from Hacker News

Windows Defender is enough, if you harden it

by h0ek on 3/6/22, 7:37 PM with 285 comments

by inglor on 3/6/22, 8:19 PM
Hey, sorry for all the name changes of Microsoft Defender. I work at MSec (Microsoft's security org).
We ended up absorbing and acquiring a few companies to provide a better offering and a lot of re-branding happened. For example Security Center's old portal for active threat protection, automatic remediation, incident investigation etc is all now absorbed into (the better) security.microsoft.com which is (to my understanding, just an engineer) the current and last (for the foreseeable future) rebrand. The team I work at started as one person working on the frontend for MDE (Microsoft Defender for Endpoint) and now has hundreds of people working on the security portal across India, Israel and the US (as well as a few other smaller sites contributing).
Also, as an engineer I have to say the offering is good. The anti-virus and the telemetry is worked on by some really smart people. Client information is sacred, logging into production takes multiple audits and PII is scrubbed (heavily) any time logs are needed. We still have a lot of room to improve but I am confident in Microsoft both delivering a good product and acting in good faith (and there is a clear business incentive in the enterprise security space to do so rather than benevolence).
by technion on 3/6/22, 11:07 PM
I responded to multiple major compromises during the Hafnium Exchange hacks.
https://www.theverge.com/2021/3/8/22319934/microsoft-hafnium...
In quite a few cases, we identified that ultimately a server has been popped using this unknown zero day, but never before seen webshells and Cobalt strike droppers all ended up dropped on servers and then deleted by Windows Defender. We recommended rebuilds regardless but the product clearly provided more security than people give it credit for.
Then we identified a number of places it didn't appear to work. Why? The answer was people following "best practices" of adding AV exclusions for the whole web root folder, and for some reason the whole user profile folder.
That big Kaseya hack? Every Kaseya user was told by Kaseya to add exclusions for every folder used by the product.
One of the understated issues with modern EDR products is people simply following vendor advise and making it useless. I've got a software product that handles payment details that randomly drops EICAR test files in random folders all of the user PC while it's running just so it can shut itself down if it detects Defender in use "for support reasons".
All the top EDR products in the world and all the hardening advice you can find can go down the toilet pretty quickly if you let vendors tell you how to run these products - ignoring them is a highly rated hardening tip.
by sumthinprofound on 3/6/22, 8:12 PM
My firm belief is the that hardware vendors do end users a disservice by preloading 3rd party anti-virus software that expires ans requires payment after a period of time for virus signature updates. Typically this 3rd party software disables Defender, so once the pre-installed AV trial runs out, the user is exposed.
by fuzzy2 on 3/6/22, 8:24 PM
My only grief with Windows Defender is its resource use. My Windows 10 computer booted 26 hours ago. Windows Defender is using 2186 MiB of RAM. I don’t think that’s appropriate, even if I have 32 GiB in total.
With Office 365 ATP, things get even slower, too, which is not so great on my work device.
Detection rate is one thing. Performance is another. Both are important.
by alwaysanon on 3/6/22, 10:37 PM
The performance and battery life impacts of Windows Defender make it just not worth it for me though. I had a few months where I went back to Linux on my ThinkPad (unfortunately with an nvidia gpu - whose Linux drivers I think caused half my troubles) and it was soo much more performant - but it had enough various annoyances where I just went back to Windows 11 and WSL2.
The idea that pushed me over the edge to try it again was that, this time, I'd try disabling Defender (as I was 1/2 convinced the Linux performance boost was not having AV) and keep a fresh/clean install strictly limited to Chrome (now that I had gotten used to just using the web versions of everything like Slack, Spotify, etc.), VS Code, WSL2 and that's it. Basically what I'd been doing with Linux. And so far that's been great - better performance, runs cooler and quieter, longer battery life etc. than I ever used to have with Windows. It is like a whole new machine.
Knowing I don't have Defender I am even more careful about what I download (these days almost nothing - especially on the Windows side rather than the WSL2 Ubuntu dev side) and about ensuring everything is patched. But it is such a game-changer I am not going back...
by joe-collins on 3/6/22, 8:45 PM
> Sometimes it is easier to break a person than their computer security. Then even the most expensive solution will not help.
> Run this bat file!
by 0xbadc0de5 on 3/6/22, 8:04 PM
Defender has been the only worthwhile Windows AV solution for years. All others have been at best, on-par and at worst, net-negative (opening vulnerabilities that would not otherwise exist).
by tehdgvtd on 3/7/22, 2:16 AM
I read it all, and feel dumber than before.
Why the convoluted scripts to get admin? Why execing file with "~3" in the name when you can use the proper one? So much needles silly steps, too little actual explaining of anything that would matter.
Also, following that will just ensure you can never download curl or nmap lol. ...i guess, maybe i got the whole thing wrong. Who knows. I don't.

by jve on 3/7/22, 11:11 AM

Windows Defender also features exploit protection: https://docs.microsoft.com/en-us/microsoft-365/security/defe...

And attack surface reduction rules (which you must configure) - which greatly reduces office worker possibility of catching some nasty stuff:

  Block abuse of exploited vulnerable signed drivers
  Block Adobe Reader from creating child processes
  Block all Office applications from creating child processes
  Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  Block executable content from email client and webmail
  Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  Block execution of potentially obfuscated scripts
  Block JavaScript or VBScript from launching downloaded executable content
  Block Office applications from creating executable content
  Block Office applications from injecting code into other processes
  Block Office communication application from creating child processes
  Block persistence through WMI event subscription * File and folder exclusions not supported.
  Block process creations originating from PSExec and WMI commands
  Block untrusted and unsigned processes that run from USB
  Block Win32 API calls from Office macros
  Use advanced protection against ransomware

by badrabbit on 3/6/22, 11:07 PM
This is an impossible question because of missing unfilled variables such as threat model, use case and the nature of data protected. I agree with the general sentiment.
Let's say you're a journalist at an important news org. Even for your personal devices, the builtin defender isn't enough.
There is a fundamental principle for sophisticated actors, that prevention is not enough. Your security software should do monitoring (off device) and do that very well. You are already compromised, you should be looking into the collected data to see where, when and by whom so you can do something about it. Unfortunately in the last fee years the line has been getting very blurry between sophisticated nation state actors and criminals and common criminals trying to score as much loot as possible (mostly due to being forced to use sophisticated tools and techniques because solutions like Defender have gotten very good).
You maybe an average joe and still be a target for "sophisticated" actors or you may think you are an "average joe" but your pwnage offers a strategic value to someone resourceful,
My advice is to take inventory of the data and resources you have access to and see (with help if needed) what threat model fits your use case. MS does offer a Defender ATP that's basically turning on few more switches and sending them a log of everything happening your machine.
Back tracking a bit: Defender is really good. Cloud based protection is their secret sauce, turn it on and pretend they are to be trusted with collecting random files from your PC.
by ec109685 on 3/6/22, 8:42 PM
Feels like one obvious step would be to make running as a non-admin user easier. Ended up giving up with kids computer given so much required admin password and no way (even through changing program’s options) to actually run a single program with true admin access. Also no way to say, “always allow” some action with some program.
by Angostura on 3/7/22, 12:15 AM
What would be handy in an article like this is an explanation of why the options are turned off by default. Presumably MS didn't decide to e.g leave the Ransomware protection turned off out of spite. So presumably there is a compromise between additional protection and ... something?
by benbristow on 3/6/22, 8:39 PM
One problem with Windows Defender I believe is that if you were a malware author the first AV you'd want to try and bypass is Windows Defender as it's the default which is used on most Windows PCs for your 'MVP'.
Bypassing other AVs would really be a 'nice to have'
by jrm4 on 3/6/22, 10:19 PM
I understand that many of you aren't in a position to bargain or move the needle here, but no claims of safety made by Microsoft should ever be taken seriously, ever. Not until a serious mea culpa on the extreme harm they've caused in this space.
by Comevius on 3/6/22, 8:00 PM
I have to say I never used an antivirus software before except I guess the built-in one in Windows.
I think sandboxes are better for software you don't trust. I imagine antivirus heuristics are only useful against a handful of common threats, if at all.
by asmr on 3/7/22, 3:07 PM
Created a gist as a reference with all of the powershell commands and some additional info from this thread, such as exploit protection. I'm considering a full script.
https://gist.github.com/superswan/1d6ed59e75273f90a481428964...
by jmrm on 3/6/22, 9:20 PM
As a "family SysAdmin" I'm pretty happy about how good Windows Defender and MRT updates works.
Aside from clearly aimed ransomeware, today's pretty difficult to have virus problems in Windows. Most of the time I have to repair any Windows machine is due to a driver install problem (specially sound cards) or a system update problem.
by HeavyStorm on 3/7/22, 7:27 PM
I've never used antivirus (other than defender). AFAICT, I wasn't ever affected by a virus with one exception, the Blaster (or Sasser) worm. This was before Defender existed.
On the other hand, whenever I use a machine with an antivirus, I want to quit my job. Those things are slow. Very slow.
My work machine has a multitude of security software that I can't disable, heck, I can't even touch. Doing a pip install on a common program takes 10, 15 minutes. The same installation on my personal machine takes about one minute. The culprit? The 3 different agents that spins out of control scanning my disk.
by 4oo4 on 3/6/22, 8:20 PM
I think most antivirus is security theater at this point, unless you're using endpoint security like CrowdStrike Falcon, Palo Alto Cortex, Carbon Black, etc. Which, I think only sell to B2B and not consumer.
by thrower123 on 3/6/22, 8:09 PM
I haven't had a virus problem since the days of Windows 2000.
I've had an incredible number of problems caused by antivirus software interfering with legitimate software.
by heavyset_go on 3/6/22, 10:44 PM
It's the first thing I disable in VMs because of what a resource hog it is.
by caymanjim on 3/6/22, 10:01 PM
How are people even getting viruses? I've been using Windows to varying degrees since the 1980s, and I've never once in my life gotten a virus. I never used any antivirus software. I let Windows do whatever it does by default, but it never flags anything. Are people picking up viruses from pirated games or something?
by alexklark on 3/8/22, 12:29 PM
Microsoft Defender and microsoft security is a unfunny long lasting joke that even beat UAC stupidity. All they do is invent new protection names and is trying to syphon all possible data from the PC it is supposedly protecting. The copy speed of 7gbs ssd is close to 10 mbs because you getti “protected”. Do you want to get protected even more? Enable cloud protection, enable online account protection, want to submit file to our protected protection to get protected? No, oh, in this way you are not protected anymore! But you know, last 5 days of your computer idling, it was scanned 10 times and nothing found. Thats important to know. Oh wait I found a generic.generic in your old keygen music file on CD, you not protected anymore! But i will try to delete it for ever. So much defending, such protection. WOW!
by kubb on 3/6/22, 9:35 PM
So the default settings are not secure and I need to go 10 levels deep in gpedit.msc to enable the security features?
What?
by ZYinMD on 3/7/22, 3:24 AM
I use my pc 12+ hours a day, haven't installed any 3rd party antivirus software since 2005, and haven't encountered a single problem, because I know what I'm doing. I think all people who read ycombinator should be able to do the same.
by galaxyLogic on 3/7/22, 1:56 AM
How about a simple scheme where software producers can register their .exe with Microsoft and when I download an exe I could verify that the fingerprint of the exe is registered on the Microsoft whitelist? Or is this kind of thing already happening by the Defender?
I have never seen a message saying "Defender does not recognize this application, are you sure you want to start it?"
Also there's a lot of downloadable Open Source software where users are asked to "verify the keys". Couldn't Windows do this kind of thing automatically, or at least make it easy?
by kimown on 3/7/22, 3:10 AM
Complete useless and waste cpu/mem/electricity/time
by Tempest1981 on 3/6/22, 9:47 PM
I wonder what the performance impact of these changes is. There must be a reason they are disabled by default.
by Joe_Boogz on 3/7/22, 5:07 AM
Can anyone point me to the software that this blog uses? Or if the owner is lurking can you tell me what you use for your site?
Looks really good, i'd like to create something similar for my site.
by 9wzYQbTYsAIc on 3/6/22, 9:00 PM
So true. Windows Defender has a ton of neat advanced features and you don’t have to worry about keeping up with some other vendor of security software, either.
by fomine3 on 3/7/22, 1:19 AM
Unpopular opinion: Defender can't be the best (but yes enough) because it's too popular, so every malware creator checks with it.
by icare_1er on 3/7/22, 12:55 PM
As a whitehat I can say that the AVs that i found the hardest to bypass was ESET32; Windefender, Kasperky, are just behind.
by Terry_Roll on 3/6/22, 11:48 PM
Cant agree with this, the GPU seems to be a weakness, but in light of nVidia's recent hack, I'd suggest nVidia GPU's are the weakness in windows, but I know ATI also have some weaknesses, they are like sim cards working with a mobile phone OS but also independently accessing the mobile phone hardware.
by AniseAbyss on 3/7/22, 7:48 AM
Defender UI is absolutely terrible and keeps deleting things.
It is enough for your average user though I'll give it that.
by trifit on 3/6/22, 7:55 PM
Most people don’t even download an antivirus so this is a good walkthrough.
by 323 on 3/6/22, 8:29 PM
Windows Defender doesn't have heuristics/behaviour based detection.
For example, if you write a simple keylogger using the Windows API in C++/Python/..., compile it and run it, an antivirus like BitDefender will block it by default. It's up to you then to allow it or not.
So it can sometimes detect and block unknown malware, a thing that Windows Defender can't. So for some people it might make sense to have a more "strict" antivirus.