Showing results for tags 'microsoft defender'.

Found 15 results

  1. It's probably fair to say that Microsoft's Defender hasn't had the best of times recently. A couple of days ago there were reports of Defender for Endpoint causing various issues on client Windows 10 systems. And now there is a bit more bad news, as Microsoft's in-house anti-malware product can hit lower-end Windows systems hard, according to the latest Performance Impact testing by AV-Comparatives. In the final Awards rating, Defender was barely able to secure the "Standard" rating, as it came in second-last in the evaluation alongside Total Defense Anti-Virus.

     In all, the following anti-malware products were tested:
     • Avast Free Antivirus 22.3
     • AVG Free Antivirus 22.3
     • Avira Prime 1.1
     • Bitdefender Internet Security 26.0
     • ESET Internet Security 15.1
     • G Data Total Security 25.5
     • K7 Total Security 16.0
     • Kaspersky Internet Security 21.3
     • Malwarebytes Premium 4.5
     • McAfee Total Protection 25.5
     • Microsoft Defender 4.18
     • NortonLifeLock Norton 360 Deluxe 22.22
     • Panda Free Antivirus 21.01
     • TotalAV Antivirus Pro 5.16
     • Total Defense Essential Antivirus 13.0
     • Trend Micro Internet Security 17.7
     • VIPRE Advanced Security 11.0

     [Image: AV-Comparatives final Awards]

     The following real-world tests were done using an up-to-date Windows 10 21H2 64-bit system with an Intel Core i3, 4GB of RAM, and an SSD. The i3 and 4GB of RAM were used to simulate typical lower-end PCs, which are generally impacted most by anti-virus programs.
     • File copying
     • Archiving / unarchiving
     • Installing / uninstalling applications - using silent install mode
     • Launching applications - Microsoft Office (Word, Excel, PowerPoint) and Adobe Acrobat Reader
     • Downloading files
     • Browsing websites - using Google Chrome

     The total score received in the above tests is referred to as the "AV-C Score". Other than the real-world tests listed above, the PCMark 10 Professional Testing Suite synthetic benchmark was also run. Here is how all the products performed in the tests. The image on top shows the AV-C performances, while the image on the bottom shows the total scores, which also include the PCMark scores:

     If you are wondering what the "Impact Score" is, the column basically represents how far off the total obtained score is from the full marks of 190. Therefore, the bigger the Impact Score, the greater the performance impact an anti-malware program had on the tested system. For example, if we take Microsoft Defender, it has an Impact Score of 24.6, which implies it has scored 24.6 points less than the full score of 190, i.e. 165.4.

     You can read the original report on AV-Comparatives' site here. If you are wondering how Defender and the other products have done in terms of general protection, you can read this article here.

     AV-Comparatives' latest test finds Microsoft Defender hogs your system real bad
  2. Anti-malware assessment company AV-Comparatives has released its latest March 2022 report today. The report has found that Microsoft's in-house Defender anti-virus has one of the poorest offline detection rates, at just 60.3%. Meanwhile, G DATA has topped the chart with 98.6%. This means Microsoft Defender relies heavily on cloud-based protection. The online detection and protection rates for the Microsoft product, however, are amongst the best.

     In case you are wondering what the difference between protection and detection is, here's how AV-Comparatives defines the two:

         The File Detection Test we performed in previous years was a detection-only test. That is to say, it only tested the ability of security programs to detect a malicious program file before execution. [..] This Malware Protection Test checks not only the detection rates, but also the protection capabilities, i.e. the ability to prevent a malicious program from actually making any changes to the system.

     You can find the full comparison of the various anti-malware solutions for offline and online detection rates, as well as the protection rates, in the image below:

     Here's a breakdown of the protection rates for the various antivirus programs. A total of 10,040 malicious samples were used for the test:

     Here's a full breakdown of the entire Malware Protection Test March 2022 data:

     Aside from the Malware Protection Test, AV-Comparatives has also released data for what it calls the Real-World Protection Test, which you can see in the image below. Here's how the firm distinguishes between the two:

         In the Malware Protection Test, malicious files are executed on the system. While in the Real-World Protection Test the vector is the web, in the Malware Protection Test the vectors can be e.g. network drives, USB or cover scenarios where the malware is already on the disk.

     Finally, we have the awards that the various tested anti-virus programs have received. Here Microsoft Defender has received the highest praise, as it has got the ADVANCED+ award. Incidentally, none of the products have received the ADVANCED award. You can find more details on the tests at the source links below.

     Source: AV-Comparatives (1, 2)

     AV-Comparatives finds Microsoft Defender has one of the poorest offline detection rates
  3. Microsoft Defender has once again scored the full 18 marks on AV-TEST's latest ranking for the month of February 2022. Out of the full 18 marks, AV-TEST awards those products that score 17.5 points or higher as "TOP PRODUCT". The security assessment firm releases these reports every two months after evaluating the performance of various anti-malware solutions available in the market. AV-TEST says:

         During January and February 2022 we continuously evaluated 18 home user security products using their default settings. We always used the most current publicly-available version of all products for the testing. They were allowed to update themselves at any time and query their in-the-cloud services. We focused on realistic test scenarios and challenged the products against real-world threats.

     In the previous two rankings of October 2021 and December 2021, Defender scored full marks as well but failed to secure any of the best home antivirus awards. In total, 18 anti-malware products including Defender were tested across three categories:
     • Protection
     • Performance
     • Usability

     You can see the scores of the various products by clicking on the image below:

     Despite some of its faults, Microsoft has been continuing to add helpful features to Defender, which is probably one of the reasons why it continues to do well in security assessment reports. For example, the firm recently added a "Vulnerable Driver Blocklist" option, and it is also actively working to improve false positive detections.

     Source: AV-TEST GmbH (Twitter)

     Despite no wins, Microsoft Defender continues to dazzle, AV-TEST's latest report shows
  4. Microsoft has announced that the company's new cloud-based Microsoft Defender security solution has entered preview for home customers in the United States. The new app has been announced with the release of Windows 11 Insider Preview Build 22572, now available in the Dev Channel (we were also able to install it on previously released Insider builds).

     "Key to Microsoft Defender is the ability to view and manage your online security in one central dashboard view, across your devices, and your family member's devices," the Windows Insider team said. "Plus get added malware and phishing protections on your mobile devices. The ability to view your family's devices is currently only available in the Windows app."

     Right now, Microsoft Defender can be downloaded as an app for Windows 10, Windows 11, Android, and iOS devices, with Redmond still working on a macOS app that will also be released to preview soon.

     [Image: Microsoft Defender threat alert (BleepingComputer)]

     The Microsoft Defender Preview provides users with a dashboard to manage and monitor their devices' security status, as well as malware protection and real-time threat scanning. It also comes with safety alerts and recommendations, including real-time warnings about changes to your devices' security status and suggestions to keep your data and devices secure.

     Microsoft says that malware protection is available for Windows PCs and Android phones, while anti-phishing protection is available on Android and iOS phones. Malware protection is not supported on iPhones because Apple already provides it. While in preview, you can download and use the Microsoft Defender app across five devices per person, including a Windows computer, iPhone, or Android phone.

     [Image: Microsoft Defender iOS (BleepingComputer)]

     Hands-on with the Microsoft Defender Preview

     While Microsoft paints a pretty picture of Microsoft Defender Preview's capabilities, in reality the application is in its very early stages. Today, BleepingComputer tested the Microsoft Defender preview, and the application is more of a front end to the underlying Windows Security infrastructure. When using the app, we could add devices to our cloud dashboard and monitor their protection status. However, it is not possible to control any security feature on the main device or connected devices. The new Microsoft Defender works as a front-end for Windows Security and a dashboard to see alerts and security recommendations for enrolled devices.

     "In some situations, you'll be required to use the Windows Security app, but Microsoft Defender will connect you to that app," as Microsoft explains. "For example, to run a manual scan on a Windows device or to manage your allow list, you must click on 'Manage in Windows Security' from within Microsoft Defender where you will receive additional guidance."

     [Image: Microsoft Defender Preview (BleepingComputer)]

     BleepingComputer also conducted a test where we downloaded multiple malware samples to a connected device. While these samples were detected and reflected (very briefly) in the Microsoft Defender Preview app, they never showed up in the security alerts of the cloud dashboard for a Windows 11 device, with the Defender dashboard continuing to say that the device was protected and did not have any issues. However, the Microsoft Defender dashboard worked just fine for one of our test Windows 10 devices, displaying a "Needs attention" status after the malware was detected.

     [Image: Microsoft Defender Preview (BleepingComputer)]

     You can get the Microsoft Defender app for Windows from the Microsoft Store, for iPhones from the App Store, and for Android phones via Google Play. More information on how you can add new devices to your account can be found on the Adding devices to your Microsoft Defender account support page. At the moment, you don't need to have a subscription to use Microsoft Defender Preview; however, the app will require a Microsoft 365 Family or Personal subscription.

     Microsoft tests new cloud-based Microsoft Defender for home users
  5. Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there. The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.

     Lax permissions

     Like any antivirus solution, Microsoft Defender lets users add locations (local or on the network) on their systems that should be excluded from malware scans. People commonly make exclusions to prevent antivirus from affecting the functionality of legitimate applications that are erroneously detected as malware. Since the list of scanning exceptions differs from one user to another, it is useful information for an attacker on the system, since this gives them the locations where they can store malicious files without fear of being detected.

     Security researchers discovered that the list of locations excluded from Microsoft Defender scanning is unprotected and any local user can access it. Regardless of their permissions, local users can query the registry and learn the paths that Microsoft Defender is not allowed to check for malware or dangerous files.

     Antonio Cocomazzi, a SentinelOne threat researcher who is credited for reporting the RemotePotato0 vulnerability, points out that there is no protection for this information, which should be considered sensitive, and that running the "reg query" command reveals everything that Microsoft Defender is instructed not to scan, be it files, folders, extensions, or processes.

     Another security expert, Nathan McNulty, confirmed that the issue is present on Windows 10 versions 21H1 and 21H2 but it does not affect Windows 11. McNulty also confirmed that one can grab the list of exclusions from the registry tree with entries that store Group Policy settings. This information is more sensitive as it provides exclusions for multiple computers.

     A security architect versed in protecting the Microsoft stack, McNulty warns that Microsoft Defender on a server has "automatic exclusions that get enabled when specific roles or features are installed" and these do not cover custom locations.

     Although a threat actor needs local access to get the Microsoft Defender exclusions list, this is far from being a hurdle. Many attackers are already on compromised corporate networks looking for a way to move laterally as stealthily as possible. By knowing the list of Microsoft Defender exclusions, a threat actor that has already compromised a Windows machine can then store and execute malware from the excluded folders without fear of being spotted.

     In tests done by BleepingComputer, a malware strain executed from an excluded folder ran unhindered on the Windows system and triggered no alert from Microsoft Defender. We used a sample of Conti ransomware, and when it executed from a normal location Microsoft Defender kicked in and blocked the malware. After placing the Conti malware in an excluded folder and running it from there, Microsoft Defender did not show any warning and did not take any action, allowing the ransomware to encrypt the machine.

     This Microsoft Defender weakness is not new and has been highlighted publicly in the past by Paul Bolton:

     [Image: source: Paul Bolton]

     A senior security consultant says that they noticed the issue about eight years ago and recognized the advantage it provided to a malware developer.

         "Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension" - Aura

     Given that it's been this long and Microsoft has yet to address the problem, network administrators should consult the documentation for properly configuring Microsoft Defender exclusions on servers and local machines via group policies.

     Microsoft Defender weakness lets hackers bypass malware detection
  6. Microsoft Defender for Endpoint is currently blocking Office documents from being opened and some executables from launching due to a false positive tagging the files as potentially bundling an Emotet malware payload. Windows system admins are reporting [1, 2, 3, 4, 5] that this is happening since updating Microsoft's enterprise endpoint security platform (previously known as Microsoft Defender ATP) definitions to version 1.353.1874.0.

     When triggered, Defender for Endpoint will block the file from opening and throw an error mentioning suspicious activity linked to Win32/PowEmotet.SB or Win32/PowEmotet.SC.

     "We're seeing issues with definition update 1.353.1874.0 detecting printing as Win32/PowEmotet.SB this afternoon," one admin said.

     "We are seeing this detected for Excel, any Office app using MSIP.ExecutionHost.exe (AIP Sensitivity Client) and splwow64.exe," another added.

     A third one confirmed the issues with today's definition updates: "We're seeing the same behavior specifically with v.1.353.1874.0 of the definitions, which was released today, & included a definition for Behavior:Win32/PowEmotet.SB & Behavior:Win32/PowEmotet.SC."

     BleepingComputer was able to trigger the false positive on a Windows 10 virtual machine with the latest Microsoft Defender signatures, as shown below.

     [Image: Emotet false positive in Microsoft Defender (BleepingComputer)]

     While Microsoft hasn't yet shared any info on what causes this, the most likely reason is that the company has increased the sensitivity for detecting Emotet-like behavior in updates released today, which makes Defender's generic behavioral detection engine too sensitive and prone to false positives.

     The change was likely prompted by the recent revival of the Emotet botnet two weeks ago, after Emotet research group Cryptolaemus, GData, and Advanced Intel began seeing TrickBot dropping Emotet loaders on infected devices.

     Even though this is almost surely not the real thing, the timing is definitely unfortunate with Emotet coming back and most Windows admins already on their toes. As some of them have reported, they almost took their data centers offline to stop a possible Emotet infection from spreading before realizing that what they were seeing were likely false positives.

     Since October 2020, Windows admins have had to deal with other Defender for Endpoint false positives, including one that showed network devices infected with Cobalt Strike and another that marked Chrome updates as PHP backdoors.

     Microsoft has told BleepingComputer that they have fixed the issue for cloud-connected users and are working on a fix for everyone else.

     "We are working to resolve an issue where some customers may have experienced a series of false-positive detections. This issue has been resolved for cloud-connected customers." - a Microsoft spokesperson.

     Update 11/30/21: Added Microsoft's statement.

     Microsoft Defender scares admins with Emotet false positives
  7. Microsoft Defender for Windows is getting a massive overhaul allowing home network admins to deploy Android, iOS, and Mac clients to monitor antivirus, phishing, compromised passwords, and identity theft alerts from a single security dashboard.

     In the past, antivirus solutions were very much a single-PC application, where each device got its own protection, but none of the devices spoke to each other. With this setup, if one device detected malware, only the person using the device would know about it, rather than providing a centralized reporting dashboard. As home networks became increasingly more complicated, connected, and diverse, antivirus vendors started to offer stripped-down versions of their enterprise products that allowed a home admin to manage all of their devices from a single dashboard.

     Microsoft's full-featured home security suite

     For the past few years, Microsoft has been focusing on the enterprise's security while leaving Windows 10 consumers with the passable but fairly generic built-in Microsoft Defender antivirus software. Based on a new Microsoft Defender Preview app added to the Microsoft Store last week, this is all about to change, with Microsoft building what appears to be a full-featured home security suite for Windows 11, Windows 10, iOS, Android, and macOS.

     "Microsoft Defender is a security application that gives you peace of mind. Through our personalized dashboard, you can view the security posture of your Windows device and other connected devices (Mac, iOS, and Android) all in one place," reads the Microsoft Defender Preview app description.

     This new preview is codenamed 'Gibraltar' internally, as it is currently restricted to Microsoft employees. However, BleepingComputer found strings in the executables that indicate that the new security solution will include antivirus, phishing protection, password breach detection, identity theft monitoring, security recommendations, and more.

     Home admins will add other family members to their personal dashboard using email or QR code invites. These invites will likely allow a device to install an iOS, Android, Windows, or macOS agent that automatically enrolls in the family's security dashboard.

     Windows software developer Ahmed Walid patched the application to bypass authentication, allowing us to get a glimpse of how the new Microsoft Defender security dashboard will look.

     [Image: Microsoft Defender Preview dashboard. Source: Walid]

     As you can see above, the dashboard will allow you to view health alerts for devices, with Identity and "Connections" monitoring coming soon. In addition, the Identity Theft Monitoring feature will support child and adult subscriptions, according to API calls found in the Microsoft Defender Preview.

     Using their "personal dashboard," home network administrators can monitor all enrolled devices for "health" alerts that may include compromised passwords, malware alerts, or identity theft issues.

     [Image: Summary of monitored devices. Source: Walid]

     It is unclear when the Microsoft Defender Preview will be available to test, but it will likely come to Windows 10 and Windows 11 Insiders first in the coming months. BleepingComputer has contacted Microsoft with further questions about this new feature and will update the article if we receive a response.

     Microsoft Defender for Windows is getting a massive overhaul
  8. Earlier this week a new version of Microsoft's popular security app, Microsoft Defender, showed up in the Store. Microsoft Defender Preview features new styling and a simplified design, and appears to be designed to protect all your devices. The minimum requirements note support for both Windows 10 and Windows 11. The app is now available to download in the Store, but it appears the installation is still restricted for some users. Ahmed Walid managed to patch the installer and posted the screenshots, which can be seen above. Try your luck by checking it out in the Store here.

     via The Windows Club

     New Microsoft Defender Preview now available in the Store for some
  9. Microsoft Defender now helps secure enterprise macOS devices

     Microsoft announced that Defender for Endpoint will now also help admins discover OS and software vulnerabilities affecting macOS devices on their organization's network. With the enterprise endpoint security platform's threat and vulnerability management feature now generally available for macOS, security admins can decrease endpoints' attack surface and therefore increase their organization's resilience against incoming attacks.

     "This capability expansion enables organizations to discover, prioritize, and remediate both software and operating system vulnerabilities on devices running macOS," Microsoft Senior Product Manager Tomer Reisner said. "After onboarding your macOS devices to Microsoft Defender for Endpoint, you'll get the latest security recommendations, review recently discovered vulnerabilities in installed applications, and issue remediation tasks, just like you can with Windows devices."

     Today, Microsoft also announced the inclusion of support for Windows 8.1 devices and the introduction of email notifications for vulnerability events to Defender for Endpoint, both in public preview.

     [Image: macOS security recommendations (Microsoft)]

     Microsoft Defender for Endpoint (previously known as Microsoft Defender Advanced Threat Protection or Microsoft Defender ATP) was made generally available for Macs in May 2019. To test Defender's new macOS vulnerability assessment capabilities, you will need an A5 or E5 Microsoft volume license. You can follow these detailed instructions to onboard macOS endpoints to the Microsoft Defender for Endpoint service.

     Defender for Endpoint protects all major platforms

     Starting with October 2020, Microsoft Defender for Endpoint also provides admins with a report that helps them keep track of vulnerable Windows and macOS devices within their organization's environment. Among the insights that administrators can draw from this new Defender threat and vulnerability management report, Microsoft highlighted device vulnerability severity levels, exploit availability, vulnerability age, and vulnerable devices by operating system.

     Microsoft Defender also got updated with a Microsoft Secure Score for Devices feature that can be used to evaluate the collective security configuration state of devices on enterprise networks. It works by identifying unprotected devices and by providing recommended actions to boost the security of an organization's endpoints.

     Earlier this month, Microsoft announced that Defender for Endpoint's detection and response (EDR) capabilities are also generally available on Linux servers.

     Source: Microsoft Defender now helps secure enterprise macOS devices
  10. Microsoft Defender to enable full auto-remediation by default

      Microsoft will enable fully automated threat remediation by default for Microsoft Defender for Endpoint customers who have opted into public previews starting next month, on February 16, 2021. This change of the default automation level from Semi to Full comes after finding that organizations using full automation by default were more successful in remediating and containing threats.

      "Data collected and analyzed over the past year shows that organizations who are using full automation have had 40% more high-confidence malware samples removed than customers using lower levels of automation," Microsoft explains. "Full automation also frees up our customers' critical security resources so they can focus more on their strategic initiatives."

      Fully automated tenants remediate threats faster

      When full automation is enabled on tenants, Microsoft's endpoint security platform will auto-create a remediation action that removes or contains the malicious entity found after investigating suspicious activity. This happens automatically, without the organization's security operations team having to remotely connect to the device or having to wait for the remediation action to be approved.

      However, when the default automation level is set to Semi, all remediation actions require manual approval, which drastically lowers the reaction time, potentially allowing detected malware to infect other devices and causing further damage.

      The change comes after Microsoft has increased malware detection accuracy, upgraded its automated investigation infrastructure, and added an option to undo remediation actions. Additionally, since automated investigation and remediation capabilities were first added to Microsoft Defender for Endpoint, organizations with fully automated tenants have been able to successfully remediate and contain threats while tenants with semi-automation were left waiting for manual approval.

      Doesn't alter previously configured automation settings

      "The new default automation level can be kept (this is recommended) or changed according to your organizational needs," Microsoft added. "This change does not impact or override device group definitions that were previously set to control automation level."

      To start using Microsoft Defender for Endpoint public preview capabilities, customers have to manually toggle on preview features in the Microsoft Defender Security Center.

      Since October, Microsoft Defender for Endpoint also provides users with vulnerable device tracking capabilities to help them keep track of vulnerable Windows and macOS endpoints within their organization's environment. Redmond's endpoint security platform also expanded to include non-Windows platforms in June, hitting general availability for Linux enterprise customers and entering public preview for those using Android devices.

      Source: Microsoft Defender to enable full auto-remediation by default
  11. Microsoft Defender now blocks cryptojacking malware using Intel TDT

      Microsoft today announced that Microsoft Defender for Endpoint, the enterprise version of its Windows 10 Defender antivirus, now comes with support for blocking cryptojacking malware using Intel's silicon-based Threat Detection Technology (TDT).

      Cryptojacking malware allows threat actors to secretly mine for cryptocurrency on infected devices, including personal computers, enterprise servers, and mobile devices. In some cases, cryptojacking drastically lowers the infected machines' performance by hogging valuable system resources.

      Detecting malware execution using CPU-based heuristics

      Intel TDT is part of the Hardware Shield suite of capabilities available on Intel vPro and Intel Core platforms, providing endpoint detection and response (EDR) capabilities for advanced memory scanning, cryptojacking, and ransomware detection via CPU-based heuristics.

      Intel TDT couples low-level hardware telemetry collected from the CPU's performance monitoring unit (PMU) with machine learning to detect cryptomining malware at execution time. This helps Microsoft Defender block the malicious processes without using hypervisor introspection or code injection to get around detection evasion techniques such as code obfuscation used by malware creators.

      Microsoft also wants to use Intel TDT in the future to detect and stop other malware strains and attack techniques such as ransomware and side-channel attacks.

      "Even though we have enabled this technology specifically for cryptocurrency mining, it expands the horizons for detecting more aggressive threats like side-channel attacks and ransomware," Karthik Selvaraj, Principal Research Manager, Microsoft 365 Defender Research Team, said. "Intel TDT already has the capabilities for such scenarios, and machine learning can be trained to recognize these attack vectors."

      [Image: Microsoft]

      Available for Intel vPro and Core, 6th gen or later

      While Intel TDT continuously monitors and analyzes telemetry data from virtual machines and applications for signals of malicious activity, this doesn't impact the system's overall performance since it delegates resource-intensive workloads to the integrated graphics processing unit (GPU).

      "This advanced threat detection doesn't create a performance hit requiring IT leaders to make a tradeoff between better security or a good user experience," Intel added. "Intel TDT can offload performance-intensive security workloads to the integrated graphics controller and return performance back to the CPU, allowing for increased scanning and reduced impacts to the computing experience."

      The new capability is available for all customers using Intel Core processors and the Intel vPro platform, 6th Generation or later.

      "This partnership is one example of our ongoing investment and deep collaboration with technology partners across the industry," Selvaraj added. "We work closely with chipmakers to explore and adopt new hardware-based defenses that deliver robust and resilient protection against cyberthreats. As organizations look to simplify their security investments, built-in platform-based security technologies, such as the integration of Intel TDT with Microsoft Defender for Endpoint, combine best of breed in a streamlined solution."

      Source: Microsoft Defender now blocks cryptojacking malware using Intel TDT
  12. Tamper Protection prevents malware from disabling Windows Defender features

Today, Microsoft announced the general availability of a new Microsoft Defender antivirus feature named Tamper Protection. The feature works by blocking malware from disabling Microsoft Defender (formerly Windows Defender) features behind the user's back.

According to Microsoft, with Tamper Protection, malicious apps won't be able to:

- Disable virus and threat protection
- Disable real-time protection
- Turn off behavior monitoring
- Disable Defender's antivirus components (such as IOfficeAntivirus (IOAV))
- Disable cloud-delivered protection
- Remove security intelligence updates

Microsoft says that Tamper Protection "essentially locks Microsoft Defender" and prevents security settings from being changed through third-party apps and methods like:

- Configuring settings in Registry Editor on a Windows machine
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies

The feature will be available both for the free version of Microsoft Defender (the one that ships with all modern Windows OS versions) and for Microsoft Defender Advanced Threat Protection (ATP), the commercial version primarily employed on enterprise networks.

Work on Tamper Protection began in December 2018, when it was first rolled out to Windows Insider previews. In March this year, Microsoft rolled Tamper Protection out to Microsoft Defender ATP for further testing. Starting today, the feature is available for all Microsoft Defender users.

Microsoft told ZDNet in a phone call last week that the feature will be enabled by default for all users in the coming weeks, in a multi-stage rollout. Users who don't want to wait can enable Tamper Protection right now: a new option has been added to the Windows Security settings page to control Tamper Protection's state.

To enable or disable Tamper Protection, the steps are:

1. Click Start, and start typing Defender.
2. In the search results, select Windows Security.
3. Select Virus & threat protection > Virus & threat protection settings.
4. Set Tamper Protection to On or Off.

But Microsoft emphasizes that Tamper Protection was specifically built for enterprise environments, where the protection level it provides is far superior to what a home user gets. There, when a system administrator enables the feature for a company's workstations, Tamper Protection locks out malware and end users alike. Once enabled, only administrators will be able to change Defender settings across a company's computers. The only catch is that administrators must use Microsoft Intune to manage their workstation fleet.

"When an administrator enables the policy in Microsoft Intune, the tamper protection policy is digitally signed in the backend before it's sent to endpoints," Microsoft says. "The endpoint verifies the validity and intent, establishing that it is a signed package that only security operations personnel with Microsoft Intune admin rights can control."

In enterprise setups, when malware or users try to modify Defender features, an alert is raised in Microsoft Defender ATP's Security Center, which administrators can investigate further.

Tamper Protection is only available for Windows 10 version 1903 (the May 2019 release) or later. Microsoft said it will work to port the feature to older versions.

Source
  13. Ignite 2019: Microsoft details its efforts to level the playing field against cyber attackers

Microsoft announced the brand change from Windows Defender to Microsoft Defender in March, after giving security analysts the tools to inspect enterprise Mac computers for malware via the Microsoft Defender console. Rob Lefferts, corporate vice president for Microsoft's M365 Security, told ZDNet that Microsoft Defender for Linux systems will be available for customers in 2020.

Application Guard is also coming to all Office 365 documents. Previously, this security feature was only available in Edge and allowed users to safely open a webpage in an isolated virtual machine to protect them from malware. Now, users who open Office 365 apps, like Word or Excel, will have the same protection.

"It's coming in preview first, but when you get an untrusted document with potentially malicious macros via email, it will open in a container," he said.

That means that when an attacker attempts to download more code from the internet and then install malware on the machine, the machine is a VM, so the victim never actually installs the malware. The move should help protect against phishing and other attacks that attempt to trick users into exiting from Protected View, which prevents users from running macros by default.

Lefferts will also discuss how Microsoft is protecting organizations from sophisticated malware attackers who are exploiting the 'information parity problem' – a highbrow term for how aspects of a network can influence its overall design.

"Defenders have to know everything perfectly and attackers only need to know one thing kind of well. The point is, it's not a level playing field and it's getting worse," said Lefferts.

Key to this ability is the Microsoft Intelligent Security Graph that Microsoft is selling to enterprise customers. But what exactly is the Microsoft Intelligent Security Graph?

"It's built into Defender ATP, Office 365, and Azure. We have signals built into events, behaviors, and things as simple as a user logged on to a machine or as complicated as the behavior of the memory layout in Word on this device is different to what it normally looks like," explained Lefferts. "Essentially we have sensors across all the identities, endpoints, cloud apps, and infrastructure and they're sending all of this to a central place inside Microsoft's cloud."

Microsoft doesn't mean physical sensors in the context of its Intelligent Security Graph, but rather pieces of code sitting inside its various applications that feed into the Intelligent Security Graph. The idea is to help security teams solve challenges differently from the way humans would do it. "Humans aren't great at huge numbers, but this is the place where machines can provide new insight."

Microsoft's evidence that it is making a difference is that it has helped prevent 13.5 billion malicious emails so far in 2019, and Lefferts expects Microsoft to have blocked 14 billion by the end of the year.

The company has highlighted its work in defending US and European political organizations against cyberattacks ahead of the 2020 US presidential mid-term elections.

"Defending democracy is a big point for us because we're making sure we take all the capabilities we're building here and use it to help organizations and governments around the world," he said. "The goal is to help defenders cut through the noise and prioritize important work and be ready to help protect and respond, both smarter and faster using signals from Windows, Office, and Azure."

The key tool Microsoft is introducing now is automated remediation for Office 365 customers that have Microsoft Threat Protection.

"There's a kill chain that represents every step an attacker takes as they move through the organization. When you find that going on, you want to ensure that you clean up the whole thing," said Lefferts.

For example, a hacker breaches a network through a phishing email, installs malware on the device, and then moves laterally to critical infrastructure, such as an email server or domain controller. The hacker can maintain a presence on the network for potentially years.

"The whole point about automation is finding all the compromised accounts and resetting those passwords, finding all the users who got malicious emails and scrubbing them out of inboxes, and finding all the devices that were impacted and isolating them, quarantining them, and cleaning them."

Lefferts was careful not to use the words artificial intelligence and stressed that Microsoft's technologies are aimed at "augmentation of people" in security teams, or "exoskeletons" for people rather than robots.

So how would it help enterprise organizations respond to the next NotPetya ransomware outbreak? NotPetya spread initially through a poisoned update from a Ukraine-based accounting software firm, crippling several global firms, including Maersk and Mondelez.

"The first thing is that it happens faster than the vendors can respond, which is a huge issue. [Responders] really need the augmentation that we're talking about so that they can go faster. There are also so many opportunities for defenders to intermediate and break the kill chain and fix everything. And we want to make sure we can work across that kill chain."

Microsoft will also roll out new features for customers using Office 365 Advanced Threat Protection, offering admins a better overview of targeted phishing attacks. The idea is to subvert typical strategies that attackers use to avoid detection, such as sending email from different IP addresses.

"However they pick their targets, they're going to have a factory where they're going to build a campaign that they're going to direct at those targets. And they will keep iterating on all the pieces of that campaign to see what's most effective at getting past the defenders and how they best trick the user into clicking something," said Lefferts. "It shows up as an onslaught of email across multiple users within the organization – sometimes just a few, sometimes in the hundreds. What we give defenders is a view of what's happening. There's email coming from different IP addresses and different sender domains and it's got different components in it because they keep running different experiments. We put the whole picture together to show you the flow, how it evolved over time."

Source
  14. Microsoft Defender flags hosts files with Microsoft server redirects as malicious

The native antivirus client of the Windows 10 operating system, Microsoft Defender, has started to flag the hosts file on the system as malicious if it contains redirects for certain Microsoft servers.

The hosts file is a simple plain text file designed to redirect connections. Users find it under C:\Windows\System32\drivers\etc\hosts on any system, and it is easy enough to redirect requests with it. It has been used for ages to block known malicious sites or advertisement sites. All you have to do is add a line that maps a hostname, www.microsoft.com in this case, to the local computer; requests for that site then go to the local machine instead of the real server. The effect is simple: the request is blocked.

With the release of Windows 10 came increased blocking of Telemetry servers. Privacy tools would add known Telemetry servers to the hosts file to block connections and thus the transmission of Telemetry data to Microsoft.

As of July 28, 2020, it appears that Microsoft Defender is flagging hosts files as malicious if they contain certain redirects. According to Günter Born, the following versions introduced the new behavior:

- Antimalware client version: 4.18.2006.10
- Engine version: 1.1.17300.4
- Antivirus version: 1.321.144.0
- Antispyware version: 1.321.144.0

Microsoft Defender Antivirus flags certain hosts file changes as a threat. An attempt to add telemetry.microsoft.com and microsoft.com redirects to the hosts file resulted in Microsoft Defender flagging the file and restoring the original version. Attempts to save the file may display the following notification by Microsoft Defender:

Operation did not complete successfully because the file contains a virus or potentially unwanted software.

Restoring the file did not bring the added entries back.

Bleeping Computer's Lawrence Abrams ran a few tests and discovered the following servers that Microsoft Defender flags when they are added to the hosts file on Windows 10 devices:

- www.microsoft.com
- microsoft.com
- telemetry.microsoft.com
- wns.notify.windows.com.akadns.net
- v10-win.vortex.data.microsoft.com.akadns.net
- us.vortex-win.data.microsoft.com
- us-v10.events.data.microsoft.com
- urs.microsoft.com.nsatc.net
- watson.telemetry.microsoft.com
- watson.ppe.telemetry.microsoft.com
- vsgallery.com
- watson.live.com
- watson.microsoft.com
- telemetry.remoteapp.windowsazure.com
- telemetry.urs.microsoft.com

It is possible that other servers will also be seen as a threat by Microsoft Defender.

Windows 10 users may allow the threat in Microsoft Defender, at least for now, to add these redirects to the file again. The problem with this approach is that it will allow all modifications, even those by malicious software. Another option is to turn off Microsoft Defender and to start using a different security solution for Windows.

A false positive seems unlikely, considering that the list of servers consists mostly of Telemetry servers.

Windows 10 tools that add entries to the hosts file may be negatively affected by this. Most privacy tools that manipulate the hosts file to block Telemetry will certainly fail to add the entries if Microsoft Defender is the resident antivirus solution.

Source: Microsoft Defender flags hosts files with Microsoft server redirects as malicious
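As an added example for this thread (not code from Microsoft, ghacks or Bleeping Computer), the following Python script parses a hosts file the way the article describes it and reports which lines point one of the servers listed above at a local or null address, so an administrator can see which entries will trip the detection before Defender quarantines the file. The sample hosts content is constructed; only the hostname list comes from the article.

```python
"""Audit a Windows hosts file for the Microsoft server redirects Defender flags.

Added example for this thread, not Microsoft's or the cited articles' code. It parses
hosts-file syntax (comments, tabs, several names per line) and reports every entry
that points one of the hostnames listed above at a local or null address."""
import ipaddress

# Hostnames reported in the article as triggering the detection.
FLAGGED_HOSTS = frozenset(h.lower() for h in [
    "www.microsoft.com", "microsoft.com", "telemetry.microsoft.com",
    "wns.notify.windows.com.akadns.net",
    "v10-win.vortex.data.microsoft.com.akadns.net",
    "us.vortex-win.data.microsoft.com", "us-v10.events.data.microsoft.com",
    "urs.microsoft.com.nsatc.net", "watson.telemetry.microsoft.com",
    "watson.ppe.telemetry.microsoft.com", "vsgallery.com", "watson.live.com",
    "watson.microsoft.com", "telemetry.remoteapp.windowsazure.com",
    "telemetry.urs.microsoft.com",
])

def is_blackhole(addr: str) -> bool:
    """True for addresses that swallow a connection: loopback or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        fields = line.split()                 # spaces and tabs both separate fields
        for name in fields[1:]:               # one address may carry several names
            yield line_no, fields[0], name.lower()

def flagged_entries(text: str):
    """Return the entries Defender objects to, as (line_no, address, hostname)."""
    return [(n, a, h) for n, a, h in parse_hosts(text)
            if h in FLAGGED_HOSTS and is_blackhole(a)]

SAMPLE_HOSTS = """\
# constructed sample: what a privacy tool might leave in the hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0 telemetry.microsoft.com   # added by a privacy tool
0.0.0.0\twatson.telemetry.microsoft.com vsgallery.com
127.0.0.1 ads.example.test        # ordinary ad-blocking entry, not on the list
203.0.113.5 www.microsoft.com     # real-looking address (TEST-NET-3), not a block
"""

if __name__ == "__main__":
    for line_no, addr, host in flagged_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {addr} -> {host} is on the flagged list")
```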
  15. Microsoft Defender Antivirus in Windows 10 now comes with UEFI scanner to detect firmware attacks

Microsoft Defender Antivirus is the built-in antivirus solution on Windows 10 PCs. It offers behavior-based, heuristic, and real-time antivirus protection for free. Microsoft has recently added a new component called UEFI scanner to Microsoft Defender Antivirus. The UEFI scanner scans the firmware filesystem at runtime by interacting directly with the motherboard chipset.

To detect security threats, the scanner performs its analysis using the following components:

- UEFI anti-rootkit, which reaches the firmware through the Serial Peripheral Interface (SPI)
- Full filesystem scanner, which analyzes content inside the firmware
- Detection engine, which identifies exploits and malicious behaviors

You can learn how Microsoft built this new UEFI scanner from the source link below. The new UEFI scanner adds to a rich set of Microsoft technologies that integrate to deliver chip-to-cloud security, from a strong hardware root of trust to cloud-powered security solutions at the OS level.

Source: Microsoft