Advice Request Is the improved performance of Microsoft Defender a myth? Should we necessarily be using a 3rd party AV?

[danb]

Yes, I am aware. The SRP was also tested with Recommended Settings + Forced SmartScreen. From the point of view of the user, these setups are similar. The Forced SmartScreen in the SRP test did a similar thing as VirusTotal (and AI lookup) in the VS test. If VS was tested in "Always ON" mode and SRP with All_ON setup, then one could probably test them over a year without any misses.



It is nice that we can agree on something.
But, it seems that we differently understand modern threats. I understand them as in the Microsoft documentation, and that means the lateral movement especially with using .NET DLLs and kernel-based malware (Bad USB, kernel exploits, etc.). For fighting such threads you need the "Modern SRP" which is Microsoft Defender Application Control (a mix of the classic SRP idea with Application Guard).

The VS test was performed mainly with signed and verified malware, at my request. SmartScreen on its own will not fair nearly as well if only signed and verified malware is used in the test. The reason I know this is because SS is implemented into WLC / VoodooAi as feature. We should test in the MH using the same malware to be sure .

You cannot equate user-mode SRP with kernel-mode mechanisms. As much as you a few other people wish for this to be the case, it simply will never be.

 

[danb]

None of the ConfigureDefender profiles (DEFAULT, HIGH, INTERACTIVE, and MAX) need to disable Tamper Protection.

In the interest of clarity, can ConfigureDefender toggle Behavior Monitoring, Scan all downloaded files and attachments or Script scanning when Tamper Protection is enabled, yes or no?

 

[VecchioScarpone]

You can use this one. Disable Tamper protection and run this.

AdvancedRun-MD Protection History Remover.7z

drive.google.com

Thanks, it looks similar with what @oldschool suggested. @danb DefenderUI did the trick in a super simple way. I'll bookmarks those links though, you never know.

 

[Andy Ful]

You cannot equate user-mode SRP with kernel-mode mechanisms. As much as you a few other people wish for this to be the case, it simply will never be.

The kernel-mode mechanism has nothing to do with these tests. It seems that you have a problem with understanding my clear statements about (classic) SRP's inability to fight kernel-based threats (I mentioned this inability in several posts on this thread). Should I repeat this in any of my posts or you finally can remember this?

 

[Andy Ful]

In the interest of clarity, can ConfigureDefender toggle Behavior Monitoring, Scan all downloaded files and attachments or Script scanning when Tamper Protection is enabled, yes or no?

No. You can read it in the ConfigureDefender help (PDF file).

 

[ForgottenSeer 92963]

@danb and @ScandinavianFish I worded that wrong, Yes Dan I have 2 questions

DUI asks the user to disable MD tamper protection last time I tried it (which was also the reason for de-installing it again)

1. Can I use DUI PRO advanced features (like the really great context aware anti exploit protection) with MD tamper protection enabled when I don't "toggle Behavior Monitoring, Scan all downloaded files and attachments or Script scanning" and disable MD through security center in the rare and unusual occasion that would be needed (so not using the features which Dan mentioned why user had to disable tamper protection)?

2. I have MD running in a sandbox, is DUI PRO able to protect and restart MD also in that use case?

 

[ForgottenSeer 92963]

The kernel-mode mechanism has nothing to do with these tests. It seems that you have a problem with understanding my clear statements about (classic) SRP's inability to fight kernel-based threats (I mentioned this inability in several posts on this thread).

Agree I also mentioned that SRP lives in the wrong ring, see my earlier post, but that does not makes it useless.

Anti-virus companies like to refer to real virus infections for comparison, but a vaccine passes medical certification when it protects for 50% or more (not 100%). Yesterday I got my Covid booster, it probably protects only for 30% to 50% against latest Omicron variant (and 50% to 80% against hospitalization), so not bulletproof, but still useful IMO.

 

[Local Host]

So why not use ConfigureDefender or Group Policy Editor to harden it so you dont have to worry about your family running it?

Cause as stated, Windows Defender fails to protect them even with those settings, not to mention the useability that is lost, I would get constant calls to solve issues cause of Windows Defender.

Last time I had an uncle arguing he didn't want to install anything, I used ConfigureDefender on it, and I had constant calls due to Windows Defender bugs and false positives, not to mention restrictive measures, so I set the settings to High instead and he got his browser hijacked in less than a week.

He stopped arguing since I installed Kaspersky, and hasn't call me once in months about having issues with his PC.

 

[ScandinavianFish]

Cause as stated, Windows Defender fails to protect them even with those settings, not to mention the useability that is lost, I would get constant calls to solve issues cause of Windows Defender.

Last time I had an uncle arguing he didn't want to install anything, I used ConfigureDefender on it, and I had constant calls due to Windows Defender bugs and false positives, not to mention restrictive measures, so I set the settings to High instead and he got his browser hijacked in less than a week.

He stopped arguing since I installed Kaspersky, and hasn't call me once in months about having issues with his PC.

Sounds a lot like overreaction on his part, I have used Windows Defender for 3 years now, while going back and forwards with different AV's, it has most of the time ive just ran it a alone and I have not encountered a single false positive on High protection level using ConfigureDefender, and while yes, it has some visual bugs, but its never anything serious.

Expecting an antivirus to do all the dirty work is fooling yourself into an false sense of security, if your uncle cant avoid malware and PUP's then thats on his part, not the security software, and there are many things AV's cant really protect you against, like scams involving tech support, snake oil, etc.

 

[wat0114]

Agree I also mentioned that SRP lives in the wrong ring,...

Assuming you are talking about ring 0, this should not matter if SRP prevents the malware gaining a foothold at this low level in the first place. If the initial and first one or two links in the infection chain are prevented at, let's say ring 3, then ring 0 becomes a moot point anyway. The goal, I believe, is to stop the infection process in the very early stages so as not to allow a malicious process to proceed to the ring 0 attack stage level.

 

[wat0114]

Cause as stated, Windows Defender fails to protect them even with those settings, not to mention the useability that is lost, I would get constant calls to solve issues cause of Windows Defender.

With absolutely no malice intended, It seems to me your relatives are conducting "high risk" web activities.

 

[Digmor Crusher]

Cause as stated, Windows Defender fails to protect them even with those settings, not to mention the useability that is lost, I would get constant calls to solve issues cause of Windows Defender.

Last time I had an uncle arguing he didn't want to install anything, I used ConfigureDefender on it, and I had constant calls due to Windows Defender bugs and false positives, not to mention restrictive measures, so I set the settings to High instead and he got his browser hijacked in less than a week.

He stopped arguing since I installed Kaspersky, and hasn't call me once in months about having issues with his PC.

I've been using Configure Defender for over a year and Defender is so quite its becoming boring, so me thinks the problem is not WD.

 

[Deletedmessiah]

This thread right now

 

[monkeylove]

In such a situation, the preferred Windows built-in setup would be Defender with ConfigureDefender HIGH settings + Simple Windows Hardening. This config is very silent. You probably used ConfigureDefender MAX settings that apply some noisy ASR rules and can block non-prevalent applications/updates.



It is also a good setup for adults. You can try Simple Windows Hardening to strengthen the protection against scripting/fileless attacks. Nowadays, the applications use scripting methods extremely rare, so this setup should be also silent. On the contrary, cybercriminals like scripting malware very much.

Thanks! I'll give it another shot.

 

[ForgottenSeer 92963]

Assuming you are talking about ring 0, this should not matter if SRP prevents the malware gaining a foothold at this low level in the first place. If the initial and first one or two links in the infection chain are prevented at, let's say ring 3, then ring 0 becomes a moot point anyway. The goal, I believe, is to stop the infection process in the very early stages so as not to allow a malicious process to proceed to the ring 0 attack stage level.

That is my point also but nearly everything you download from the internet or mail lands in user land. User land processes are allowed to modify other user land processes (called a side by side infection*). Therefor it is better for a security program to have higher rights, because lower rights objects can't modify higher rights objects.

After XPoff (forgot his exact nickname) made behavioral protection program Cyberhawk blind (decades ago in a Poc) by unhooking its userland controls, the general consensus is that security should be enforced at kernel level (DanB has a point with his critism). it is not the fact that it is "game over" when intrusions reach system level, but lower rights objects can not touch higher level objects and more important can't disable them (with a side-by-side attack in user land).

* This is why Microsoft and Google started to render webpages in untrusted processes (pushing them to lower rights processes and preventing them to infect processes running with medium rights). Same applies for opening PDF's in the the browsers and running Windows mail app in a lower rights sandbox.

 

[ForgottenSeer 69673]

That is my point also but nearly everything you download from the internet or mall lands in user land. User land processes are allowed to modify other user land processes (called a side by side infection*). Therefor it is better for a security program to have higher rights, because lower rights objects can't modify higher rights objects.

After XPoff (forgot his exact nickname) made behavioral protection program Cyberhawk blind (decades ago in a Poc) by unhooking its userland controls, the general consensus is that security should be enforced at kernel level (DanB has a point with his critism). it is not the fact that it is "game over" when intrusions reach system level, but lower rights objects can not touch higher level objects and more important can't disable them (with a side-by-side attck in user land).

* This is why Microsoft and Google started to render webpages in untrusted processes (pushing them to lower rights processes and preventing them to infect processes running with medium rights). Same applies for opening PDF's in the the browsers and running Windows mail app in a lower rights sandbox.

If I remember correct, XP_Xoff went to work for Microsoft. That sure brings back old memories Kees. The days of Rootkit.com, Holyfather (RIP), wave, 29a, Russ R's Rootkit Revealer from Sysinternals, now also with Microsoft. Thanks for the trip down memory lane Kees.

 

[Andy Ful]

That is my point also but nearly everything you download from the internet or mall lands in user land. User land processes are allowed to modify other user land processes (called a side by side infection*). Therefor it is better for a security program to have higher rights, because lower rights objects can't modify higher rights objects.
...

It does not really matter for home users. When SRP is not running in Ring 0, then the malware running with Admin privileges must bypass fewer obstacles to dismantle the SRP protection, compared to the security running in Ring 0.
But this also assumes that:

1. Malware knows that the home user applied SRP (hardly possible).
2. Malware has to infect/exploit the system (hardly possible with SRP on Windows 10).
3. Malware has to elevate (hardly possible with SRP on Windows 10, especially with Defender).

All of this can matter only with highly targeted attacks that can happen in Enterprises via lateral movement. Diplomats and dissidents can also consider this danger.
It is worth knowing that running a security program in Ring 0 does not mean that it can protect against kernel-based malware (like for example WannaCry worm). Also, running the security program in Ring 0 can be rather easily bypassed in highly targeted attacks. Furthermore, most security programs do not run fully in Ring 0, so they can be exploited/bypassed by processes from the userland.

Endpoint Detection and Response: How Hackers Have Evolved (part 1)

By: Matthew Eidelberg " Endpoint Detection and Response: How Hackers Have Evolved PART 1 OF A SERIES. The primary goal of an attacker is to achieve a specific objective without being detected. This often involves establishing a foothold in an environment and then moving laterally. In a...

malwaretips.com

Dell Windows drivers still vulnerable to kernel attacks

Users of Dell systems are still at risk of having their Windows systems compromised via Dell drivers through kernel attacks. The problem was supposed to be fixed by updates as early as May 2021. However, security researchers from Rapid7 are now sounding the alarm that these security updates have...

malwaretips.com

The true security boundary has to be run in Ring -1 (Virtualisation-based Security). Such security was already adopted by some AV vendors. The Windows built-in Microsoft Defender Application Guard ("Modern SRP" model) uses it too.

 

[ForgottenSeer 92963]

It is worth knowing that running a security program in Ring 0 does not mean that it can protect against kernel-based malware

That is what I tried to explain

"it is "game over" when intrusions reach system level"

This argument often clouds the discussion about system level vs user land protection (to your irritation as I noticed from your responses to DanB )

 

[Andy Ful]

This argument often clouds the discussion about system level vs user land protection (to your irritation as I noticed from your responses to DanB )

I am irritated when people try to incorrectly interpret my posts. So, if I state something clearly several times and next I see the post that clearly suggests that I stated the opposite, I am irritated.
Of course, I would like when the (classic) SRP could run in Ring 0, but this would not improve much its protection for home users. Simply, the attackers do not even try to dismantle it, because it is so rarely used at home. I did not see any anti-SRP modules in any exploit kit. Furthermore, I did not see any malware in the wild (in the last few years) which would try to dismantle SRP.
So, I will worry only when half of the home users will start using SRP (which will never happen).

 

[upnorth]

I am irritated

Hey, I got 10 pages to try catch up so welcome to the club!