Advice Request Is the improved performance of Microsoft Defender a myth? Should we necessarily be using a 3rd party AV?

[danb]

You have never been to this theater.
If you are looking for evidence then look at the tests on Malware Hub. Even without any AV (only properly configured SRP) the results were like in (almost) perfect theater. You can compare them with the test results of VS, if you need a reference point.

Anyway, you are right that classic SRP was not designed to mitigate modern threats in the business environment. The danger comes from the attacks with admin rights via lateral movement. Furthermore, SRP and Windows policies are not well designed to stop the highly targeted attacks. Lastly, most people do not know how to configure SRP for optimal protection (you are not the only one).

Properly configured SRP + simple hardening (like blocking SMB protocols and remote features) is still very efficient when a few computers are connected to the home router (no lateral movement).

You are aware that VS was tested in AutoPilot mode, so your comment is quite disingenuous. This is the exact kind of security theater that I am talking about.

Software Restriction Policy was designed to stop the user from running user mode software. It was not designed as a sophisticated anti-malware mechanism that blocks modern threats. In other words, you can use a screwdriver to drive a nail, but it is best to use the right tool for the job (a hammer).

 

[danb]

SRP has its flaws (like living in the wrong ring), but Andy has tackled some known problems of SRP (the UAC user access holes in Windows folder and LNK troubles) in the predefined settings, but .....

... with Andy' s predefined SRP rules blocking file extensions misusing the windows build-in command execution binary's (LoLbins) AND
... Simple Windows and Firewall Hardening adding some additional hurdles to misuse LolBins AND
... Controlled folder acces blocking write access to user land folders AND
... Configure Defender adding ASR and stronger cloud protection AND
... Windows Smart Screen blocking unknown executables with MOTW AND
... Edge Smart Screen having the best Malware and URL protection AND
... Edge Browser having the strongest sandbox of all Chromium browsers on Windows AND
... simple router partitioning and hardening (all IOT devices in Guest Network, phones and visitors in 2.4 network and only trusted devices in 5Ghz) AND
... using a DNS which also blocks Malware and an ISP which also checks my e-mail on malware AND
... common sense safehex practices

I am not using a HIPS and Outbound FireWall anymore, because I am confident those additional hurdles are good enough protection for the average home use (I am also not wearing a bullet proof vest when I do my shopping, better use this great advice for life: link)

At the end of the day, SRP is still SRP, with all of its known limitations.

As Neil DeGrasse Tyson said... "The good thing about science is that it’s true whether or not you believe in it."

 

[wat0114]

Actually, just taking the title of this thread at absolute face value, the first of the two questions is easy to answer:

Is the improved performance of Microsoft Defender a myth?

No, it's not a myth. It was introduced with Windows Vista and 7, and has since indisputably improved with Windows 10/11. I'm pretty sure there's plenty of evidence available to support this claim.

Should we necessarily be using a 3rd party AV?

This one obviously has no one one-size-fits-all answer. Amongst the many millions worldwide who use a computer, there is such a vast range of unique variables, that some will do better with 3rd party AV, while others will do fine with Defender, and others with even no AV at all.

 

[ForgottenSeer 92963]

At the end of the day, SRP is still SRP, with all of its known limitations.

As Neil DeGrasse Tyson said... "The good thing about science is that it’s true whether or not you believe in it."

First. what part of "SRP has its limitations" did you not understand? I agreed with you that SRP is not the answer for all malware intrusions, but in combination with other off-the-shelve security mechanisms it helps to reduce the risk of malware to acceptable levels for me. SRP is just one of the players in my security team. When one player in my team has been passed by an opponent, it does nat mean that the opponent scored a goal or won the game. That is the benefit of using multiple levels of security IMO.

Secondly: the truth of science has shifted over time when better observations lead to other conclusions (like the earth is flat evolved to earth is round and the evolution theory) and scientific studies leading to ambiguous conclusions (link). So for what I know now, SRP as used in SWH helps to make MD (probably all AV's) stronger.

In other words, you can use a screwdriver to drive a nail, but it is best to use the right tool for the job (a hammer).

So its makes sense to disable Microsoft Defender tamper protection to enable DUI's (tamper) protection for Microsoft Defender?

 

[ScandinavianFish]

What part of "SRP has its limitations" did you not understand?

So its makes sense to disable Microsoft Defender tamper protection to enable DUI's (tamper) protection for Microsoft Defender?

DUI's tamper protection IS Microsoft Defender's tamper protection, majority of the settings you see are the "hidden" and advanced settings of WD that are not available out of the box.

 

[wat0114]

At the end of the day, SRP is still SRP, with all of its known limitations.

Dan,

with all due respect, and my following comments are based on me being nothing more than a home computer security enthusiast with limited understanding of the subject, but I feel pretty confident in saying:

in the right hands and configured as such SRP is a very powerful tool against many threats, in particular those that use obfuscation to avoid AV, as well as scripting methods to execute their payloads in userspace directories.

One example of Ransomware I can think of where SRP could play a role in stopping:

REvil / Sodinokibi: The Crown Prince of Ransomware

Cybereason has been tracking a new type of ransomware dubbed REvil / Sodinokibi - the Cybereason Defense Platform detects and blocks this nasty ransomware that struck meatpacker JBS.

www.cybereason.com

My apologies for bringing up SRP, but I couldn't help myself in this case.

 

[ForgottenSeer 92963]

DUI's tamper protection IS Microsoft Defender's tamper protection, majority of the settings you see are the "hidden" and advanced settings of WD that are not available out of the box.

Tamper protection is part of Security Center (not hidden). DUI Pro has a process running checking whether MD is disabled. It is something different. Why use a screw driver (DUI's tamper protection) when I got a build-in hammer (MD's tamper protection in Security Center) to protect MD against tampering? Why do I have to disable the build-in tamper protection?

It is the same discussion when Microsoft introduced kernel patching protection. Years after we can conclude that it made the Windows kernel stronger. By the way it is also possible to run MD in a sandbox (link) and enable virtualization based code integrity (link). IMO disabling build-in security for third-party software to provide similar protection is putting the horse behind the cart.

 

[danb]

Tamper protection is part of Security Center (not hidden). DUI Pro has a process running checking whether MD is disabled. It is something different. Why use a screw driver (DUI's tamper protection) when I got a build-in hammer (MD's tamper protection in Security Center) to protect MD against tampering? Why do I have to disable the build-in tamper protection?

It is the same discussion when Microsoft introduced kernel patching protection. Years after we can conclude that it made the Windows kernel stronger. By the way it is also possible to run MD in a sandbox (link) and enable virtualization based code integrity (link). IMO disabling build-in security for third-party software to provide similar protection is putting the horse behind the cart.

As @ScandinavianFish said... "DUI's tamper protection IS Microsoft Defender's tamper protection".

MD requires TP to be disabled in order to adjust some of the settings. This applies to any product that controls MD, including ConfigureDefender and DefenderUI.

 

[ScandinavianFish]

Tamper protection is part of Security Center (not hidden). DUI Pro has a process running checking whether MD is disabled. It is something different. Why use a screw driver (DUI's tamper protection) when I got a build-in hammer (MD's tamper protection in Security Center) to protect MD against tampering? Why do I have to disable the build-in tamper protection?

It is the same discussion when Microsoft introduced kernel patching protection. Years after we can conclude that it made the Windows kernel stronger. By the way it is also possible to run MD in a sandbox (link) and enable virtualization based code integrity (link). IMO disabling build-in security for third-party software to provide similar protection is putting the horse behind the cart.

Tamper protection in MD defends itself from getting disabled in the first place, while DUI's DefenderGuard continuously monitors the RTP settings to ensure it isnt disabled, they are compatible because they work in completely different ways.

 

[danb]

Dan,

with all due respect, and my following comments are based on me being nothing more than a home computer security enthusiast with limited understanding of the subject, but I feel pretty confident in saying:

in the right hands and configured as such SRP is a very powerful tool against many threats, in particular those that use obfuscation to avoid AV, as well as scripting methods to execute their payloads in userspace directories.

One example of Ransomware I can think of where SRP could play a role in stopping:

REvil / Sodinokibi: The Crown Prince of Ransomware

Cybereason has been tracking a new type of ransomware dubbed REvil / Sodinokibi - the Cybereason Defense Platform detects and blocks this nasty ransomware that struck meatpacker JBS.

www.cybereason.com

My apologies for bringing up SRP, but I couldn't help myself in this case.

I just found it odd that people were discussing security theater, but did not mention the security theater champ.

 

[ForgottenSeer 92963]

As @ScandinavianFish said... "DUI's tamper protection IS Microsoft Defender's tamper protection".

MD requires TP to be disabled in order to adjust some of the settings. This applies to any product that controls MD, including ConfigureDefender and DefenderUI.

When I use Configure Defender the security centre will show that tamper protection is enabled.

So when I look at the security centre when using DUI (Pro) I will see that tamper protection is enabled also? I am not using DUI so could you post a picture confirming that tamper protection is enabled while using DUI's real time tamper protection.

 

[danb]

First. what part of "SRP has its limitations" did you not understand? I agreed with you that SRP is not the answer for all malware intrusions, but in combination with other off-the-shelve security mechanisms it helps to reduce the risk of malware to acceptable levels for me. SRP is just one of the players in my security team. When one player in my team has been passed by an opponent, it does nat mean that the opponent scored a goal or won the game. That is the benefit of using multiple levels of security IMO.

Secondly: the truth of science has shifted over time when better observations lead to other conclusions (like the earth is flat evolved to earth is round and the evolution theory) and scientific studies leading to ambiguous conclusions (link). So for what I know now, SRP as used in SWH helps to make MD (probably all AV's) stronger.



So its makes sense to disable Microsoft Defender tamper protection to enable DUI's (tamper) protection for Microsoft Defender?

Flat earth was well before the scientific method was established. Flat earth was never based in science, so it did not shift over time.

 

[danb]

When I use Configure Defender the security centre will show that tamper protection is enabled.

So when I look at the security centre when using DUI (Pro) I will see that tamper protection is enabled also? I am not using DUI so could you post a picture confirming that tamper protection is enabled while using DUI PRO.

If I am understanding you correctly, yes, that is correct. You have to manually disable Tamper Protection in Security Center if you want CD or DUI to control a few of the features, listed below...

"While most DefenderUI features function out of the box, there are a handful that do not function while Microsoft Defender Tamper Protection is enabled. These features include Real-time Protection, Behavior Monitoring, Scan all downloaded files and attachments, Script scanning and Threat Default Actions."

 

[ForgottenSeer 92963]

Tamper protection in MD defends itself from getting disabled in the first place, while DUI's DefenderGuard continuously monitors the RTP settings to ensure it isnt disabled, they are compatible because they work in completely different ways.

As per Dan's answer above, DUI's defender guard disables MD's tamper protection, so they are not compatible. Configure Defender keeps tamper protection enabled while enabling all "hidden" corporate features of MD.

 

[danb]

As per Dan's answer. DUI's defender guard disables MD's tamper protection, so they are not compatible.

People believing earth was flat, were the main stream scientist at that time.

DUI's DefenderGuard is completely independent of MD's Tamper Protection. Does that answer the question? If not, please let me know.

But science was not science until the scientific method was established .

 

[ScandinavianFish]

As per Dan's answer above, DUI's defender guard disables MD's tamper protection, so they are not compatible. Configure Defender keeps tamper protection enabled while enabling all "hidden" corporate features of MD.

Manually disabling it is required for changing DUI's Default Threat Actions, nothing else, and it does not disable MD's Tamper Protection

 

[danb]

As per Dan's answer above, DUI's defender guard disables MD's tamper protection, so they are not compatible. Configure Defender keeps tamper protection enabled while enabling all "hidden" corporate features of MD.

Both of these statements are not true.

DUI's DefenderGuard does not disable MD's Tamper Protection, and they are compatible with each other.

CD does nothing with Tamper Protection at all. Also, when Tamper Protection is enabled, the following features cannot be adjusted with CD or DUI: Behavior Monitoring, Scan all downloaded files and attachments and Script scanning.

 

[Moonhorse]

Whatever dui does i love it & Its not myth anymore that defender has improved, andys pictures show it on first page atleast were getting some action here

 

[Andy Ful]

You are aware that VS was tested in AutoPilot mode, so your comment is quite disingenuous. This is the exact kind of security theater that I am talking about.

Yes, I am aware. The SRP was also tested with Recommended Settings + Forced SmartScreen. From the point of view of the user, these setups are similar. The Forced SmartScreen in the SRP test did a similar thing as VirusTotal (and AI lookup) in the VS test. If VS was tested in "Always ON" mode and SRP with All_ON setup, then one could probably test them over a year without any misses.

Software Restriction Policy was designed to stop the user from running user mode software. It was not designed as a sophisticated anti-malware mechanism that blocks modern threats.

It is nice that we can agree on something.
But, it seems that we differently understand modern threats. I understand them as in the Microsoft documentation, and that means the lateral movement especially with using .NET DLLs and kernel-based malware (Bad USB, kernel exploits, etc.). For fighting such threads you need the "Modern SRP" which is Microsoft Defender Application Control (a mix of the classic SRP idea with Application Guard).

 

[Andy Ful]

As @ScandinavianFish

MD requires TP to be disabled in order to adjust some of the settings. This applies to any product that controls MD, including ConfigureDefender and DefenderUI.

None of the ConfigureDefender profiles (DEFAULT, HIGH, INTERACTIVE, and MAX) need to disable Tamper Protection.