Advice Request Windows Defender & October Update


Status
Not open for further replies.

RejZoR
I'm wondering if they made that anti-ransomware feature any less garbage. They talk about it having a whitelist and yet it just keeps on blocking EVERYTHING even hugely popular apps that should be whitelisted.
 

shmu26
As far as I can tell, Windows Defender is not essentially different in the October Update.
The way it provides info on the security status of the system is more accurate and less confusing.
Protected Folders is supposed to be more user-friendly, because it is easier to make exceptions. I use it, but I didn't get any new blocks yet, so I can't say how user-friendly it actually is. If I didn't get any new blocks, that is already a good sign...
This build was supposed to have a button to enable advanced exploit protection, otherwise known as ASR, Attack surface reduction. But I don't see that button anywhere. I guess that feature was not ready yet. It will probably come soon, though.

There may be important changes under the hood, but the documentation was not publicized yet.
 

Bikeman0I17
Stayed with Defender a bit after my clean install of 1809, but I'm sorta tempted to reinstall Avast thus far. The main reason is Defender still seems slow at scans, even though I only visit certain sites a day now. I'm still a little bit uneasy using it, but I might keep using it; not sure yet at this point.
 

Ink
Windows Defender Security Center is now called Windows Security. More changes in link below.

This time around, we're not getting significant features with the Windows Security app. However, Microsoft is introducing a lot of tweaks, minor changes, and visual improvements with the October 2018 Update that should help make the experience a little easier to use by everyone, which is also key to help keep devices and data secure against hackers and malware.
Read more: What's new with Windows Security on the Windows 10 October 2018 Update
 

509322

I just tested Application Guard. It doesn't look to be working to me, or it just isn't WYSIWYG. Not sure... and I don't feel like searching for documentation that I already know does not exist. I hope Microsoft does not allow the install of Application Guard, but the feature only works on Enterprise. If that is the case, then shame on Microsoft...

I just love how people will say that 3rd party security soft publishers play games, when in fact, Microsoft is the one that is the master at playing games with Windows security.
 

Andy Ful
Application Guard does not work on Windows Home.
A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS).
Microsoft requires 8GB RAM and 5GB free disk space.
AG does not work if VirtualBox or VMware are installed (only one hypervisor is allowed).
AG works on Windows 10 Enterprise edition version 1709+ and Windows 10 Professional edition version 1803+.

The user may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration:
HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores.
HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.
HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.

Windows Defender Application Guard (Windows 10)
System requirements for Windows Defender Application Guard (Windows 10)
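An added example (not from the thread, Microsoft, or Hard_Configurator) that checks a machine against the requirements listed in the post above and reports whether any of the three Hvsi override values are set. It assumes Windows 10 with Windows PowerShell 5.1, an elevated session, and that VBoxDrv and vmx86 are the driver service names VirtualBox and VMware register (an assumption about those products, not something the post states):

```powershell
# Added example: compare this machine with the Application Guard requirements quoted
# above, and show whether the Hvsi registry overrides are lowering those floors.
# Assumes Windows 10, Windows PowerShell 5.1, elevated session.

$hvsi = 'HKLM:\SOFTWARE\Microsoft\Hvsi'

# Defaults named in the post; an override value under $hvsi replaces the default.
$required = [ordered]@{
    SpecRequiredProcessorCount    = 4
    SpecRequiredMemoryInGB        = 8
    SpecRequiredFreeDiskSpaceInGB = 5
}

function Get-WdagRequirement {
    param([string]$Name, [int]$Default)
    # Missing key or missing value both yield $null here.
    $override = (Get-ItemProperty -Path $hvsi -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -ne $override) {
        return [pscustomobject]@{ Name = $Name; Value = [int]$override; Source = 'registry override' }
    }
    [pscustomobject]@{ Name = $Name; Value = $Default; Source = 'default' }
}

$cs   = Get-CimInstance Win32_ComputerSystem
$os   = Get-CimInstance Win32_OperatingSystem
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

# Round rather than floor: an "8 GB" machine reports slightly under 8 GiB usable.
$actual = @{
    SpecRequiredProcessorCount    = [int]$cs.NumberOfLogicalProcessors
    SpecRequiredMemoryInGB        = [int][math]::Round($cs.TotalPhysicalMemory / 1GB)
    SpecRequiredFreeDiskSpaceInGB = [int][math]::Floor($disk.FreeSpace / 1GB)
}

foreach ($name in $required.Keys) {
    $req = Get-WdagRequirement -Name $name -Default $required[$name]
    $ok  = $actual[$name] -ge $req.Value
    '{0,-32} required {1,3} ({2,17}) actual {3,3} -> {4}' -f $name, $req.Value, $req.Source,
        $actual[$name], $(if ($ok) { 'OK' } else { 'NOT MET' })
}

# Edition and architecture: the post says Home is unsupported and 64-bit is required.
'Edition: {0}  Architecture: {1}' -f $os.Caption, $os.OSArchitecture
if ($os.Caption -match 'Home')         { 'Windows Home: Application Guard is not available on this edition.' }
if ($os.OSArchitecture -notmatch '64') { 'Not a 64-bit OS: the hypervisor and VBS require x64.' }

# Only one hypervisor may be present. Assumed driver service names for VirtualBox (VBoxDrv)
# and VMware (vmx86); absent services are silently skipped.
$otherHv = Get-Service -Name VBoxDrv, vmx86 -ErrorAction SilentlyContinue
if ($otherHv) { 'Other hypervisor driver(s) present: {0}' -f ($otherHv.Name -join ', ') }

# Whether the optional feature itself is installed (Windows-Defender-ApplicationGuard is
# the feature name Windows uses for it).
Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard |
    Select-Object FeatureName, State
```

A machine that only passes because an override is set is flagged by the "registry override" source column; the overrides let the feature install below the tested floor, so a "NOT MET" against the defaults is worth knowing even when the override makes installation succeed.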

oldschool
> Application Guard does not work on Windows Home.
> A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS).
> Microsoft requires 8GB RAM and 5GB free disk space.
> AG does not work if VirtualBox or VMware are installed (only one hypervisor is allowed).
> AG works on Windows 10 Enterprise edition version 1709+ and Windows 10 Professional edition version 1803+.
>
> The user may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration:
> HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores.
> HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.
> HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.
>
> Windows Defender Application Guard (Windows 10)
> System requirements for Windows Defender Application Guard (Windows 10)

Yes, I saw this yesterday. My Lenovo i3 machine does not support it.
 

509322

> Application Guard does not work on Windows Home.
> A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS).
> Microsoft requires 8GB RAM and 5GB free disk space.
> AG does not work if VirtualBox or VMware are installed (only one hypervisor is allowed).
> AG works on Windows 10 Enterprise edition version 1709+ and Windows 10 Professional edition version 1803+.
>
> The user may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration:
> HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores.
> HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.
> HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.
>
> Windows Defender Application Guard (Windows 10)
> System requirements for Windows Defender Application Guard (Windows 10)

Microsoft documentation suxx.

From GHacks:
  Jeff said on February 21, 2017 at 5:13 am
  1. It has performance impact as every time you open Edge, a VM is started
  2. VirtualBox and VMware no longer work with it enabled
  3. It is Edge-only. Who wants to use that ##### just to use this feature?
  4. App Guard will reset cookies and saved logins every time
  5. Enterprise edition only

shmu26
I tried out Kaspersky IS, Bitdefender IS, and Windows Defender, all on 1809.
It seems that Microsoft did some magic to make Windows Defender faster than before, and 3rd party AVs slower than before.
I did not run performance tests, I am just reporting on how it "feels".
KIS used to be faster than WD, but now it is the reverse. The difference is particularly noticeable when launching MS Office apps.
My conclusion: if you want a strong and fast config, use Windows Defender with ASR rules enabled, but don't max out any settings related to cloud scanning, because cloud scanning is slow.
And harden your OS with SysHardener.
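An added example (not from the thread or from SysHardener) showing what "ASR rules enabled, cloud scanning not maxed out" looks like in Defender's own configuration: it lists the ASR rules currently set with their action, prints the cloud-protection settings, and enables one rule in audit mode so its hits can be reviewed in the event log before switching it to block. It assumes Windows 10 1809 with Windows Defender active and an elevated Windows PowerShell 5.1 session; the rule id used as the default parameter is Microsoft's documented id for "Block all Office applications from creating child processes", and any other rule id can be passed instead.

```powershell
# Added example: inspect Defender's ASR rule state and cloud-scanning settings, then
# enable one ASR rule in audit mode. Assumes Windows 10 1809, Defender active, elevated.

$pref = Get-MpPreference

# Defender stores ASR rules as two parallel arrays: rule GUIDs and the action for each.
# Action codes: 0 = Disabled, 1 = Block, 2 = Audit (6 = Warn on newer builds).
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param($Preference = $pref)
    $ids  = @($Preference.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $acts = @($Preference.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ RuleId = $ids[$i]; Action = $actionNames[[int]$acts[$i]] }
    }
}

'--- ASR rules currently configured ---'
$rules = Get-AsrRuleState
if ($rules) { $rules | Format-Table -AutoSize } else { '(none)' }

# Cloud-delivered protection: the settings the post warns against maxing out.
# CloudBlockLevel: 0 Default, 2 High, 4 HighPlus, 6 ZeroTolerance.
# CloudExtendedTimeout: extra seconds (0-50) a suspicious file is held for cloud analysis;
# higher values are where the launch delay the post describes comes from.
'--- Cloud scanning ---'
[pscustomobject]@{
    MAPSReporting        = $pref.MAPSReporting          # 0 Disabled, 1 Basic, 2 Advanced
    SubmitSamplesConsent = $pref.SubmitSamplesConsent
    CloudBlockLevel      = $pref.CloudBlockLevel
    CloudExtendedTimeout = $pref.CloudExtendedTimeout
} | Format-List

# Enable one rule in audit mode and show its most recent audit events.
# Default rule id: "Block all Office applications from creating child processes".
function Enable-AsrRuleAudit {
    param([string]$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
    # Audit hits are Event ID 1122 (blocks are 1121) in the Defender operational log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } `
                 -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Enable-AsrRuleAudit
```

Running a rule in audit mode first is how you find out which legitimate software it would have blocked (the complaint in the first post about Controlled Folder Access blocking everything is the same problem seen from the other side); once the 1122 events are clean for a while, the same call with `-AttackSurfaceReductionRules_Actions Enabled` switches it to block.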
 

509322

> I tried out Kaspersky IS, Bitdefender IS, and Windows Defender, all on 1809.
> It seems that Microsoft did some magic to make Windows Defender faster than before, and 3rd party AVs slower than before.
> I did not run performance tests, I am just reporting on how it "feels".
> KIS used to be faster than WD, but now it is the reverse. The difference is particularly noticeable when launching MS Office apps.
> My conclusion: if you want a strong and fast config, use Windows Defender with ASR rules enabled, but don't max out any settings related to cloud scanning, because cloud scanning is slow.
> And harden your OS with SysHardener.

This is what happens when Microsoft changes stuff. 3rd parties have to run around and do damage control. In case anyone didn't know, Microsoft doesn't consult anyone. It just makes changes unilaterally.

As far as Windows Defender, Microsoft will make changes and then, like magic, "Poof" and Windows Defender suxx again. Invariably Microsoft ruins a usable Windows Defender with one of its own updates.

Microsoft has a slick way of making people think it is their friend. The reality is that Microsoft is no one's friend.
 

509322

> And harden your OS with SysHardener.

If one uses @Andy Ful 's Hard_Configurator, then a lot of the settings in SysHardener make no sense. For example, enforcing the launch of digitally signed files when SRP default block is being applied makes no sense... because the SRP isn't going to allow anything to launch, even if it is digitally signed. And making firewall block rules for processes that are disabled from launching is utterly pointless.

What I am saying is that blindly enabling default-deny using Hard_Configurator and SysHardener makes no sense... but we know a lot of people do it because they are blinded by paranoia.
 

shmu26
> If one uses @Andy Ful 's Hard_Configurator, then a lot of the settings in SysHardener make no sense. For example, enforcing the launch of digitally signed files when SRP default block is being applied makes no sense... because the SRP isn't going to allow anything to launch, even if it is digitally signed. And making firewall block rules for processes that are disabled from launching is utterly pointless.
>
> What I am saying is that blindly enabling default-deny using Hard_Configurator and SysHardener makes no sense... but we know a lot of people do it because they are blinded by paranoia.
Yeah, there is a lot of overlap if you enable all the sponsors in Hard_Configurator, but SysHardener does some other things, like turning off SMB and putting powershell in constrained language and other stuff.
 

509322

> Yeah, there is a lot of overlap if you enable all the sponsors in Hard_Configurator, but SysHardener does some other things, like turning off SMB and putting powershell in constrained language and other stuff.

Constrained Language Mode is easily disabled.

AMSI is easily disabled.

The only effective way to cope with PowerShell is to disable PowerShell, PowerShell_ISE and system.management.automation.dll.

Hard_Configurator has multiple settings... to disable SMB1, 2 and 3.

Denying Microsoft Office access to interpreters is pointless if you have already disabled interpreter launch.

A 79-gadget Swiss Army knife approach to Windows security is a recipe for failures, breakages and consequent administrative fatigue. Unfortunately, that is the curse that Microsoft has foisted upon the sheeps of the world.
 

Andy Ful
> Yeah, there is a lot of overlap if you enable all the sponsors in Hard_Configurator, but SysHardener does some other things, like turning off SMB and putting powershell in constrained language and other stuff.
They are both activated in the recommended H_C settings.

Edit.
But only on Windows 10, or on specially updated Windows 7 and 8.1 (PowerShell updated to ver. 5.0+).
 

shmu26
> They are both activated in the recommended H_C settings.
Wait a minute, H_C puts powershell in constrained language? I didn't know that. It is part of "No powershell exe"?
 

Andy Ful
> Wait a minute, H_C puts powershell in constrained language? I didn't know that. It is part of "No powershell exe"?
No. This is the Windows built-in SRP feature available when SRP is set to default-deny - requires PowerShell 5.0+.
This version of PowerShell is built-in on Windows 10. There are also updates available on Windows 7 and Windows 8.1. I wrote about this in the thread:
Tutorial - How do you secure PowerShell?
Constrained Language Mode is activated for the processes running as standard user. For the elevated processes Full Language Mode is applied.
 

509322

> Wait a minute, H_C puts powershell in constrained language? I didn't know that. It is part of "No powershell exe"?

On Windows 10 PoSh 5.0+ you can set Constrained Language mode by:

$ExecutionContext.SessionState.LanguageMode='ConstrainedLanguage'

In earlier versions of PoSh you can create a Profile.ps1 in WindowsPowerShell\v1.0 and specify:

$ExecutionContext.SessionState.LanguageMode='ConstrainedLanguage'

Then you will have to enable PoSh script execution policy.

There are 5 versions of PoSh. And there are multiple versions installed on some Windows versions.

Even if you enable Constrained Language mode, it is easily disabled. And how do you prevent that from happening ?... by disabling PoSh.

Confusing, innit ?

The only ones who keep PoSh enabled are those that use it and those that have some kind of weird OCD preventing them from disabling it.

Instead of dealing with a morass of non-documented PoSh stuff, trial-and-error, frustration, and a whole lot of potential for a whole lot of PoSh induced damage, ... it is just common sense to disable PoSh. Peace of mind and serenity in the light...

It doesn't matter to me what people do, but keeping PoSh enabled is them placing themselves in peril. Sort of like going to bed with a rattle snake.
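An added example (not from the thread, Hard_Configurator, or SysHardener) that inventories the state both posts above describe: which language mode the current session is in and whether it is elevated (Andy Ful's point that CLM applies to standard-user sessions while elevated ones get Full Language), whether a Profile.ps1 sets ConstrainedLanguage the way 509322's post shows, which engine versions are registered, and whether an SRP/AppLocker script policy is what is actually driving the mode. It assumes Windows 10 with Windows PowerShell 5.x and the AppLocker cmdlets available (Pro/Enterprise); the registry engine keys and the AppLocker property names are Windows' own, the rest are this example's names.

```powershell
# Added example: report how Constrained Language Mode is (or is not) being applied
# on this machine. Assumes Windows 10, Windows PowerShell 5.x.
# Run it as the standard user whose session you want to inspect, then again elevated:
# the two runs are expected to differ, as Andy Ful's post explains.

# 1. Current session state.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
[pscustomobject]@{
    PSVersion       = $PSVersionTable.PSVersion.ToString()
    LanguageMode    = $ExecutionContext.SessionState.LanguageMode
    Elevated        = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    ExecutionPolicy = Get-ExecutionPolicy
} | Format-List

# 2. Profile scripts that set the mode the way 509322's post describes. A profile only
#    runs when a host loads it, so this is a convenience setting, not an enforced policy.
$profilePaths = @($PROFILE.AllUsersAllHosts,    $PROFILE.AllUsersCurrentHost,
                  $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost)
foreach ($p in $profilePaths) {
    if (Test-Path $p) {
        $sets = Select-String -Path $p -Pattern "LanguageMode\s*=\s*'ConstrainedLanguage'" -Quiet
        '{0}: {1}' -f $p, $(if ($sets) { 'sets ConstrainedLanguage' } else { 'present, no LanguageMode setting' })
    }
}

# 3. Registered engines. Key 1 is the v2 engine registration (v2 has no ConstrainedLanguage
#    mode at all); key 3 is the v3+ engine, which on Windows 10 is 5.x.
foreach ($k in 1, 3) {
    $eng = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\PowerShell\$k\PowerShellEngine" -ErrorAction SilentlyContinue
    if ($eng) { 'Engine registration key {0}: PowerShellVersion {1}' -f $k, $eng.PowerShellVersion }
}

# 4. Policy-driven mode. When an SRP or AppLocker script policy denies scripts by default,
#    PowerShell 5 starts standard-user sessions in ConstrainedLanguage on its own; this is
#    the built-in behaviour Hard_Configurator relies on, and it does not depend on a profile.
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if ($policy) {
    $script = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Script' }
    if ($script) {
        'AppLocker Script collection: {0} rule(s), enforcement {1}' -f @($script).Count, $script.EnforcementMode
    } else { 'AppLocker policy present, but no Script rule collection.' }
} else { 'No effective AppLocker policy (or AppLocker cmdlets unavailable on this edition).' }
```

The useful comparison is between sections 2 and 4: a machine whose only source of ConstrainedLanguage is a profile line will report Full Language in any session that did not load that profile, whereas a machine with a default-deny script policy reports ConstrainedLanguage for standard users regardless of profiles, which is the difference between a setting and an enforced policy that 509322's "easily disabled" remark is about.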
 