Making Microsoft Defender as good or even better than paid options

Edit: As of Windows 10 version 2004, Windows Defender has been renamed as Microsoft Defender Antivirus.

 

You probably don't need to buy another third party antivirus program to keep your PC more secure with the advent of Windows Defender accompanied by its improvements in version 1709 aka Fall Creators Update. But later in this thread, I will show some situations where you might want to use a third party antivirus program, especially when remotely managing computers. @Ryan_Vickers, @wkdpaul, @leadeater tell me if what I said is wrong.

You may have seen YouTube videos of Windows Defender trailing behind when it comes to detection on execution despite scoring high on AV-Comparatives and other independent testing sites. The reason for this is they test it on default settings, which if you ask me is not really as good as the default settings of third party antivirus programs because some of the advanced settings of Windows Defender are turned off which is a bummer.


To make Windows Defender more secure, you need the following:

  • a PC running the latest stable release of Windows 10 Pro 1909 or later. You need the Pro version because of Group Policy, where most of these advanced settings are buried deep and which is unavailable to Windows 10 Home users.
  • Windows Updates enabled

 

Hit Start ➡ type "gpedit" ➡ hit Enter

 


Go to Computer Configuration ➡ Administrative Tools ➡ Windows Components ➡ Windows Defender Antivirus

Within these settings, we will focus on the following protection components:

  • MAPS (aka Microsoft Active Protection Service)
    • "Block at First Sight"
    • Automatic Sample Submission
  • MpEngine
    • Configure Cloud Protection Levels
    • Extending cloud check
  • Windows Defender Exploit Guard
    • Attack Surface Reduction
    • Controlled Folder Access
    • Network Protection

Take note that several features such as Windows Defender Exploit Guard are components of their paid, enterprise grade protection "Defender ATP", which is a component of a Windows 10 E5 subscription.


"Block at First Sight" & MAPS: Microsoft Active Protection Service

First, enable Block at First Sight. Open that property and click Enable. What it does is have a file scanned in real time by their local and cloud based algorithms to determine if the file is malicious or not.


In Microsoft's documentation, if the local detection algorithms can't immediately make a verdict, it will use a cloud service to do additional checks. To do this, open the "Join Microsoft MAPS" properties and enable "Advanced MAPS". Now, as shown in the screenshot, Advanced MAPS will collect even more data, including the location of the software, file names, how the software operates, and how it has impacted your computer. If you think this is a little bit invasive, you can dial it down to Basic MAPS.


MpEngine

The next property to configure is MpEngine, which I believe is their actual detection process in Task Manager. Open "configure extended cloud check" and specify how much delay it will take before it executes. What it does is that executable files (clean or malicious) will not be executed unless they are scanned in the cloud. Obviously, a longer waiting time of up to a minute could mean much better detection.


How cloud protection works is best described by Microsoft's infographic below. This method is used by almost all antivirus vendors. Basically, local and cloud detection algorithms locally try to determine if a new, unknown file is malicious or not. Then it will do a tally of +1s and -1s if it exhibits behavior characteristic of malware; should it reach the threshold, the AV will delete/quarantine the file and send it for further analysis.

 


However, for the super paranoid or if there's a home PC and you don't want something malicious to execute because mom was tricked by a social engineering ad pretending to be a Covid-19 charity, you need to set the Cloud Protection Level. If you want, you can select "Zero Tolerance blocking level", which is basically whitelisting: any program that wasn't flagged by Microsoft to be safe will not execute. This is also useful for small businesses or anyone in a high risk working environment, but this setting will lead to many false positives. Or if you don't want that much annoyance, you can set the cloud blocking level to just High or High+.

 


Attack Surface Reduction

The next property to enable is Attack Surface Reduction. In Windows 10 Pro, only a subset of properties of ASR is available via Group Policy. The rest of the protection modules are only available to Windows 10 E5 (WDATP) or Intune. What ASR does is prevent the execution of malicious programs by blocking well known attack vectors such as creating child processes, obfuscated macros, or even malware from USB flash drives. To enable ASR rules, go to Windows Defender Exploit Guard ➡ Attack Surface Reduction ➡ Configure Attack Surface Reduction Rules ➡ Enabled. From there, you unfortunately have to type the GUID and set the value to 1, as if it's the registry editor. For WDATP and Intune, all it takes are a few mouse clicks to enable ASR.


| Rule name | GUID | File & folder exclusions | Minimum OS supported |
|---|---|---|---|
| Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D | Not supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Win32 API calls from Office macros | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported | Windows 10, version 1709 (RS3, build 16299) or greater |
| Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Not supported | Windows 10, version 1903 (build 18362) or greater |

The rest of the documentation can be found on Microsoft's website. To demonstrate how ASR works, after enabling those features, it detected BitTorrent.exe as doing something similar to credential stealing. This might be a false positive but it might be shady too considering it's a piracy tool that served ads.


However, I am not sure if the ASR rules also protect browsers other than Edge. ASR rules also don't apply when a third party antivirus is installed. I know that old Edge sucks because of its old rendering engine; you may opt to use the Chromium based Edge. Just don't forget to switch the search engine to Google because Bing sucks. :P

 

Protection against Potentially Unwanted Applications (PUAs)

 

Edit: As of June 15, 2020, Microsoft Defender AV has moved the option for PUA protection into the Windows Security GUI.

Start → type "Windows Security" → App & browser control → Reputation Based Protection → Turn On "Potentially unwanted app blocking"

 

It should be noted that this feature constantly receives information from Microsoft's cloud protection service so this will only work properly if Real-Time Protection and Cloud-delivered Protection are enabled.

 


At the time of writing, Windows 10 does have PUA detection but it's disabled by default. To enable it, hit Start ➡ type PowerShell ➡ Run As Administrator.


Then copy paste the following value and hit okay.

Set-MpPreference -PUAProtection Enabled


Or you can also enable it in Group Policy:


If you are curious as to what this module detects, it detects and blocks torrenting programs especially the popular ones. And yes, I have stopped using Bittorrent. :P


Protection Against Ransomware: ASR and Controlled Folder Access

You may remember that one of the ASR rules is advanced protection against ransomware, which does additional checks on whether an application is performing behavior characteristic of ransomware such as file enumeration and unwanted encryption. To better protect your PC against it, you need to enable Controlled Folder Access. This time, you don't need Group Policy as this option is also available to Windows 10 Home. Go to the bottom right corner of your taskbar and look for the shield icon. Double click it ➡ Virus & threat protection ➡ under Ransomware protection, click "Manage Ransomware Protection" ➡ turn on Controlled Folder Access. What it does is prevent unknown applications from overwriting or accessing the protected folders. However, this can also lead to false positives and you have to manually whitelist programs. The reason why it is grayed out is because I enabled it in Group Policy as well. There's even an option to restore files should ransomware succeed in encrypting some files, but this feature is only available to Microsoft accounts who subscribed to Office 365.


Edit: Securing web access regardless of the browser of choice with Network Protection

 

At first I thought that Windows Defender's Smart Screen filter only applies to Office products and Microsoft Edge but it turns out I was wrong, as there's a hidden feature within Group Policy that prevents applications from accessing dangerous URLs, IP addresses, and phishing sites. With this feature, if I click on a link from a phishing email and I was using Chrome or Firefox, it blocks outbound HTTP(s) traffic from reaching your PC and Windows Defender will show a warning like the screenshot below. While that is good, I do not like how the notification appears, as it is so generic looking without proper context as to what it has blocked, unlike Smart Screen alerts in Microsoft Edge which is an explicit red warning. If Microsoft is reading this, please add more context to these alerts like adding what was blocked or that Smart Screen has deemed the URL or IP address to be malicious with a high certainty. It would be nice if Smart Screen alerts correspond to one's cloud blocking level. Let's say I have enabled "Zero Tolerance", this should also mean that Smart Screen including Network Protection should only allow sites that are whitelisted or flagged by Microsoft to be safe. Maybe in Windows 10 November 2020 update it's gonna be there.

 


Microsoft Defender SmartScreen block page for a link to external site

 

The screenshot below is how the alert looks like with Google Chrome or any non-Microsoft browser. ⬇


To enable this, go to Group Policy ▶ Computer Configuration ▶ Administrative Templates ▶ Windows Components ▶ Windows Defender Antivirus ▶ Windows Defender Exploit Guard ▶ Network Protection. From there, enable the "Prevent users and apps from accessing dangerous websites" rule and set it to "Block". From then on, even if you use Chrome, Firefox or any browser, you will be protected from threats as long as Microsoft's cloud service called "Intelligent Security Graph" has flagged a file or URL as malicious.

 


Unfortunately, web control such as blocking select categories of websites is only available in the paid WDATP, which is not cheap. If you ask me, this might be better than what most antivirus companies are doing with injecting scripts on every browser to determine if a site is malicious, as it makes the user more susceptible to cross-site scripting attacks. [here] [here] [here] But the lack of web control out of the box and the upfront price to just have it is probably one of the reasons why many people pay for 3rd party antivirus.

 

Hardening Windows Defender against attacks: Tamper Protection and Core Isolation

Tamper Protection is turned on by default which prevents malware and other programs from turning Windows Defender off.


Core Isolation protects the Windows kernel by utilizing virtualization. This feature is turned off by default because other programs relying on virtualization such as VMWare will not work. Turn it on only if you don't host virtual machines and you think you're susceptible to targeted attacks.


And that is how you make Windows Defender as secure as third party AV programs. If you're enabling the settings above for a small business, don't forget to make your employees use standard accounts to prevent them from tampering with those settings. It should be kept in mind that the settings above are only recommended if you're computing in a high risk environment, you're a small business, your non-tech savvy parents use the home PC and you don't want social engineering attacks to succeed, or if you're paranoid about targeted attacks like spear-phishing. However, if you're a gamer it's better to just use the default protection level.

 

Why you might want to use a third party antivirus instead?

With all that said, there might be situations where you might want to use a third party antivirus solution because:

  • The number one reason is remote management of computers. Right now, we're using Bitdefender GravityZone because, one, I got it with a discount and, second, I can manage protection, patch management, and schedule scans remotely. I can even block USB flash drives remotely or just mark them as read only, and prevent our employees from accessing sites that they're not supposed to visit like torrenting, porn, or even job search sites. Out of the box, Windows Defender from Windows 10 Pro simply won't provide me that kind of control. To do that with Microsoft's offerings, I have to shell out more money for either a W10 E5 license, which is quite an overkill for a small business, or a subscription to Intune, which costs more.

For our small family business with seven computers that I remotely manage, Bitdefender Gravityzone is a better choice when it comes to price. At the time of writing, it cost $260 for a license of 10 computers including 3 file servers. Should I spend the money for Microsoft's Intune, it will cost us $734.16 every year just to protect 7 devices, which is more expensive than what I've paid Bitdefender for. While you might say that Intune also protects mobile devices including Android and iOS via MDM, Bitdefender's higher tier Gravityzone Advance is still cheaper than Intune because it only costs $406 at the time of writing. That's the reason why if you're a small business who:

  1. Doesn't want to use Microsoft Edge (Chromium or EdgeHTML)
  2. Only uses Windows 10, macOS or Linux and no phone or tablet are being used
  3. On a tight budget
  4. Would still want web, device and application control

Then, a third party endpoint security solution might be a better choice than what Microsoft's paid solutions offer.

 

⬇ Pricing comparison between Bitdefender Gravityzone vs Microsoft Intune


But as I've said previously, if you don't care about those and would just want PCs in a small business to be protected, then the in-house Windows Defender with Advanced Settings is your best choice.

  • Also, many paid antivirus programs have additional features such as parental controls for children, password manager, and VPN.
  • Also, most of the top AV vendors know best if a file is malicious or not and have fewer false positives. This is important especially if you're gaming and all of a sudden Windows Defender blocks installation of a Steam game because of enabling ASR or higher cloud blocking.

 

But, some security researchers recommend Windows Defender over other AVs for a couple of reasons:

  • Windows Defender doesn't inject scripts in a browser (similar to a MiTM) to determine if a site is malicious or not unlike most of 3rd party AVs, due to the fact that Windows Defender only protects Microsoft Edge so it's tightly integrated. Unlike third party AVs, Windows Defender is less susceptible to cross site scripting attacks.
  • While most antivirus programs are exploitable because they have deep access to the system including the kernel, at the time of writing only Microsoft took the effort to sandbox the Windows Defender process, thus reducing the chances of being exploited. Take note that the sandbox isn't enabled by default. If one wants to enable the AppContainer sandbox for Windows Defender, open Command Prompt as an Administrator and type:
    setx /M MP_FORCE_USE_SANDBOX 1
  • Windows Defender is now catching up to the big boys of the antivirus industry, unlike its pathetic detection scores years ago.

 

There is more that meets the eye
I see the soul that is inside

 

 

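A scripted equivalent of the Group Policy steps in the guide above, as an added example that is not part of the original post: it uses the Defender cmdlets `Set-MpPreference`, `Get-MpPreference` and `Get-MpComputerStatus` with the ASR GUIDs from the post's table, and defaults to audit mode so false positives can be reviewed before anything is blocked. The function names, the `SendSafeSamples` sample-submission choice and the 50-second extended timeout are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: applies the guide's settings with
# the Defender cmdlets instead of gpedit, then reads them back.

# ASR rule GUIDs and names copied from the table in the post.
$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age, or trusted list criterion'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}

function Set-DefenderHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # AuditMode only logs what would have been blocked; Enabled enforces it.
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Mode = 'AuditMode',

        [ValidateSet('High', 'HighPlus', 'ZeroTolerance')]
        [string]$CloudBlockLevel = 'High',

        # Extra seconds a file is held while waiting for the cloud verdict.
        [ValidateRange(0, 50)]
        [int]$CloudExtendedTimeout = 50
    )

    # The cloud and PUA features depend on real-time protection being active.
    $status = Get-MpComputerStatus
    if (-not ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)) {
        throw 'Defender real-time protection is off; nothing was applied.'
    }

    $prefs = @{
        MAPSReporting                       = 'Advanced'         # "Join Microsoft MAPS"
        SubmitSamplesConsent                = 'SendSafeSamples'  # assumption of this example
        DisableBlockAtFirstSeen             = $false             # "Block at First Sight" on
        CloudBlockLevel                     = $CloudBlockLevel
        CloudExtendedTimeout                = $CloudExtendedTimeout
        PUAProtection                       = $Mode
        EnableControlledFolderAccess        = $Mode
        EnableNetworkProtection             = $Mode
        AttackSurfaceReductionRules_Ids     = @($AsrRules.Keys)
        AttackSurfaceReductionRules_Actions = @($Mode) * $AsrRules.Count
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Apply Defender settings in $Mode")) {
        Set-MpPreference @prefs
    }
}

function Get-DefenderHardeningReport {
    # Get-MpPreference reports these states as numbers.
    $state = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $p = Get-MpPreference

    # Pair each configured ASR GUID with its action (the two arrays are parallel).
    $ids = @($p.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($p.AttackSurfaceReductionRules_Actions)
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i]] = [int]$actions[$i] }

    $rows = foreach ($guid in $AsrRules.Keys) {
        $action = if ($configured.ContainsKey($guid)) { $configured[$guid] } else { 0 }
        [pscustomobject]@{ Setting = "ASR: $($AsrRules[$guid])"; State = $state[$action] }
    }
    $rows += foreach ($name in 'PUAProtection', 'EnableControlledFolderAccess', 'EnableNetworkProtection') {
        [pscustomobject]@{ Setting = $name; State = $state[[int]$p.$name] }
    }
    # Cloud block level is numeric: 0 = default, 2 = High, 4 = High+, 6 = Zero Tolerance.
    $rows += [pscustomobject]@{ Setting = 'CloudBlockLevel'; State = $p.CloudBlockLevel }
    $rows += [pscustomobject]@{ Setting = 'CloudExtendedTimeout (s)'; State = $p.CloudExtendedTimeout }
    $rows
}

# Apply in audit mode first, then confirm what is actually configured.
Set-DefenderHardening -Mode AuditMode -CloudBlockLevel High
Get-DefenderHardeningReport | Format-Table -AutoSize
```

Re-run with `-Mode Enabled` once the audit results look clean; settings enforced through Group Policy take precedence over values set this way.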

3 minutes ago, captain_to_fire said:

 

I just disable it as much as possible because I don't want it eating up CPU resources

I edit my posts a lot, Twitter is @LordStreetguru just don't ask PC questions there mostly...
 


6 minutes ago, captain_to_fire said:

10 Pro

Nice of MS to fuck over any system bought at a retail store.

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 


6 minutes ago, Streetguru said:

I just disable it as much as possible because I don't want it eating up CPU resources

You can limit Windows Defender's CPU usage in the Group Policy as well:

Computer Configuration ➡ Administrative Templates ➡ Windows Components ➡ Windows Defender Antivirus ➡ Scan ➡ Specify the maximum percentage of CPU utilization during a scan


1 minute ago, captain_to_fire said:

 

Can I set it to 0? I feel like none of that stuff works anyways, even with a metered network connection microsoft forces updates on me.


7 minutes ago, Streetguru said:

Can I set it to 0? I feel like none of that stuff works anyways, even with a metered network connection microsoft forces updates on me.

This is about Windows Defender, not Windows update!

 

BTW, you can make Windows do an update only when you tell it to, it's also in the GPOs.

 

 

EDIT ;

Computer Configuration > Admin Templates > Windows Components > Windows Update

 

Configure Automatic Update

Enable

2 - Notify for update and auto-install

 

With that, Windows will notify you that there are updates, but won't download or install anything.

Edited by wkdpaul

If you need help with your forum account, please use the Forum Support form !


32 minutes ago, captain_to_fire said:

You may have seen YouTube videos of Windows Defender trailing behind when it comes to detection on execution despite scoring high on AV-Comparatives and other independent testing sites. The reason for this is they test it on default settings, which if you ask me is not really as good as the default settings of third party antivirus programs because some of the advanced settings of Windows Defender are turned off which is a bummer.


To make Windows Defender more secure, you need the following:

  • a PC running the latest stable release of Windows 10 Pro 1909. You need the Pro version because of Group Policy, where most of these advanced settings are buried deep and which is unavailable to Windows 10 Home users.
  • Windows Updates enabled

So, when all is said and done, how much more secure does it now make it compared to this rating system? Does it jump to 3 stars, or only 2? Or is it kinda like a "Make it as secure as you want" sorta thing based on the levels of blocking you set it to?

Quote

If you want, you can select "Zero Tolerance blocking level", which is basically whitelisting: any program unknown that wasn't flagged by Microsoft to be safe will not execute. This is also useful for small businesses or anyone in a high risk working environment, but this setting will lead to many false positives. Or if you don't want that much annoyance, you can set the cloud blocking level to just High or High+.

"Put as much effort into your question as you'd expect someone to give in an answer"- @Princess Luna

Make sure to Quote posts or tag the person with @[username] so they know you responded to them!

 RGB Build Post 2019 --- Rainbow 🦆 2020 --- Velka 5 V2.0 Build 2021

Purple Build Post ---  Blue Build Post --- Blue Build Post 2018 --- Project ITNOS

CPU i7-4790k    Motherboard Gigabyte Z97N-WIFI    RAM G.Skill Sniper DDR3 1866mhz    GPU EVGA GTX1080Ti FTW3    Case Corsair 380T   

Storage Samsung EVO 250GB, Samsung EVO 1TB, WD Black 3TB, WD Black 5TB    PSU Corsair CX750M    Cooling Cryorig H7 with NF-A12x25


Everything is pretty and nicely explained. Do you have any collection of viruses and malware to test it? Or is it just theory?

Defender is widely spread with win10 and all virus and malware creators have access to it to test their viruses. To other AVs too. So there are only two options - a) nobody makes viruses and malware anymore, because it's pointless, b) all this fancy protection is mostly useless.

Ask yourself a basic question - do you know anyone who had a virus or malware? And then please tell me - was his computer protected by AV? Probably the answer to both questions will be "yes". So my question is - why should I slow down my computer for no reason? Viruses are mostly easy to detect since they are trying to connect to the internet - all you need is a good firewall that notifies you about any program that wants to connect, and then you may investigate suspicious files by yourself and block that program.


9 minutes ago, TVwazhere said:

So, when all is said and done, how much more secure does it now make it compared to this rating system? Does it jump to 3 stars, or only 2? Or is it kinda like a "Make it as secure as you want" sorta thing based on the levels of blocking you set it to?

I've seen a couple of videos, and the detection scores are higher and that's just with High cloud blocking. I don't think testing organizations like AV-Comparatives use advanced settings in their tests.

Edit: This one with High+ blocking, the detection is close to 100%

 

Edited by captain_to_fire


11 minutes ago, leadeater said:

I haven't read any of it yet but...


Which one?

Edited by captain_to_fire


8 minutes ago, TVwazhere said:

So, when all is said and done, how much more secure does it now make it compared to this rating system? Does it jump to 3 stars, or only 2? Or is it kinda like a "Make it as secure as you want" sorta thing based on the levels of blocking you set it to?

Depends who tests it, the big German AV tester I currently forget the name of already ranks Defender as one of the top. Defender actually is really good now and I trust it far more than the likes of Symantec for example, they do a lot of dodgy stuff and if that gets compromised (it has before) you had god level access even greater than being an administrator.


7 minutes ago, captain_to_fire said:

Which one?

How would I know? I hadn't read it yet. Just making a bad joke.

 

Btw I've always used this as my AV comparison source, https://www.av-test.org/en/antivirus/home-windows/. You can also see Defender being tested in a business/enterprise situation on there too.

 

Edit:

Quote

Whereas the products for home users are installed with default settings, the manufacturer is able to specify the configuration of corporate solutions. The products are updated and have complete Internet access at all times.

So defaults for home user test and some optimization for corporate tests


Just now, leadeater said:

How would I know? I hadn't read it yet. Just making a bad joke.

Corona blues I guess :D

 


56 minutes ago, Radium_Angel said:

Nice of MS to fuck over any system bought at a retail store.

The thing is that even Windows 10 Home users are protected because even if a malware succeeds in executing on one PC (patient zero), because Defender (and every other antivirus program) uses a cloud service for additional algorithms and detonation, it will eventually inoculate all Windows 10 PCs using Defender.


  • 1 month later...

I should just post here to say I did notice this when you first tagged me, I just wasn't sure what to say to be honest.  The quantity and detail of content was rather staggering and I don't think I have the particular expertise necessary to comment meaningfully on any part of it.

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


  • 2 weeks later...

Neat. Now I need to build a script to automate the process for the other computers in my home.

Read the community standards; it's like a guide on how to not be a moron.

 

Gerdauf's Law: Each and every human being, without exception, is the direct carbon copy of the types of people that he/she bitterly opposes.

Remember, calling facts opinions does not ever make the facts opinions, no matter what nonsense you pull.


2 minutes ago, Colonel_Gerdauf said:

Neat. Now I need to build a script to automate the process for the other computers in my home.

Mind you though that turning on all Windows 10 Pro's built in protection settings might cause false positives especially with aggressive cloud protection. Try it first on one computer and see how it performs.


  • 2 months later...

I was expecting a guide, but I got an essay.

I could use some help with this!

please, pm me if you would like to contribute to my gpu bios database (includes overclocking bios, stock bios, and upgrades to gpus via modding)

Bios database

My beautiful, but not that powerful, main PC:

prior build:


23 minutes ago, TheTechWizardThatNeedsHelp said:

I was expecting a guide, but I got an essay.

I don't know what kind of guide you want when I have listed every step of the way


8 minutes ago, like_ooh_ahh said:

I don't know what kind of guide you want when I have listed every step of the way

I love a detailed guide, but this is longer than my ssat essay and my HS admission essays, combined.  I wish people put this much work into android root/os replacement guides.


7 hours ago, TheTechWizardThatNeedsHelp said:

I was expecting a guide, but I got an essay.

Why is everything longer than an SMS an essay for people these days? This is just an article about Defender and even if I may not agree or think it may be pointless, I would never say it's an essay (is it supposed to be some kind of sneer?).
