Advice Request Is the improved performance of Microsoft Defender a myth? Should we necessarily be using a 3rd party AV?

[Andy Ful]

Hey, I got 10 pages to try catch up so welcome to the club!

I feel like inside the magic circle. When I try to explain something then I see the post which suggests that I wrote something else. I tried to jump out from this circle but such posts pull me back again. I am afraid that some discussions can be felt by me like talking about sex with a child. No matter what you say, the child is not able to understand you.
It can be also that the reason is my poor English.

 

[monkeylove]

I tried Andy's advice, and also given ShadowRa's latest list of results where Windows Security does better, and I have two questions:

1. What's the anti-ransomware ability of Defender with ConfigureDefender tweaked in high, and Simple Windows Hardening on? (Aside: I could not run one old program, Cinemania, unless I turned off Software Restriction Policy.)

2. What's the web protection like? I use Firefox, so I don't think Smart Screen works with it, and I visit sites that are blocked by Kaspersky, Avast, or Adguard. Can an addon or extension serve in place of Smart Screen?

 

[ScandinavianFish]

I tried Andy's advice, and also given ShadowRa's latest list of results where Windows Security does better, and I have two questions:

1. What's the anti-ransomware ability of Defender with ConfigureDefender tweaked in high, and Simple Windows Hardening on? (Aside: I could not run one old program, Cinemania, unless I turned off Software Restriction Policy.)

2. What's the web protection like? I use Firefox, so I don't think Smart Screen works with it, and I visit sites that are blocked by Kaspersky, Avast, or Adguard. Can an addon or extension serve in place of Smart Screen?

At default settings it only has Controlled Folder Access, while simple, its extremely effective and will always defend protected folders form modification, though it will block both legitimate and malicious attempts to do so and it may cause alert fatigue, with ConfigureDefender on High, Advanced Ransomware Protection will be enabled, which uses Heuristics and reputation based analysis to constantly monitor files for signs of ransomware, though ive found it to sometimes cause false positives with documents

If you use Edge, Smartscreen and Network Protection, the web protection is as good as paid solutions.

 

[ForgottenSeer 69673]

I do not know about you guys, but I cannot wait for the new Metaverse Protection Setting MS is adding to Defender.

 

[Andy Ful]

I have two questions:

1. What's the anti-ransomware ability of Defender with ConfigureDefender tweaked in high, and Simple Windows Hardening on?

<Cloud Protection Level> = Highest, is a strong anti-ransomware protection. It is a simplified version of the "AI-driven adaptive protection" implemented in the Microsoft Defender for Endpoint. The full feature can use normally the low aggressiveness level and can make it higher when suspicious processes are detected.

AI-driven adaptive protection against human-operated ransomware | Microsoft Security Blog

We developed a cloud-based machine learning system that, when queried by a device, intelligently predicts if it is at risk, then automatically issues a more aggressive blocking verdict to protect the device, thwarting an attacker’s next steps.

www.microsoft.com

Other anti-ransomware features come from ASR rules and Network Protection. They can prevent the delivery of ransomware and one ASR rule is strictly related to block ransomware techniques.

The last feature is Controlled Folder Access that is intended to protect the user-selected folders (some folders are protected by default).

(Aside: I could not run one old program, Cinemania, unless I turned off Software Restriction Policy.)

Use <View Blocked Events> to identify what is blocked. Use <Manage the Whitelist> to allow the application in SRP. You can post about problems to the SWH forum.

2. What's the web protection like? I use Firefox, so I don't think Smart Screen works with it, and I visit sites that are blocked by Kaspersky, Avast, or Adguard. Can an addon or extension serve in place of Smart Screen?

I do not know. But, some MT members know it for sure.
Anyway, if you enable Network Protection, then the SmartScreen should be extended also to Firefox and any other web-based application. You can use this link in Firefox to see how it works:

SmartScreen Test

 

[wat0114]

I know this is a super simplistic example of stopping an infection before the malicious process can even infect, reaching ring zero, assuming it's created to do so, and this is also my layman's way of setting up my security approach in dealing with malicious content that may find it's way onto my device, which is to prevent it from even launching in the first place:

Analysis of the Locky infection process

In recent months, there has been a significant increase in the number of networks and users affected by ransomware known as Locky, discusses ESET's Diego Perez.

www.welivesecurity.com

Let's say AV fails to detect it as malicious, well then the next steps could be as follows:

1. My brain needs to determine if I think it's safe to open. Yes or No. If No, then I delete it and all is over. if Yes, then step 2.
2. I click on the attachment.
3. SRP will stop it, because it is setup to block scripts with, among other types, .BAT or .VBS extensions. No harm done.
4. If I'm really being stupid and I decide to disable SRP to launch it, then OSArmor will block, giving me more details in that the .BAT script is attempting to launch the asddddd.exe payload. Well hopefully I'm smart enough (I know I would be ) to keep this attempt blocked.

Again, this is very simple and perhaps I haven't even described the process accurately enough, but I perceive several steps in blocking the malware before it gets a firm foothold in ring 0, and of course more importantly, no infection occurs.

BTW, this "example case" also supports the assertions made in this thread that it is the user's fault when they get infected.
It is also just one example of why I will never fully depend on AV in my security setup , because it is not 100% reliable.

 

[Andy Ful]

Let's say AV fails to detect it as malicious, well then the next steps could be as follows:

1. My brain needs to determine if I think it's safe to open. Yes or No. If No, then I delete it and all is over. if Yes, then step 2.
2. I click on the attachment.
3. SRP will stop it, because it is setup to block scripts with, among other types, .BAT or .VBS extensions. No harm done.
4. If I'm really being stupid and I decide to disable SRP to launch it, then OSArmor will block, giving me more details in that the .BAT script is attempting to launch the asddddd.exe payload. Well hopefully I'm smart enough (I know I would be ) to keep this attempt blocked.

You can simplify this method and make it even stronger, by stopping before the last point and waiting one day. Then most people will have much more chances for detecting the threat by the AV than making the right decision based on OSA.
By the way, when the office document runs the script, then it is 99,9% malicious. So, do not rely on any rule, just do not execute it.

 

[wat0114]

By the way, when the office document runs the script, then it is 99,9% malicious. So, do not rely on any rule, just do not execute it.

Agreed, but (and I hope I'm not mistaken on this) the OSA alerts or even the one before with SRP could allow one to make an informed decision before allowing it to run the .BAT->asddddd.exe payload. Essentially i'm not relying only on AV and my brain to prevent the threat. But again, my main point was an attempt to illustrate that ring 0 is a non factor if the malware isn't allowed to launch.

Edit
there's also an agenda to indirectly provide some "feedback" for the second question of the thread title: Should we necessarily be using a 3rd party AV?

 

[Andy Ful]

It is OK. OSA is very good software.

 

[wat0114]

It is OK. OSA is very good software.

Thanks. I just also want to clarify I'm not a shill for the developer of OSA

 

[Templarware]

@danb and @ScandinavianFish I worded that wrong, Yes Dan I have 2 questions

DUI asks the user to disable MD tamper protection last time I tried it (which was also the reason for de-installing it again)

I've started using DefenderUI today and it didn't ask me that, I'm using it with tamper protection anabled.

 

[ForgottenSeer 92963]

I've started using DefenderUI today and it didn't ask me that, I'm using it with tamper protection anabled.

See the earlier programmer's response in this thread post number #161

Great to hear that you can use the pro features without disabling MD tamper protection, well done.

 

[SeriousHoax]

<Cloud Protection Level> = Highest, is a strong anti-ransomware protection. It is a simplified version of the "AI-driven adaptive protection" implemented in the Microsoft Defender for Endpoint. The full feature can use normally the low aggressiveness level and can make it higher when suspicious processes are detected.

AI-driven adaptive protection against human-operated ransomware | Microsoft Security Blog

We developed a cloud-based machine learning system that, when queried by a device, intelligently predicts if it is at risk, then automatically issues a more aggressive blocking verdict to protect the device, thwarting an attacker’s next steps.

www.microsoft.com

I actually wanted to ask you this but forgot and now remembered after you mentioned this MS blog post.
Maybe I'm wrong but to me, it looks like MS is kind of saying that it's not necessary to tweak the cloud protection level anymore. It's AI-driven adaptive protection is now smart enough to automatically change its aggressiveness when required.

The adaptive protection feature works on top of the existing robust cloud protection, which defends against threats through different next-generation technologies. Compared to the existing cloud protection level feature, which relies on admins to manually adjust the cloud protection level, the adaptive protection is smarter and faster. It can, when queried by a device, automatically ramp the aggressiveness of cloud-delivered blocking verdicts up or down based on real-time machine learning predictions, thus proactively protecting the device.

Also in AV-Comparative's business test, MS used to make two changes to the default settings, one is installing “Windows Defender Browser Protection” extension on Google Chrome and the other one “CloudBlockLevel” set to “High”. Not even Highest aka High+.
But in the latest Business AVC test, CloudBlockLevel wasn't modified. So it was kept on Default.
So because of the MS blog post and the AVC test, it seems Microsoft is now confident on their "Default" cloud protection level.

 

[Andy Ful]

... it looks like MS is kind of saying that it's not necessary to tweak the cloud protection level anymore. It's AI-driven adaptive protection is now smart enough to automatically change its aggressiveness when required.

It is available only in the paid versions.

But in the latest Business AVC test, CloudBlockLevel wasn't modified. So it was kept on Default.
So because of the MS blog post and the AVC test, it seems Microsoft is now confident on their "Default" cloud protection level.

This test is for a paid Defender which includes Microsoft Endpoint Manager.

 

[VecchioScarpone]

I've started using DefenderUI today and it didn't ask me that, I'm using it with tamper protection anabled.

Dan may correct me but last time I enquired from him, DefenderUI pro is on beta. And If Tamper Protection is enabled features that require it to be disabled, though On they are not actually working.

DefenderUI 100 should be fine.

 

[SeriousHoax]

It is available only in the paid versions.

The base AV is still the same, so maybe home users will benefit from it a bit as well. I hate how MS always talks about the Endpoint product's features without mentioning whether that's available on home products or not. If I wasn't a member of any forums, I probably wouldn't have known about the extra features like ASR rules, cloud protection level, etc. we can enable on Microsoft Defender Free.

 

[ScandinavianFish]

The base AV is still the same, so maybe home users will benefit from it a bit as well. I hate how MS always talks about the Endpoint product's features without mentioning whether that's available on home products or not. If I wasn't a member of any forums, I probably wouldn't have known about the extra features like ASR rules, cloud protection level, etc. we can enable on Microsoft Defender Free.

Windows Defender for Home has all features except expert written rules and file detonation (sandbox), most of it just isnt enabled by default, technically also includes Block at first sight, which requires tuning the settings to be more aggressive.

 

[SeriousHoax]

Windows Defender for Home has all features except expert written rules and file detonation (sandbox), most of it just isnt enabled by default, technically also includes Block at first sight, which requires tuning the settings to be more aggressive.

Yeah, that's what I'm saying. It has these great extra features but average users don't know about any of these because they're not accessible from the UI. Also, as I said, Microsoft's documentation doesn't make it any easier.
One little example, the cloud protection level "Block/Zero tolerance blocking level" doesn't work as expected in home products but you wouldn't know why because MS doesn't tell us why. So some confusion remains.

 

[Andy Ful]

Windows Defender for Home has all features except expert written rules and file detonation (sandbox),

There are some more too. Also, the paid versions have different abilities depending on the chosen subscription.

 

[monkeylove]

I tried the advice and encountered problems, e.g., apps that had to be whitelisted, programs like Adguard that began to malfunction and could not be installed or uninstalled properly, etc. Given that, I decided to do a system restore and go back to the point before I made the tweaks. And since I want to avoid using Edge I will have to use a third-party AV.

I will do the same for family members because I don't think they'll know or have the time to figure out reconfiguring tweaks.