Apple's Craig Federighi: Mac malware state "Non Acceptable" and why iOS != Mac

WolframaticAlpha
2 minutes ago, Ashley MLP Fangirl said:

I'm a full-time Mac user, I know. But still, like 90% of the software I use can't be installed from the App Store...

Most of the software that I would use was there. But again, I used to spend 60-80% of my time on my Linux partition or my desktop.


5 hours ago, captain_to_fire said:

Yes, but the point I made is that of all the antivirus programs, as far as I know, Microsoft is the only one who made an effort to reduce the chances of being exploited by placing it in a sandbox since 2018, though it is not turned on by default. Perhaps nowadays other vendors have followed their example. ¯\_(ツ)_/¯

Oh yeah, for sure, I was just commenting on your point about how AVs can be a huge source of real and actual risk. That's why more than one security researcher/expert has commented that it's actually best to leave AV up to the OS developer, as they are the best suited to do it, and properly.

Microsoft pushed hard into sandboxing after the incident with that bug that gave code execution with system privileges; nothing like a kick in the pants to speed things up.

We're a full Microsoft Defender and Microsoft ATP shop now, even on our Linux servers.

Fairly sure other AV vendors do sandboxing as well, just not sure exactly who and at what level you have to actually pay to get it; some are not part of the basic package, etc.


7 hours ago, RejZoR said:

Then there is HTTP scanning and anti-phishing: other antiviruses scan HTTP traffic in all browsers to prevent exploits and block phishing sites. WD only has anti-phishing capability in Edge, with no HTTP scanning anywhere.

Quote

App & browser control – This feature allows you to use Windows Defender SmartScreen, which can protect your computer against potentially dangerous files, sites, apps, and downloads. Moreover, it provides a customizable exploit protection feature.


https://support.microsoft.com/en-us/windows/app-browser-control-in-windows-security-8f68fb65-ebb4-3cfb-4bd7-ef0f376f3dc3#:~:text=App %26 browser control in Windows Security provides the settings for,files%2C websites%2C and downloads.

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection?branch=wdeg&view=o365-worldwide

It does do web content scanning, along with running Edge in a sandbox as well. 🤷‍♂️

Sure, valid point, it's only for Edge, but well... a Microsoft end-to-end solution isn't a bad thing. Maybe browsers also need to pick up their game and do better.


18 minutes ago, leadeater said:

Oh yeah, for sure, I was just commenting on your point about how AVs can be a huge source of real and actual risk. That's why more than one security researcher/expert has commented that it's actually best to leave AV up to the OS developer, as they are the best suited to do it, and properly.

Microsoft pushed hard into sandboxing after the incident with that bug that gave code execution with system privileges; nothing like a kick in the pants to speed things up.

We're a full Microsoft Defender and Microsoft ATP shop now, even on our Linux servers.

Fairly sure other AV vendors do sandboxing as well, just not sure exactly who and at what level you have to actually pay to get it; some are not part of the basic package, etc.

The vast majority of malware comes through e-mail with malicious URLs and landing on infected websites (or an infected ad server serves up a drive-by download). And while much of it is filtered at the anti-spam and firewall level in a corporate network, for home users it's not.

And therein lies the rub; I find Windows Defender does a horrible job at URL filtering, whereas Bitdefender does it better by far. But then again, I'm paying for that service. I don't believe this is because Windows Defender is an inferior product due to a lack of MS's capability; rather, perhaps it's because it's not their focus, from what I can tell. There's something else going on at the organization level. If Microsoft offered a paid subscription for an enhanced version of Defender that does URL filtering as well as Bitdefender, I'd rather pay them for the service, as it's more tightly integrated with the OS.


1 minute ago, StDragon said:

The vast majority of malware comes through e-mail with malicious URLs and landing on infected websites (or an infected ad server serves up a drive-by download). And while much of it is filtered at the anti-spam and firewall level in a corporate network, for home users it's not.

And therein lies the rub; I find Windows Defender does a horrible job at URL filtering, whereas Bitdefender does it better by far. But then again, I'm paying for that service. I don't believe this is because Windows Defender is an inferior product due to a lack of MS's capability; rather, perhaps it's because it's not their focus, from what I can tell. There's something else going on at the organization level. If Microsoft offered a paid subscription for an enhanced version of Defender that does URL filtering as well as Bitdefender, I'd rather pay them for the service, as it's more tightly integrated with the OS.

Defender, and the ATP layer on top of that, are both really business/corporate-first focused products, and you can really tell by the way the features are handled and managed. However, you really have to be doing something really stupid to get in a situation where Defender isn't able to protect you, and that goes for every other AV too. For a general user it's honestly not a problem; for the rest, well, you should know better. Don't be the guy who disables Defender/AV and Windows Firewall and then ends up nuking a medical research center, aka Stop and Think!


7 hours ago, RejZoR said:

Microsoft constantly brags about how advanced Windows Defender is, but really it's a pretty dumb antivirus. Maybe the stuff they have going on on their side is advanced, but on the user's end it's incredibly dumb. Allegedly it has a behavior blocker. Never ever seen a single detection. Had to ask people around and managed to get provided with 2! documented events of it. For other AVs that have behavior blockers you can see countless examples of it in action. Anti-ransomware blocking? Totally useless, because their whitelist is pure trash, or their implementation is, since it just doesn't work, never worked and apparently never will, because it has been broken since its inception years ago. Getting constant blocking on legit files is annoying as hell. avast! has the same tech that actually works: whitelisted apps are allowed to modify protected files, others are not. Then there is HTTP scanning and anti-phishing: other antiviruses scan HTTP traffic in all browsers to prevent exploits and block phishing sites. WD only has anti-phishing capability in Edge, with no HTTP scanning anywhere. And there is also a performance issue with WD. It's incredibly slow and taxing for all systems, from the lowest end to the highest end. It's so bad I need to have avast! installed on my ASUS Transformer so I don't have several-second-long pauses when executing pretty much anything. With avast!, the same apps take half a second to execute. It's been this way from before it was even called Windows Defender. And in all these years Microsoft hasn't done anything to make ANY of the above better. You'd expect them to do better given it's Microsoft and not some small 3rd-party developer.

Microsoft Defender makes a very good false-positive detector.

This might be an opinion.


21 minutes ago, leadeater said:

We're a full Microsoft Defender and Microsoft ATP shop now, even on our Linux servers.

It requires an E5 subscription, which if you ask me is too much even for a mid-size organization with 100 workstations. But that also gives you Office 365 as well, if I'm not mistaken.

There is more than meets the eye
I see the soul that is inside


1 minute ago, WolframaticAlpha said:

Microsoft Defender is not so much an AV but much more of a false-positive tool.

Well, the two independent organizations that test AV products disagree with this statement; I think that is just your opinion and not an actual fact.


5 minutes ago, leadeater said:

However, you really have to be doing something really stupid to get in a situation where Defender isn't able to protect you, and that goes for every other AV too. For a general user it's honestly not a problem.

So while Defender is probably good at preventing a box from being rooted, it still doesn't intercept URLs that would otherwise be phishing sites. If by chance there was malware, typically it's the browser cache that would get trashed and isolated to just that browser, with Defender protecting the rest of the system. But that doesn't help when credentials are now leaked to the hacker.


2 minutes ago, captain_to_fire said:

It requires an E5 subscription, which if you ask me is too much even for a mid-size organization with 100 workstations. But that also gives you Office 365 as well, if I'm not mistaken.

Yeah, E5/A5 is the everything package, which is why it's so expensive. At least A5 is cheaper, but we still have to license it for ~35k students and ~5k staff, so it's still damn expensive even with that education pricing.


2 minutes ago, StDragon said:

it still doesn't intercept URL that would otherwise be phishing sites

Yes it does; that's literally all SmartScreen did way back when it was first introduced. Any shortfalls with SmartScreen are down to Microsoft's signature/website list being inferior to everyone else's. Even Chrome has a better hit rate, but that's backed by Google, so not that surprising really.


1 minute ago, leadeater said:

Any shortfalls with SmartScreen are down to Microsoft's signature/website list being inferior to everyone else's.

Right, that's my point. Hence why I'm using a 3rd party paid subscription for AV. I'd rather not, but....


I don't know if MS already has an API to Defender for other vendors, but I wouldn't mind using Windows Defender with URL defs managed via subscription to a 3rd party if that's what it would take. Would be the best of both worlds IMHO.


7 minutes ago, StDragon said:

Right, that's my point. Hence why I'm using a 3rd party paid subscription for AV. I'd rather not, but....

Would be nice if everyone worked together and there was a global database that everyone submitted to and could be queried. But that would ruin the incentive to go with a paid product, so maybe charge for access. So, like, free product tiers only update from that list every 24 hours and paid ones every 1-4 hours or something. All these closed vaults of information really don't actually help global security.


2 minutes ago, StDragon said:

I don't know if MS already has an API to Defender for other vendors, but I wouldn't mind using Windows Defender with URL defs managed via subscription to a 3rd party if that's what it would take. Would be the best of both worlds IMHO.

lol thinking the exact same thing.


2 minutes ago, leadeater said:

Would be nice if everyone worked together and there was a global database that everyone submitted to and could be queried. But that would ruin the incentive to go with a paid product, so maybe charge for access. So, like, free product tiers only update from that list every 24 hours and paid ones every 1-4 hours or something. All these closed vaults of information really don't actually help global security.

Isn't that called VirusTotal?


7 minutes ago, WolframaticAlpha said:

Isn't that called VirusTotal?

No, because they aren't the only provider of such a site/service; the issue is each AV vendor maintains their own lists and often doesn't share them, or only does so once it's no longer useful in preventing time-sensitive issues.

When you're competing for customers there isn't much business incentive to share your information with competitors.

Edit:

Well, to be fairer, yes, it could be that, but the shortfall is on vendors sharing information to it in a timely manner, and all of it.
