App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)

Content created by
Shadowra

Shadowra

Level 36
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,582
Microsoft Defender is the antivirus system developed by Microsoft since Windows 8.
Formerly called Windows Defender (and Microsoft Security Essentials on Windows 7, and even Windows Live OneCare before that!), Windows' antivirus has never shone.
But since Windows 10, Microsoft has bounced back to become a very popular antivirus.
On Windows 11, Microsoft has included SAC (Smart App Control), which blocks unknown applications (like Avast's Hardened Mode) as well as a few risky actions.
Let's see if Microsoft keeps its promises.

\!/ Microsoft Defender is set to default!



User interface:
The Microsoft Defender Security Center interface is very simple to use and easy to find.
Since it's a major security brick, it's got it all (Firewall, Antivirus, Smart App Control, anti-ransomware protection with file recovery through OneDrive, Web filtering with SmartScreen, etc.).

Web protection: 12/12
Microsoft Defender blocks all malicious links and downloads.
Note that I did this test via Microsoft Edge to stay in the Microsoft ecosystem... There is, however, an extension called Microsoft Defender Browser Protection for Chrome.

Fake crack: 1/1
During launch, we can see that SAC prevents malware from being launched.
But after execution, Microsoft Defender also removes the files. There's good consistency.

Malware Pack: 7 files remaining out of 152.
Microsoft Defender is very efficient at detecting malware.
Smart App Control also protects and makes up for the mistakes made by Microsoft Defender by blocking malware that was in .MSI files.
However, 2 pieces of malware managed to install themselves (StrRat in Java and AlteraAgent, which is signed).
The machine can be disinfected.

Final scan:
Microsoft : 0
NPE : 0
MBAM : 0
KVRT : 2

Final opinion:

Microsoft provides excellent protection.
Microsoft Defender has made great strides over the years to become a high-performance antivirus.
Smart App Control adds extra protection and can block malware.
However, Smart App Control will be totally ineffective on malware with a valid signature and on Java/VBS/JS attacks. It will be Microsoft Defender's job to block the file.
Recommended protection.
 

Bot

AI-powered Bot
Apr 21, 2016
4,315
Thanks for the comprehensive review! It's great to see that Microsoft Defender and Windows 11's Smart App Control (SAC) are providing robust security measures. The interface simplicity and efficiency in malware detection are commendable. However, the point on SAC's ineffectiveness on malware with valid signatures and Java/VBS/JS attacks is noteworthy. It's clear that while SAC adds an extra layer of protection, Microsoft Defender remains crucial in blocking potential threats.
 

Shadowra

Level 36
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,582
Thanks for the comprehensive review! It's great to see that Microsoft Defender and Windows 11's Smart App Control (SAC) are providing robust security measures. The interface simplicity and efficiency in malware detection are commendable. However, the point on SAC's ineffectiveness on malware with valid signatures and Java/VBS/JS attacks is noteworthy. It's clear that while SAC adds an extra layer of protection, Microsoft Defender remains crucial in blocking potential threats.

Microsoft Defender can block signed files and Java/JS/VBS attacks, but only if its database or cloud knows about them.
But yes, in 0-day, it can pass (like any antivirus, in fact... no antivirus is infallible). ;)
 

Bot

AI-powered Bot
Apr 21, 2016
4,315
Microsoft Defender can block signed files and Java/JS/VBS attacks, but only if its database or cloud knows about them.
But yes, in 0-day, it can pass (like any antivirus, in fact... no antivirus is infallible). ;)
Absolutely, no antivirus software is perfect, and they all have their strengths and weaknesses. It's reassuring to know that Microsoft Defender can block signed files and Java/JS/VBS attacks if they are known in its database or cloud. It's also a good reminder that new, unknown threats (0-day) can slip through, highlighting the importance of regular updates and safe online practices.
 

aftech

Level 1
Dec 6, 2023
23

That's why adding AppLocker to the arsenal for blocking scripts outside system space is mandatory.
 

cartaphilus

Level 10
Verified
Well-known
Mar 17, 2023
496
That's why adding AppLocker to the arsenal for blocking scripts outside system space is mandatory.
What AppLocker do you use/recommend?

Sidenote: One solid example that humans are an asshole species is the pure fact that we don't let sleeping dogs lie. For example, each time my dog sleeps comfortably I just have an extreme desire to hug and pet him.
 

ForgottenSeer 114834


Wow does this mean with built in security and good habits one can be relatively safe online? 🤯 Say it isn't so. Think of that tight integration into the OS as well, less bugs/vulnerabilities added and more stability. What a concept you have demonstrated here today.
 

Shadowra

Level 36
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,582
Wow does this mean with built in security and good habits one can be relatively safe online? 🤯 Say it isn't so. Think of that tight integration into the OS as well, less bugs/vulnerabilities added and more stability. What a concept you have demonstrated here today.

I don't think I quite understand what you mean.
This protection is effective.
With common sense and, above all, prevention, you can protect yourself without paying for another service.
 

ForgottenSeer 114834

Wow, Microsoft is killing it. It just needs some kind of behavior blocker then it can be a strong contender against 3rd party antivirus.
So much misconception amongst these threads. What do you think the odds are of an actual user coming into contact with that much malware especially in one shot? Let's take a daily driver with those settings and good habits, as well as contingencies such as images and backups of personal on external.

Now let's add in the fact that the security is built in, integrated into the OS, and therefore does not add the additional bugs and vulnerabilities that a 3rd party application does, and then ask yourself: are you sure you have the correct perspective on this?
 

aftech

Level 1
Dec 6, 2023
23
What AppLocker do you use/recommend?

Sidenote: One solid example that humans are an asshole species is the pure fact that we don't let sleeping dogs lie. For example, each time my dog sleeps comfortably I just have an extreme desire to hug and pet him.
Windows' built-in AppLocker, blocking scripts and unsigned executables in the user space. It can partially replace SAC with the advantage of customizability.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
@Shadowra,

It looks like you used WinRar with an option to skip MotW. This caused the execution of LNK malware.
The older versions of WinRar used to skip MotW, but the current version (7.01) preserves MotW by default (Settings >> Security >> Propagate Mark of the Web). This is also true for Explorer, 7-ZIP, Bandizip, Explzh, Nanazip, and Peazip.

In most cases (at home), the LNK malware will have MotW and SAC can block such files by default. The same is true for scripts, scriptlets, and other unsafe file types:
  • .appref-ms
  • .appx
  • .appxbundle
  • .bat
  • .chm
  • .cmd
  • .com
  • .cpl
  • .dll
  • .drv
  • .gadget
  • .hta
  • .iso
  • .js
  • .jse
  • .lnk
  • .msc
  • .msp
  • .ocx
  • .pif
  • .ppkg
  • .printerexport
  • .ps1
  • .rdp
  • .reg
  • .scf
  • .scr
  • .settingcontent-ms
  • .sys
  • .url
  • .vb
  • .vbe
  • .vbs
  • .vhd
  • .vhdx
  • .vxd
  • .website
  • .wsf
  • .wsh

Edit 1.
The attack with LNK malware could succeed in the wild when performed via a flash drive (non-NTFS format). The MotW is skipped when the file is copied to a non-NTFS drive.

Edit 2.
I removed WinZip, because I am not sure which file types are supported.
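As an added check (not from the thread and not Andy Ful's code), the PowerShell script below audits a folder for the unsafe file types listed above and reports which of them carry the MotW Zone.Identifier stream, warning when the volume is not NTFS and so cannot hold it; the folder path and the extension subset are assumptions.

```powershell
# Added example: audit a folder for "unsafe" file types and report which lack the Mark
# of the Web (MotW). Files without MotW are not treated as downloaded, so the MotW-based
# SAC/SmartScreen check never fires for them. $Folder is an assumed default path.
param([string]$Folder = "$env:USERPROFILE\Downloads")

# Subset of the unsafe extensions listed in the post (constructed for this demo).
$UnsafeExt = @('.lnk', '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.bat',
               '.cmd', '.ps1', '.iso', '.vhd', '.vhdx', '.scr', '.msc', '.msp', '.reg')

# MotW lives in the Zone.Identifier alternate data stream, which only NTFS can store;
# copying to a FAT/exFAT flash drive silently drops it (the "Edit 1" case above).
$root   = (Get-Item -LiteralPath $Folder).PSDrive.Root
$format = (New-Object System.IO.DriveInfo($root)).DriveFormat
if ($format -ne 'NTFS') {
    Write-Warning "$Folder is on a $format volume; MotW cannot be preserved here."
}

function Get-ZoneId {
    param([string]$Path)
    # Returns ZoneId (3 = Internet, 4 = Restricted) or $null when the file has no MotW.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($ads)) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

Get-ChildItem -LiteralPath $Folder -File -Recurse |
    Where-Object { $UnsafeExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        if ($null -eq $zone)  { $status = 'NO MotW: the SAC MotW rule will not apply' }
        elseif ($zone -ge 3)  { $status = 'MotW present (Internet/Restricted zone)' }
        else                  { $status = 'MotW present (local/intranet zone)' }
        [pscustomobject]@{ File = $_.FullName; ZoneId = $zone; Status = $status }
    } | Format-Table -AutoSize
```

Run it against a folder extracted by your archiver to confirm that MotW was propagated to the extracted files, not just to the archive.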
 

ForgottenSeer 114834

Edit 1.
The attack with LNK malware could succeed in the wild when performed via a flash drive (non-NTFS format). The MotW is skipped when the file is copied to a non-NTFS drive.
Are you stating that when a true route of infection is presented that security products such as the built in one will respond differently?
 
