Showing results for tags 'windows defender'.

Found 11 results

  1. Microsoft published a new Defender update when it released its October 2024 Patch Tuesday (it did not release any in November). This update package is necessary as a Windows installation image may contain old, outdated anti-malware definitions and software binaries. Aside from better security, these updates can also provide improved performance benefits in some cases. Microsoft delivered the latest security definitions for Windows images via security intelligence update version 1.419.396.0. The Defender package version is also the same. Microsoft also published a link to its detailed guidance about the recent NPD data breach which leaked SSNs, house addresses, and more, of over 150 million people. In the support document describing the new update, Microsoft explains: From Microsoft's security bulletin, we learn that the security intelligence update version 1.419.396.0 was released last month. It adds threat detections for various backdoor exploits, trojans, among others. For those wondering, the latest intelligence update is version 1.421.573.0 at the time of writing.
  2. It looks like a bug nearly half a decade old has finally been fixed by Microsoft and Mozilla. The issue was related to Windows Defender and its Antimalware Service Executable (MsMpEng.exe) service which would lead to high CPU usage on Mozilla Firefox. The resource usage was noticeably higher compared to Google Chrome and Microsoft Edge. For example, the image below (taken at the time of initial reporting of the bug) shows average CPU usage when reloading YouTube six times. As you can see, the spikes were clearly higher on Firefox. The bug was recently resolved by the efforts of Microsoft and the Mozilla development team. Yannis Juglaret, a Firefox developer, confirmed this around three weeks ago: According to Microsoft, this will be deployed to all users as part of regular definition updates, which are packaged independently from OS updates. This includes even Windows 7 and 8.1 users, even though these platforms should not have had the performance issue with Firefox in the first place because the ETW events that cause it do not exist on these older versions of Windows. Later on, Yannis Juglaret added that the recent Microsoft Defender March-2023 definition update (Platform: 4.18.2302.x | Engine: 1.1.20200.4) fixed the issue: mpengine.dll version 1.1.20200.4 was released on April 4, so the fix should be available for everybody now. Here are details for the Defender update:
     • March-2023 (Platform: 4.18.2302.x | Engine: 1.1.20200.4)
     • Security intelligence update version: 1.381.61.0
     • Release date: April 4, 2023 (Engine) / April 11, 2023 (Platform)
     • Platform: 4.18.2302.x
     • Engine: 1.1.20200.4
     Interestingly, it has also been found that there is further scope of improvements to the processor usage in Firefox when compared to Chrome. Perhaps we will see such performance improvements in upcoming browser updates and it won't just be exclusive to Microsoft Defender alone. Microsoft finally fixes 5 year old Windows Defender high CPU bug on Mozilla Firefox
  3. Vulnerable Driver Blocklist is a new security feature of Windows Defender on Windows 10, Windows 11 and Windows Server 2016 or newer devices that protects against malicious or exploitable drivers. Announced by Microsoft's Vice President of Enterprise and OS Security, David Weston, on Twitter, the Microsoft Vulnerable Driver Blocklist is a new security feature that is enabled by default on Windows 10 in S mode devices and on devices that have the Core Isolation feature Memory Integrity, which Microsoft may also refer to as Hypervisor-protected code integrity (HVCI), enabled. Memory integrity, or HVCI, makes use of Microsoft's Hyper-V technology to protect Windows kernel-mode processes against malicious code injections. The feature was not enabled on existing devices when it first shipped, but it appears to be enabled by default on devices with new installations of Windows. Some users reported issues with certain devices with HVCI enabled, and that disabling it resolved the issues that they experienced. The core idea behind the new protective feature is to maintain a list of drivers that will be blocked by Windows Defender because the drivers have at least one of the following attributes:
     • Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
     • Malicious behaviors (malware) or certificates used to sign malware
     • Behaviors that are not malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
     Microsoft cooperates with hardware vendors and OEMs to maintain the blocklist. Suspected drivers may be submitted to Microsoft for analysis and manufacturers may request that changes are made to drivers that are on the vulnerable blocklist, e.g., after patching an issue. Devices that run Windows 10 in S mode and devices with HVCI enabled protect against these security threats once the feature is rolled out to devices.
     Windows users and administrators may enable the Memory Integrity prerequisite in the following way on non-Windows 10 S-mode devices:
     • Select Start and then Settings, or use the keyboard shortcut Windows-I to open the Settings application.
     • On Windows 10, go to Update & Security > Windows Security. Select Open Windows Security.
     • On Windows 11, go to Privacy & Security > Windows Security > Select Open Windows Security.
     • Select Device Security from the sidebar on the left side.
     • Activate the "core isolation details" link.
     • Toggle the Memory Integrity setting to On to enable the feature.
     • Restart the device.
     Windows administrators will see the new Microsoft Vulnerable Driver Blocklist on the Core isolation page of Windows Security once the feature becomes available. The feature can be toggled on or off, and also managed through other means. David Weston notes that turning it on will enable a more aggressive blocklist. Microsoft states that it recommends enabling HVCI or using S mode, but that administrators may also block the drivers on the list using an existing Windows Defender Application Control policy. The documentation lists an XML file that contains the blocked drivers ready for use. Now You: is memory integrity enabled on your devices, if you use Windows Defender? Windows Defender: Vulnerable Driver Blocklist protects against malicious or exploitable drivers
  4. WinDefLogView is a new portable application by Nirsoft. The program displays information about recent threats that the default Windows security solution detected. While it is possible to check detected threats elsewhere, doing so requires quite a few clicks in the Windows Security app. The way results are displayed is also not ideal for getting a quick overview of recent threats. WinDefLogView is a typical Nirsoft application. It is small in size and portable. Just download the archive from the Nirsoft website, extract it on the system, and run the executable file to launch the app. The program is compatible with Microsoft's Windows 10 and 11 operating systems only, but it may be run on older versions of Windows, e.g., Windows 7, to display information from remote systems running Windows 10 or 11. The interface displays all detected threats in a table. Each line lists the filename, detection name, threat name, severity, category, action, origin, process name and more. A click on a column header sorts the listing accordingly, e.g., by date or severity. The shortcut Ctrl-F or the selection of Edit > Find displays a search option to filter based on input; this is useful if lots of threats are displayed. The selection of File > Choose data source enables you to retrieve the data from remote computer systems or external folders. The right-click menu displays several options. The most interesting opens the threat URL on Microsoft's website, which offers additional information on the detected threat. WinDefLogView is a threat viewer, which means that it does not offer any options to react to the threats it displays. Some or all lines can be exported to the local system in several formats, including CSV, JSON and XML. Items can also be copied directly using CTRL-C. The copied items can then be pasted into spreadsheet applications such as Excel.
Description on Nirsoft's website: WinDefLogView is a tool for Windows 10 and Windows 11 that reads the event log of Windows Defender (Microsoft-Windows-Windows Defender/Operational) and displays a log of threats detected by Windows Defender on your system. For every log line, the following information is displayed: Filename, Detect Time, Threat Name, Severity, Category, Detection User, Action, Origin, and more... You can view the detected threats log on your local computer, on remote computers on your network, and on external disk plugged to your computer. Closing Words WinDefLogView is a useful application, as it provides a quick view of all detected Windows Defender threats. While it does not support threat actions, it may point users in the right direction immediately without having to use the cumbersome Windows Security application. Now You: do you use Windows Defender? Display all threats that Windows Defender detected with WinDefLogView
  5. Last month, Microsoft released its anticipated Windows 11 2022 feature update to the general availability channel. The new release brought with it, among many things, new security features. You can find a list of the changes and improvements made in this dedicated article. Among the changes, Microsoft also updated its vulnerable driver blocklist and its functionality, which will now be enabled by default on Windows 11 22H2 under the following conditions: Now that Windows 11 22H2 is out of the way, the Redmond giant has turned its focus on the Windows 10 22H2 update, which is anticipated to be heading out soon. This has been confirmed via leaked ISO links that were spotted recently. Microsoft has previously suggested that a "scoped" set of features will be coming and it looks like Defender will be one of the aspects of Windows 10 22H2 to receive some of them. According to its driver vulnerability block rules documentation that the company updated today, Microsoft is apparently planning to release an updated driver blocklist on Windows 10 22H2. The document says: The blocklist is updated with each new major release of Windows. We plan to update the current blocklist for non-Windows 11 customers in an upcoming servicing release and will occasionally publish future updates through regular Windows servicing. This means the upcoming 2022 feature update on Windows 10 could be getting the same treatment as Windows 11 did. Also, the October Patch Tuesday is less than a week away and we could also be seeing the updated driver block-list roll out with it, instead of with the 22H2 release. Either way, the two incidents are unlikely to be far off from one another. Just like Windows 11, Windows 10 22H2 could be getting a boost to Defender right at launch
  6. Anti-malware assessment company AV-Comparatives has released its latest September 2022 report today. The report has found that Microsoft's in-house Defender antivirus has one of the poorest offline detection rates at just 69.8%. Meanwhile, G DATA has topped the chart with 96.0%. This means Microsoft Defender relies heavily on cloud-based protection. Although this is really poor compared to the other contenders, the result is significantly better than what Defender managed to do in the previous March test. On the contrary, the online detection and protection rates for the Microsoft product are among the best. In case you are wondering what the difference between protection and detection is, here's how AV-Comparatives defines the two: The File Detection Test we performed in previous years was a detection-only test. That is to say, it only tested the ability of security programs to detect a malicious program file before execution. This Malware Protection Test checks not only the detection rates, but also the protection capabilities, i.e. the ability to prevent a malicious program from actually making any changes to the system. You can find the full comparison of the various anti-malware solutions for offline and online detection rates, as well as the protection rates in the image below: As you may have noticed above, Defender not only has one of the worst offline detections, it also suffers from a lot of false positive alarms. This is something Defender has been struggling with for a while, as we have had several instances of it recently. This is despite Microsoft openly expressing it wanted to improve in this aspect. Thankfully for Microsoft, it also got compromised in just 1 out of 10,019 malware sample cases. Meanwhile, Trend Micro did worst of all, as it has 259 compromises. 
The products have been classified in clusters (either 1, 2, 3, or 4) depending on their protection rates: Here is the full test results showing the breakdown of each of the percentage categories - compromised, user-dependent, blocked, and false positives: Lastly, we have the final rankings of all the products. The rankings are based on how the anti-malware solutions have done with respect to their statistical clusters assigned (image above) and the total false positives detected. Defender managed to score the ADVANCED+ award last time, but this time has to settle for ADVANCED. AV-Comparatives has, however, acknowledged that the very high number of false positives has affected this. Source: AV-Comparatives AV-Comparatives finds Windows Defender suffering from poor offline detection, false alarms
  7. Microsoft released September 2024 Patch Tuesday updates on the 9th under KB5043064, KB5043050, KB5043051, KB5043083 for Windows 10; KB5043076, KB5043067 for Windows 11 22H2 and 21H2; and KB5043080 for Windows 11 24H2. They mainly address security issues but also add new features and bug fixes among others. Alongside these, it also released the OOBE update (KB5043939), but for version 24H2 only. The company also published a Setup update (KB5043353), and a WinRE update (KB5043355) as well, also for version 24H2. Microsoft also published a new Defender update during that. This update package is necessary as a Windows installation image may contain old, outdated anti-malware definitions and software binaries. Aside from better security, these updates can also provide improved performance benefits in some cases. Microsoft is delivering the latest security definitions for Windows images via security intelligence update version 1.417.472.0. The Defender package version is 1.413.494.0. Microsoft has also published a link to its detailed guidance about the recent NPD data breach which has leaked SSNs, house addresses, and more, of over 150 million people. In the support document describing the new update, Microsoft explains: From Microsoft's security bulletin, we learn that the security intelligence update version 1.417.472.0 was released last month. It adds threat detections for various trojans, ransomware, adware, and backdoor exploits, among others. For those wondering, the latest intelligence update is version 1.419.109.0 at the time of writing.
  8. In its rankings for 2021, anti-virus assessment firm AV-Comparatives wasn't super-impressed by Windows Defender, at least when compared to some of its rival products. However, AV-TEST had a somewhat different opinion as its report showed Microsoft Defender doing exceptionally well in the second half of the year reports, scoring full marks in both the October 2021 test and the December 2021 assessment. But, despite the great showing, Microsoft and fans of the Defender antivirus solution may be somewhat disappointed as the consumer version of the product failed to win any of the awards that AV-TEST conferred to the products it felt were the best anti-virus solutions of 2021. For Windows, three awards were given for three different categories: Best Protection Best Performance Best Usability As stated above, Defender failed to secure any of the categories for its consumer product. In case you are wondering who the winners are, they are listed below under the categories they won in. Best Protection Bitdefender Kaspersky Norton 360 Best Performance ESET G DATA Kaspersky Norton 360 PC Matic Protected.net Total AV Best Usability Avira ESET Not all is bad for Microsoft though as Defender managed to snag a win in the Best Protection for Corporate users category. You can view the full report here. Windows Defender for home users fails to win any of AV-TEST's best anti-virus 2021 awards
  9. A few days ago, we came to learn about a new Windows Defender Preview app that Microsoft has been working on. It was speculated that the new application might be a new Defender version built specifically for Windows 11. However, that appears not to be the case. Twitter leakster WalkingCat shared the Microsoft Store link for Windows Defender Preview two days ago on his handle. From the store, we come to know that the new app will run on Windows 10 too, as long as the build is 19041.0 or newer. As such, I fired it up on my Windows 10 PC but when trying to proceed from the initial Get Started screen (image at top), we are greeted with a message that reads "Your account isn't authorized to use Microsoft Defender yet". This blocks us from proceeding further. A Twitter user Ahmed Walid however was able to use a hack to bypass this block and has posted some screenshots of the user interface of the new Microsoft Defender Preview. The application is still a work in progress with more features like "Identity" and "Connections" labeled as Coming soon. Below is what the home screen of the new Defender app appears like: Overall, the new Microsoft Defender Preview seems unfinished still with some work remaining to be done on it. After that, the application could begin rolling out to Insiders first before being generally available. More images of the new Microsoft Defender Preview app leak out
  10. Microsoft appears to be readying a new Windows Defender Preview app for Windows 11, according to a tweet by Alumia. The app has the code-name GibraltarApp and appears to be rebuilt using WPF and XAML. It will replace the current inbox app in Windows 11. It is claimed to offer “simple, seamless and personalized protection” to users and is expected to roll out to Windows Insiders in the near future. via Deskmodder Microsoft appears to be working on a new Windows Defender app for Windows 11
  11. Although Microsoft Defender is generally a good anti-malware solution, the program can often go haywire on harmless stuff leading to its very poor false positive scores in third-party assessment programs. Earlier today, a similar thing happened when IT and system admins began reporting that after updating Defender definitions, they could no longer access shortcuts for apps in the Taskbar and Start menu. The issue was seemingly caused by the security intelligence update version 1.381.2140.0, as Defender would delete all shortcut (.lnk) files located inside ProgramData\Microsoft\Windows\Start Menu\Programs. Users say the issue is happening on Windows 10 though it is possible that Windows 11 might have been affected too. System admins were working around the issue by setting Attack Surface Reduction (ASR) rule "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b" to Audit only (via Reddit). A few hours ago the official Microsoft 365 Status Twitter handle confirmed the problem and stated that it was looking into the issue: An hour later, Microsoft updated its status saying that it had identified the problem and had reverted the rule back: However, IT admins are still visibly a bit furious as they would now need to restore the deleted shortcuts. Thanks for the tip majortom1981! Microsoft reminds all it's Friday the 13th as Defender deletes shortcuts on Windows 10