Unlock Microsoft Defender's Full Potential: Tools to Boost Your Security

     While Microsoft Defender has significantly improved over the years, rising from subpar status to earn respect from independent labs, consumers using the standard version face limitations. Customization options are restricted, potentially hindering the product's overall effectiveness.

    The default settings for the built-in Microsoft Defender can be described as passive. They rely on a more reactive approach to threats, putting a heavier emphasis on the user to manually select an action upon detection. This can allow a threat to persist on the system if the user doesn't quickly quarantine or remove it via the Windows Security Center. An example of this is shown below.

Credit: Microsoft Community
As we can see, the threat in this screenshot is still active, meaning it still poses a threat to the user until action is taken. This is a common issue with Microsoft Defender's default settings on Windows 10 and 11.

In addition to this, the default settings leave out crucial configurations that can intercept and block a zero-day threat until it is properly analyzed. By default, block at first seen (or block at first sight) is not enabled for consumers. Block at First Sight is a feature in Microsoft Defender that rapidly blocks new, unknown malware. When Defender encounters a suspicious file, it checks the file against the cloud-based protection system. If the cloud can't immediately determine if the file is safe, Defender locks it down and uploads a copy for further analysis. Through machine learning and other advanced techniques, the cloud system analyzes the file and decides if it's malicious. If so, the file is blocked on your machine and across other systems using Defender, preventing potential harm. Obviously, having this feature enabled can improve security efficacy. 

    This brings us to Defender's cloud-delivered protection configuration. It can be enabled in the basic Windows Security Center, but that on/off toggle is as much configuration as you get there. Cloud protection uses Microsoft's cloud intelligence to quickly analyze suspicious files, comparing them against a massive threat database. If the cloud can't determine whether a file is safe, Defender can lock it down while it uploads the file for deeper analysis. This system enables the antivirus to rapidly recognize and block new malware before it can infect your system. Furthermore, cloud protection is a prerequisite for several other features within Microsoft Defender, including Block at First Sight (immediate blocking of new malware), automatic sample submission, tamper protection, and more.

    Cloud-delivered protection offers granular control through "protection levels" in enterprise products. This setting allows you to fine-tune the aggressiveness of Microsoft Defender in identifying and blocking suspicious files. Here's a breakdown of the available levels:

  • Not configured: The default setting.
  • High: Provides strong detection for potential threats.
  • High plus: Offers even stricter protection than the 'High' level, but might potentially slow down system performance.
  • Zero Tolerance: The most aggressive setting, blocking all unknown files. This can increase false positives (blocking legitimate files).

    Unfortunately, the Windows Security Center interface doesn't provide a user-friendly way to adjust these protection levels, as seen in other antivirus software. This leaves home users at a disadvantage. Even though Microsoft Defender is already running on their system, they lack the ability to easily increase its effectiveness.

    Another component of cloud protection is the cloud block timeout period. The cloud timeout period determines how long Microsoft Defender Antivirus will hold a suspicious file while it gets a verdict from the cloud protection service. Here's what it means:

  • Purpose: When Defender finds a suspicious file, it needs time to check with Microsoft's cloud intelligence to see if the file is known malware.
  • Default Timeout:  The initial timeout is 10 seconds. If the cloud service doesn't identify the file as a threat within this time,  the file is allowed to run by default.
  • Extending the Timeout: Security admins can extend the cloud block timeout (up to a total of 60 seconds). This gives the cloud more time to analyze the file and helps prevent potentially dangerous files from running too quickly.

Obviously, ten seconds is a very short time, especially when it comes to the static analysis of malware. More often than not, the cloud protection engine requires more time to reach a conclusion. If the cloud is still analyzing the file when ten seconds pass, the file is allowed to execute before analysis is complete. This is another obvious disadvantage for consumers using the system defaults. The timeout can be extended to a full minute on the Defender 365 offering, but not in the Windows Security Center.

    This leads us to sample submission. When Microsoft Defender Antivirus encounters a suspicious file it can't immediately identify as safe or malicious, the sample submission feature allows it to automatically send a copy of that file to Microsoft's cloud analysis systems. This can be enabled in the Windows Security Center, but the default setting is "send safe samples automatically". While this might sound good, there's a catch. According to Microsoft, safe samples can include file extensions like .bat, .scr, .dll, and .exe. The "Send safe samples automatically" setting focuses on files deemed unlikely to contain personal information. While this helps with privacy, it means potentially malicious files that don't fit the "safe" profile might slip through without being analyzed by Microsoft. There is no clear way to change the level of sample submission to "send all samples automatically". Choosing the latter option gives Microsoft's security systems a broader view of potential threats, including those disguised to appear harmless, providing a higher level of protection. Therefore, if a user wants a higher level of protection, the default settings can leave them at a disadvantage, especially in the era of fileless, polymorphic malware or macro-based malware.

    Finally, Microsoft Defender has a very valuable component called "Attack Surface Reduction". As the name implies, Attack Surface Reduction (ASR) in Microsoft Defender is like adding extra locks and security cameras to your digital house. It has a set of rules that watch for and block common tricks attackers use to break in, such as running malicious scripts, launching suspicious programs from Office documents, or holding your files hostage for ransom. ASR makes it harder for malware to sneak onto your system, even if it's a brand-new threat. While it's not foolproof, it significantly reduces the number of ways attackers can exploit your device. By default, most, if not all, of these rules are off for consumers. And while the Windows Security Center offers some exploit protection customization, it leaves out many of the best ASR rules available, one of them being "Use advanced protection against ransomware". This one rule alone completely changed the ransomware test results in this YouTube video from The PC Security Channel. In the video, with the default settings, ransomware was able to slip past Defender's protection. However, once this ASR rule was enabled, the result was a 100% protection ratio. To say the least, this leaves consumers running the default settings at a huge disadvantage against the most common malware type present today, even with the standard exploit protection settings in Windows Security Center.
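The settings walked through above (cloud-delivered protection and its protection level, the cloud block timeout, sample submission, Block at First Sight and the ransomware ASR rule) can also be audited and changed with the Defender PowerShell cmdlets that ship with Windows, which is what the tools described below drive under the hood. The script is an added example, not code from this post or from DefenderUI/ConfigureDefender; it assumes an elevated prompt and that Tamper Protection is not blocking local changes, and the ASR rule GUID is the one listed in the ASR rules reference in the Sources.

```powershell
#Requires -RunAsAdministrator
<#
 Added example, not code from the post or from DefenderUI / ConfigureDefender.
 Without -Apply it only reports the current values of the settings discussed
 in the post; with -Apply it raises them using Set-MpPreference / Add-MpPreference.
#>
param([switch]$Apply)

# --- 1. Audit: what is the machine running with right now? ---
$pref = Get-MpPreference
[pscustomobject]@{
    CloudProtection      = $pref.MAPSReporting          # 0 Disabled, 1 Basic, 2 Advanced
    CloudBlockLevel      = $pref.CloudBlockLevel        # 0 Default, 2 High, 4 HighPlus, 6 ZeroTolerance
    CloudExtendedTimeout = $pref.CloudExtendedTimeout   # seconds added to the 10 s default (max 50)
    SampleSubmission     = $pref.SubmitSamplesConsent   # 1 SendSafeSamples (default), 3 SendAllSamples
    BlockAtFirstSightOff = $pref.DisableBlockAtFirstSeen
    AsrRulesConfigured   = @($pref.AttackSurfaceReductionRules_Ids).Count
} | Format-List

if (-not $Apply) { Write-Host 'Audit only. Re-run with -Apply to change settings.'; return }

# --- 2. Harden: the knobs the Windows Security Center does not expose ---
Set-MpPreference -MAPSReporting Advanced          # cloud-delivered protection on
Set-MpPreference -CloudBlockLevel High            # HighPlus / ZeroTolerance are stricter, more false positives
Set-MpPreference -CloudExtendedTimeout 50         # 10 s default + 50 s = the 60 s maximum hold

# Submit all samples rather than only "safe" ones, and keep Block at First Sight on
# (per Microsoft's docs it needs both cloud protection and sample submission).
Set-MpPreference -SubmitSamplesConsent SendAllSamples
Set-MpPreference -DisableBlockAtFirstSeen $false

# ASR rule "Use advanced protection against ransomware" (GUID from the ASR rules reference).
# AuditMode records what the rule would have blocked as event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log; switch the action to
# Enabled once that log shows no legitimate software being caught.
$ransomwareRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
Add-MpPreference -AttackSurfaceReductionRules_Ids $ransomwareRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# --- 3. Verify the change took effect ---
Get-MpPreference | Select-Object MAPSReporting, CloudBlockLevel, CloudExtendedTimeout,
    SubmitSamplesConsent, DisableBlockAtFirstSeen, AttackSurfaceReductionRules_Actions
```

Run it once without `-Apply` to see the defaults the post describes, then with `-Apply`; if Tamper Protection is on, the Set-MpPreference calls will be rejected until it is turned off in Windows Security.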

    Now why did I go on a long exposition about the built-in Microsoft Defender's downfalls? Because there is a way for normal consumers to take full advantage of these features without registry edits. There are multiple freeware tools online authored by reputable developers who are committed to their products.

    DefenderUI, authored by VoodooSoft (who also develops the CyberLock application), is a prime example of a free, easy-to-use program that lets users manage every component of their built-in Microsoft Defender, from attack surface reduction rules to the cloud protection level. It can be found at their website: www.defenderui.com

DefenderUI's ASR Rules interface | Credit: DefenderUI

    DefenderUI is not the only tool that allows users to fine-tune Microsoft Defender. ConfigureDefender is another free tool available online that can be used to change the various settings of Microsoft Defender. While it is not an installable program and its user interface is not particularly polished, it also offers the configuration options mentioned in this post. It can be found on GitHub for free: https://github.com/AndyFul/ConfigureDefender

ConfigureDefender | Credit: MajorGeeks.com

    In conclusion, while Microsoft Defender offers decent protection, its default settings leave users vulnerable to sophisticated threats. To combat this, freeware tools like DefenderUI and ConfigureDefender provide the power you need. They unlock essential features like 'Block at First Sight,' customizable cloud protection, granular sample submission, and robust Attack Surface Reduction (ASR) capabilities. These tools significantly boost your security posture by giving you the control and precision that the standard Windows Security Center lacks. As an average consumer, there is little reason not to take full advantage of one of these tools.

Sources:
  1. Article: Cloud protection and sample submission in Microsoft Defender Antivirus [https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide]
  2. Article: Turn on block at first sight to detect malware in seconds [https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide]
  3. Article: Configure the cloud block timeout period for Microsoft Defender Antivirus [https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus?view=o365-worldwide]
  4. Article: Specify the cloud protection level for Microsoft Defender Antivirus [https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus?view=o365-worldwide]
  5. Article: Attack Surface Reduction rules reference [https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide]
