Windows Defender is integrated with Windows 10, so it’s no wonder it’s up there as one of the most popular anti-virus solutions. Once you log in to your new Windows 10 machine, it’s pretty much ready to go. The plus side is that Defender is a pretty solid AV, and if you look at Gartner, they even rate it as the best.
So as not to play favourites, I will say this is slightly deceptive, though, as for this level of quality you really need the full package of ATP. Defender is good on its own, don’t get me wrong, but to compete at enterprise level, and have the customisation of some of the other leaders, you need the Advanced Threat Protection package. By no means is your child going to have ATP on a laptop they use for Netflix.
As with every security product, it’s only as good as it’s configured to be. Security doesn’t come out of the box, and if it does, it normally has “holes”. What I’m about to cover isn’t so much a “hole”; it’s more the sledgehammer creating it.
To show you what I mean, I’m going to be using EICAR: https://www.eicar.org/
EICAR is a simple line of text that helps test whether your security solution is doing its job.
As you can see below, Defender notices that the “malicious” code has been written to a file. Good job!
Because Defender is integrated into Windows, it has its own PowerShell module and cmdlets. This allows you to automate tasks, which can be really handy; for both sides.
Below, I’ve used the “Add-MpPreference” cmdlet to exclude the path before I create the EICAR file. Notice that there is no warning and I’ve managed to create the file.
This is because Defender can no longer see that location and cannot prevent the threat. This single line of code could potentially allow malware to be run on your machine without you noticing. It won’t be this obvious though, and will normally be masked in a fake or malicious executable/installer. The reason is that these are often run as admin, and changing Defender’s exclusions requires that privilege.
Below is an example taken from a real threat:
Notice that the path is “C:\Users” which excludes all files saved under all user profiles.
This path is excluded before the payload does its thing. If run successfully, it could be game over. Click the link below the picture to see how the example works; it’s pretty interesting.
Hopefully this makes you aware of potential threats and why it’s worth checking.
Especially after you clicked or downloaded that file you’re not too sure of.
To check, open Security Center and click Manage Settings:
Scroll down to Exclusions and click Add or remove exclusions
Here you will see your Exclusions. If you have any you wish to remove, click the down arrow and click remove:
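If you’d rather check from PowerShell than click through Security Center, here is an added audit script (my own example, not something from the original post or from Microsoft). It lists the current exclusions with Get-MpPreference, flags the ones that cover a whole drive or profile tree, and then pulls the recent Event ID 5007 entries from the Defender operational log, which record configuration changes such as a new exclusion being added. The $broadPaths list is an assumption for this example; adjust it for your environment.

```powershell
# Added example, not from the original post: audit Defender exclusions and
# surface the ones that are dangerously wide, such as the C:\Users exclusion
# shown in the post. Run from an elevated PowerShell prompt on Windows 10.

# Assumed list of locations that should almost never be excluded wholesale.
$broadPaths = @('C:\', 'C:\Users', 'C:\Windows', 'C:\ProgramData',
                'C:\Program Files', $env:TEMP)

# Normalise trailing backslashes and case so 'c:\users\' matches 'C:\Users'.
function Normalize-Path([string]$Path) {
    return $Path.TrimEnd('\').ToLowerInvariant()
}
$broadSet = $broadPaths | ForEach-Object { Normalize-Path $_ }

$prefs = Get-MpPreference

Write-Host "== Path exclusions =="
foreach ($p in $prefs.ExclusionPath) {
    $flag = if ($broadSet -contains (Normalize-Path $p)) { '   <-- overly broad' } else { '' }
    Write-Host "  $p$flag"
}

Write-Host "== Extension exclusions =="
$prefs.ExclusionExtension | ForEach-Object { Write-Host "  $_" }

Write-Host "== Process exclusions =="
$prefs.ExclusionProcess | ForEach-Object { Write-Host "  $_" }

# Event ID 5007 is logged whenever the antimalware platform configuration
# changes; an exclusion added via Add-MpPreference shows up here. Review the
# most recent ones and look for changes you did not make yourself.
Write-Host "== Recent configuration changes (Event ID 5007) =="
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List

# To remove an exclusion you did not add, use Remove-MpPreference, e.g.:
#   Remove-MpPreference -ExclusionPath 'C:\Users'
```

Get-MpPreference is read-only, so the audit itself changes nothing; the Remove-MpPreference line is left as a comment so you decide what to remove.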