[Serious Discussion] The sooner the better.

Andy Ful


In the example below, we can see how many dangerous actions can be avoided just by blocking the starting element in the infection chain (LNK file).
Why do the attackers use such long infection chains?


[Attached image: 1740577444702.png]


The suspicious actions are split among many events/executables, and most AVs cannot link such actions to one attack. In this way, they can survive below the threshold level.
If one executable performed a similar number of suspicious actions, it would be easily detected as malicious.
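As an added illustration of the threshold point (not from the post or its screenshot), here is a small Python scorer over constructed telemetry with hypothetical action weights: scored per process, every executable in an LNK-started chain stays below the alert threshold; scored along the process tree from the LNK open, the same events cross it.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the post's screenshot): an LNK-started
# chain in which every process performs only one or two suspicious actions.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "action": "open_lnk"},
    {"pid": 101, "ppid": 100, "image": "cmd.exe",        "action": "spawn_interpreter"},
    {"pid": 102, "ppid": 101, "image": "powershell.exe", "action": "hidden_window"},
    {"pid": 102, "ppid": 101, "image": "powershell.exe", "action": "encoded_command"},
    {"pid": 103, "ppid": 102, "image": "powershell.exe", "action": "network_download"},
    {"pid": 104, "ppid": 103, "image": "rundll32.exe",   "action": "write_startup"},
    {"pid": 104, "ppid": 103, "image": "rundll32.exe",   "action": "load_dll_from_temp"},
]
# Hypothetical per-action weights and alert threshold (assumptions for the example).
WEIGHTS = {"open_lnk": 1, "spawn_interpreter": 2, "hidden_window": 2,
           "encoded_command": 3, "network_download": 2,
           "write_startup": 3, "load_dll_from_temp": 2}
THRESHOLD = 6

def per_process_scores(events):
    """Score each process on its own actions only (how an uncorrelated heuristic sees it)."""
    scores = defaultdict(int)
    for e in events:
        scores[e["pid"]] += WEIGHTS[e["action"]]
    return dict(scores)

def chain_score(events, root_pid):
    """Sum the scores of root_pid and every descendant in the process tree."""
    scores = per_process_scores(events)
    children = defaultdict(set)
    for e in events:
        children[e["ppid"]].add(e["pid"])
    def walk(pid, seen):  # 'seen' guards against PID reuse creating cycles
        if pid in seen:
            return 0
        seen.add(pid)
        return scores.get(pid, 0) + sum(walk(c, seen) for c in children[pid])
    return walk(root_pid, set())

def flagged_per_process(events, threshold=THRESHOLD):
    """PIDs flagged when each executable is judged alone: none, all stay below threshold."""
    return sorted(p for p, s in per_process_scores(events).items() if s >= threshold)

def flagged_per_chain(events, threshold=THRESHOLD):
    """Root PIDs flagged once actions are correlated along the chain from the LNK open."""
    roots = {e["pid"] for e in events if e["action"] == "open_lnk"}
    return sorted(r for r in roots if chain_score(events, r) >= threshold)
```

Blocking the LNK open (the root of the tree) removes every descendant event at once, which is the post's point about stopping the chain at its first element.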
Attackers use long infection chains to evade detection. By spreading out suspicious actions across many events, they can stay under the radar of most antivirus software. The sooner these initial elements in the chain are blocked, the better for preventing potential security breaches.

Quoting the opening post ("The sooner the better."):
"The suspicious actions are split among many events/executables, and most AVs cannot link such actions to one attack. In this way, they can survive below the threshold level."

By default, Windows does not need PowerShell, other interpreters, and script execution capabilities to be enabled. Most users that need PowerShell, other interpreters, and script execution would trivially be able to enable them.

Microsoft does not disable all the easily abused Windows components by default because of the small minority of users who would complain if something they are attempting to do were blocked by a secure default configuration of Windows.

It is those same types of users who are apt to turn around and complain that Microsoft does not do enough to protect users.