I am used to it.
I think that some emotional or off topic posts are OK, if they are not continued endlessly. Let's keep it that way.
Very true
I do apologize if I've been the cause of any of this, was never my intention. Let's keep it about WD
The truth about Windows Defender on Windows 10 (Home & Pro).
- Thread starter Andy Ful
- Start date
Very true
I do apologize if I've been the cause of any of this, was never my intention. Let's keep it about WD@Local Host Sorry missed your previous post.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,816
One correction. In this case the malware did not disabled WD. The initial document was detected (malicious content), but WD allowed to download/run the payload. The final payload was not detected and remained persistent after reboot.
Anyway, that can be a good example to show that WD on default settings (even in sandbox) is not the best solution for people who use MS Office and allow macros for documents downloaded from the Internet. That behavior is like crossing the street with eyes closed.
Edit.
@RoboMan, thanks for the interesting video.
Last edited:
About the above comments...
1. Windows was designed for administrators to make changes and as such, overrule things like security configurations. This means that administrators can enable and disable Windows Defender/Firewall, or modify the configuration. Therefore, malware running with administrative rights has and always will be able to overrule Windows Defender, the same way it has more opportunity to attack third-party AVs on the machine.
2. The sandbox container which was implemented into Windows Defender was never supposed to do anything in regards to preventing Windows Defender from being disabled by software running with administrative rights on the environment. It was implemented to help restrict malicious code being executed under the context of Windows Defender processes which are under the sandbox container post-exploitation to prevent the attackers from being able to do as much as they could before whilst masking the operations as being from Windows Defender's compromised process/es. Furthermore, I imagine it also uses exploit mitigation techniques more aggressively/effectively to make old exploits fail until updated and new future vulnerabilities possibly harder to exploit.
1. Windows was designed for administrators to make changes and as such, overrule things like security configurations. This means that administrators can enable and disable Windows Defender/Firewall, or modify the configuration. Therefore, malware running with administrative rights has and always will be able to overrule Windows Defender, the same way it has more opportunity to attack third-party AVs on the machine.
2. The sandbox container which was implemented into Windows Defender was never supposed to do anything in regards to preventing Windows Defender from being disabled by software running with administrative rights on the environment. It was implemented to help restrict malicious code being executed under the context of Windows Defender processes which are under the sandbox container post-exploitation to prevent the attackers from being able to do as much as they could before whilst masking the operations as being from Windows Defender's compromised process/es. Furthermore, I imagine it also uses exploit mitigation techniques more aggressively/effectively to make old exploits fail until updated and new future vulnerabilities possibly harder to exploit.
Well, is it worth to run Windows Defender sandboxed, then? A little worth it? A lot? I went to the horse's mouth and 4th paragraph under "Why sandbox? Why now?" basically says what goes in the box, stays in the box. Sounds great; however, I now see that testing here suggests this system is neither fail-safe nor 100% fool proof. Is anyone currently running WD sandboxed? I chose "no"--I have an anti-exe plus I run vulnerable programs like Media Player in Sandboxie. Plus, like I harped on before, this feature currently isn't enabled by default, you have to look for it. Eeww!
The Windows Defender sandbox container is never going to be 100% full-proof, no sandbox container ever will be. Anyway, I would say that it is not recommended to enable it at this point in time because it is still early days and it is only available as an opt-in experimental feature (as far as I am aware).
Until extensive testing has been done, and the feature has definitely been released as "officially released" with proper documentation to the changes it makes and how it works, along with strong testing by people experienced in vulnerability research and exploitation (e.g. Google Project Zero), it is probably best to just avoid it for your own sake.
Until extensive testing has been done, and the feature has definitely been released as "officially released" with proper documentation to the changes it makes and how it works, along with strong testing by people experienced in vulnerability research and exploitation (e.g. Google Project Zero), it is probably best to just avoid it for your own sake.
Thanks for the clarification, this was my understanding as well!
I agree
I gave it a try just to see what it was all about, it didn't slow down my system anymore than what WD does which is great. I think it is a good feature to have in order to help keep the OS more secure from malicious code trying to take advantage of an exploit via WD.
However, like you said it's still very experimental at this point and I think Microsoft still has some things to iron out before its ready for prime time. I have since disabled it as I found out (while doing very basic tests via ATMSO and the WD Testing grounds) that some of WD detection capabilities stopped working (on some tests) when the sandbox was enabled. Even though the sandbox should not have any impact whats so ever on WD detection capabilities, currently it seems to be conflicting with some of them (at least for me on 1809). Since disabling the sandbox, WD was able to pass those tests without issue, compared to when it was enabled. Personally I think people should wait until its all ironed out and officially rolled out before using it, just in case it is (unintentionally) affecting WD's protection capabilities negatively.
Last edited by a moderator:
- Mar 29, 2018
- 7,902
@Raiden - yes, we talked about that a short time ago and I disabled it then. I think the Beatles wrote a song about it - Within You and Without You, so no big deal either way!
- May 4, 2018
- 2,266
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,816
You must be a very "old school" to remember the Beatles.
- Oct 7, 2018
- 44
Hey oldschool, how about the U2 song, "With or Without You?". Makes you a little more contemporary. Sorry for going off topic, couldn't help it, he heYou must be a very "old school" to remember the Beatles.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,816
That would be certainly true, if Windows 10 did not hate 3rd party security.
I like the fact of WD improvements, because it can now compete with 3rd party AVs. The competitive pressure and diversity are usually advantageous for the customers.
So, I wish WD to improve and make 3rd party security better. If I have to buy 3rd party, real-time security, I would rather choose AppGuard alongside Defender.
- Mar 29, 2018
- 7,902
Oh yeah, I remember it but the Beatles came to my mind first.
- Jul 1, 2017
- 1,396
I have found things on my computer in the Recycle bin and AppData that Windows Defender never detected. Thank mother nature for Emsisoft Emergency Kit.
For me the main issue is that I have had issues with the definition updates. They would corrupt and there is no way to troubleshoot and reset Windows Defender. I cannot rely on an AV that cannot even update its signatures. My heart was racing. What kind of trash was on my computer. So I disabled WD in Group Policy for eternity and have always used 3rd party AVs since Windows 10 1607 (Anniversary Update).
For me the main issue is that I have had issues with the definition updates. They would corrupt and there is no way to troubleshoot and reset Windows Defender. I cannot rely on an AV that cannot even update its signatures. My heart was racing. What kind of trash was on my computer. So I disabled WD in Group Policy for eternity and have always used 3rd party AVs since Windows 10 1607 (Anniversary Update).
- Oct 15, 2014
- 164
Great post with useful information.
Just to add something,
I believe that even if Microsoft is nobody's friend, business wise they will want to make their operating system more secure, with the increase in popularity of Linux (mainly because of security reasons) and mac os Microsoft knows they have competition even if it's relatively small. The users will want a more secure system because the average user, the professional or better yet 99.9% of people that use Windows will not enjoy removing malware from their system or getting files encrypted and Microsoft knows that if they don't offer a secure system then they will lose more and more users in the long run.
"It is not from the benevolence of the butcher, the brewer, or the baker that we expect our dinner, but from their regard to their own interest" (Adam Smith)
Just to add something,
I believe that even if Microsoft is nobody's friend, business wise they will want to make their operating system more secure, with the increase in popularity of Linux (mainly because of security reasons) and mac os Microsoft knows they have competition even if it's relatively small. The users will want a more secure system because the average user, the professional or better yet 99.9% of people that use Windows will not enjoy removing malware from their system or getting files encrypted and Microsoft knows that if they don't offer a secure system then they will lose more and more users in the long run.
"It is not from the benevolence of the butcher, the brewer, or the baker that we expect our dinner, but from their regard to their own interest" (Adam Smith)
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,816
Your experiment with highly restricted system + WD was not especially successful. I used highly restricted system too, and I know that it can cause some problems. Now, I prefer only some well tested restrictions like SRP (administrators excluded).
Did you try the system refresh? I am curious if it could repair Defender. That would be not good if it could not.
You will have the similar problems with most of advanced AVs, because they are not prepared to run on highly restricted systems. The system can work well several months and after some Windows or AV updates it can have a problem, anyway. But, you probably like solving the problems, so I wish you to find the balance between restrictions and compatibility/stability.
Be safe.
That would be certainly true, if Windows 10 did not hate 3rd party security.
I like the fact of WD improvements, because it can now compete with 3rd party AVs. The competitive pressure and diversity are usually advantageous for the customers.
So, I wish WD to improve and make 3rd party security better. If I have to buy 3rd party, real-time security, I would rather choose AppGuard alongside Defender.
In my testing, just about every 3rd party security soft out-performs Windows security. In short, people are better off using a 3rd party security solution. For one, even though they can be complex, they are not the hassle that Windows security is. Computer illiterates just cannot wrap their heads around Windows security. However, they can buy an internet security suite, install it, and run with the defaults. And those defaults offer significantly better protection than Windows security.
The way that Microsoft does things causes quite a lot of problems for consumers. This is like, what ? - a 30 year fact ?
Competition is good, but Microsoft uses its position to make it difficult and problematic for 3rd parties. In short, 3rd parties are a distinct competitive disadvantage. It's the reason that Kaspersky and others are suing Microsoft.
People started to complain about Microsoft security way before there was ever an antivirus product for consumers to purchase.
3rd parties provide better protection than Microsoft. That's all that matters.
And yes, Microsoft does things unilaterally and uses its position to make things much more difficult and problematic for 3rd party publishers... way more difficult than they need to be. That stifles competition and\or causes inordinately difficult problems.
Microsoft would like nothing more than to make the entire world a 100 % Microsoft product-only world. If you don't believe that is true, then I don't know what to tell you. Because that is exactly what it is trying to do. And it will do whatever it can to accomplish that.
Anyway you cut it, Microsoft is a monopoly. It has a grip (some would say stranglehold) on most things IT like no other.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,816
I could say:
From my experience, Windows Defender out-performs every 3rd party real-time security (on system stability & compatibility). In short, people are better off when avoiding 3rd party real-time security solution.
But this would not be a sound reasoning. Simply, the first sentence may be true, but not the second. I think that your second sentence is also not true.
My personal view is slightly more complicated:
- For many people who prefer stability & compatibility over usability, WD will be a reasonable solution. Many of them will be also interested in system hardening.
- For people who prefer usability over stability & compatibility, some 3rd party software will be better.
- Other people, will often choose 3rd party security, because there is one WD and many 3rd party security applications.
I could say:
From my experience, Windows Defender out-performs every 3rd party real-time security (on system stability & compatibility). In short, people are better off when avoiding 3rd party real-time security solution.
But this would not be a sound reasoning. Simply, the first sentence may be true, but not the second. I think that your second sentence is also not true.
My personal view is slightly more complicated:
I am glad that we do not agree on something. The world would be boring if people would agree on everything.
- For many people who prefer stability & compatibility over usability, WD will be a reasonable solution. Many of them will be also interested in system hardening.
- For people who prefer usability over stability & compatibility, some 3rd party software will be better.
- Other people, will often choose 3rd party security, because there is one WD and many 3rd party security applications.
A typical home user does not visit security soft forums or research how to tweak Windows Defender. So they are better off using a 3rd party security solution. Protection-wise, Windows security has, by design, holes in it. Plus, consumers will get better support from a 3rd party solution. There is no support for Windows Defender... not unless the user is wiling to pay the $100 support fee.
From my field observations, it is Microsoft that causes the most number of problems - and not 3rd party software. If Microsoft wouldn't constantly change things, then users wouldn't find themselves in the predicament of Windows breaking stuff all the time. 3rd parties do a good job, but it is Microsoft that ruins it for everyone.
All one need do is keep track of the number of people using W10 security in malware removal assistant threads across the web, and the picture is clear. Windows Defender just isn't what it is hyped up to be. The two leading AVs found in malware removal assistance threads are default Windows Defender and Malwarebytes. One cannot argue with this kind of data.
Similar threads
