How the hell WD works on Windows Home & Pro?
Andy Ful said (post 900437):

The update about behavior blocking:

"Components of behavioral blocking and containment

- On-client, policy-driven attack surface reduction rules (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction): Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
- Client behavioral blocking (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking): Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
- Feedback-loop blocking (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking), also referred to as rapid protection: Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
- Endpoint detection and response (EDR) in block mode (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode): Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)"

From the tests on Malware Hub it follows that the first two components work on any Windows edition (also Windows Home and Pro). The last component seems to work only on Windows E5 (also Microsoft 365 E3 with the Identity & Threat Protection offering subscription). I am not sure about feedback-loop blocking, but this component should work (at least) via the "Block At First Sight" feature.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking

The behavior-based detections related to Client behavior blocking (Behavior:Win32/Persistence.*!ml, Behavior:Win32/Generic.*!ml, ...) can be seen in the tests made by @SeriousHoax. Also, the behavior blocks related to the ASR rules can be easily recognized in these tests.

In addition to ASR rules, the below techniques should be detected on Windows 10 Home and Pro:

Tactic               | Detection threat name
Initial Access       | Behavior:Win32/InitialAccess.*!ml
Execution            | Behavior:Win32/Execution.*!ml
Persistence          | Behavior:Win32/Persistence.*!ml
Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml
Defense Evasion      | Behavior:Win32/DefenseEvasion.*!ml
Credential Access    | Behavior:Win32/CredentialAccess.*!ml
Discovery            | Behavior:Win32/Discovery.*!ml
Lateral Movement     | Behavior:Win32/LateralMovement.*!ml
Collection           | Behavior:Win32/Collection.*!ml
Command and Control  | Behavior:Win32/CommandAndControl.*!ml
Exfiltration         | Behavior:Win32/Exfiltration.*!ml
Impact               | Behavior:Win32/Impact.*!ml
Uncategorized        | Behavior:Win32/Generic.*!ml
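The post's table gives the naming scheme that client behavioral blocking uses (Behavior:Win32/<Tactic>.<Variant>!ml) and notes that ASR rules are off by default. The script below is an added example, not code from the post, from Microsoft or from the linked docs: it reads the local Defender detection history with the built-in Defender cmdlets (Get-MpThreat, Get-MpThreatDetection, Get-MpPreference), groups the behavior-based detections by the tactic encoded in the threat name, and lists which ASR rules are configured. It assumes the Defender PowerShell module that ships with Windows 10 Home and Pro and an elevated prompt; the ConvertTo-TacticName and Get-BehaviorDetections helpers are this example's own.

```powershell
# Added example (not from the forum post or Microsoft docs).
# Requires the built-in Defender module; run from an elevated PowerShell prompt.

# Naming scheme from the post's table: Behavior:Win32/<Tactic>.<Variant>!ml
$behaviorPattern = '^Behavior:Win32/(?<Tactic>[A-Za-z]+)\.(?<Variant>[^!]+)!ml$'

# Turn the CamelCase tactic token into the spelled-out tactic name used in the table
function ConvertTo-TacticName {
    param([string]$Token)
    if ($Token -eq 'Generic') { return 'Uncategorized' }
    # Insert a space before each capital letter that follows a lowercase letter
    $name = $Token -creplace '(?<=[a-z])(?=[A-Z])', ' '
    return $name -replace ' And ', ' and '
}

function Get-BehaviorDetections {
    # Detection records (time, process) keyed by ThreatID, from the detection history
    $byId = @{}
    foreach ($d in @(Get-MpThreatDetection)) { $byId[$d.ThreatID] = $d }

    # Threat entries carry the threat name; join them to the detection records
    foreach ($t in @(Get-MpThreat)) {
        if ($t.ThreatName -match $behaviorPattern) {
            $d = $byId[$t.ThreatID]
            [pscustomobject]@{
                Tactic     = ConvertTo-TacticName $Matches.Tactic
                Variant    = $Matches.Variant
                ThreatName = $t.ThreatName
                Executed   = $t.DidThreatExecute
                Active     = $t.IsActive
                FirstSeen  = if ($d) { $d.InitialDetectionTime } else { $null }
                Process    = if ($d) { $d.ProcessName } else { $null }
            }
        }
    }
}

# Client behavioral blocking hits, oldest first, then a per-tactic count
$hits = @(Get-BehaviorDetections)
if ($hits.Count -eq 0) {
    'No Behavior:Win32/*!ml detections in the local history.'
} else {
    $hits | Sort-Object FirstSeen | Format-Table Tactic, ThreatName, Executed, Active, FirstSeen, Process -AutoSize
    $hits | Group-Object Tactic | Select-Object Name, Count | Format-Table -AutoSize
}

# ASR rule state. The post notes these are not enabled by default.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$pref        = Get-MpPreference
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ruleIds     = @($pref.AttackSurfaceReductionRules_Ids)
$ruleActions = @($pref.AttackSurfaceReductionRules_Actions)
if ($ruleIds.Count -eq 0) {
    'No ASR rules configured (the default on a fresh install).'
} else {
    for ($i = 0; $i -lt $ruleIds.Count; $i++) {
        $code = [int]$ruleActions[$i]
        $label = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
        '{0}  {1}' -f $ruleIds[$i], $label
    }
}
```

The tactic column lets you compare what actually fired on a Home or Pro machine against the table in the post: a run of Persistence and Generic hits with no ASR rules listed is consistent with client behavioral blocking working on its own, while an empty ASR section confirms the default-off state the post describes.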