Advice Request Windows Defender Delay Protection.


Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
Windows Defender Delay Protection is probably stronger than any antivirus Advanced Threat Protection (also that used in Microsoft Defender ATP in Enterprises). WDDP has an advantage that it can be easily understood and applied in a few minutes by most of the average users.

So, let's forget about AV battles, VirusTotal, and online sandbox analyses. One does not need to waste time on layered security and overkill setups. There is no need to install new security software every month and reinstall a broken Windows two or more times a year. All of this can be solved in practice by using WDDP.

Yes, this would be too good to be true. Although the title is a kind of joke (Microsoft did not apply anything like WDDP), there exists a very easy procedure to avoid most 0-day malware, which is especially useful for Windows Defender. So, what is Delay Protection? Simply, the user should execute/open new files with a one-day delay. Why can it be useful? Because after one day, the malware is not 0-day anymore.
But why could it be especially useful for WD? Because WD has recently got advanced post-infection behavior detection. It means that the user is well protected against 0-day malware if he/she is not among the first few victims who use WD. In many cases, the post-infection detections are made within a few minutes after infecting the first victim. But often, the first victim who uses WD can be infected several hours after the malware is pushed into the wild - that is why the one-day delay is often necessary.
The Delay Protection will work well for other good AVs too, when they use fast signatures instead of post-infection detections.

It is strange that such a simple and effective solution is not widely accepted by users. Are you ready for WDDP?:)
 

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
I use a version of it: I never let a file run if SmartScreen has blocked it, no matter how much I trust the source. Other than a few signed exes from major vendors, SmartScreen usually requires 2-3 days to list new software, so it has the effect of preventing 0-day malware from running even if it passed BAFS.
 

PotentialUser

Level 1
May 28, 2020
35
What a small world Andy. I actually do almost exactly what you’re talking about.

Anything I download, be it an EXE, MSI, DOC, PDF, even PNGs — literally any type of file — is first saved to a folder called “Monitoring.” I then upload that file from Monitoring to VirusTotal. The file remains in Monitoring for 72 hours of quarantine. After 72 hours, I re-upload to VirusTotal. If it’s still clean, I then interact with it for the first time.

Is this process a hassle? Yes. Is it annoying? Definitely. Does it keep oneself relatively bullet-proof? Seems like it. I’ve been doing this for years; I found I don’t necessarily need to install/run/open/etc. every file I download the second I find it.

A bit of patience and caution goes a long way.
 

avstor

Level 1
Jun 6, 2020
17
It is strange that such a simple and effective solution is not widely accepted by users.

Because user psychology does not prioritize security first and, most importantly, it is neither rational nor based on common sense.
User psychology is premised entirely upon convenience and instant gratification above all else, and this is true of both consumer as well as enterprise/institutional users.

This is the future man

The users never needed it, they just needed to follow one very simple rule... "Don't do that."
 

Andy Ful

To be honest, I do not think that any AV vendor would like to apply a Delay Protection. But it is interesting that such a simple procedure can be very effective nowadays. It is also interesting that probably only a small percentage of users can live with it, even if it is technically very simple and easy to understand.:unsure:

As one of the posters already mentioned, the execution/opening delay can be useful in practice to support SmartScreen, instead of turning it off. SmartScreen is actually the best file reputation service, but many people ignore the alerts because of the many false positives. So my proposition for them is as follows:
  1. Keep an eye on SmartScreen alerts.
  2. If the executable triggers a SmartScreen alert, then wait a minimum of one day before executing the file.
  3. Do it also for unsafe files (no SmartScreen alert) like: email attachments, links embedded in emails, archives, MS Office or Adobe Reader documents, files shared with other people, etc.
This is much easier to live with, I think.:)(y)

Edit.
If I correctly recall, the DP is present in some form in Comodo IS.
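The three-step procedure above, and the 72-hour "Monitoring" folder quarantine PotentialUser describes earlier in the thread, both come down to one rule: a file that carries the Mark of the Web (the NTFS Zone.Identifier stream SmartScreen keys on) may only be opened once it is older than the chosen quarantine. The script below is an added example, not code from the thread or from Hard_Configurator; the folder name "Monitoring", the helper names, the timestamp-as-arrival-time choice and the sample stream contents are assumptions made for the example. The decision logic is kept pure Python so it runs anywhere; only `read_motw` needs Windows/NTFS to actually read the alternate data stream.

```python
"""Delay-protection gate for a download quarantine folder (added example).

Files that arrived from the internet carry a Zone.Identifier stream with
ZoneId=3 (Mark of the Web). They are held until they are older than the
quarantine (24 h in the thread author's proposal, 72 h in PotentialUser's);
local files without the mark pass immediately.
"""
from __future__ import annotations

import os
import time
from dataclasses import dataclass
from pathlib import Path

URLZONE_INTERNET = 3  # ZoneId value written for internet downloads


def parse_zone_identifier(text: str) -> dict[str, str]:
    """Parse the INI-like Zone.Identifier stream into a dict.

    Typical contents written by a browser:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://example.test/dl/
        HostUrl=https://cdn.example.test/tool-setup.exe
    Only keys under [ZoneTransfer] are returned; malformed lines are ignored.
    """
    fields: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def read_motw(path: Path) -> dict[str, str] | None:
    """Read the Zone.Identifier alternate data stream (Windows/NTFS only).
    Returns None when the file carries no Mark of the Web."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


@dataclass
class Verdict:
    name: str
    from_internet: bool
    age_hours: float
    eligible: bool
    reason: str


def gate(name: str, motw: dict[str, str] | None, arrived_at: float,
         now: float, quarantine_hours: float = 24.0) -> Verdict:
    """Decide whether a file may leave quarantine (pure logic, testable).

    * no Mark of the Web, or ZoneId below 3      -> treated as local, passes now
    * ZoneId 3 (Internet) or 4 (Restricted)      -> must wait quarantine_hours
    * arrival timestamp in the future            -> never released (a reset
      timestamp is exactly what a freshly dropped file would look like)
    """
    age_h = (now - arrived_at) / 3600.0
    zone_str = motw.get("ZoneId", "") if motw else ""
    zone = int(zone_str) if zone_str.isdigit() else 0
    from_internet = zone >= URLZONE_INTERNET
    if age_h < 0:
        return Verdict(name, from_internet, age_h, False, "timestamp in the future")
    if not from_internet:
        return Verdict(name, from_internet, age_h, True, "no Mark of the Web (local/intranet)")
    if age_h >= quarantine_hours:
        return Verdict(name, from_internet, age_h, True,
                       f"held {age_h:.1f} h >= {quarantine_hours:.0f} h")
    return Verdict(name, from_internet, age_h, False,
                   f"wait {quarantine_hours - age_h:.1f} h more")


def scan_folder(folder: Path, quarantine_hours: float = 24.0) -> list[Verdict]:
    """Apply the gate to every regular file in the Monitoring folder.
    Assumption: the file's ctime (creation time on Windows) is its arrival time."""
    now = time.time()
    return [gate(p.name, read_motw(p), os.path.getctime(p), now, quarantine_hours)
            for p in sorted(folder.iterdir()) if p.is_file()]


# Constructed sample stream (not taken from a real download).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.test/dl/\r\n"
                 "HostUrl=https://cdn.example.test/tool-setup.exe\r\n")

if __name__ == "__main__":
    now = time.time()
    motw = parse_zone_identifier(SAMPLE_STREAM)
    for label, hours_ago in (("tool-setup.exe (2 h old)", 2), ("tool-setup.exe (30 h old)", 30)):
        v = gate(label, motw, now - hours_ago * 3600, now)
        print(f"{v.name}: {'OPEN' if v.eligible else 'HOLD'} - {v.reason}")
    # On Windows, run it over the real quarantine folder with a 72 h hold:
    # for v in scan_folder(Path.home() / "Monitoring", quarantine_hours=72): print(v)
```

Two caveats a practitioner should keep in mind: the gate only sees files that still carry the mark, so anything extracted by an archiver that strips Zone.Identifier, or copied to a FAT/exFAT volume, passes as "local"; and the delay buys time for AV telemetry and SmartScreen reputation to catch up, it does not itself decide whether the file is malicious.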
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,878
Hi, Andy Ful. A question regarding SmartScreen. SmartScreen doesn't usually trust unsigned files, but why is SmartScreen itself, I mean smartscreen.exe, not signed?! What's the reason behind it? 🤔
 

Andy Ful

Hi, Andy Ful. A question regarding SmartScreen. SmartScreen doesn't usually trust unsigned files, but why is SmartScreen itself, I mean smartscreen.exe, not signed?! What's the reason behind it? 🤔
Many system files are recognized internally by Windows (like cmd.exe, conhost.exe, cscript.exe, mmc.exe, notepad.exe, powershell.exe, regedit.exe, wscript.exe, etc.).
You can check it by applying <Validate Admin C.S.> = ON and running powershell.exe with Admin rights. Normally, the unsigned file would be blocked, but as you will see, PowerShell will run with Admin rights.
 

Andy Ful

What do you think about Application Guard in Microsoft 365 for Enterprise?
This feature can of course be very useful in Enterprises. It is nothing new, because a similar idea was already used in Sandboxie, ReHIPS, etc. Microsoft implemented it at the hardware isolation level, which makes it much stronger. It is an open question how it will work in practice (printing, saving documents, file sharing, etc.). For now, it requires a Windows E5 license, so most people can forget about it.
 

Nagisa

Level 7
Verified
Jul 19, 2018
342
What about viruses that can exploit SmartScreen, Windows Defender or the browser itself? What about fileless malware? I'm not knowledgeable, I wonder if such a thing is possible. Windows Defender, I guess, is the first thing that hackers try to bypass.


I would prefer using Defender alone as long as it's tweaked to highest settings from CG (not MAX). But such things I said above is keeping me from trusting this setup.
 

ForgottenSeer 85179

What about viruses that can exploit SmartScreen, Windows Defender or the browser itself? What about fileless malware? I'm not knowledgeable, I wonder if such a thing is possible. Windows Defender, I guess, is the first thing that hackers try to bypass.


I would prefer using Defender alone as long as it's tweaked to highest settings from CG (not MAX). But such things I said above is keeping me from trusting this setup.
No AV can protect you 100%. Malware needs to be blocked at execution, and Andy provides that with Hard_Configurator in a very easy way.
Combine that with Windows Defender and you're safe.

Exploits get quickly fixed nowadays and if you use new Edge as browser, you already use a strong setup.
 

Andy Ful

What about viruses that can exploit SmartScreen, Windows Defender or the browser itself? What about fileless malware?
...
You still can be infected - nothing is bullet-proof on Windows. But you have similar (or greater) chances of being infected due to an exploit or fileless malware when using a top AV with Advanced Threat Protection.
The possible problem with the idea of Delay Protection is not security, but users' habits.

The nice feature of Delay Protection is that you can be "twice as safe" when using it with top AV and ATP.:)
 