How the hell WD works on Windows Home & Pro?
<blockquote data-quote="Andy Ful" data-source="post: 987533" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">Cloud Protection Levels</span></strong></p><p></p><p>There is a lot of misunderstanding about how cloud-delivered protection works. Here is a diagram from the Microsoft documentation:</p><p></p><p><a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide">https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide</a></p><p></p><p>[ATTACH=full]266439[/ATTACH]</p><p><s>The </s><span style="color: rgb(184, 49, 47)"><s><strong>red arrow</strong></s></span><s> shows the moment when the Cloud protection level "Zero tolerance" (Block setting in ConfigureDefender) will block the unknown file. The decision is made in the cloud after the analysis of telemetry (file metadata check). The file is not uploaded to the cloud. Some files can still infect the system if they are not recognized as suspicious by local protection layers; they are not checked by the cloud backend even on execution. Only when the file has MOTW (file downloaded via a web browser) is it obligatorily checked by the cloud backend via BAFS.</s></p><p></p><p>The <strong><span style="color: rgb(41, 105, 176)">blue arrow</span></strong> shows the moment when <s>the High and High+ (Highest setting in ConfigureDefender)</s> advanced Cloud protection levels are important. They work after uploading the file to the cloud. In this case, the analysis can take longer, but we have a lower rate of false positives.</p><p></p><p>Examples of metadata used by Defender:</p><p></p><table style='width: 100%'><tr><th>Type</th><th>Attribute</th></tr><tr><td>Machine attributes</td><td>OS version<br /> Processor<br /> Security settings</td></tr><tr><td>Dynamic and contextual attributes</td><td><strong>Process and installation</strong><br /> ProcessName<br /> ParentProcess<br /> TriggeringSignature<br /> TriggeringFile<br /> Download IP and url<br /> HashedFullPath<br /> Vpath<br /> RealPath<br /> Parent/child relationships<br /> <br /> <strong>Behavioral</strong><br /> Connection IPs<br /> System changes<br /> API calls<br /> Process injection<br /> <br /> <strong>Locale</strong><br /> Locale setting<br /> Geographical location</td></tr><tr><td>Static file attributes</td><td><strong>Partial and full hashes</strong><br /> ClusterHash<br /> Crc16<br /> Ctph<br /> ExtendedKcrcs<br /> ImpHash<br /> Kcrc3n<br /> Lshash<br /> LsHashs<br /> PartialCrc1<br /> PartialCrc2<br /> PartialCrc3<br /> Sha1<br /> Sha256<br /> <br /> <strong>File properties</strong><br /> FileName<br /> FileSize<br /> <br /> <strong>Signer information</strong><br /> AuthentiCodeHash<br /> Issuer<br /> IssuerHash<br /> Publisher<br /> Signer<br /> SignerHash</td></tr></table><p></p><p><a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide#examples-of-metadata-sent-to-the-cloud-protection-service">https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide#examples-of-metadata-sent-to-the-cloud-protection-service</a></p><p></p><p>Edit.</p><p>After some additional tests on Windows Server 2019 and Windows 10 Enterprise, I confirmed that files are also submitted to the cloud backend with the "Zero tolerance" (Block) level. The post was edited to reflect this behavior.</p></blockquote><p></p>
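As an added example (my own, not from Andy Ful's post or from ConfigureDefender), a read-only PowerShell audit of the Defender cloud-protection settings the post discusses. The numeric-to-name mapping follows the documented Set-MpPreference -CloudBlockLevel values; the ConfigureDefender labels in parentheses are the post's own mapping, and the script assumes it is run elevated on a machine where Defender Antivirus is the active AV.

```powershell
# Added example: audit the Defender cloud-protection settings discussed in the
# quoted post. Read-only; uses only the documented Get-MpPreference and
# Get-MpComputerStatus cmdlets. Run from an elevated PowerShell session.

# Documented Set-MpPreference -CloudBlockLevel values, with the ConfigureDefender
# labels the post maps them to.
$BlockLevelNames = @{
    0 = 'Default'
    1 = 'Moderate'
    2 = 'High'
    4 = 'High+ (ConfigureDefender "Highest")'
    6 = 'Zero tolerance (ConfigureDefender "Block")'
}
$MapsNames    = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$SamplesNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }

function Get-DefenderCloudAudit {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = New-Object System.Collections.Generic.List[string]

    # MAPS off means no metadata lookup at all, so CloudBlockLevel is moot.
    if ($pref.MAPSReporting -eq 0) {
        $findings.Add('MAPSReporting=Disabled: no cloud metadata check; CloudBlockLevel has no effect.')
    }
    # The post-upload ("blue arrow") analysis needs sample submission to be allowed.
    if ($pref.SubmitSamplesConsent -eq 2) {
        $findings.Add('SubmitSamplesConsent=NeverSend: files are never uploaded, so post-upload analysis cannot run.')
    }
    # Block at First Sight is the mechanism that forces the cloud check on MOTW downloads.
    if ($pref.DisableBlockAtFirstSeen) {
        $findings.Add('Block at First Sight is disabled.')
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings.Add('Real-time protection is off: no cloud check happens at execution.')
    }
    $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'none' }

    # Hashtable keys are [int]; the preference values are [byte], so cast before lookup.
    [pscustomobject]@{
        CloudBlockLevel      = '{0} ({1})' -f $pref.CloudBlockLevel, $BlockLevelNames[[int]$pref.CloudBlockLevel]
        MAPSReporting        = $MapsNames[[int]$pref.MAPSReporting]
        SubmitSamplesConsent = $SamplesNames[[int]$pref.SubmitSamplesConsent]
        CloudExtendedTimeout = '{0}s extra hold while the cloud verdict is pending' -f $pref.CloudExtendedTimeout
        BlockAtFirstSight    = -not $pref.DisableBlockAtFirstSeen
        Findings             = $summary
    }
}

Get-DefenderCloudAudit | Format-List
```

A "Zero tolerance" level with MAPSReporting disabled or SubmitSamplesConsent set to NeverSend shows up in Findings, which is the combination that leaves only the local engine to decide on an unknown file.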