Is the improved performance of Microsoft Defender a myth? Should we necessarily be using a 3rd party AV?
<blockquote data-quote="Andy Ful" data-source="post: 968961" data-attributes="member: 32260"><p>It does not really matter for home users. When SRP is not running in Ring 0, the malware running with Admin privileges must bypass fewer obstacles to dismantle the SRP protection, compared to security running in Ring 0.</p><p>But this also assumes that:</p><ol> <li data-xf-list-type="ol">Malware knows that the home user applied SRP (hardly possible).</li> <li data-xf-list-type="ol">Malware has to infect/exploit the system (hardly possible with SRP on Windows 10).</li> <li data-xf-list-type="ol">Malware has to elevate (hardly possible with SRP on Windows 10, especially with Defender).</li> </ol><p>All of this can matter only with highly targeted attacks that can happen in Enterprises via lateral movement. Diplomats and dissidents can also consider this danger.</p><p>It is worth knowing that running a security program in Ring 0 does not mean that it can protect against kernel-based malware (like, for example, the WannaCry worm). Also, a security program running in Ring 0 can be rather easily bypassed in highly targeted attacks. Furthermore, most security programs do not run fully in Ring 0, so they can be exploited/bypassed by processes from userland.</p><p>[URL unfurl="true"]https://malwaretips.com/threads/endpoint-detection-and-response-how-hackers-have-evolved-part-1.106619/[/URL]</p><p>[URL unfurl="true"]https://malwaretips.com/threads/dell-windows-drivers-still-vulnerable-to-kernel-attacks.111526/[/URL]</p><p>The true security boundary has to run in Ring -1 (Virtualisation-based Security). Such security has already been adopted by some AV vendors. The Windows built-in Microsoft Defender Application Guard ("Modern SRP" model) uses it too.</p></blockquote>