How the hell WD works on Windows Home & Pro?
<blockquote data-quote="Andy Ful" data-source="post: 836317" data-attributes="member: 32260"><p><strong>Is there any advantage of BAFS on Windows Home and Pro?</strong></p><p></p><p>Yes, there is, and this is a very important WD feature. BAFS is enabled by default in all Windows editions for all Windows 10 versions supported by Microsoft.</p><p>By design, it works only for files with MOTW. Furthermore, only PE executables (EXE, DLL, etc.) and some script types (JS, VBS, VBA macros, etc.) can be protected.</p><p>Usually, BAFS is automatically triggered when the file has been downloaded from the Internet via Edge or Chrome.</p><p><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus">https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus</a></p><p></p><p></p><p>What is the advantage of BAFS protection?</p><p></p><p>Without BAFS, the downloaded files are checked only against local signatures, which in the case of WD are optimized to minimize false positives. These signatures are only average for fighting new threats.</p><p>BAFS was introduced to cover new threats by applying additional protection:</p><ol> <li data-xf-list-type="ol">It forces scanning the file against fast signatures in the WD Cloud. Fast signatures are created when malicious files have been executed on any computer connected to the cloud. This also includes any computer which uses Windows E3 or E5. So, fast signatures can take advantage of advanced WD features like: "Advanced machine learning and AI based protection for apex level viruses and malware threats", and "Advanced cloud protection that includes deep inspection and detonation". All fast signatures are available for any computer which uses the BAFS feature (also with installed Windows Home or Pro).</li> <li data-xf-list-type="ol">If the file is not known, then it is automatically blocked just as in the case of executing it. This prevents the user from running files after the download, until they are checked by behavior-based cloud features. The behavior-based features are activated just like in the case of file execution and the user can see the usual WD behavior block warning:<br /> <br /> [Attachment 225518: BB.png]</li> </ol><p></p><p>So, for the unknown malware, BAFS on Windows E5 is still stronger than on Windows Home and Pro.</p><p></p><p>In the real-world malware tests, the samples have MOTW attached, so BAFS is triggered and the WD scoring is high.</p><p>In the video tests, BAFS is usually inactive due to the test procedure. The tester unpacks the password-protected archive with malware samples by using third-party unpackers (like 7-Zip). Most unpackers do not transfer the MOTW from the archive to the extracted samples. The malware samples do not have MOTW, so they are ignored by BAFS.</p><p>The MOTW can be transferred from the archive downloaded from the Internet to the extracted malware samples when using Bandizip.</p><p></p><p>Edit.</p><p>The conclusion that fast signatures are not used when a malware file without MOTW is executed follows from some tests made on Malware Hub this year. I do not understand the purpose of such counterintuitive behavior, except when it is for updating fast signatures. It should be confirmed by other tests, because Microsoft can allow fast signatures with any update also for files without MOTW.</p></blockquote><p></p>
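The post above turns on one detail: the MOTW is the NTFS alternate data stream named Zone.Identifier, and whether an extracted file carries it decides whether BAFS evaluates it. The following PowerShell is an added example written for this page, not Andy Ful's code and not a Microsoft tool. It reads the ZoneId of a file's Zone.Identifier stream and, for a directory of files extracted by an unpacker that dropped the mark, copies the archive's ZoneId onto every extracted file that lacks one, so Defender sees the same provenance it would have seen if the archive had been opened by Explorer or Bandizip. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the archive and directory paths in the usage comment are placeholders.

```powershell
# Added example (not from the original post): inspect and propagate the Mark of the Web
# (Zone.Identifier alternate data stream) from a downloaded archive to its extracted files.
# Assumes Windows PowerShell 5.1+ and an NTFS volume; all paths below are placeholders.

function Get-MotwZone {
    # Returns the ZoneId recorded in the file's Zone.Identifier stream, or $null if the
    # file has no MOTW (no stream, or a stream without a ZoneId line).
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    # The stream is an INI fragment: "[ZoneTransfer]" followed by "ZoneId=3" (3 = Internet).
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Copy-Motw {
    # Tags every file under $ExtractedDir that lacks a MOTW with the archive's ZoneId.
    # Returns the list of files that were tagged.
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][string]$ExtractedDir
    )
    $zone = Get-MotwZone -Path $ArchivePath
    if ($null -eq $zone) {
        Write-Warning "Archive '$ArchivePath' carries no MOTW; nothing to propagate."
        return @()
    }
    $tagged = @()
    Get-ChildItem -LiteralPath $ExtractedDir -Recurse -File | ForEach-Object {
        if ($null -eq (Get-MotwZone -Path $_.FullName)) {
            # Minimal Zone.Identifier content: the same ZoneId the archive was downloaded with.
            $motw = "[ZoneTransfer]`r`nZoneId=$zone"
            Set-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Value $motw
            $tagged += $_.FullName
        }
    }
    return $tagged
}

function Show-MotwReport {
    # Prints one line per file: path and ZoneId (or "none"), to verify what Defender will see.
    param([Parameter(Mandatory)][string]$Dir)
    Get-ChildItem -LiteralPath $Dir -Recurse -File | ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        $label = if ($null -eq $zone) { 'none' } else { $zone }
        '{0}  ZoneId={1}' -f $_.FullName, $label
    }
}

# Usage (placeholder paths; the archive is assumed to have been downloaded by a browser):
# Copy-Motw -ArchivePath 'C:\Users\me\Downloads\samples.zip' -ExtractedDir 'C:\Users\me\Downloads\samples'
# Show-MotwReport -Dir 'C:\Users\me\Downloads\samples'
```

Run Show-MotwReport before and after extraction to confirm which unpacker dropped the mark; a ZoneId of 3 (Internet) is the value Defender and SmartScreen treat as untrusted, and Unblock-File is the built-in cmdlet that removes the stream again. Writing the stream only where none exists avoids overwriting a stricter ZoneId (for example 4, Restricted) that a tool may already have set.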