Windows Defender Antivirus cloud protection service: Advanced real-time defense against...


Bot

For cybercriminals, speed is the name of the game. It takes newly released malware an average of just four hours to achieve its goal—steal financial information, extort money, or cause widespread damage. In a recent report, the Federal Trade Commission (FTC) said that cybercriminals will use hacked or stolen information within nine minutes of posting in underground forums. Stopping new malware in real-time is more critical than ever.

Approximately 96% of all malware files detected and blocked by Windows Defender Antivirus (Windows Defender AV) are observed only once on a single computer, demonstrating the polymorphic and targeted nature of modern attacks, and the fragmented state of the threat landscape. Hence, blocking malware at first sight is a critical protection capability.

To fight the speed, scale, and complexity of threats, we work to continually enhance Windows Defender AV and other security features built into Windows 10. In our white paper "The evolution of malware prevention" we discussed our advanced, predictive approach to protecting customers from threats that they face today, as well as those that will emerge in the future.

This blog continues that discussion and provides the first detailed account of one way we improve our capability to stop never-before-seen malware with new enhancements to the Windows Defender Antivirus cloud protection service.


In Windows 10 Creators Update, the Windows Defender AV client uploads suspicious files to the cloud protection service for rapid analysis. Our ability to make a swift assessment of new and unknown files allows us to protect customers from malware the first time we see it.

We have built these enhancements on the next-gen security technologies enabling Windows Defender AV to automatically block most new, never-before-seen threats at first sight using the following methods:

  • Lightweight client-based machine learning models, blocking new and unknown malware
  • Local behavioral analysis, stopping file-based and file-less attacks
  • High-precision antivirus, detecting common malware through generic and heuristic techniques

In relatively rare cases, when Windows Defender AV needs additional intelligence to verify the intent of a suspicious file, it sends metadata to the cloud protection service, which can determine whether the file is safe or malicious within milliseconds using the following techniques:

  • Precise cloud-based machine learning models that can make an accurate assessment based on signals from the client
  • Microsoft Intelligent Security Graph that monitors threat data from a vast network of sensors

In rarer cases still, when Windows Defender AV cloud protection service is unable to reach a conclusive verdict based on metadata, it can request the potential malware sample for further inspection.

In Windows 10 Creators Update, the Windows Defender AV client uploads suspicious files to the cloud protection service for rapid analysis. While waiting for a verdict, the Windows Defender AV client maintains a lock on the dubious files, preventing possible malicious behavior. The Windows Defender AV client then takes action based on the verdict. For example, if the cloud protection service determines the file as malicious, it blocks the file from running, providing instant protection.



Instant protection at work: A few seconds can make a lot of difference in protection


In a recent real-life example, a Windows 10 Home customer was tricked into downloading a new variant of the Ransom:Win32/Spora family of ransomware.

The malware was disguised as a font file with the name "Chrome font.exe". It was hosted on an online learning website that had been compromised by an attacker, who attempted to trick people into downloading the malware using a social engineering tactic described by Proofpoint in this blog. In this scheme targeting Chrome users, legitimate websites were compromised to open a pop-up window indicating "The ‘HoeflerText’ font wasn’t found", requiring a supposed update to fix. The customer clicked the "Update" button in the pop-up window, which downloaded the Spora ransomware variant.

[image: hoeflertext-font-wasnt-found.png]


The customer’s Windows Defender AV client routinely scanned the file using on-box rules and definitions. Since it had not encountered the file before, Windows Defender AV did not detect it as malicious; however, it recognized the file’s suspicious characteristics, so it temporarily prevented the file from running. The client sent a query to the Windows Defender AV cloud protection service, which used machine-learning-powered cloud rules to confirm that the file was likely malware needing further investigation.

Within 312 milliseconds, the cloud protection service returned an initial assessment. It then instructed the client to send a sample and to continue locking the file until a more definite verdict was given.

In about two seconds, the client finished uploading the sample. By default, it’s set to wait for up to 10 seconds to hear back from the cloud protection service before letting such suspicious files run.

As soon as the sample was uploaded, a backend file-processing system analyzed the sample. A multi-class machine learning classifier determined there was more than a 95% chance that the file was malicious. The cloud protection service created a signature, which it sent back to the client. All of this happened in just five seconds.

One second later, the Windows Defender AV client applied the cloud signature and quarantined the malware. It reported the results back to the cloud service; from that point on, this file was automatically blocked, protecting all Windows PC customers.

From the time Windows Defender AV uploaded the sample, the cloud protection service returned the malware signature in just five seconds, as shown by these actual timestamps:

2017-04-20 03:53:21 – Cloud protection service received query from Windows Defender AV client

2017-04-20 03:53:21 – Cloud protection service assessed it hadn’t seen the file and that it was suspicious, so it requested a sample and to keep locking the file

2017-04-20 03:53:23 – Sample finished uploading

2017-04-20 03:53:28 – Cloud protection service determined file as malware, generated signature, and sent that back to client

2017-04-20 03:53:29 – Windows Defender AV client notified that it successfully detected and removed the malware

Stay protected with Windows 10 Creators Update


Our many years of in-depth research into malware, cyberattacks, and cybercriminal operations give us insight into how threats continue to evolve and attempt to slip past security solutions. Guided by expert threat researchers, we use data science, machine learning, automation, and behavioral analysis to improve our detection solutions continuously.

In Windows 10 Creators Update, we rolled out important updates to Windows Defender Antivirus, which uses a cloud protection service that delivers real-time protection against threats. With these enhancements, we show our commitment to providing unparalleled real-time defense against modern attacks.

Our ability to make a swift assessment of new and unknown files allows us to protect even would-be patient zero against attacks. More importantly, we use this intelligence to protect the rest of our customers, who may encounter these malware in subsequent attacks or similar threats in other cybercriminal campaigns.

Cloud-based protection is enabled in Windows Defender AV by default. To check that it’s running, launch the Windows Defender Security Center. Go to Settings > Virus & threat protection settings, and make sure that Cloud-based protection and Automatic sample submission are both turned On.

In enterprise environments, cloud protection service can be managed using Group Policy or via the Windows Defender Security Center app.

When enabled, Windows Defender AV locks a suspicious file for 10 seconds by default, while it queries the Windows Defender AV cloud protection service. Administrators can configure Windows Defender AV to extend the timeout period up to one minute to give the cloud service time to perform even more analysis and apply additional techniques to detect new malware.

As the threat landscape continues to move towards more sophisticated attacks and malware campaigns that can achieve their goals in hours instead of days, it is critical to be able to respond to new attacks in real-time. With Windows 10 Creators Update and the investments we’ve made in cloud protection service, we’re able to detect brand new threat families within seconds, protect “patient zero”, and disrupt new malware campaigns before they start.



Randy Treit

Senior Program Manager, Windows Defender Engineering


ParaXY

I saw this setting whilst tweaking WD using group policy editor. It seems it can act as a sort of Anti-Exe for unknown files, very interesting.


This is very interesting and is the first time I have heard of this.

Is there any good documentation/tutorials available that explain all the "Windows Defender Antivirus" Group Policy settings?
 

ParaXY

So I decided to give some of these advanced Windows Defender settings a try. Here's what I have set so far in Group Policy:


Computer Configuration > Administrative Templates > Windows Components > Windows Defender

  • MAPS - Configure the “Block at First Sight” feature - Enabled
  • MAPS - Join Microsoft MAPS - Enabled and Set to Advanced MAPS
  • MAPS - Send file samples when further analysis is required - Enabled and Send Safe Samples selected

  • MpEngine - Configure Extended Cloud Check - Enabled and 50 seconds entered
  • MpEngine - Select Cloud Protection Level - Enabled and High Blocking Level selected

  • Real-time Protection - Scan all downloaded files and attachments - Enabled
  • Real-time Protection - Turn on behaviour monitoring - Enabled


Then I ran this test to ensure my firewall wasn't blocking anything:

Code:
C:\Program Files\Windows Defender>MpCmdRun.exe -ValidateMapsConnection

You should get this result if working:

Code:
ValidateMapsConnection successfully established a connection to MAPS

I then ran this test afterwards by clicking "Click here to download the test file" at this website:

Cloud-delivered protection - Windows Defender Testground

As soon as I was prompted by this test file:

[screenshot: upload_2017-7-23_8-20-41.png]


I got this:

[screenshot: upload_2017-7-23_8-20-22.png]


The file didn't even hit my download folder and there was no trace of it. I also got this in the Event Viewer:

Code:
Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Skeeyah.A!bit&threatid=2147695505&enterprise=0
     Name: Trojan:Win32/Skeeyah.A!bit
     ID: 2147695505
     Severity: Severe
     Category: Trojan
     Path: file:_C:\Users\Test\AppData\Local\Temp\MDwJM6c1.exe.part
     Detection Origin: Local machine
     Detection Type: FastPath
     Detection Source: Real-Time Protection
     User: NT AUTHORITY\SYSTEM
     Process Name: C:\Program Files\Mozilla Firefox\firefox.exe
     Action: Quarantine
     Action Status:  No additional actions required
     Error Code: 0x00000000
     Error description: The operation completed successfully.
     Signature Version: AV: 1.249.99.0, AS: 1.249.99.0, NIS: 117.2.0.0
     Engine Version: AM: 1.1.14003.0, NIS: 2.1.13804.0

I also ran this test:
http://www.amtso.org/feature-settings-check-potentially-unwanted-applications/
Feature Settings Check – Potentially Unwanted Applications » AMTSO

by clicking the "Download the Potentially Unwanted Application ‘test’ file…" and this was blocked as well.

I have yet to watch this but this may be helpful as well:

Explore Windows Defender Instant Protection

Anyways, I didn't realise all these options existed for Windows Defender in 1703. There are many other options too which I haven't set or investigated. I do realise you lose some privacy for setting the above cloud/MAPS settings but it sure does seem to increase the protection level you have if you only use Defender for AV/malware protection.

I did some tests afterwards as I wasn't sure if the changes I made were working or not.
 

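An added example (not code from ParaXY's post or from Microsoft) that parses the Windows Defender AV "action taken" event text shown above into fields, so Detection Origin, Detection Type, Detection Source and Action can be reviewed across many events instead of one Event Viewer entry at a time. The embedded sample is the event text from the post; the function names are mine, and the -Live switch reads real events (IDs 1116/1117 in the Microsoft-Windows-Windows Defender/Operational log), which needs an elevated shell.

```powershell
# Added example: parse Windows Defender AV detection/action events into objects.
# Sample text is the event quoted in the post (constructed input for offline use).
$SampleEventMessage = @'
Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
 For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Skeeyah.A!bit&threatid=2147695505&enterprise=0
     Name: Trojan:Win32/Skeeyah.A!bit
     ID: 2147695505
     Severity: Severe
     Category: Trojan
     Path: file:_C:\Users\Test\AppData\Local\Temp\MDwJM6c1.exe.part
     Detection Origin: Local machine
     Detection Type: FastPath
     Detection Source: Real-Time Protection
     User: NT AUTHORITY\SYSTEM
     Process Name: C:\Program Files\Mozilla Firefox\firefox.exe
     Action: Quarantine
     Action Status:  No additional actions required
     Error Code: 0x00000000
'@

function ConvertFrom-DefenderEventMessage {
    # Turns the indented "Field: value" lines of a Defender event message into one object.
    param([string]$Message, [datetime]$TimeCreated = [datetime]::MinValue)
    $fields = [ordered]@{ TimeCreated = $TimeCreated }
    foreach ($line in $Message -split "`r?`n") {
        # Field lines are indented; the URL line is not, and the "For more information"
        # line has no value after its colon, so both are skipped by the pattern.
        if ($line -match '^\s+([A-Za-z ]+?):\s*(\S.*)$') {
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    [pscustomobject]$fields
}

function Get-DefenderDetections {
    # -Live pulls detection (1116) and action-taken (1117) events from the real log;
    # without it the sample event from the post is parsed so the script runs anywhere.
    param([switch]$Live)
    if ($Live) {
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117 }
        foreach ($e in $events) {
            ConvertFrom-DefenderEventMessage -Message $e.Message -TimeCreated $e.TimeCreated
        }
    } else {
        ConvertFrom-DefenderEventMessage -Message $SampleEventMessage
    }
}

# Review columns: "Detection Type: FastPath" is what the cloud-delivered block in the
# post produced; Process Name shows which application fetched the file; Action shows
# whether it was actually quarantined rather than only reported.
Get-DefenderDetections |
    Select-Object TimeCreated, Name, 'Detection Type', 'Detection Source', 'Process Name', Path, Action |
    Format-Table -AutoSize
```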

ZeroDay

WD does indeed seem a lot more powerful than most think. Once we start adjusting settings in group policy it does become pretty strong. Add all those features to SmartScreen and the upcoming integrated EMET features and I honestly think third party AVs are going to get a run for their money, which can only benefit users as third party security firms are going to have to look into new technologies to attract users.

I'm currently on the fast ring and there's WD with all the available tweaks, EMET built in and the protected folders feature. When the new Windows 10 version is released I honestly don't think there will be a need for a third party AV; just add VoodooShield and Sandboxie and you're going to be gtg.
 

ParaXY


I agree. For my setup I don't have any 3rd party AV/Malware software installed on my machine. I only use Windows Defender in my setup so any improvements that are made or settings that can be enabled to make my machine more secure are welcomed.

I too have the Insider Preview of Windows 10 installed in a test VM but haven't had any time to check out the new security features the Fall update will offer. I'm quite interested in any further Defender improvements, EMET and the protected folders feature.

I just wish there was an easier way to configure and fully understand the changes one is making in the registry/group policy for Defender as it's a bit tricky trying to figure out all the settings. Currently I have set the following Defender settings via the Registry and added them to my secure desktop build notes:

Code:
Windows Registry Editor Version 5.00

;Customise Windows Defender (importable .reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
;Enable PUP blocking in Defender:
"MpEnablePus"=dword:00000001
;Specify the extended cloud check time in seconds (50 seconds, on top of the 10-second default lock):
"MpBafsExtendedTimeout"=dword:00000032
;Enable High Blocking Level:
"MpCloudBlockLevel"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
;Monitor file and program activity on your computer (scan downloaded files and attachments):
"DisableIOAVProtection"=dword:00000000
;Turn on behaviour monitoring:
"DisableBehaviorMonitoring"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
;Join Microsoft MAPS (2 = Advanced MAPS):
"SpynetReporting"=dword:00000002
;Configure the Block at First Sight feature (0 = enabled):
"DisableBlockAtFirstSeen"=dword:00000000
;Send file samples when further analysis is required (1 = send safe samples):
"SubmitSamplesConsent"=dword:00000001

One thing's for sure, I'll be upgrading as soon as build 1709 is released!! I'm also looking forward to Windows Server 2016 improvements as I only use Defender in my VMs so any improvements there too would be helpful.
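An added example, not code from the Microsoft blog or from ParaXY's posts, that checks the blog's "make sure cloud-based protection and sample submission are on" advice and the Group Policy/registry values set in this thread against what Defender AV is actually running with, via Get-MpPreference and Get-MpComputerStatus, then repeats the MpCmdRun -ValidateMapsConnection check. The expected values are the thread's settings; the function name is mine. Run from an elevated PowerShell on Windows 10 1703 or later.

```powershell
# Added example: audit the effective Defender AV cloud-protection configuration.
# Expected values are keyed by Get-MpPreference property name; comments give the
# Group Policy / registry name used in the thread.
$ExpectedCloudConfig = [ordered]@{
    MAPSReporting             = 2       # Join Microsoft MAPS / SpynetReporting: 2 = Advanced MAPS
    SubmitSamplesConsent      = 1       # Send file samples: 1 = send safe samples
    DisableBlockAtFirstSeen   = $false  # Configure the "Block at First Sight" feature
    CloudBlockLevel           = 2       # Select Cloud Protection Level / MpCloudBlockLevel: 2 = High
    CloudExtendedTimeout      = 50      # Extended Cloud Check: 10 s default lock + 50 s = 60 s maximum
    DisableIOAVProtection     = $false  # Scan all downloaded files and attachments
    DisableBehaviorMonitoring = $false  # Turn on behaviour monitoring
    PUAProtection             = 1       # MpEnablePus: 1 = block potentially unwanted apps
}

function Test-DefenderCloudConfig {
    param([System.Collections.IDictionary]$Expected = $ExpectedCloudConfig)

    # If another AV product has registered itself, Defender AV is switched off and
    # none of the policy settings below take effect, however they were configured.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
        Write-Warning 'Defender AV or its real-time protection is disabled; cloud settings will not apply.'
    }

    # Get-MpPreference reports the effective value, whether it came from the
    # Security Center UI, Group Policy or the Policies registry keys.
    $pref = Get-MpPreference
    $report = @(foreach ($name in $Expected.Keys) {
        $actual = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $actual
            OK       = ($actual -eq $Expected[$name])
        }
    })

    # MAPS reachability: the same check ParaXY ran by hand from the command prompt.
    $mpCmdRun   = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $mapsOutput = (& $mpCmdRun -ValidateMapsConnection 2>&1 | Out-String).Trim()
    $report += [pscustomobject]@{
        Setting  = 'MAPS connection'
        Expected = 'successfully established a connection to MAPS'
        Actual   = $mapsOutput
        OK       = ($mapsOutput -match 'successfully established')
    }
    return $report
}

$result = Test-DefenderCloudConfig
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more cloud-protection settings differ from the expected configuration.'
}
```

On a machine without Group Policy, the same values can be applied with Set-MpPreference (for example -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples -CloudBlockLevel High -CloudExtendedTimeout 50 -PUAProtection Enabled) and re-checked with this script.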
 

brod56


Are the new features built in the GUI or only in the Group Policy?
 

SearchLight

Hello,
I am running Windows 10 Pro and made all the changes that you described in Group Policy for Windows Defender to enhance it.
When I downloaded the test files that you mention above, none triggered a response from WD, only from CFW using CS settings.
WD responds to the EICAR file test, and that is it.

All settings are on in the WD Security Center. Any clue, or do none of these settings apply to my version of Windows 10 which btw is the latest.

Thanks
 

Trooper

The next thing MS needs to work on with WD is improving performance as well. Hope to see some changes in this area before the Fall Creators Build is released.
 

SearchLight

Thanks for that info but when I configured WD according to the settings above in the GPE, and downloaded the test files, nothing happened. WD did not react to them other than the EICAR file. That being said, I turned off WD, and added the Comodo AV component to CFW with CS settings for seamless and trouble free operation.

Unfortunately WD is made to sound so great; maybe for the newbie it is better to be left on its default settings without tinkering with the GPE. Did not work for me.
 
