Think Windows's Built-In Antivirus Will Keep You Safe? You're Wrong

Status
Not open for further replies.

rienna

Level 2
Verified
Mar 28, 2015
64
Microsoft Security Essentials + Malwarebytes Anti-Exploit + Toolwiz Timemachine (system sandbox with the option to exclude folders) + Zemana Anti-logger free + MBAM (free scanner only) + Brain (like Semprul above) = So far so good.

(Yes I dropped Bitdefender and PF, they were having problems and had to be removed. So I decided to try a different approach. It's working and using less CPU resources).
 
  • Like
Reactions: Cats-4_Owners-2

rienna

Level 2
Verified
Mar 28, 2015
64
@rienna Or MSE, SBIE and HMP Alert. Confident users can drop SBIE, unless running a vulnerable, non-patched OS.

It doesn't need to over-complicated, simple security is better.

True though I still recommend having a 2nd opinion scanner like Malwarebytes around.
You can never be too cautious. If you do happen to get an infection MSE doesn't clean up or HMP doesn't block, Malwarebytes should handle it.
I've also had luck with Norton Power Eraser as well. Honestly in an emergency Malwarebytes, Norton Power Eraser, and TDSS Killer have been invaluable tools for me.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
Yes, an on-demand scanner has its purposes and helpful for many. I mainly commented on reducing the amount of real-time protection, MBAE and ZAL can be eliminated by using HitmanPro Alert 3, and according to Surfright's comparison page, it's far superior to any other. A licensed HMP will have free malware removal and beefed up online protection in Alert 3.

A system image can be used to replace an infected system, if you have backups. But it's always better to have safe surfing habits, and not to be click-happy or easily fooled by social engineering/phishing.
 

rienna

Level 2
Verified
Mar 28, 2015
64
Yes according to them that is.
But I would prefer to see it in action first. I would also like to see tests done with MBAE on maximum settings (all boxes checked in >Advanced settings) rather than default. It baffles me that by default only 1/10th or so of MBAE protections are actually on.

HMP is nice but it's not free.
System image backups are also nice, but they require space or storage to work with.
Which costs money. In my case I don't have it. And yes I agree. I've always practiced safe habits, except during bouts of obsessive curiosity (mental problem of mine). The only infection I've had in the past month was open-candy, but all it did was offer to install Qihoo 360 TS along with Axcrypt (during the installation of Axcrypt), that's the most it did.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
Both HitmanPro and Malwarebytes have free versions available, but as I am discussing Alert 3, the free version is more than enough for the average PC user.

O/T: In my opinion, a licensed HitmanPro offers better value than paying for two separate products from Malwarebytes; Anti-Exploit Premium and Anti-Malware Premium.

You could check the documentation or contact Malwarebytes to see why their Default settings are, as they are.
 
  • Like
Reactions: rienna

Secondmineboy

Level 26
Verified
May 25, 2014
1,559
I would like to watch that video but this PC has no audio :(

But its nice to see Microsoft finally improving Defender, lets see how well it will get. :)
 

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
My dad uses Windows defender, I did a scan on his computer with malwarebytes and Emsisoft Emergency Kit and found that there were some PUPs and an adware in his computer, but other than that nothing serious. Just use your common sense when clicking on things and you'll be fine!
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,247
Microsoft could easily make an Antivirus product which kicked every other Antivirus and Antimalware product out the market instantly. I've said it before, and I'll say it again... They own Windows. They could setup some hidden functions in the Windows API to do all sorts and just make sure no one else finds out about them. They could setup a behavioural blocking protection component which loaded kernel mode drivers (they would be running under SYSTEM. Windows services also run under SYSTEM however they are not as secure as a driver, they could be easily stopped by malware).

In this kernel mode drivers, they could do all sorts. Such as hooking all Nt* functions. Hooking NtLoadDriver (when another driver is loading), NtDeleteValueKey (when a registry value is being deleted - this could be used as some sort of protection feature in HIPS, so the user can be alerted when a process is trying to delete a value), NtOpenProcess (they could use this to prevent access to certain processes), NtTerminateProcess (commonly used API to try to terminate a process on the system),...

Did you know, most Antivirus software already hook these. For example, I am sure they would hook NtTerminateProcess for example.

In the driver, they then:
Code:
return STATUS_ACCESS_DENIED;

Ever tried to terminate a process in Task Manager and had a alert saying "Access denied"? It means you've been: STATUS_ACCESS_DENIED ... Well at least now you know why you get this. ;)

They can also do other things such as a "Application Control". This could involve support for allowing a program to execute without access to terminate a process, without internet access, without read/write access and the ability to have a log made if wanted of all the attempts it makes.

For example, a keylogger may use GetAsyncKeyState (API). Hooking this can help detect a keylogger in real-time with their behavioural protection.

Digital Signatures was a great idea, but it has a few flaws. Anyone can purchase one, and now it's used a lot in Adware. There should be some new identification like Digital Signatues, but with a slight change - the people wanting a signature have to have their application checked for any malicious components, and any "suspicious" actions, such as installing additional software without user rights. Malware writers already figured out how to "steal" them now, too.

In fact, I recon Microsoft could do everything I mentioned here in a AV product in less than a day or two. Like I said, they own Windows, they surely know more about how it works then the others...

As far as heuristic analysis goes... Microsoft surely know what is good and bad code. They could make great heuristics and have them adapted for new zero-day threats.

Although, I do see some reasons as to why they wouldn't hook functions to try to find malicious behaviour... Users may not always like it and it may cause false positives. As well as this, I can't even think to imagine what the other vendors would be feeling if they were kicked out of the AV industry just like that with no chance of competition.

UAC is a very importat feature in Windows. Without Admin priveleges, you won't be doing anything like loading drivers into kernel mode. Why do you think Antivirus installers need UAC at one point or another? It's so they can do things like load kernel mode drivers. They may also do things like create scheduled tasks to allow them to run without Administrative rights (the user-mode processes). So keeping it enabled is a WISE decsion.

Did you know, Microsoft already made protection against rogue drivers. There is a feature on 64-bit systems called PatchGuard. It works by denying access to load a driver without it being digitally signed. However, it can actually be disabled with some tweaking by malware writers... But, it does help. Unless you were a programmer wanting to make kernel mode drivers, I doubt you'd have known about PatchGuard.

PatchGuard disables the ability for SSDT hooking. SSDT stands for System Service Descriptor Table.

Code:
typedef struct SystemServiceDescriptorTable {
PULONG ServiceTableBase;
PULONG ServiceCounterTableBase;
ULONG NumberOfServices;
PUCHAR ParamTableBase;
}SSDT,*PSSDT;

There is so much I could go into detail about and explain. Point being, Microsoft could make Windows Defender/MSE great if they wanted too, far from what it is now. UAC, SmartScreen, PathGuard... They are all there to protect the user, and they work, to an extent.

For experts who really know what they are doing, it's enough. For people who are click happy and don't know what they are doing need to run and try to hide if they want to use Windows Defender/MSE because it won't be enough.

Cheers. ;)
One strange thing I observed while scanning Malware samples using KVRT and MSE's RT was turned on and magically MSE flagged previously undetected items as a virus which proves that MS's behaviour/heuristics could use Kaspersky's AV capability to hunt down malware since they use Windows API to communicate with kernel. This is what i theorized. Also, MS sees to it, that MSE/WD are crippled in someway or the other so they AV companies come up with a product with so & so features and cost these much dollars.
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
Only reason I quit using MSE is having to manually update it to have the most recent signatures.
It relies on Windows Updates, and if you've changed it to other-than Automatic updates, you have to manually update.

Desktop shortcut: Windows Defender - Definitions update (workaround) uses "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate -MMPC
Windows Task Scheduler: How to schedule Windows Defender definitions update uses "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
 

FreddyFreeloader

Level 32
Verified
Top Poster
Well-known
Jul 23, 2013
2,115
It relies on Windows Updates, and if you've changed it to other-than Automatic updates, you have to manually update.

Desktop shortcut: Windows Defender - Definitions update (workaround) uses "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate -MMPC
Windows Task Scheduler: How to schedule Windows Defender definitions update uses "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
Usually it updates only once a day automatically, but there are updates available every 2-3 hours and if you want the latest ones, you gotta DIY. Thanks.
 

Sana

Level 5
Verified
Well-known
Dec 30, 2015
212
Very in-depth insight into lots of malwarian window pain stuff. :confused:

I think as @BoraMurdar and others mentioned, this is what I understood. If you were to stick with a Guest type account (and do not run any programs from there by Run as Admin), then chances of getting affected by malware or viruses would be highly unlikely.
 
  • Like
Reactions: Dirk41 and upnorth

blueblackwow65

Level 23
Verified
Well-known
Dec 19, 2012
1,250
I'm looking to use Defender to try in win10 with Comodo Cloud AV ,would this work or be too much.Is defender heavy on resources? Thks
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Quote Neil Rubenking : " My malware collection is relatively static, changed just once per year. o_O However, I also test how well a product handles malware-hosting URLs, and those downloads are typically no more than four hours old. Top score so far in this test is 85 percent protection, either preventing access to the URL or wiping out the malware download. The average score is 40 percent. Microsoft's score? Just 3 percent. "

khG2vqRl.gif




 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top