RejZoR | Level 9 | Verified | Joined Nov 26, 2016 | Messages 446 | OS Windows 10 | Antivirus Avast
#2
I'm wondering if they made that anti-ransomware feature any less garbage. They talk about it having a whitelist, and yet it just keeps on blocking EVERYTHING, even hugely popular apps that should be whitelisted.
 

shmu26 | Level 70 | Content Creator | Verified | Joined Jul 3, 2015 | Messages 5,960 | OS Windows 10
#4
As far as I can tell, Windows Defender is not essentially different in the October Update.
The way it provides info on the security status of the system is more accurate and less confusing.
Protected Folders is supposed to be more user-friendly, because it is easier to make exceptions. I use it, but I didn't get any new blocks yet, so I can't say how user-friendly it actually is. If I didn't get any new blocks, that is already a good sign...
This build was supposed to have a button to enable advanced exploit protection, otherwise known as ASR, Attack surface reduction. But I don't see that button anywhere. I guess that feature was not ready yet. It will probably come soon, though.

There may be important changes under the hood, but the documentation was not publicized yet.
 
Joined Sep 22, 2017 | Messages 5 | OS Windows 10 | Antivirus Avast
#6
Stayed with Defender a bit after my clean install of 1809, but I'm sort of tempted to reinstall Avast so far. The main reason is that Defender still seems slow at scans. Even though I only visit certain sites each day now, I'm still a little uneasy using it, but I might keep using it; not sure yet at this point.
 

Spawn | Administrator | MalwareTips Staff | Verified | Joined Jan 8, 2011 | Messages 17,572 | OS Windows 10 | Antivirus Microsoft
#7
Windows Defender Security Center is now called Windows Security. More changes in the link below.

> This time around, we're not getting significant features with the Windows Security app. However, Microsoft is introducing a lot of tweaks, minor changes, and visual improvements with the October 2018 Update that should help make the experience a little easier to use by everyone, which is also key to help keep devices and data secure against hackers and malware.

Read more: What's new with Windows Security on the Windows 10 October 2018 Update
 

Lockdown | From AppGuard | Developer | Verified | Joined Oct 24, 2016 | Messages 4,186
#8
I just tested Application Guard. It doesn't look to be working to me, or it just isn't WYSIWYG. Not sure... and I don't feel like searching for documentation that I already know does not exist. I hope Microsoft does not allow the install of Application Guard but have the feature only work on Enterprise. If that is the case, then shame on Microsoft...

I just love how people will say that 3rd party security soft publishers play games, when in fact, Microsoft is the one that is the master at playing games with Windows security.
 

Andy Ful | Level 32 | Content Creator | Verified | Joined Dec 23, 2014 | Messages 2,126 | OS Windows 10 | Antivirus Microsoft
#9
Application Guard does not work on Windows Home.
A 64-bit computer with a minimum of 4 cores (logical processors) is required for the hypervisor and virtualization-based security (VBS).
Microsoft requires 8GB RAM and 5GB free disk space.
AG does not work if VirtualBox or VMware are installed (only one hypervisor is allowed).
AG works on Windows 10 Enterprise edition version 1709+ and Windows 10 Professional edition version 1803+.

The user may use the following registry values to enable Application Guard on machines that don't meet the recommended hardware configuration:
HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores.
HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.
HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.

Windows Defender Application Guard (Windows 10)
System requirements for Windows Defender Application Guard (Windows 10)
 
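The post above lists the Application Guard prerequisites and the three Hvsi override values. The script below is an added example (not from the post, and not Microsoft's own tooling) that checks a machine against those prerequisites from an elevated Windows PowerShell 5.1 prompt and shows how the override values would be written. Assumptions not stated in the post: VBS status is read from the Win32_DeviceGuard CIM class; VirtualBox and VMware are detected by their kernel driver names (VBoxDrv/VBoxSup and vmx86); the Hvsi values are written as DWORDs; the edition check uses EditionID and ReleaseId from the CurrentVersion key.

```powershell
# Added example: check this machine against the Application Guard prerequisites quoted in
# the post and show the registry override values. Run elevated on Windows PowerShell 5.1.
function Test-WdagPrerequisites {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cs = Get-CimInstance Win32_ComputerSystem
    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                           -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # Assumption: these driver names identify VirtualBox (VBoxDrv/VBoxSup) and VMware (vmx86).
    $otherHv = Get-CimInstance Win32_SystemDriver `
                   -Filter "Name='VBoxDrv' OR Name='VBoxSup' OR Name='vmx86'" |
               Select-Object -ExpandProperty Name

    # Feature state needs elevation; report the error instead of aborting the whole check.
    try {
        $feature = (Get-WindowsOptionalFeature -Online `
                        -FeatureName Windows-Defender-ApplicationGuard -ErrorAction Stop).State
    } catch {
        $feature = "unknown ($($_.Exception.Message))"
    }

    $cores   = [int]$cs.NumberOfLogicalProcessors
    $ramGB   = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $freeGB  = [math]::Round($sysDrive.Free / 1GB, 1)
    $release = [int]$cv.ReleaseId
    $edition = [string]$cv.EditionID

    # Edition/version rule from the post: Enterprise 1709+ or Professional 1803+.
    $editionOk = ($edition -match '^Enterprise' -and $release -ge 1709) -or
                 ($edition -match '^Professional' -and $release -ge 1803)

    [pscustomobject]@{
        Edition          = $edition
        ReleaseId        = $release
        Is64Bit          = [Environment]::Is64BitOperatingSystem
        LogicalCores     = $cores
        RamGB            = $ramGB
        FreeDiskGB       = $freeGB
        VbsStatus        = if ($vbs) { $vbs.VirtualizationBasedSecurityStatus } else { 'unavailable' }
        OtherHypervisors = ($otherHv -join ', ')
        AppGuardFeature  = $feature
        EditionOk        = $editionOk
        HardwareOk       = [Environment]::Is64BitOperatingSystem -and
                           $cores -ge 4 -and $ramGB -ge 8 -and $freeGB -ge 5
        HypervisorClash  = [bool]$otherHv
    }
}

Test-WdagPrerequisites | Format-List

# Overrides quoted in the post for machines below the recommended spec. This is an
# unsupported configuration; the values below are illustrative. Remove the leading '#' to apply.
# $hvsi = 'HKLM:\SOFTWARE\Microsoft\Hvsi'
# New-Item -Path $hvsi -Force | Out-Null
# New-ItemProperty -Path $hvsi -Name SpecRequiredProcessorCount    -PropertyType DWord -Value 2 -Force | Out-Null
# New-ItemProperty -Path $hvsi -Name SpecRequiredMemoryInGB        -PropertyType DWord -Value 4 -Force | Out-Null
# New-ItemProperty -Path $hvsi -Name SpecRequiredFreeDiskSpaceInGB -PropertyType DWord -Value 5 -Force | Out-Null
```

A machine that reports HypervisorClash as True will fail to start the Application Guard container regardless of the other columns, which matches the "only one hypervisor" line in the post; lowering the Hvsi thresholds does nothing about that.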

oldschool | Level 15 | Verified | Joined Mar 29, 2018 | Messages 710 | OS Windows 10 | Antivirus Cylance
#10
> Application Guard does not work on Windows Home.
> A 64-bit computer with a minimum of 4 cores (logical processors) is required for the hypervisor and virtualization-based security (VBS).
> Microsoft requires 8GB RAM and 5GB free disk space.
> AG does not work if VirtualBox or VMware are installed (only one hypervisor is allowed).
> AG works on Windows 10 Enterprise edition version 1709+ and Windows 10 Professional edition version 1803+.
>
> The user may use the following registry values to enable Application Guard on machines that don't meet the recommended hardware configuration:
> HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores.
> HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.
> HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.
>
> Windows Defender Application Guard (Windows 10)
> System requirements for Windows Defender Application Guard (Windows 10)
Yes, I saw this yesterday. My Lenovo i3 machine does not support it.
 

Lockdown | From AppGuard | Developer | Verified | Joined Oct 24, 2016 | Messages 4,186
#11
> Application Guard does not work on Windows Home.
> A 64-bit computer with a minimum of 4 cores (logical processors) is required for the hypervisor and virtualization-based security (VBS).
> Microsoft requires 8GB RAM and 5GB free disk space.
> AG does not work if VirtualBox or VMware are installed (only one hypervisor is allowed).
> AG works on Windows 10 Enterprise edition version 1709+ and Windows 10 Professional edition version 1803+.
>
> The user may use the following registry values to enable Application Guard on machines that don't meet the recommended hardware configuration:
> HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores.
> HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.
> HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.
>
> Windows Defender Application Guard (Windows 10)
> System requirements for Windows Defender Application Guard (Windows 10)
Microsoft documentation suxx.

From GHacks:
> Jeff said on February 21, 2017 at 5:13 am
> 1. It has a performance impact, as every time you open Edge a VM is started
> 2. VirtualBox and VMware no longer work with it enabled
> 3. It is Edge-only. Who wants to use that [edited] just to use this feature?
> 4. App Guard will reset cookies and saved logins every time
> 5. Enterprise edition only

shmu26 | Level 70 | Content Creator | Verified | Joined Jul 3, 2015 | Messages 5,960 | OS Windows 10
#12
I tried out Kaspersky IS, Bitdefender IS, and Windows Defender, all on 1809.
It seems that Microsoft did some magic to make Windows Defender faster than before, and 3rd party AVs slower than before.
I did not run performance tests, I am just reporting on how it "feels".
KIS used to be faster than WD, but now it is the reverse. The difference is particularly noticeable when launching MS Office apps.
My conclusion: if you want a strong and fast config, use Windows Defender with ASR rules enabled, but don't max out any settings related to cloud scanning, because cloud scanning is slow.
And harden your OS with SysHardener.
 

Lockdown | From AppGuard | Developer | Verified | Joined Oct 24, 2016 | Messages 4,186
#13
> I tried out Kaspersky IS, Bitdefender IS, and Windows Defender, all on 1809.
> It seems that Microsoft did some magic to make Windows Defender faster than before, and 3rd party AVs slower than before.
> I did not run performance tests, I am just reporting on how it "feels".
> KIS used to be faster than WD, but now it is the reverse. The difference is particularly noticeable when launching MS Office apps.
> My conclusion: if you want a strong and fast config, use Windows Defender with ASR rules enabled, but don't max out any settings related to cloud scanning, because cloud scanning is slow.
> And harden your OS with SysHardener.
This is what happens when Microsoft changes stuff. 3rd parties have to run around and do damage control. In case anyone didn't know, Microsoft doesn't consult anyone. It just makes changes unilaterally.

As far as Windows Defender, Microsoft will make changes and then, like magic, "Poof" and Windows Defender suxx again. Invariably Microsoft ruins a usable Windows Defender with one of its own updates.

Microsoft has a slick way of making people think it is their friend. The reality is that Microsoft is no one's friend.
 

Lockdown | From AppGuard | Developer | Verified | Joined Oct 24, 2016 | Messages 4,186
#14
> And harden your OS with SysHardener.
If one uses @Andy Ful 's Hard_Configurator, then a lot of the settings in SysHardener make no sense. For example, enforcing the launch of digitally signed files when SRP default block is being applied makes no sense... because the SRP isn't going to allow anything to launch, even if it is digitally signed. And making firewall block rules for processes that are disabled from launching is utterly pointless.

What I am saying is that blindly enabling default-deny using Hard_Configurator and SysHardener makes no sense... but we know a lot of people do it because they are blinded by paranoia.
 

shmu26 | Level 70 | Content Creator | Verified | Joined Jul 3, 2015 | Messages 5,960 | OS Windows 10
#15
> If one uses @Andy Ful 's Hard_Configurator, then a lot of the settings in SysHardener make no sense. For example, enforcing the launch of digitally signed files when SRP default block is being applied makes no sense... because the SRP isn't going to allow anything to launch, even if it is digitally signed. And making firewall block rules for processes that are disabled from launching is utterly pointless.
>
> What I am saying is that blindly enabling default-deny using Hard_Configurator and SysHardener makes no sense... but we know a lot of people do it because they are blinded by paranoia.
Yeah, there is a lot of overlap if you enable all the sponsors in Hard_Configurator, but SysHardener does some other things, like turning off SMB and putting PowerShell in Constrained Language mode, and other stuff.
 

Lockdown | From AppGuard | Developer | Verified | Joined Oct 24, 2016 | Messages 4,186
#16
> Yeah, there is a lot of overlap if you enable all the sponsors in Hard_Configurator, but SysHardener does some other things, like turning off SMB and putting PowerShell in Constrained Language mode, and other stuff.
Constrained Language Mode is easily disabled.

AMSI is easily disabled.

The only effective way to cope with PowerShell is to disable PowerShell, PowerShell_ISE and system.management.automation.dll.

Hard_Configurator has multiple settings... to disable SMB1, 2 and 3.

Denying Microsoft Office access to interpreters is pointless if you have already disabled interpreter launch.

A 79-gadget Swiss Army knife approach to Windows security is a recipe for failures, breakages and consequent administrative fatigue. Unfortunately, that is the curse that Microsoft has foisted upon the sheep of the world.
 

Andy Ful | Level 32 | Content Creator | Verified | Joined Dec 23, 2014 | Messages 2,126 | OS Windows 10 | Antivirus Microsoft
#17
> Yeah, there is a lot of overlap if you enable all the sponsors in Hard_Configurator, but SysHardener does some other things, like turning off SMB and putting PowerShell in Constrained Language mode, and other stuff.
They are both activated in the recommended H_C settings.

Edit.
But only on Windows 10, or on specially updated Windows 7 and 8.1 (PowerShell updated to ver. 5.0+).
 

Andy Ful | Level 32 | Content Creator | Verified | Joined Dec 23, 2014 | Messages 2,126 | OS Windows 10 | Antivirus Microsoft
#19
> Wait a minute, H_C puts PowerShell in Constrained Language? I didn't know that. Is it part of "No powershell exe"?
No. This is the Windows built-in SRP feature, available when SRP is set to default-deny; it requires PowerShell 5.0+.
This version of PowerShell is built into Windows 10. There are also updates available for Windows 7 and Windows 8.1. I wrote about this in the thread:
Tutorial - How do you secure PowerShell?
Constrained Language Mode is activated for the processes running as standard user. For the elevated processes, Full Language Mode is applied.
 

Lockdown | From AppGuard | Developer | Verified | Joined Oct 24, 2016 | Messages 4,186
#20
> Wait a minute, H_C puts PowerShell in Constrained Language? I didn't know that. Is it part of "No powershell exe"?
On Windows 10 PoSh 5.0+ you can set Constrained Language mode by:

```powershell
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
```

In earlier versions of PoSh you can create a Profile.ps1 in WindowsPowerShell\v1.0 and specify:

```powershell
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
```

Then you will have to enable the PoSh script execution policy.

There are 5 versions of PoSh. And there are multiple versions installed on some Windows versions.

Even if you enable Constrained Language mode, it is easily disabled. And how do you prevent that from happening ?... by disabling PoSh.

Confusing, innit ?

The only ones who keep PoSh enabled are those that use it and those that have some kind of weird OCD preventing them from disabling it.

Instead of dealing with a morass of non-documented PoSh stuff, trial-and-error, frustration, and a whole lot of potential for a whole lot of PoSh induced damage, ... it is just common sense to disable PoSh. Peace of mind and serenity in the light...

It doesn't matter to me what people do, but keeping PoSh enabled is them placing themselves in peril. Sort of like going to bed with a rattle snake.
 
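Posts #19 and #20 above make two claims a practitioner can check directly: that Constrained Language mode reached only through a `$ExecutionContext` assignment or a profile.ps1 is easily sidestepped, and that on a default-deny SRP machine the mode is applied per process (standard-user processes constrained, elevated ones in Full Language). The script below is an added example, not code from either poster or from Hard_Configurator or SysHardener. It reports how the current session got its language mode, applies the one-liner from post #20 to the session, shows what that blocks, and then starts a fresh `powershell.exe` to show what it does not cover. Assumptions: Windows PowerShell 5.1 with `powershell.exe` on the PATH; the `__PSLockdownPolicy` environment variable and `SystemPolicy.GetSystemLockdownPolicy()` are read only to report machine-wide policy.

```powershell
# Added example (not from the posts): session-level Constrained Language vs. machine policy.
# Tested against Windows PowerShell 5.1; assumes powershell.exe is on the PATH.

function Get-LanguageModeReport {
    # Call this BEFORE the session is constrained: GetSystemLockdownPolicy() is a static method
    # on a non-core .NET type, and Constrained Language refuses such calls.
    [pscustomobject]@{
        PSVersion      = [string]$PSVersionTable.PSVersion
        LanguageMode   = [string]$ExecutionContext.SessionState.LanguageMode
        LockdownEnvVar = $env:__PSLockdownPolicy     # 4 = machine-wide Constrained Language
        SystemLockdown = [string][System.Management.Automation.Security.SystemPolicy]::GetSystemLockdownPolicy()
    }
}

function Get-ChildProcessLanguageMode {
    # A fresh powershell.exe with -NoProfile: neither the parent's $ExecutionContext assignment
    # nor a profile.ps1 reaches it. Only a system-wide policy (SRP/AppLocker/WDAC lockdown, or
    # __PSLockdownPolicy=4) makes this child report ConstrainedLanguage. That is also why the
    # SRP-driven mode described in post #19 is decided per process, not per session.
    & powershell.exe -NoProfile -NonInteractive -Command '[string]$ExecutionContext.SessionState.LanguageMode'
}

'--- Before constraining this session ---'
Get-LanguageModeReport | Format-List

# The one-liner quoted in post #20: constrain the current session.
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
"This session is now: $($ExecutionContext.SessionState.LanguageMode)"

# What the constraint does block here: instantiating an arbitrary .NET type.
try {
    $null = New-Object System.Net.WebClient
    'WebClient created: this session is NOT constrained'
} catch {
    "Blocked in this session: $($_.Exception.Message)"
}

# What it does not block: starting another PowerShell process, which reports its own mode.
"A new powershell.exe reports: $(Get-ChildProcessLanguageMode)"
```

On a machine with no lockdown policy the last line prints `FullLanguage` even though the parent session is constrained, which is the "easily disabled" point from post #20. On a default-deny SRP box with PowerShell 5.0+, the same line prints `ConstrainedLanguage` when run as a standard user and `FullLanguage` from an elevated prompt, matching post #19. Note that once the session is constrained you cannot set `LanguageMode` back to `FullLanguage` in that same session; starting a new process is the bypass, and only a machine-wide policy closes it.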