Advice Request Windows Defender Delay Protection.

[Andy Ful]

Windows Defender Delay Protection is probably stronger than any antivirus Advanced Threat Protection (also that used in Microsoft Defender ATP in Enterprises). WDDP has an advantage that it can be easily understood and applied in a few minutes by most of the average users.

So, let's forget about AV battles, VirusTotal, and online Sandbox analyses. One does not need to waste time for a layered security and overkill setups. There is no need to install new security after each month and reinstall broken Windows two or more times a year. All of this can be solved in practice by using WDDP.

Yes, this would be too good to be true. Although the title is a kind of joke (Microsoft did not apply anything like WDDP), there exists a very easy procedure to avoid most of the 0-day malware, which is especially useful for Windows Defender. So, what is a Delay Protection? Simply, the user should execute/open the new files with one-day-delay. Why it can be useful? Because after one day, the malware is not 0-day anymore.
But, why it could be especially useful for WD? Because WD has got recently advanced postinfection behavior detection. It means that the user is well protected against the 0-day malware if he/she is not among the first few victims who use WD. In many cases, the postinfection detections are made within a few minutes after infecting the first victim. But often, the first victim who uses WD can be infected several hours after pushing the malware in the wild - that is why the one day delay is often necessary.
The Delay Protection will work well for other good AVs too when they use fast signatures instead of postinfection detections.

It is strange that such a simple and effective solution is not widely accepted by users. Are you ready for WDDP?

 

[Vitali Ortzi]

Interesting concept .
If this becomes a reality one day I would use it on most windows computers in my house .

 

[blackice]

I tend to use this method regardless of AV.

 

[bayasdev]

This is the future man

 

[South Park]

I use a version of it: I never let a file run if Smart Screen has blocked it, no matter how much I trust the source. Other than a few signed exe's from major vendors, Smart Screen usually requires 2-3 days to list new software, so it has the effect of preventing 0-day malware from running even if it passed BAFS.

 

[PotentialUser]

What a small world Andy. I actually do almost exactly what you’re talking about.

Anything I download, be it an EXE, MSI, DOC, PDF, even PNGs — literally any type of file — is first saved to a folder called “Monitoring.” I then upload that file from Monitoring to VirusTotal. The file remains in Monitoring for 72 hours of quarantine. After 72 hours, I re-upload to VirusTotal. If it’s still clean, I then interact with it for the first time.

Is this process a hassle? Yes. Is it annoying? Definitely. Does it keep oneself relatively bullet-proof? Seems like it. I’ve been doing this for years; I found I don’t necessarily need to install/run/open/etc. every file I download the second I find it.

A bit of patience and caution goes a long way.

 

[ForgottenSeer 85179]

Microsoft did not apply anything like WDDP

To be fair:
they provide a ASR rule but it's more restricted with less comfort

 

[avstor]

It is strange that such a simple and effective solution is not widely accepted by users.

because user psychology does not prioritize security first and, most importantly, it is neither rational nor based on common sense
user psychology is premised entirely upon convenience and instant gratification above all else, and this is true of both consumer as well as enterprise\institutional users

This is the future man

the users never needed it, they just needed to follow one very simple rule... "Don't do that."

 

[Andy Ful]

To be honest, I do not think that any AV vendor would like to apply a Delay Protection. But, it is interesting that such a simple procedure can be very effective nowadays. It is also interesting that probably only a small percent of users can live with it, even if it is technically very simple and easy to understand.

As one of the posters already mentioned, the execution/opening delay can be useful in practice to support SmartScreen, instead of turning it off. SmartScreen is actually the best file reputation service, but many people ignore the alerts because of many false positives. So my proposition for them is as follows:

1. Keep an eye on SmartScreen alerts.
2. If the executable triggers the SmartScreen alert, then wait minimum one day before executing the file.
3. Do it also for not safe files (no SmartScreen alert) like: email attachments, links embedded in emails, archives, MS Office or Adobe Reader documents, files shared with other people, etc.

This is much easier to live with, I think.

Edit.
If I correctly recall, the DP is present in some form in Comodo IS.

 

[Andy Ful]

It is worth mentioning that DP is effective not only for executing/opening the files. It is also effective for phishing links, because over 90% of them are dead after one day.

 

[SeriousHoax]

Hi, Andy Ful. A question regarding SmartScreen. SmartScreen doesn't usually trust unsigned files but why SmartScreen itself I mean smartscreen.exe is not signed?! What's the reason behind it?

 

[Andy Ful]

Hi, Andy Ful. A question regarding SmartScreen. SmartScreen doesn't usually trust unsigned files but why SmartScreen itself I mean smartscreen.exe is not signed?! What's the reason behind it?
View attachment 242330

Many system files are recognized internally by the Windows (like cmd.exe, conhost.exe, cscript.exe, mmc.exe, notepad.exe, powershell.exe, regedit.exe, wscript.exe, etc.).
You can check it by applying <Validate Admin C.S.> = ON and running powershell.exe with Admin rights. Normally, the unsigned file would be blocked, but as you will see the powershell will run with Admin rigths.

 

[Ink]

What do you think about Application Guard in Microsoft 365 for Enterprise?

 

[Andy Ful]

What do you think about Application Guard in Microsoft 365 for Enterprise?

This feature can be of course very useful in Enterprises. It is nothing new because a similar idea was already used in Sandboxie, ReHIPS, etc. Microsoft implanted it on the hardware isolation-level which makes it much stronger. It is an open question of how it will work in practice (printing, saving documents, file sharing, etc.). For now, it requires Windows E5 license, so most people can forget about it.

 

[Nagisa]

What about viruses that can exploit SmartScreen, Windows Defender or the browser itself? What about fileless malware? I'm not knowledgable, I wonder if such a thing is possible. Windows Defender, I guess, is the first thing that hackers try to bypass.


I would prefer using Defender alone as long as it's tweaked to highest settings from CG (not MAX). But such things I said above is keeping me from trusting this setup.

 

[ForgottenSeer 85179]

What about viruses that can exploit SmartScreen, Windows Defender or the browser itself? What about fileless malware? I'm not knowledgable, I wonder if such a thing is possible. Windows Defender, I guess, is the first thing that hackers try to bypass.


I would prefer using Defender alone as long as it's tweaked to highest settings from CG (not MAX). But such things I said above is keeping me from trusting this setup.

No AV can you protect 100%. Malware need to blocked at execution and Andy provide that with Hard_Configurator in a very easy way.
Combine that with Windows Defender and you're safe.

Exploits get quickly fixed nowadays and if you use new Edge as browser, you already use a strong setup.

 

[Andy Ful]

What about viruses that can exploit SmartScreen, Windows Defender or the browser itself? What about fileless malware?
...

You still can be infected - nothing is bullet-proof on Windows. But, you have similar (or greater) chances to be infected due to exploit or fileless malware, when using the top AV with Advanced Thread Protection.
The possible problem with the idea of Delay Protection is not security, but users' habits.

The nice feature of Delay Protection is that you can be "twice as safe" when using it with top AV and ATP.