Andy Ful

Level 63
Verified
Trusted
Content Creator
Is there any advantage of BAFS on Windows Home and Pro?

Yes, there is, and this is a very important WD feature. BAFS is enabled by default in all Windows editions for all Windows 10 versions supported by Microsoft.
By design, it works only for files with MOTW. Furthermore, only PE executables (EXE, DLL, etc.) and some script types (JS, VBS, VBA macros, etc.) can be protected.
Usually, BAFS is automatically triggered when the file has been downloaded from the Internet via Edge or Chrome.


What is the advantage of BAFS protection?

Without BAFS, the downloaded files are checked only against local signatures, which in the case of WD are optimized to minimize false positives. These signatures are only average for fighting new threats.
BAFS was introduced to cover new threats by applying additional protection:
  1. It forces scanning the file against fast signatures in the WD Cloud. Fast signatures are created when malicious files have been executed on any computer connected to the cloud. This also includes any computer which uses Windows E3 or E5. So, fast signatures can take advantage of advanced WD features like: "Advanced machine learning and AI based protection for apex level viruses and malware threats", and "Advanced cloud protection that includes deep inspection and detonation". All fast signatures are available for any computer which uses the BAFS feature (also with installed Windows Home or Pro).
  2. If the file is not known, then it is automatically blocked just as in the case of executing it. This prevents the user from running files after the download, until they are checked by behavior-based cloud features. The behavior-based features are activated just like in the case of file execution and the user can see the usual WD behavior block warning:

    [image: WD behavior block warning]

So, for the unknown malware, BAFS on Windows E5 is still stronger than on Windows Home and Pro.

In the Real world malware tests, the samples have MOTW attached, so BAFS is triggered and the WD scoring is high.
In the video tests, BAFS is usually inactive due to the test procedure. The tester unpacks the password-protected archive with malware samples by using 3rd party unpackers (like 7-ZIP). Most unpackers do not transfer the MOTW from archive to extracted samples. The malware samples do not have MOTW, so they are ignored by BAFS.
The MOTW can be transferred from the archive downloaded from the Internet to extracted malware samples when using Bandizip.

Edit.
The conclusion that fast signatures are not used when the malware file without MOTW is executed, follows from some tests made on Malware Hub in this year. I do not understand the purpose of such counterintuitive behavior, except when it is for updating fast signatures. It should be confirmed by other tests, because Microsoft can allow fast signatures with any update also for files without MOTW.
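An added example to go with the post above (not code from the thread or from Microsoft): the Mark-of-the-Web that BAFS keys on is the Zone.Identifier alternate data stream on an NTFS file. The script below reads it, reports when a file has none (and so would be ignored by BAFS), and copies the stream from a downloaded archive onto the files extracted from it, which is what the post says Bandizip does and most unpackers do not. The archive and folder paths are placeholders.

```powershell
# Added example (not from the thread): inspect the Mark-of-the-Web
# (Zone.Identifier alternate data stream) that Block At First Sight depends on,
# and propagate it from a downloaded archive to the files extracted from it.
# Paths below are placeholders; the functions work on any NTFS volume.

function Get-Motw {
    # Returns a hashtable of the Zone.Identifier fields (ZoneId, HostUrl, ...)
    # or $null when the file carries no MOTW and BAFS will therefore skip it.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $fields = @{}
    foreach ($line in Get-Content -LiteralPath $Path -Stream Zone.Identifier) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

function Copy-Motw {
    # Writes the source file's Zone.Identifier stream onto the target file
    # (the behaviour the post attributes to Bandizip).
    param(
        [Parameter(Mandatory)][string]$SourcePath,
        [Parameter(Mandatory)][string]$TargetPath
    )
    $content = Get-Content -LiteralPath $SourcePath -Stream Zone.Identifier -ErrorAction Stop
    Set-Content -LiteralPath $TargetPath -Stream Zone.Identifier -Value $content
}

# --- usage with placeholder paths ---
$archive   = "$env:USERPROFILE\Downloads\samples.zip"
$extracted = "$env:USERPROFILE\Downloads\samples"

$zone = Get-Motw -Path $archive
# ZoneId 3 is the Internet zone; that is the value a browser download carries.
if (-not $zone -or $zone['ZoneId'] -ne '3') {
    Write-Warning "$archive has no Internet-zone MOTW; BAFS would not scan it or its contents."
}

# Tag every extracted file that lacks MOTW, so that running it goes through
# BAFS (cloud fast signatures + behaviour check) rather than local signatures only.
Get-ChildItem -LiteralPath $extracted -Recurse -File | ForEach-Object {
    if (-not (Get-Motw -Path $_.FullName)) {
        Copy-Motw -SourcePath $archive -TargetPath $_.FullName
        "Tagged with MOTW: $($_.FullName)"
    }
}
```

The stream cmdlet parameters (-Stream on Get-Item, Get-Content and Set-Content) require the Windows FileSystem provider; on FAT/exFAT volumes, which is where USB sticks usually live, there is no alternate data stream and the MOTW is lost on copy, which is the same reason the post treats USB sources separately from downloads.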
 

oldschool

Level 55
Verified
In the Real world malware tests, the samples have MOTW attached, so BAFS is triggered and the WD scoring is high.
In the video tests, BAFS is usually inactive due to the test procedure. The tester unpacks the password-protected archive with malware samples by using 3rd party unpackers (like 7-ZIP). Most unpackers do not transfer the MOTW from archive to extracted samples. The malware samples do not have MOTW, so they are ignored by BAFS.

Yes, I think this is what we see in YouTube tests like TPSC, etc. when testing WD and thus the poor results. Leo @TPSC apparently doesn't understand how WD features work so he can continually advertise its "horrible" protection.
 

Moonhorse

Level 29
Verified
Content Creator
Yes, I think this is what we see in YouTube tests like TPSC, etc. when testing WD and thus the poor results. Leo @TPSC apparently doesn't understand how WD features work so he can continually advertise its "horrible" protection.
guy works for emsisoft, few last hub results;
emsisoft on default settings = infected
Windows defender + configurefender = Protected

Make a video about the above, and the odds change, cheeky :alien:
 

shmu26

Level 85
Verified
Trusted
Content Creator
The YouTube testers do reflect a certain segment of the population, and that is the pirates who download their stuff in rar files and then unpack them. Their unpacked stuff doesn't have MOTW. But that's irrelevant, because even if every AV in the world would detect it as malware, they would turn off their AV anyways, so they can run their crack. People who do that have forfeited their right to complain.
 

blackice

Level 27
Verified
The YouTube testers do reflect a certain segment of the population, and that is the pirates who download their stuff in rar files and then unpack them. Their unpacked stuff doesn't have MOTW. But that's irrelevant, because even if every AV in the world would detect it as malware, they would turn off their AV anyways, so they can run their crack. People who do that have forfeited their right to complain.
Amen to that! I don’t think people who work around their AV when it’s inconvenient count as security conscious people.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Some precautions can be made to maximize protection for files shared via USB sources and files extracted from archives:
  1. The ASR rule "Block untrusted and unsigned processes that run from USB" should be activated. This rule works also for files which were blocked when executed from the USB source and next copied to hard disk. The protection is removed after renaming the file on the hard disk.
  2. The user should install Bandizip if he/she needs something more than is available via Windows built-in ZIP unpacker.
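An added example for point 1 of the post above (not code from the thread; it uses the standard Defender cmdlets): enabling the ASR rule "Block untrusted and unsigned processes that run from USB" and verifying that it is really in block mode. The rule GUID is the one Microsoft documents for this rule; the helper function is mine.

```powershell
# Added example (not from the thread): enable the ASR rule "Block untrusted and
# unsigned processes that run from USB" and verify its state. Run from an
# elevated prompt with Defender AV as the active engine.

# Documented rule GUID for "Block untrusted and unsigned processes that run from USB".
$UsbRuleId = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'

function Get-AsrRuleState {
    # Returns the configured action for one ASR rule as Defender reports it:
    # 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn; 'NotConfigured' if absent.
    # Ids and Actions are parallel arrays in Get-MpPreference output.
    param([Parameter(Mandatory)][string]$RuleId)
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # string -eq is case-insensitive, so GUID letter case does not matter
        if ($ids[$i] -eq $RuleId) { return $actions[$i] }
    }
    return 'NotConfigured'
}

# Add-MpPreference appends to the rule list without disturbing rules that are
# already configured. Use -AttackSurfaceReductionRules_Actions AuditMode first
# if you want to see what would be blocked (event ID 1122) before enforcing.
Add-MpPreference -AttackSurfaceReductionRules_Ids $UsbRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

$state = Get-AsrRuleState -RuleId $UsbRuleId
if ($state -ne 1) { throw "USB rule is not in block mode (reported state: $state)" }
"USB rule active. Blocked launches are logged as event ID 1121 in the " +
"'Microsoft-Windows-Windows Defender/Operational' log."
```

The same Ids/Actions parallel-array layout applies to every other ASR rule, so the helper can be reused to audit the whole rule set; only the GUID changes.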
 

93803123

I found this graphic...is it current?
should we upgrade to Windows 10 pro?


[image attachment: feature comparison table]

This table is accurate, but what they do not explain in it is that the ASR features for E3 and E5 are not simply settings in the GUI, GPO or AppLocker. All those additional items shown for E3 and E5 have to be manually configured individually on a policy which resides on an Enterprise master configuration system. Then that policy needs to be pushed and installed to the other systems that comprise the group or domain. How the policy gets configured and then pushed (e.g. via subscription Insight service or one's own policy server) is flexible and up to a company to configure.

In other words, @Andy Ful just cannot decide that he wants to enable ASR HIPS rules and then make them work on Home or Pro via Hard Configurator.

To be honest, not even I am sure how it all works because getting access to a fully functioning setup is difficult and expensive. I've had to do just like most people - which is to piece together little tidbits of infos that are available here and there.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
...
In other words, @Andy Ful just cannot decide that he wants to enable ASR HIPS rules and then make them work on Home or Pro via Hard Configurator.
...
That is right. The situation is rather complicated and dimmed by Microsoft. In fact, first I discovered that some advanced rules work, because they blocked a few of my scripts. Next, I found this document, which shows that really some advanced features should work on Windows Home and Pro.
 

93803123

That is right. The situation is rather complicated and dimmed by Microsoft. In fact, first I discovered that some advanced rules work, because they blocked a few of my scripts. Next, I found this document, which shows that really some advanced features should work on Windows Home and Pro.

To complicate matters further there is also the problem of Microsoft changing (tweaking) ASR rules as they go along. The Windows security division is actually small. It's not as if there are literally thousands of people sitting there just waiting for reports to come in from the field and then they pound-out fixes. It's just a guess, but I'm thinking the main players in the Microsoft Windows security division totals 50 or less. What I do know is that whatever the actual number is, it is a very small number relative to the entire organization.

So what. We just deal with it. As if we have any real choice in the matter except to switch to another operating system - and we all know that isn't a practical solution for many people.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Does WD use behavior blocking?

It is funny, but many people think that WD cannot use behavior blocking. Yet, this is the most evident and sometimes annoying WD feature. If WD uses it, then the file execution is temporarily blocked and WD usually shows the alert:

[image: WD alert]

The time required for scanning is set by default to 10s and can be changed up to 60s. After finishing the scan WD takes the below actions:
  1. The file is allowed to run.
  2. The file is not allowed to run. WD removes or quarantines it.
  3. The file is allowed to run, but analysis in the cloud is continued. If the malware is recognized as malicious then WD tries to stop the malware. In some cases, the reboot is required to remove or quarantine the malware.
How does it work on Windows Home and Pro?
WD uses the local signatures and local Machine Learning (ML) models to find out if the file behavior can be malicious or suspicious. If it is suspicious, then the file metadata is sent to WD cloud for quick detection or analysis. This can take several milliseconds. If ML models in the cloud still cannot classify the sample, then it is uploaded to the cloud and analyzed by more comprehensive ML models - this can take several seconds.
Each suspicious action is scored and an overall score is computed for each process. High scoring will trigger the detection of the process as malicious. The threshold when the detection is triggered depends on WD setting (CloudBlockLevel).

On Windows E5 some more advanced features are available, which can take several minutes:
  • Advanced machine learning and AI based protection for apex level viruses and malware threats
  • Advanced cloud protection that includes deep inspection and detonation
  • Emergency outbreak protection from the Intelligent Security Graph
  • Monitoring, analytics and reporting for Next Generation Protection capabilities
Here are some examples of ML behavior-based detections on Windows Pro (default, high or max ConfigureDefender settings):
The update about behavior blocking:
"Components of behavioral blocking and containment
  • On-client, policy-driven attack surface reduction rules: Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center https://securitycenter.windows.com as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
  • Client behavioral blocking: Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
  • Feedback-loop blocking (also referred to as rapid protection): Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
  • Endpoint detection and response (EDR) in block mode: Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)"

From the tests on Malware Hub it follows that the first two components work on any Windows edition (also Windows Home and Pro). The last component seems to work only on Windows E5 (also Microsoft 365 E3 with the Identity & Threat Protection offering subscription). I am not sure about feedback-loop blocking, but this component should work (at least) via "Block At First Sight" feature.

The behavior-based detections related to Client behavior blocking (Behavior:Win32/Persistence.*!ml , Behavior:Win32/Generic.*!ml, ... ) can be seen in the tests made by @SeriousHoax. Also, the behavior blocks related to the ASR rules can be easily recognized in these tests.
In addition to ASR rules, the below techniques should be detected on Windows 10 Home and Pro:


Tactic                  Detection threat name
Initial Access          Behavior:Win32/InitialAccess.*!ml
Execution               Behavior:Win32/Execution.*!ml
Persistence             Behavior:Win32/Persistence.*!ml
Privilege Escalation    Behavior:Win32/PrivilegeEscalation.*!ml
Defense Evasion         Behavior:Win32/DefenseEvasion.*!ml
Credential Access       Behavior:Win32/CredentialAccess.*!ml
Discovery               Behavior:Win32/Discovery.*!ml
Lateral Movement        Behavior:Win32/LateralMovement.*!ml
Collection              Behavior:Win32/Collection.*!ml
Command and Control     Behavior:Win32/CommandAndControl.*!ml
Exfiltration            Behavior:Win32/Exfiltration.*!ml
Impact                  Behavior:Win32/Impact.*!ml
Uncategorized           Behavior:Win32/Generic.*!ml
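An added example tied to the post above (not code from the thread or from Microsoft): it sets the cloud-protection settings the post refers to (MAPS, BAFS, CloudBlockLevel and the extended scan time-out), checks that they took effect, and then lists the Behavior:Win32/*!ml detections in Defender's history labelled with the tactic names from the table above. The tactic map is built from that table; the threat-name parsing and the two helper functions are my own.

```powershell
# Added example (not from the thread): configure the cloud-protection settings
# behind BAFS and behaviour-based blocking, then label recent Behavior:Win32/*!ml
# detections with their ATT&CK tactic name. Run from an elevated prompt.

# 1. Cloud protection settings. CloudExtendedTimeout is added on top of the
#    default 10 s block while the cloud verdict is awaited (max 50, i.e. 60 s total).
Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendAllSamples `
                 -DisableBlockAtFirstSeen $false `
                 -CloudBlockLevel High `
                 -CloudExtendedTimeout 50

function Test-CloudProtection {
    # $true only when every setting BAFS needs is in place.
    $p = Get-MpPreference
    return ($p.MAPSReporting -eq 2) -and        # 2 = Advanced
           ($p.SubmitSamplesConsent -ne 2) -and # 2 = NeverSend
           (-not $p.DisableBlockAtFirstSeen)
}

# 2. Family name in the threat name -> tactic name, taken from the table in the post.
$TacticByFamily = @{
    InitialAccess       = 'Initial Access'
    Execution           = 'Execution'
    Persistence         = 'Persistence'
    PrivilegeEscalation = 'Privilege Escalation'
    DefenseEvasion      = 'Defense Evasion'
    CredentialAccess    = 'Credential Access'
    Discovery           = 'Discovery'
    LateralMovement     = 'Lateral Movement'
    Collection          = 'Collection'
    CommandAndControl   = 'Command and Control'
    Exfiltration        = 'Exfiltration'
    Impact              = 'Impact'
    Generic             = 'Uncategorized'
}

function Get-BehaviorDetections {
    # Reads Behavior:Win32/<Family>.<Variant>!ml entries from Defender's threat
    # history and annotates each with its tactic. Unknown families are kept and
    # labelled rather than dropped, so new threat names still show up.
    Get-MpThreat |
        Where-Object { $_.ThreatName -like 'Behavior:Win32/*!ml' } |
        ForEach-Object {
            $family = ($_.ThreatName -replace '^Behavior:Win32/', '') -split '[.!]' |
                      Select-Object -First 1
            $tactic = if ($TacticByFamily.ContainsKey($family)) { $TacticByFamily[$family] }
                      else { "Unknown ($family)" }
            [pscustomobject]@{
                Tactic     = $tactic
                ThreatName = $_.ThreatName
                IsActive   = $_.IsActive
            }
        }
}

if (-not (Test-CloudProtection)) {
    Write-Warning 'Cloud protection is not fully enabled; BAFS will not fire.'
}
Get-BehaviorDetections | Sort-Object Tactic, ThreatName | Format-Table -AutoSize
```

Get-MpThreat only covers what this machine has already detected, so an empty result on a clean machine is expected; the useful part of the output is seeing which tactic columns of the table actually fire on a Home or Pro edition.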
 
The update about behavior blocking:
"Components of behavioral blocking and containment
  • On-client, policy-driven attack surface reduction rules: Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center https://securitycenter.windows.com as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
  • Client behavioral blocking: Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
  • Feedback-loop blocking (also referred to as rapid protection): Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
  • Endpoint detection and response (EDR) in block mode: Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)"

From the tests on Malware Hub it follows that the first two components work on any Windows edition (also Windows Home and Pro). The last component seems to work only on Windows E5 (also Microsoft 365 E3 with the Identity & Threat Protection offering subscription). I am not sure about feedback-loop blocking, but this component should work (at least) via "Block At First Sight" feature.

The behavior-based detections related to Client behavior blocking (Behavior:Win32/Persistence.*!ml , Behavior:Win32/Generic.*!ml, ... ) can be seen in the tests made by @SeriousHoax. Also, the behavior blocks related to the ASR rules can be easily recognized in these tests.
In addition to ASR rules, the below techniques should be detected on Windows 10 Home and Pro:


Tactic                  Detection threat name
Initial Access          Behavior:Win32/InitialAccess.*!ml
Execution               Behavior:Win32/Execution.*!ml
Persistence             Behavior:Win32/Persistence.*!ml
Privilege Escalation    Behavior:Win32/PrivilegeEscalation.*!ml
Defense Evasion         Behavior:Win32/DefenseEvasion.*!ml
Credential Access       Behavior:Win32/CredentialAccess.*!ml
Discovery               Behavior:Win32/Discovery.*!ml
Lateral Movement        Behavior:Win32/LateralMovement.*!ml
Collection              Behavior:Win32/Collection.*!ml
Command and Control     Behavior:Win32/CommandAndControl.*!ml
Exfiltration            Behavior:Win32/Exfiltration.*!ml
Impact                  Behavior:Win32/Impact.*!ml
Uncategorized           Behavior:Win32/Generic.*!ml

MS is using MITRE ATTACK IQ matrix Tactic names.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator

There are also other partners:

The integration with MITRE ATTACK IQ can be visible via Microsoft Defender Security Center with the paid ATP subscription.
 