a large set of samples because, for some unknown reason, with Shadow Defender in Shadow Mode WD's cloud protection often doesn't work. Sometimes it works and sometimes it doesn't even detect a known sample. Probably a compatibility issue or something. This is why I've usually tested WD when the number of samples is low. I'll try testing again next time with a large number of samples.
Good thing most people don't run into large packs of malware running around in the wild! :eek: