Controlled Folder feature

[itman 1,659]

1 hour ago, SeriousHoax said:

Did they use Microsoft Security Essential!

I assume that was the case although it wasn't specifically noted as such. Believe the purpose of the test was that a of corps. still use Win 7.

I personally still have a lot of doubts in regards to WD fileless malware protection on Win 10. WD doesn't have advanced memory scanning protection as best as I can determine. It is relying primarily on it's block-at-first-sight and resultant short duration cloud sandbox analysis to determine malicious post-execution behavior. Also Win 10 relies heavily on protected process - light (PPL) to protect its critical processes. Problem is that its rather trivial to bypass PPL.

If you do use WD, make sure you enable its self-sandboxing feature since I really don't trust its self-protection mechanisms that were introduced in Win 10 1903. This will at least protect you from malware spreading outside the sandbox if the WD engine, MsMpEng.exe, is compromised.

Finally and a clear indication that base WD protection is deficient against ransomware is the fact that an optional PowerShell or Group Policy implemented advanced surface reduction (ASR) rule exists;

Use advanced protection against ransomware

to provide additional protection.

Edited September 14, 2019 by itman

[SeriousHoax 83]

3 hours ago, itman said:

I assume that was the case although it wasn't specifically noted as such. Believe the purpose of the test was that a of corps. still use Win 7.

I personally still have a lot of doubts in regards to WD fileless malware protection on Win 10. WD doesn't have advanced memory scanning protection as best as I can determine. It is relying primarily on it's block-at-first-sight and resultant short duration cloud sandbox analysis to determine malicious post-execution behavior.

I'm not sure how WD handle that but here's a recent article about fileless malware and Microsoft's take on it.

What is fileless malware and how do you protect against it?

3 hours ago, itman said:

If you do use WD, make sure you enable its self-sandboxing feature since I really don't trust its self-protection mechanisms that were introduced in Win 10 1903.

Actually, WD's sandbox feature is not stable yet and it acted weird the last time enabled it. So I have kept it off. Hopefully they will make it stable and turn it on by default soon.

3 hours ago, itman said:

Finally and a clear indication that base WD protection is deficient against ransomware is the fact that an optional PowerShell or Group Policy implemented advanced surface reduction (ASR) rule exists;

Use advanced protection against ransomware

to provide additional protection.

Thanks for this suggestion. But actually I've already enabled some ASR rule and also added some additional protection feature on WD via this two tool. I wouldn't use WD otherwise I think.

Hard_Configurator

ConfigureDefender

Anyway, I haven't moved to WD permanently. ESET's web protection, signature and performance is superior to WD. I never gave WD a try before so thought about giving it a go now. Also, I see some people are having problem with the latest ESET update so it's ok to stay away for some time.

Edited September 14, 2019 by SeriousHoax

[itman 1,659]

9 minutes ago, SeriousHoax said:

Actually, WD's sandbox feature is not stable yet and it acted weird the last time enabled it. So I have kept it off. Hopefully they will make it stable and turn it on by default soon.

I am not referring to the new Win 10 stand-alone sandbox feature, but Windows Defender's self-sandbox feature. Refer to this article on how to enable it: https://www.howtogeek.com/fyi/windows-defender-now-offers-ultra-secure-sandbox-mode-heres-how-to-turn-it-on/

[SeriousHoax 83]

38 minutes ago, itman said:

I am not referring to the new Win 10 stand-alone sandbox feature, but Windows Defender's self-sandbox feature. Refer to this article on how to enable it: https://www.howtogeek.com/fyi/windows-defender-now-offers-ultra-secure-sandbox-mode-heres-how-to-turn-it-on/

I was talking about this as well. More or less 6-7 months ago I once enabled it to check it out and after that it wasn't deleting any malware. I don't know if it's still buggy or not.

[itman 1,659]

2 hours ago, SeriousHoax said:

I'm not sure how WD handle that but here's a recent article about fileless malware and Microsoft's take on it.

What is fileless malware and how do you protect against it?

This is an excerpt from a corresponding Microsoft blog posting. I would think that by now most would take stuff like this as pure unmitigated marketing propaganda. Case in point.

In an also recently Microsoft blog posting: https://www.microsoft.com/security/blog/2019/08/27/improve-security-simplify-operations-windows-defender-antivirus-morphisec/ spotlighting how one company is addressing its concerns over 0-day and fileless malware, it was shown how they are using WD plus Morphisec, a Microsoft partner, solution to do so. Of note:

Quote

Morphisec is integrated with Windows Defender Antivirus and extends Towne Properties’ endpoint protection to include zero-days, advanced memory-based threats, malicious documents, and browser-based attacks. It’s lightweight and easy to manage, which is important to Bill.

Obviously Bill, the IT Director, is not going to waste corporate dollars on purchasing a duplicate protection solution if WD provided like protections. So what does Morphisec do:

Quote

4.1.10   MORPHISEC

Defense Category: Dynamic Runtime Environment

Threat Model: Attack Techniques

Mitigated: Code Injection and Control Injection

Details: This technique [63] defends against control-flow hijacking attacks in userspace application.  In particular, the technique defends against attacks that exploit a priori knowledge of the layout of memory.

Description

Details:

Morphisec is a commercial product and therefore technical details are not readily available.  From the marketing literature, the product randomizes the layout of memory, including libraries.  However, the granularity of randomization is unclear.  Morphisec also maintains a copy of  the  original  memory  layout.   Upon  malicious  input  to  conduct  code  or  control  injection,  the randomized application will crash.  Furthermore, the malicious input can be fed, presumably in an isolated environment,  to the original memory layout to conduct a forensic analysis.  Finally,  the results of this forensic analysis can be forwarded over the network to a dashboard process where an administrator can monitor the health of the enterprise.

http://web.mit.edu/br26972/www/pubs/mt_survey.pdf

Edited September 14, 2019 by itman

[SeriousHoax 83]

18 minutes ago, itman said:

This is an excerpt from a corresponding Microsoft blog posting. I would think that by now most would take stuff like this as pure unmitigated marketing propaganda. Case in point.

In an also recently Microsoft blog posting: https://www.microsoft.com/security/blog/2019/08/27/improve-security-simplify-operations-windows-defender-antivirus-morphisec/

Ow hmm you are right. I skimmed through this blog post few days ago. WD of course has improved over the last 2-3 years but still some other established AVs are currently ahead of it. Beside, WD is still pretty buggy which is bothering me. I might get back to ESET sooner than I expected. I hope the issue of the latest version 12.2.29.0 gets fixed very soon.

Edited September 14, 2019 by SeriousHoax

[itman 1,659]

Another thing about WD is that it can be bypassed as noted here: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/

My gut is telling me that even if Win 10 1903 WD self-protection was enabled, the registry mod implemented by this WMI event would have bypassed it. Perhaps the ASR mitigation to prevent WMI events from being created would have helped. But ASR mitigations would only be deployed by advanced users and in themselves, can cause operational issues in that they a absolutely block the activity.

[itman 1,659]

Windows Defender Controlled Folders option has an additional anti-ransomware feature that will automatically backup your Controlled Folders to your cloud OneDrive account. The feature is called Ransomware Data Recovery. It is not enabled by default. Here's how to enable it: https://www.bleepingcomputer.com/news/microsoft/how-to-enable-ransomware-protection-in-windows-10/

Edited September 16, 2019 by itman

[SeriousHoax 83]

23 minutes ago, itman said:

Windows Defender Controlled Folders option has an additional anti-ransomware feature that will automatically backup your Controlled Folders to your cloud OneDrive account. The feature is called Ransomware Data Recovery. It is not enabled by default. Here's how to enable it: https://www.bleepingcomputer.com/news/microsoft/how-to-enable-ransomware-protection-in-windows-10/

I thought Windows Defender Controlled Folders works alongside other AVs but it doesn't 😐

[itman 1,659]

32 minutes ago, SeriousHoax said:

I thought Windows Defender Controlled Folders works alongside other AVs but it doesn't

That's the "gotcha" with Microsoft. WD has be the real-time scan engine. Also, ditto for ASR mitigations and network protection.

What I have been experimenting with yielding very good results so far is using WD real-time instead of Eset's, but keeping Eset installed and operational. As best as I can determine, all Eset functionality still exists; especially Web Access and e-mail protection. Startup scanning and the like still runs fine.  For example, all the AMTSO desktop tests are still detected by Eset.

Perhaps Eset will soon offer this same option?

[SeriousHoax 83]

7 minutes ago, itman said:

That's the "gotcha" with Microsoft. WD has be the real-time scan engine. Also, ditto for ASR mitigations and network protection.

What I have been experimenting with yielding very good results so far is using WD real-time instead of Eset's, but keeping Eset installed and operational. As best as I can determine, all Eset functionality still exists; especially Web Access and e-mail protection. Startup scanning and the like still runs fine.  For example, all the AMTSO desktop tests are still detected by Eset.

Perhaps Eset will soon offer this same option?

I'm kinda confused. So, you're using ESET and Windows Defender at the same time but ESET real time protection is turned off? Some features of both AVs are active and some are not? Hybrid? Something like, ESET Defender? lol. What are the exact feature that you enabled/disabled?

[itman 1,659]

3 minutes ago, SeriousHoax said:

So, you're using ESET and Windows Defender at the same time but ESET real time protection is turned off?

Exactly. I long suspected that Eset's "real-time" protection is modularized. This is evidenced by the ability for different Threat Sense settings for real-time, Web Access, e-mail, and on-demand scanning. 

So in essence you are really only using WD for scanning of program and script execution only. However, this might change when advanced machine learning is implemented in Eset ver. 13. That feature appears to be part of Eset's real-time scanning feature.

Presently, all of Eset's advanced protection methods are part of the HIPS.

[Marcos 5,074]

My understanding is that disabling real-time protection would have adverse effect on Advanced Memory Scanner, Ransomware shield and possibly other protection mechanisms as well since they would not receive information about file system operations which are crucial for correct functioning of some of the protection features. Checking with devs.

[itman 1,659]

Forgot to mention how I am disabling Eset's real-time protection is via Advanced Settings option. I am not disabling it via "Protections" opinions that show various pause duration settings.

[itman 1,659]

2 hours ago, Marcos said:

My understanding is that disabling real-time protection would have adverse effect on Advanced Memory Scanner, Ransomware shield

As far as AMS goes, per the below Eset online help description that it works in conjunction with exploit protection leads me to believe it only applies to Web Access protection; the real-time function I have validated still is in effect if WD real-time protection is enabled:

Quote

Enable Advanced memory scanner – works in combination with Exploit Blocker to strengthen  protection against malware that has been designed to evade detection by antimalware products through the use of obfuscation or encryption. Advanced memory scanner is enabled by default. Read more about this type of protection in the glossary.

Enable Exploit Blocker – designed to fortify commonly exploited application types such as web browsers, PDF readers, email clients and MS Office components. Exploit blocker is enabled by default. Read more about this type of protection in the glossary.

As far as ransomware shield protection, it also is a HIPS setting. If there is an Eset's real-time component to it, recent AV lab tests have shown WD's out-of-the-box ransomware detection is equal that of Eset's. An additional advanced anti-ransomware ASR mitigation can also be deployed. I assume that mitigation will block all non-Windows process based use of the crypto API's.

 

Edited September 16, 2019 by itman

[Marcos 5,074]

AMS has nothing to do with web access protection since it springs into action upon execution. However, disabling RTP should not affect it. It's different with Ransomware protection when disabling RTP may cause some new ransomware not to be detected upon execution because of missing information about operations at the file system level.

For business users we have a KB with instructions how to create HIPS rules to improve protection, however, the rules need to be applied with caution since they may block otherwise legitimate scripts and operations in certain environments: https://support.eset.com/kb6119/. Since there's no difference in HIPS between Endpoint and consumer products, the rules can be applied by advanced users as well.

[SeriousHoax 83]

22 hours ago, itman said:

Exactly

Do you not feel any slowdown with two of them together? WD is a lot heavier than ESET.

I always use ESET with Voodoshield free version. A great companion.

[SeriousHoax 83]

7 hours ago, Marcos said:

For business users we have a KB with instructions how to create HIPS rules to improve protection, however, the rules need to be applied with caution since they may block otherwise legitimate scripts and operations in certain environments: https://support.eset.com/kb6119/.

I have this rules active on ESET HIPS as well. Very useful. I have enabled some SRP which covers almost all of these but it's nice that ESET has such options.

[itman 1,659]

9 hours ago, Marcos said:

AMS has nothing to do with web access protection since it springs into action upon execution. However, disabling RTP should not affect it. It's different with Ransomware protection when disabling RTP may cause some new ransomware not to be detected upon execution because of missing information about operations at the file system level.

Good to know AMS is not dependent upon RTP.

As far as ransomware additional HIPS rules, I use Eset's recommended ones plus many more of my own.

My understanding of WD's advanced ransomware ASR mitigation is it is doing similar to what you noted in regards to Eset file level operations monitoring. If it detects during heuristic analysis at process startup like activities, those operations and/or processes are blocked. Assumed there could be conflicts with legit encryption software due to this. So exceptions to the ASR mitigation would have to be added. N/A for me since I don't use any like software.

Again, I am still in the experimentation phase as to using WD as real-time protection but as noted, it does look promising.

Edited September 17, 2019 by itman

[itman 1,659]

1 hour ago, SeriousHoax said:

Do you not feel any slowdown with two of them together?

Not that I noticed. Note that WD will whitelist a process after the initial block-at-first-sight scan so it is not repeated.

[SeriousHoax 83]

5 minutes ago, itman said:

Not that I noticed. Note that WD will whitelist a process after the initial block-at-first-sight scan so it is not repeated

I see. In my PC WD often randomly uses high CPU. Didn't face any performance issue though, even while gaming but ESET is definitely lighter.

Anyway, keep testing them together and let us know how things go.

[itman 1,659]

For those likewise "experimenting" with WD real-time, here is an article to how to configure block-at-first sight for the maximum time period of 60 secs. cloud scanning; i.e. 10 secs. default plus additional 50 secs.: https://www.ghacks.net/2017/05/26/set-windows-defender-antivirus-blocking-to-high-on-windows-10/ . Without a doubt, GPO is the way to do stuff like this but you need Win 10 Pro+ to do so.

Note: this article is two years old, so perform web due diligence and verify the registry mods. given are still applicable if going that route on Win 10 Home. Also assume those reg. mods will definitely be wiped out by applying the next Feature Upgrade and possibly so by a cumulative update.

There is also a possibility these high block-at-first sight will increase the likelihood of false positives so be prepared for that.

[SeriousHoax 83]

14 hours ago, itman said:

For those likewise "experimenting" with WD real-time, here is an article to how to configure block-at-first sight for the maximum time period of 60 secs. cloud scanning; i.e. 10 secs. default plus additional 50 secs.: https://www.ghacks.net/2017/05/26/set-windows-defender-antivirus-blocking-to-high-on-windows-10/ . Without a doubt, GPO is the way to do stuff like this but you need Win 10 Pro+ to do so.

Note: this article is two years old, so perform web due diligence and verify the registry mods. given are still applicable if going that route on Win 10 Home. Also assume those reg. mods will definitely be wiped out by applying the next Feature Upgrade and possibly so by a cumulative update.

There is also a possibility these high block-at-first sight will increase the likelihood of false positives so be prepared for that.

Everything can be done via this tool. One tool for everything related to Windows Defender: https://github.com/AndyFul/ConfigureDefender