- May 31, 2017
The VS test was performed mainly with signed and verified malware, at my request. SmartScreen on its own will not fair nearly as well if only signed and verified malware is used in the test. The reason I know this is because SS is implemented into WLC / VoodooAi as feature. We should test in the MH using the same malware to be sure .Yes, I am aware. The SRP was also tested with Recommended Settings + Forced SmartScreen. From the point of view of the user, these setups are similar. The Forced SmartScreen in the SRP test did a similar thing as VirusTotal (and AI lookup) in the VS test. If VS was tested in "Always ON" mode and SRP with All_ON setup, then one could probably test them over a year without any misses.
It is nice that we can agree on something.
But, it seems that we differently understand modern threats. I understand them as in the Microsoft documentation, and that means the lateral movement especially with using .NET DLLs and kernel-based malware (Bad USB, kernel exploits, etc.). For fighting such threads you need the "Modern SRP" which is Microsoft Defender Application Control (a mix of the classic SRP idea with Application Guard).
You cannot equate user-mode SRP with kernel-mode mechanisms. As much as you a few other people wish for this to be the case, it simply will never be.