Advice Request: Windows Defender disabled by malware


Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
In home AVs, you are better off relying on behaviour blockers like System Watcher.

I don't even need to go far to see both Kaspersky and WD in action on the Malware Hub, which confirms how poor WD is against scripts even with your configuration, in comparison to Kaspersky.
Yes. You really do not like Defender. There is no support for your claims either on Malware Hub or in the AV testing Labs. Furthermore, the tests on MH are very old and do not include AMSI-based post-execution detections. You can see how invasive they can be in this thread:
https://malwaretips.com/threads/how...ven-vbs-script-as-containing-a-threat.107234/
Both Kaspersky (on default settings) and Defender have good anti-script protection compared to other AVs. But, on default settings, this protection is still insufficient. Kaspersky has the advantage that it can be configured to block scripts unknown in KSN - this setup is even stronger than Defender with ASR rules.
The article is about scripts (and some other methods) running inside the web browser. It also has nothing to do with AMSI. Defender on default settings does not cover this attack vector at all. It can be prevented (to a great extent) by the web browser's built-in features (like SmartScreen) and adblockers. Furthermore, it was agreed in that thread (and was mentioned in the article) that such attacks must also exploit the web browser (or system) to infect the system without user interaction.
Kaspersky blocked the custom script I wrote for testing that, while WD didn't even flinch as I expected, so much for that superior script protection you rely so much on.
Your personal experience is irrelevant. There are known professional tests that do not support your experience at all. A few months ago I bypassed AVG anti-script protection with dozens of scripts and I do not insist that it has poor protection. On the contrary, after obfuscating the scripts AVG blocked them all.
AMSI is pretty basic and it won't detect a good chunk of scripts; there's a good reason AMSI is complemented by Windows Defender ATP monitoring in the enterprise. In the case of Kaspersky, they have Adaptive Anomaly Control.
It seems that you do not know that AMSI does not detect anything. :unsure:

I would like to stop our discussion here, because my experience and understanding of Defender protection is very different from yours. It is also clear that we can hardly agree on something without hundreds of posts and putting all readers to sleep. :)

Be safe. (y)
 

Andy Ful

Thanks Andy,

good grief, I should have known this :( I actually have those rules enabled in Group Policy, done a long time ago I guess. Still I think for some reason I had some doubt that they were fully effective for non-enterprise users, but I take your word for it that they are.

Your doubt is a good thing. That is why you should test it:
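A defender-side check for the two points argued over above: whether the ASR rules set in Group Policy are actually in force on a Home machine, and (from the earlier exchange) that AMSI by itself detects nothing and only hands script content to registered providers such as Defender. Given the thread's topic, it also reports the core Defender switches that a tool like the one in the OP turns off. This is an added example, not code from the thread or from Hard_Configurator; the GUID-to-name table is an assumption that covers only a few well-known rules, and any rule it does not know is printed by GUID.

```powershell
# Added example (not from the thread): audit Defender's protection state,
# ASR rule enforcement and AMSI provider registration on a Windows 10/11 host.
# Run from an elevated PowerShell; Get-MpComputerStatus and Get-MpPreference
# are Defender's own cmdlets and report the effective (policy-merged) state.

function Get-DefenderCoreState {
    # Each value should be True on a healthy host; a disabling tool flips them to False.
    $s = Get-MpComputerStatus
    [ordered]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        AMServiceEnabled   = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        BehaviorMonitoring = $s.BehaviorMonitorEnabled
        TamperProtection   = $s.IsTamperProtected
    }
}

# Assumed mapping of a few well-known ASR rule GUIDs to names; anything else prints by GUID.
$script:AsrRuleName = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBS from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations from PsExec and WMI commands'
}
# ASR action codes as reported by Get-MpPreference.
$script:AsrAction = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays; an empty Ids array means no rule is configured,
    # i.e. the "advanced configuration" is not in force regardless of what a GPO says.
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id     = ([string]$ids[$i]).ToUpperInvariant()
        $name   = if ($AsrRuleName.ContainsKey($id)) { $AsrRuleName[$id] } else { $id }
        $action = $AsrAction[[int]$acts[$i]]
        [pscustomobject]@{ Action = $action; Rule = $name }
    }
}

function Get-AmsiProviders {
    # AMSI routes script content to whatever providers are registered here.
    # Defender registers its own CLSID; with no providers, AMSI scans go nowhere.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName }
}

# --- Report ---
'--- Defender core state ---'
(Get-DefenderCoreState).GetEnumerator() | ForEach-Object {
    $mark = if ($_.Value) { 'OK ' } else { 'BAD' }
    '{0} {1}' -f $mark, $_.Key
}
'--- ASR rules in force ---'
$rules = @(Get-AsrRuleState)
if ($rules.Count -eq 0) { 'none configured' } else { $rules | Format-Table -AutoSize | Out-String }
'--- AMSI providers ---'
$prov = @(Get-AmsiProviders)
if ($prov.Count -eq 0) { 'none registered (AMSI has nothing to hand scripts to)' } else { $prov }
```

Two things worth checking in the output: a rule that Group Policy lists but that shows here as Audit or Off is not blocking anything, and a BAD on TamperProtection means the Defender settings themselves can be changed by a local administrator process, which is exactly the situation the OP describes. To confirm the AMSI-to-Defender chain end to end, Microsoft publishes a dedicated AMSI test string (documented on the AMSI pages alongside the EICAR file); it is deliberately left out of this script because Defender also quarantines any script file that contains it.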
 

Andy Ful

Back to the topic. It will be interesting to use the POC for testing the Defender behavior-based detections. The POC can be easily modified by changing the hardcoded password, modifying the archive with the payload, and the Defender Control executable can be modified too by changing some unimportant bytes. Let's hope that the final effect will be as optimistic as in this thread:
https://malwaretips.com/threads/how...ipt-as-containing-a-threat.107234/post-935955
 

Local Host

Is Windows Defender Any Good?
Britec09 hxxps://www.youtube.com/watch?v=T8yOwa9Z6Z4
People that don't use these forums seem to get infected easily.
When I see things like this it makes me feel like people on forums live in a bubble separated from reality.
People here like to defend WD like it is the best AV in the world.

You can find a hundred more results like that, run the tests yourself if in doubt, even with advanced configuration WD will fail in most cases.

It is a waste of time to argue about this, however; let them be delusional.
 

Andy Ful

Is Windows Defender Any Good?
Britec09 hxxps://www.youtube.com/watch?v=T8yOwa9Z6Z4
People that don't use these forums seem to get infected easily.
When I see things like this it makes me feel like people on forums live in a bubble separated from reality.
This video is a demonstration, not a test. The author clearly says (I agree with him) that he cannot advise any particular solution and that it is the user's choice to choose among the free or paid AVs.
Please do not continue the discussion about differences in AV protection here. :)
 

Andy Ful

People here like to defend WD like it is the best AV in the world.
It is not the best AV in the world, and this clearly follows from the tests performed by AV testing labs (I posted the summary of these results in this thread). It is usually defended when someone insists that Defender is the worst in the world. :)
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Well, this is a LONG-time thing with me but very basically: Microsoft has a vested interest in keeping Defender competitive. Its marketing would fall flatter than flat in the face of billions of Windows installations and it could theoretically get sued in certain scenarios. It's been sued before due to crap updates literally destroying machines. Its tamper protection is a step forward but I know it's not bullet-proof--speaking for Home users now.

So why not say it's a capable antivirus and leave it at that? No harm in bolstering it with light 3rd parties, like Hard_Configurator. It's like taking vitamin supplements. 🎃
 

ForgottenSeer 72227

This constant back and forth about WD is getting old quite frankly. There's no such thing as the "best AV" and afaik, no one EVER said that WD is the "best AV in the whole world." WD has improved significantly on many fronts over the years and continues to do so... that doesn't mean it's perfect. As it's been said, WD improvements have been shown, over and over, by multiple tests and testing organizations... it's not made up. I mean only a few years ago WD would constantly score 75% or less on an AV-Comparatives test, yet no one had a problem... Now it's scoring much higher, so naturally these tests are wrong, there's no possible way WD can be that good.

@Andy Ful has a wealth of knowledge concerning WD and has done a good job of explaining the intricacies of how WD works, as well as its strengths and weaknesses. Sadly, like many things, MS does a poor job with their documentation, so the confusion is understandable. Furthermore, it does take time for past reputations to be overcome... so there's that aspect as well.

As others have stated, while not perfect, WD can definitely be considered to be among the best, it's just up to you if you want to use it, or not...

If you don't like it, don't use it...no one said that WD has to be used and liked by everyone, so just use what works for you. :emoji_beer::)
 

Ink

Administrator
Verified
Jan 8, 2011
22,490
People here like to defend WD like it is the best AV in the world.

You can find a hundred more results like that, run the tests yourself if in doubt, even with advanced configuration WD will fail in most cases.
Microsoft Defender is not the best antivirus in the world, nor is any other for that matter. However, you could argue that today's Microsoft Defender Antivirus is the BEST iteration of itself compared to previous versions: WD for Windows 8, Microsoft Security Essentials for Windows 7, Windows Live OneCare.

Looking at Malware Testing results is not a realistic approach to determining which Antivirus will Pass or Fail. A node is only as secure as the user operating the device, such as in the example below.
A vehicle with a 5-star Euro NCAP safety rating isn't invulnerable to causing a fatality. If the driver (User) is under the influence of alcohol/drugs (Malware testing) then they are a danger to the occupants and self (PC), and in the event of a collision (Bypass/FUD) will guarantee that any safety measures fail (Infected).

What's worse?
People still calling it Windows Defender after it was renamed to Microsoft Defender. It's no longer exclusive to Windows.
 

Local Host

Microsoft Defender is not the best antivirus in the world, nor is any other for that matter. However, you could argue that today's Microsoft Defender Antivirus is the BEST iteration of itself compared to previous versions: WD for Windows 8, Microsoft Security Essentials for Windows 7, Windows Live OneCare.

Looking at Malware Testing results is not a realistic approach to determining which Antivirus will Pass or Fail. A node is only as secure as the user operating the device, such as in the example below.
A vehicle with a 5-star Euro NCAP safety rating isn't invulnerable to causing a fatality. If the driver (User) is under the influence of alcohol/drugs (Malware testing) then they are a danger to the occupants and self (PC), and in the event of a collision (Bypass/FUD) will guarantee that any safety measures fail (Infected).

What's worse?
People still calling it Windows Defender after it was renamed to Microsoft Defender. It's no longer exclusive to Windows.
We should stop doing CAT tests, since if an accident happens it is the driver's fault anyway, no matter how secure the car is.

That is pretty much what you said about Windows Defender, which in reality is not as secure as advertised; no one said Windows Defender hasn't improved in comparison to its past self.

But "selling" it as a top tier product is just wrong.

The only place I would use Windows Defender would be in the Enterprise with ATP, and under skilled hands who can actually understand the information it supplies.
 

Andy Ful

Yesterday, I submitted the POC to Microsoft. The analyst flagged Defender Control as a HackTool so the POC stopped working. Anyway, after changing two bytes in Defender Control the modified POC still works. It has been submitted with my comment, that the POC should be blocked by behavior blocking. Now, I am waiting ...:)
Still cannot find any working UAC bypass. All known bypasses (even from this year) seem to be patched by Microsoft (I use Windows 10 20H2).
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Let's sum up.
  1. @Local Host convinced everyone that he is a Defender expert.
  2. Like any Defender expert, he does not use Defender.
  3. His expert experience is most important. The experience of other MT members can be ignored.
  4. The test results of the three biggest AV testing labs can be ignored, because they contradict his experience.
  5. He found dozens of reliable homemade tests and he is sure that they support his experience. It does not matter that the authors of these tests sometimes do not think so.
Congrats. Everything is clear now. We should learn from experts.(y)
Windows Security has come a very long way and it is a great product, but there is no need to be condescending, especially to members who bring up interesting and valid points.

The issue might be that when proponents of Windows Security only discuss the positive attributes and completely ignore the negative attributes and limitations of solely relying on built-in Windows Security (including SRP), it not only makes the proponents look like fanboys, it puts real users at risk because they are unaware of the deficiencies and limitations. This is especially true when the only response to valid Windows Security bypasses is always "Don't worry, home users are not targeted in this attack, this is an enterprise attack".

People bash other security products all of the time, why is it not okay to discuss the deficiencies and limitations of all products, so that everyone can be adequately protected?
 

Andy Ful

@danb,
We do not talk here about Windows security, but about Defender (mostly on default settings). No one criticizes here the valid points, but only invalid ones. All 5 points mentioned by me follow from this thread.

This is especially true when the only response to valid Windows Security bypasses is always "Don't worry, home users are not targeted in this attack, this is an enterprise attack".
As you can see from my previous post I do not ignore the vulnerability mentioned in the OP, even if it was not used in the wild yet.
 

danb

@danb,
We do not talk here about Windows security, but about Defender (mostly on default settings). No one criticizes here the valid points, but only invalid ones. All 5 points mentioned by me follow from this thread.
Whether you realize it or not, you are talking about Windows Security... "Windows 10 includes Windows Security, which provides the latest antivirus protection." and "Windows Security is built-in to Windows 10 and includes an antivirus program called Microsoft Defender Antivirus. (In previous versions of Windows 10, Windows Security is called Windows Defender Security Center)."


Maybe we can start a new thread to discuss the deficiencies and limitations.
 

Andy Ful

Whether you realize it or not, you are talking about Windows Security... "Windows 10 includes Windows Security, which provides the latest antivirus protection."
To be precise. In this thread, we discuss a small part of Windows security, related to Defender vulnerability from the OP. No need to extend the discussion to include other Windows Security features. If you want you can open a separate thread. We have already too many off-topic posts here.
 

danb

To be precise. In this thread, we discuss a small part of Windows security, related to Defender vulnerability from the OP. No need to extend the discussion to include other Windows Security features. If you want you can open a separate thread. We have already too many off-topic posts here.
How many times have you mentioned other Windows Security components in this thread? So many times in fact, that I thought we were talking about Windows Security. And this is not the only thread this happens on.
 

ForgottenSeer 72227

Windows Security has come a very long way and it is a great product, but there is no need to be condescending, especially to members who bring up interesting and valid points.
I think part of the problem is that many people are not willing to listen, or hear what the other person is saying. In the case of WD, there are those who like to make assumptions on how it works and/or what its capabilities are. Instead of having a friendly conversation, some just resort to calling people fanboys and stating that everyone is saying that WD is the best AV in the world, with no faults... which is not the case.

In this very thread @Andy Ful has done a pretty good job of explaining how WD works and has been trying to clarify some misunderstandings. In fact @Andy Ful, myself and many others have stated numerous times that WD is not perfect. We agree with the fact that it's not for everyone and has its faults. Thing is, people who constantly bash WD miss that and only see our comments saying "it's good."

You will also have those who post one test and make a general conclusion that WD is garbage because of one test. When other members say, well... according to these 10 tests it's not as bad as it's made out to be. Problem is... that one test just agrees with that person's opinion and therefore they ignore all of the other facts... this one test must be the right test because it agrees with my "experience." So I can see where the frustrations lie.

I think we can all be better on this front; however, it takes both sides to respect and be willing to understand each other's point of view. Problem is, we are still living in a world where many people think that "my opinion/experience is the only correct one and everyone else is wrong."

How many times have you mentioned other Windows Security components in this thread? So many times in fact, that I thought we were talking about Windows Security. And this is not the only thread this happens on.

That is true... I am of the opinion that it's very hard to discuss WD and not discuss other aspects of W10 security. Since MS has sprinkled various security features throughout the OS, it's hard to isolate everything, as it's all designed to complement one another... similar to a 3rd party security suite. I get that WD is the "AV" of the OS, but you cannot just ignore the other aspects, which many people do. It would be like just focusing on Kaspersky's real-time file scanner and ignoring their firewall, System Watcher, TAM, etc...

All in all, I have said this numerous times and will continue to say it... there are many products to choose from, just pick the ones that work best for you. No AV/IS, and I mean NO AV/IS, is perfect, and every single AV/IS can miss malware. In the case of this thread any AV/IS can be bypassed/disabled. No solution is 100% immune to this... this isn't just a WD problem, even though many like to paint it that way... :emoji_beer:
 
