Edit: As of Windows 10 version 2004, Windows Defender has been renamed Microsoft Defender Antivirus.

You probably don't need to buy another third party antivirus program to keep your PC secure, thanks to the improvements Windows Defender received in version 1709 aka Fall Creators Update. But later in this thread, I will show some situations where you might want a third party antivirus program anyway, especially when managing computers remotely. @Ryan_Vickers, @wkdpaul, @leadeater, tell me if what I said is wrong.

You may have seen YouTube videos of Windows Defender trailing behind on detection-on-execution despite scoring high on AV-Comparatives and other independent testing sites. The reason is that they test it on default settings, which if you ask me are not as good as the default settings of third party antivirus programs, because some of Windows Defender's advanced settings are turned off, which is a bummer.

To make Windows Defender more secure, you need the following:
- A PC running the latest stable release of Windows 10 Pro, 1909 or later. You need the Pro version because most of these advanced settings are buried deep in Group Policy, which is unavailable to Windows 10 Home users.
- Windows Updates enabled.

Hit Start > type "gpedit" > hit Enter. Go to Computer Configuration ➡ Administrative Templates ➡ Windows Components ➡ Windows Defender Antivirus. Within these settings, we will focus on the following protection components:
- MAPS (aka Microsoft Active Protection Service): "Block at First Sight", Automatic Sample Submission
- MpEngine: Configure Cloud Protection Levels, Extending cloud check
- Windows Defender Exploit Guard: Attack Surface Reduction, Controlled Folder Access, Network Protection

Take note that several features, such as Windows Defender Exploit Guard, are components of their paid, enterprise grade protection "Defender ATP", which is part of a Windows 10 E5 subscription.
"Block at First Sight" & MAPS: Microsoft Active Protection Service

First, enable Block At First Sight. Open that property and click Enable. What it does is have a file scanned in real time by their local and cloud based algorithms to determine whether the file is malicious or not. Per Microsoft's documentation, if the local detection algorithms can't immediately reach a verdict, it uses a cloud service to do additional checks. To do this, open the "Join Microsoft MAPS" properties and enable "Advanced MAPS". Now, as shown in the screenshot, Advanced MAPS will collect even more data, including the location of the software, file names, how the software operates, and how it has impacted your computer. If you think this is a little bit invasive, you can dial it down to Basic MAPS.

MpEngine

The next property to configure is the MpEngine, which I believe is their actual detection process in Task Manager. Open "Configure extended cloud check" and specify how much delay to add before a file executes. What it does is that executable files (clean or malicious) will not be executed until they have been scanned in the cloud. Obviously, a longer waiting time, up to a minute, could mean much better detection.

How cloud protection works is best described by Microsoft's infographic below. This method is used by almost all antivirus vendors. Basically, local and cloud detection algorithms try to determine whether a new, unknown file is malicious. The engine then tallies +1s and -1s as the file exhibits behavior characteristic of malware; should it reach the threshold, the AV will delete/quarantine the file and send it for further analysis. However, for the super paranoid, or if it's a home PC and you don't want something malicious to execute because mom was tricked by a social engineering ad pretending to be a Covid-19 charity, you need to set the Cloud Protection Level.
If you want, you can select "Zero Tolerance blocking level", which is basically whitelisting: any program that Microsoft hasn't flagged as safe will not execute. This is also useful for small businesses or anyone in a high risk working environment, but this setting will lead to many false positives. If you don't want that much annoyance, you can set the cloud blocking level to just High or High+.

Attack Surface Reduction

The next property to enable is Attack Surface Reduction. In Windows 10 Pro, only a subset of the ASR properties is available via Group Policy. The rest of the protection modules are only available to Windows 10 E5 (WDATP) or Intune. What ASR does is prevent the execution of malicious programs by blocking well known attack vectors such as creating child processes, obfuscated macros, or even malware from USB flash drives. To enable ASR rules, go to Windows Defender Exploit Guard ➡ Attack Surface Reduction ➡ Configure Attack Surface Reduction Rules ➡ Enabled. From there, you unfortunately have to type each rule's GUID and set its value to 1, as if you were in the Registry Editor.
For WDATP and Intune, all it takes are a few mouse clicks to enable ASR.

Rule name | GUID | File & folder exclusions | Minimum OS supported
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater
Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10, version 1903 (build 18362) or greater

The rest of the documentation can be found on Microsoft's website. To demonstrate how ASR works: after enabling those rules, it flagged BitTorrent.exe as doing something similar to credential stealing. This might be a false positive, but it might be shady too, considering it's a piracy tool that served ads. However, I am not sure if the ASR rules also protect browsers other than Edge. ASR rules also don't apply when a third party antivirus is installed. I know that old Edge sucks because of its old rendering engine; you may opt to use the Chromium based Edge. Just don't forget to switch the search engine to Google because Bing sucks.

Protection against Potentially Unwanted Applications (PUAs)

Edit: As of June 15, 2020, Microsoft Defender AV has moved the option for PUA protection into the Windows Security GUI: Start → type "Windows Security" → App & browser control → Reputation Based Protection → turn on "Potentially unwanted app blocking". It should be noted that this feature constantly receives information from Microsoft's cloud protection service, so it will only work properly if Real-Time Protection and Cloud-delivered Protection are enabled.

At the time of writing, Windows 10 does have PUA detection but it's disabled by default. To enable it, hit Start ➡ type PowerShell ➡ Run As Administrator. Then paste the following command and hit Enter.
Set-MpPreference -PUAProtection Enabled

Or you can also enable it in Group Policy. If you are curious as to what this module detects: it detects and blocks torrenting programs, especially the popular ones. And yes, I have stopped using BitTorrent.

Protection Against Ransomware: ASR and Controlled Folder Access

You may remember that one of the ASR rules is advanced protection against ransomware, which does additional checks on whether an application is performing behavior characteristic of ransomware, such as file enumeration and unwanted encryption. To better protect your PC against it, you need to enable Controlled Folder Access. This time, you don't need Group Policy, as this option is also available on Windows 10 Home. Go to the bottom right corner of your taskbar and look for the shield icon. Double click it ➡ Virus & threat protection ➡ under Ransomware protection, click "Manage Ransomware Protection" ➡ turn on Controlled Folder Access. What it does is prevent unknown applications from accessing or overwriting the protected folders. However, this can also lead to false positives, and you have to manually whitelist programs. The reason why it is grayed out is because I enabled it in Group Policy as well. There's even an option to restore files should a ransomware succeed in encrypting some files, but this feature is only available to Microsoft accounts subscribed to Office 365.

Edit: Securing web access regardless of the browser of choice with Network Protection

At first I thought that Windows Defender's Smart Screen filter only applied to Office products and Microsoft Edge, but it turns out I was wrong: there's a hidden feature within Group Policy that prevents applications from accessing dangerous URLs, IP addresses, and phishing sites. With this feature, if I click on a link from a phishing email while using Chrome or Firefox, it blocks the outbound HTTP(S) connection before the page reaches your PC, and Windows Defender will show a warning like the screenshot below.
While that is good, I do not like how the notification appears, as it is so generic looking, without proper context as to what it has blocked, unlike Smart Screen alerts in Microsoft Edge, which is an explicit red warning. If Microsoft is reading this, please add more context to these alerts, like what was blocked, or that Smart Screen has deemed the URL or IP address malicious with high certainty. It would be nice if Smart Screen alerts corresponded to one's cloud blocking level. Let's say I have enabled "Zero Tolerance"; this should also mean that Smart Screen, including Network Protection, should only allow sites that are whitelisted or flagged by Microsoft as safe. Maybe in the Windows 10 November 2020 update it's gonna be there. The screenshot below is how the alert looks with Google Chrome or any non-Microsoft browser. ⬇

To enable this, go to Group Policy ▶ Computer Configuration ▶ Administrative Templates ▶ Windows Components ▶ Windows Defender Antivirus ▶ Windows Defender Exploit Guard ▶ Network Protection. From there, enable the "Prevent users and apps from accessing dangerous websites" rule and set it to "Block". From then on, even if you use Chrome, Firefox or any browser, you will be protected from threats as long as Microsoft's cloud service, called "Intelligent Security Graph", has flagged a file or URL as malicious. Unfortunately, web control such as blocking select categories of websites is only available in the paid WDATP, which is not cheap.

If you ask me, this might be better than what most antivirus companies are doing, injecting scripts into every browser to determine if a site is malicious, as that makes the user more susceptible to cross-site scripting attacks. But the lack of web control out of the box, and the upfront price just to get it, is probably one of the reasons why many people pay for 3rd party antivirus.
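The steps above, from MAPS through Network Protection, can be applied in one go from PowerShell instead of clicking through gpedit. The script below is an added example, not part of the original post, and uses the Defender module cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference); the -Enforce switch and the whitelist path are my own, and the ASR GUIDs are the ones from the table above. It starts ASR, Controlled Folder Access and Network Protection in audit mode so that hits like the BitTorrent.exe one show up in the Defender log before anything is actually blocked.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: the hardening the post applies
# through gpedit, done with the Defender PowerShell module so it can be
# repeated on several PCs. Group Policy values take precedence over
# Set-MpPreference, so on a machine already configured via gpedit the policy
# wins. Tamper Protection blocks attempts to turn protection OFF; turning
# features on, as done here, is permitted.
param(
    # Without -Enforce, ASR / Controlled Folder Access / Network Protection run
    # in AuditMode: they log what they would have blocked but block nothing,
    # so false positives surface in the Defender log first. (-Enforce is my
    # own switch, not a Defender option.)
    [switch]$Enforce
)

$mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }

# --- MAPS, Block at First Sight, cloud protection level, extended cloud check ---
Set-MpPreference -MAPSReporting Advanced            # Basic = less telemetry, as the post notes
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -DisableBlockAtFirstSeen $false    # $false means Block at First Sight is ON
Set-MpPreference -CloudBlockLevel High              # or HighPlus / ZeroTolerance
Set-MpPreference -CloudExtendedTimeout 50           # extra seconds (0-50) on top of the default 10

# --- Potentially Unwanted Applications ---
Set-MpPreference -PUAProtection Enabled

# --- Attack Surface Reduction: the 15 rule GUIDs from the table in the post ---
$asrRuleIds = @(
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'  # executable content from email client and webmail
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # Office apps creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899'  # Office apps creating executable content
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'  # Office apps injecting code into other processes
    'D3E037E1-3EB8-44C8-A917-57927947596D'  # JavaScript/VBScript launching downloaded executables
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'  # potentially obfuscated scripts
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'  # Win32 API calls from Office macros
    '01443614-cd74-433a-b99e-2ecdc07bfc25'  # executables failing prevalence/age/trusted-list criteria
    'c1db55ab-c21a-4637-bb3f-a12568109d35'  # advanced protection against ransomware
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'  # credential stealing from lsass.exe
    'd1e49aac-8f56-4280-b9ba-993a6d77406c'  # process creations from PSExec and WMI
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'  # untrusted/unsigned processes from USB
    '26190899-1602-49e8-8b27-eb1d0a1ce869'  # Office communication apps creating child processes
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'  # Adobe Reader creating child processes
    'e6db77e5-3df2-4cf1-b95a-636979351e5b'  # persistence through WMI event subscription (1903+)
)
# One action per rule; Add-MpPreference merges with rules already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleIds `
                 -AttackSurfaceReductionRules_Actions (@($mode) * $asrRuleIds.Count)

# --- Controlled Folder Access and Network Protection ---
Set-MpPreference -EnableControlledFolderAccess $mode
Set-MpPreference -EnableNetworkProtection $mode
# When CFA blocks a legitimate app, whitelist it by full path (placeholder path below):
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\example.exe'

# --- Show what is now in effect (numeric values are Defender's enum codes) ---
Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent, DisableBlockAtFirstSeen,
    CloudBlockLevel, CloudExtendedTimeout, PUAProtection,
    EnableControlledFolderAccess, EnableNetworkProtection,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions | Format-List
```

Run it once without -Enforce, use the PCs normally for a few days, review the Defender log, whitelist what needs whitelisting, then run it again with -Enforce. If some setting does not change, check whether a Group Policy value is already set for it, because that value wins over the cmdlet.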
Hardening Windows Defender against attacks: Tamper Protection and Core Isolation

Tamper Protection is turned on by default; it prevents malware and other programs from turning Windows Defender off. Core Isolation protects the Windows kernel by utilizing virtualization. This feature is turned off by default because other programs relying on virtualization, such as VMware, will not work. Turn it on only if you don't host virtual machines and you think you're susceptible to targeted attacks.

And that is how you make Windows Defender as secure as third party AV programs. If you're enabling the settings above for a small business, don't forget to make your employees use standard accounts to prevent them from tampering with those settings. Keep in mind that the settings above are only recommended if you're computing in a high risk environment, you're a small business, your non-tech savvy parents use the home PC and you don't want social engineering attacks to succeed, or you're paranoid about targeted attacks like spear-phishing. However, if you're a gamer it's better to just use the default protection level.

Why you might want to use a third party antivirus instead

With all that said, there are situations where you might want to use a third party antivirus solution. The number one reason is remote management of computers. Right now, we're using Bitdefender GravityZone because, one, I got it with a discount, and two, I can manage protection, patch management and scheduled scans remotely. I can even block USB flash drives remotely or just mark them as read only, and prevent our employees from accessing sites they're not supposed to visit like torrenting, porn, or even job search sites. Out of the box, Windows Defender on Windows 10 Pro simply won't provide me that kind of control. To do that with Microsoft's offerings, I have to shell out more money, either for a Windows 10 E5 license, which is quite overkill for a small business, or for an Intune subscription, which costs more.
For our small family business with seven computers that I remotely manage, Bitdefender GravityZone is a better choice when it comes to price. At the time of writing, it cost $260 for a license for 10 computers including 3 file servers. Should I spend the money on Microsoft's Intune, it would cost us $734.16 every year just to protect 7 devices, which is more expensive than what I've paid Bitdefender. While you might say Intune also protects mobile devices including Android and iOS via MDM, Bitdefender's higher tier GravityZone Advanced is still cheaper than Intune, as it only costs $406 at the time of writing. That's the reason why, if you're a small business who:
- Doesn't want to use Microsoft Edge (Chromium or EdgeHTML)
- Only uses Windows 10, macOS or Linux, with no phones or tablets in use
- Is on a tight budget
- Would still want web, device and application control
then a third party endpoint security solution might be a better choice than what Microsoft's paid solutions offer.

⬇ Pricing comparison between Bitdefender GravityZone vs Microsoft Intune

But as I've said previously, if you don't care about those and just want the PCs in a small business to be protected, then the in-house Windows Defender with advanced settings is your best choice. Also, many paid antivirus programs have additional features such as parental controls for children, a password manager, and a VPN. Also, most of the top AV vendors know best whether a file is malicious or not and have lower false positives. This is important especially if you're gaming and all of a sudden Windows Defender blocks installation of a Steam game because of ASR or a higher cloud blocking level.
But some security researchers recommend Windows Defender over other AVs for a couple of reasons:
- Windows Defender doesn't inject scripts into a browser (similar to a MiTM) to determine if a site is malicious or not, unlike most 3rd party AVs, because Windows Defender only protects Microsoft Edge, so it's tightly integrated. Unlike third party AVs, Windows Defender is less susceptible to cross site scripting attacks.
- While most antivirus programs are exploitable because they have deep access to the system including the kernel, at the time of writing only Microsoft has taken the effort to sandbox the Windows Defender process, thus reducing the chances of it being exploited. Take note that the sandbox isn't enabled by default. If you want to enable the AppContainer sandbox for Windows Defender, open Command Prompt as an Administrator and type:

setx /M MP_FORCE_USE_SANDBOX 1

Windows Defender is now catching up to the big boys of the antivirus industry, unlike its pathetic detection scores years ago.
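Because the Network Protection and ASR toasts are so generic (the complaint above), the detail has to come from the Microsoft Defender operational log instead: which rule fired, on what path, from which process, and whether that rule is currently set to audit or block. The script below is an added example, not part of the original post. The event IDs are the documented Exploit Guard ones; the "ID:", "Path:" and "Process Name:" labels are matched from the event message text and are an assumption about its layout, so an unmatched field simply comes out empty. Look each GUID up in the ASR table earlier in the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: reads Exploit Guard events from
# the Defender operational log and pairs each ASR hit with the action
# currently configured for that rule, which is what you want when deciding
# whether a hit like the BitTorrent.exe one is a false positive to whitelist
# or a rule to move from AuditMode to Enabled.
param([int]$Hours = 24)   # how far back to look (my own parameter)

$eventMeaning = @{
    1121 = 'ASR rule blocked';                 1122 = 'ASR rule audited'
    1123 = 'Controlled Folder Access blocked'; 1124 = 'Controlled Folder Access audited'
    1125 = 'Network Protection audited';       1126 = 'Network Protection blocked'
    5007 = 'Defender configuration changed'    # worth watching with Tamper Protection in mind
}
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

# Current ASR configuration: rule GUID -> configured action (as reported by Get-MpPreference)
$pref = Get-MpPreference
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
$configured = @{}
for ($i = 0; $i -lt $ids.Count; $i++) {
    $code = [int]$acts[$i]
    $label = "code $code"
    if ($actionName.ContainsKey($code)) { $label = $actionName[$code] }
    $configured[$ids[$i].ToLower()] = $label
}

# Protection status the post cares about; IsTamperProtected needs a 2019+ platform.
# MsMpEngCP.exe is the sandboxed content process Microsoft named when announcing
# the sandbox, so its presence is a reasonable (assumed) check that it is active.
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, IsTamperProtected, AntivirusSignatureLastUpdated
$sandboxed = [bool](Get-Process -Name MsMpEngCP -ErrorAction SilentlyContinue)
"Defender sandbox content process running: $sandboxed"

$guidPattern = '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}'
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$eventMeaning.Keys
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent reports "no events found" as an error; treat it as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$events | ForEach-Object {
    $msg  = $_.Message
    # The rule GUID appears after "ID:" in ASR events; the GUID pattern alone is enough to find it.
    $guid = [regex]::Match($msg, $guidPattern, 'IgnoreCase').Value.ToLower()
    $path = [regex]::Match($msg, '(?im)^\s*Path:\s*(.+?)\s*$').Groups[1].Value
    $proc = [regex]::Match($msg, '(?im)^\s*Process Name:\s*(.+?)\s*$').Groups[1].Value
    $cfg  = ''
    if ($guid -and $configured.ContainsKey($guid)) { $cfg = $configured[$guid] }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Event      = $eventMeaning[[int]$_.Id]
        RuleGuid   = $guid        # look it up in the ASR table in the post
        Configured = $cfg         # Audit / Block / Disabled for that rule right now
        Path       = $path
        Process    = $proc
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap

if ($events.Count -eq 0) { "No Exploit Guard events in the last $Hours hour(s)." }
```

A rule that keeps producing "audited" events for software you actually rely on is a candidate for an exclusion rather than for block mode; a rule that only ever fires on things you did not intend to run is safe to flip to Enabled. Event 5007 is included because a configuration change you did not make is exactly what Tamper Protection is meant to stop.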