How the hell WD works on Windows Home & Pro?
<blockquote data-quote="Andy Ful" data-source="post: 911902" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">Windows Defender Ransomware Protection on Windows Home and Pro.</span></strong></p><p></p><p>WD can prevent/fight ransomware by using several features:</p><ol> <li data-xf-list-type="ol">Deep Learning and heuristic-based behavior detections. This is a common way of detecting ransomware by modern AVs. Unsupervised Deep Learning is used to detect totally unknown ransomware families.</li> <li data-xf-list-type="ol">ASR rule "Use advanced protection against ransomware". This works as a behavior blocker.</li> <li data-xf-list-type="ol">Other ASR rules prevent popular scripting attacks and other attacks used to finally execute the ransomware payload.</li> <li data-xf-list-type="ol">"Ransomware Protection" feature available via Security Center. It enables Controlled Folder Access, which is smart-default-deny for applications/processes that want to access the protected folders and system protected disk areas.</li> </ol><p>The article about Deep Learning:</p><p><a href="https://www.microsoft.com/security/blog/2020/07/23/seeing-the-big-picture-deep-learning-based-fusion-of-behavior-signals-for-threat-detection/">https://www.microsoft.com/security/blog/2020/07/23/seeing-the-big-picture-deep-learning-based-fusion-of-behavior-signals-for-threat-detection/</a></p><p></p><p>The articles about ASR rules:</p><p><a href="https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/Demystifying%20ASR%20rules">https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/Demystifying%20ASR%20rules</a></p><p><a href="https://docs.microsoft.com/pl-pl/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction">https://docs.microsoft.com/pl-pl/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction</a></p><p></p><p>The articles about Controlled Folder Access:</p><p><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-folders">https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/controlled-folders</a></p><p><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders">https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders</a></p><p></p><p>When using Controlled Folder Access (CFA) the user should bear in mind some inconvenience. Third-party applications like system optimizers, backup software, disk management software, media management applications, document editors, etc. will usually be blocked from accessing the protected folders and system protected disk areas. So, the user has to have some skills to identify access issues and exclude the right executables in CFA.</p><p></p><p>One can use Windows Event Log or use ConfigureDefender to create the Log of events related to Windows Defender. The events related to CFA start with:</p><ul> <li data-xf-list-type="ul">Event ID: 1123<br /> (Blocked by Controlled Folder Access)</li> <li data-xf-list-type="ul">Event ID: 1127<br /> (Blocked by Controlled Folder Access - sector write block event)</li> </ul><p>The first event is a typical block when the application is blocked from accessing a file in the protected folder.</p><p>The second event is not related to protected folders, but to blocked processes when they try to access system protected disk areas.</p></blockquote><p></p>
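The post above points the reader at Event IDs 1123 and 1127 in the Defender log as the way to find out which executable CFA has blocked before excluding it. The script below is an added example (not from the post, from ConfigureDefender, or from Microsoft) that does that lookup in PowerShell: it reads the two event IDs from the local Microsoft-Windows-Windows Defender/Operational log, parses each event's XML data fields, and groups the blocks per process so the reader can see which applications need an exclusion. The log name, Get-WinEvent, Add-MpPreference and Get-MpPreference are standard; the field names "Process Name", "Path" and "User" read from the event XML are assumptions, and if a field is absent the column is simply empty.

```powershell
# Added example: summarize Controlled Folder Access block events (IDs 1123 and 1127
# from the post above) from the local Defender operational log. The log name and
# cmdlets are standard; the Data field names read from the event XML are assumed.
# Run in an elevated PowerShell session on a Windows 10/11 machine.

$LogName     = 'Microsoft-Windows-Windows Defender/Operational'
$CfaEventIds = 1123, 1127   # 1123 = protected folder block, 1127 = sector write block

function Get-CfaBlockEvents {
    param(
        [int]$MaxEvents = 200,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    try {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = $LogName
            Id        = $CfaEventIds
            StartTime = $Since
        } -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches the filter; treat that as "no blocks".
        if ($_.Exception.Message -match 'No events were found') { return @() }
        throw
    }

    foreach ($e in $events) {
        # Defender events carry their details as <Data Name="..."> nodes; collect them
        # into a hashtable so the script does not depend on positional property order.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Kind        = if ($e.Id -eq 1123) { 'Protected folder' } else { 'Sector write' }
            ProcessName = $data['Process Name']   # assumed field name
            Target      = $data['Path']           # assumed field name
            User        = $data['User']           # assumed field name
        }
    }
}

# Aggregate per blocked executable so the reader can decide what to exclude.
function Get-CfaBlockSummary {
    param([int]$MaxEvents = 200)
    Get-CfaBlockEvents -MaxEvents $MaxEvents |
        Group-Object ProcessName |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                ProcessName = $_.Name
                Blocks      = $_.Count
                Targets     = ($_.Group.Target | Sort-Object -Unique) -join '; '
            }
        }
}

Get-CfaBlockSummary | Format-Table -AutoSize -Wrap

# Once an entry is confirmed to be a legitimate application (for example a backup tool),
# allow that executable explicitly rather than turning CFA off:
#   Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\Backup.exe'
# Current CFA state and allow list:
#   Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessAllowedApplications
```

The summary lists one row per blocked process with the number of blocks and the distinct targets it tried to touch, which is the information needed to tell a legitimate document editor or backup program from an unexpected writer; excluding only the confirmed executable keeps the default-deny the post describes in place for everything else.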