- Nov 18, 2015
- 104
- Content source
- https://www.youtube.com/watch?v=tFiw8JQxyO4&t=0s
Windows Defender Test
- Thread starter nikos200
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Status
It's a lie ! It's negative propaganda ! It's a smear-campaign video ! How dare you ! Microsoft and Windows Defender save lives ! 
I just had to take a jab at the fanbois who will certainly scream "Foul ! foul !".
The real joke is on Windows 10 users.
I just had to take a jab at the fanbois who will certainly scream "Foul ! foul !".
The real joke is on Windows 10 users.
Last edited by a moderator:
- Jun 24, 2016
- 2,400
Windows users pay your salary
- May 8, 2018
- 143
btw, that was a cool way to execute that files. never saw that from a youtuber.
Horse and pony show... Not even close to realistic. No user is going to run a batch script of hundreds of samples from their desktop at once on their system.
The best way to test if you are going to, is to execute "dynamic testing" the samples 1 at a time and resetting the snapshot each time. During execution, file/registry/traffic monitoring should be deployed and monitoring system changes of exactly how the product fares with stopping/blocking, and removing completely all traces.
Side note, can we please refrain from getting personal with these threads, it is the same thing over and over.
- Jul 3, 2015
- 8,153
It would be silly to claim that Defender at default settings is the strongest AV out there. On the other hand, it should protect well enough if your system is taking advantage of native Windows security:
Windows 10 x64 1803, using the default apps (for instance, PDFs open in Edge).
Standard (limited) user account
UAC at max
Windows Defender configured with Andy Ful's ConfigureDefender, using the ASR rules.
Powershell in constrained language.
Harden the OS just a little bit, for instance by running NVT SysHardener at default settings.
If anyone wants to test a setup like this against a couple good packs of nasty zero-days, I would love to see the results.
Again, I am not claiming that Defender at default settings is great. It isn't. I am claiming that tweaked Defender, on a system utilizing native Windows security features, should be good enough.
Windows 10 x64 1803, using the default apps (for instance, PDFs open in Edge).
Standard (limited) user account
UAC at max
Windows Defender configured with Andy Ful's ConfigureDefender, using the ASR rules.
Powershell in constrained language.
Harden the OS just a little bit, for instance by running NVT SysHardener at default settings.
If anyone wants to test a setup like this against a couple good packs of nasty zero-days, I would love to see the results.
Again, I am not claiming that Defender at default settings is great. It isn't. I am claiming that tweaked Defender, on a system utilizing native Windows security features, should be good enough.
I would love to see those results as well as seeing the same from all other consumer products tested that way, bet it would be an eye opening experience for many. After they see this, i would like to also remind them, that the chances of them seeing these same results at their home, behind a router would be slim at best. It is so easy to get wrapped up into a mind set here in the forum of needing tons of security.
- Jul 3, 2015
- 8,153
Right. I think most AVs would do very well in this environment. My point is that Defender can be sufficient, if used in the right environment.
Parenthetically, I would add that the ASR rules might give Defender a certain advantage over other AVs as regards MS Office exploits.
- Apr 13, 2013
- 3,147
The right environment being one without any true Zero-Day malware...
Too bad such a result came out in the end. Well, I hope Microsoft will fix a few things.
Unpatched software and social engineering are the 2 most likely reasons a user would get exploited, even in a corporate environment. Not becoming lazy in maintenance and learning safer/informed habits will negate a good deal of this.
Please take note that i did not state it would stop them all.
- Jul 3, 2015
- 8,153
So why not put it to the test? Go ahead, prove me wrong.
Set up a VM like I suggested:
Windows 10 x64 1803, using the default apps (for instance, PDFs open in Edge).
Standard (limited) user account
UAC at max
Windows Defender configured with Andy Ful's ConfigureDefender, using the ASR rules.
Powershell in constrained language.
Harden the OS just a little bit, for instance by running NVT SysHardener at default settings.
- Apr 13, 2013
- 3,147
Shum26- I've done WD, UAC, and SUA bypass videos in the past. No one really cared then and I have no reasonable expectation that any would care now. If you want to do such a video, go for it. Personally I've given up.
All I want Is to collect my bonus this year, retire and be a Ski Bum. No computer, Security, or malware thoughts forever...
All I want Is to collect my bonus this year, retire and be a Ski Bum. No computer, Security, or malware thoughts forever...
- Jul 3, 2015
- 8,153
Yeah, I know it's not really your cup of tea. But if anyone else would be willing to test it out in an environment similar to the one I suggested, it would be interesting to see if Windows security can be smashed on its own ground.
- Dec 23, 2014
- 8,130
SysHardener + any AV will be probably very effective especially on SUA. This a simple but effective solution. Of course, the simple solutions have also some cons.
SysHardener is not as strong as default-deny protection via SRP. If you will disable too much file extensions in SysHardener, then the setup will not be so usable, because those files will not be opened from Explorer at all. SRP can whitelist Windows, Program Files, etc. so the blocked files are really blocked only outside whitelisted locations. When using SRP, one can effectively block much more file extensions than with SysHardener.
After looking at the blocked extensions by SysHardener 1.5, it is evident that CHM files are not protected. The attacker can run the CHM file and spoil all MS Office protections (no blocking of: macros, ActiveX, OLE, DDE), revert the file associations for all scripts, and unblock some other protections. This is possible because SysHardener makes many registry changes as standard user (in HKCU hive) for the single local account. On the contrary, SRP usually make system-wide changes (as administrator in HKLM hive). And there comes another problem - those changes will not be visible after running SysHardener - it can apply restrictions (via ticked options), but does not show the actual setup.
There are some other differences between SRP and SysHardener restrictions. SysHardener has some nice features not related to SRP like firewall outbound connections, etc.
Anyway, SysHardener in default settings + Windows Defender ASR will be a simpler solution for many users than SRP.
Last edited:
- Jul 3, 2015
- 8,153
Software Restriction Policy is the super-power of native Windows security. But the new ASR rules, as far as I have seen so far, are also very good. I think folks should check them out, before they dismiss Defender with a wave of their hand.
- Dec 23, 2014
- 8,130
WD ASR rules play well both with SRP and SysHardener. Also, the Exploit Guard program for popular vulnerable applications would be welcome.
- Jul 3, 2015
- 8,153
I am looking forward to your Exploit Guard settings in the next version of Hard_Configurator,/ConfigureDefender, if you can do that.
- Dec 23, 2014
- 8,130
I can see that such application would be welcome, but this will require much testing. So the plan is as follows (group work):
- Open the thread about WD Exploit Guard for popular vulnerable applications.
- MalwareTips members can post their Exploit Guard setups.
- The setups can be tested by the people who use those applications in daily tasks.
- The well tested EG setups can be included in the WD Exploit Guard program (in the future).
I had a plan to make a simpler version of Hard_Configurator for medium experienced users. But, now we have NVT SysHardener that can handle some vulnerable file extensions, scripts and vulnerable Windows programs to harden the system. It is not the default-deny solution (for EXE, MSI files), so does not require whitelisting. Furthermore, I think that it is sufficiently effective for the medium experienced users, so the new application is not needed.
- Status
Similar threads
