Windows 10: Defending against ransomware with Windows 10 Anniversary Update

Source: Defending against ransomware with Windows 10 Anniversary Update | Windows For Your Business

:)

 

Blocking cryptolocker behaviors?

I won't try to discuss the specifics for anything other than Windows Defender, since that's what I have info for.

Defending against ransomware with Windows 10 Anniversary Update

Here are some of the many ways we’re fighting back against ransomware:

• Six of the top 10 ransomware threats use browser, or browser-plugin-related exploits, so we made it harder for malware authors to exploit
  
  Windows 10 and
  Microsoft Edge.
• We increased detection and blocking capability in our email services, increasing the number of ransomware-related attachments being blocked.
• We added new technology to Windows Defender to reduce detection time to seconds, increasing our ability to respond before the infection can occur.

The article goes into more detail for these and others like Windows Defender ATP, which is post-breach response specific to businesses. However, the following paragraphs most relate to changes in Windows Defender itself.

"Machine learning. Enhancements to our cloud infrastructure let our antimalware researchers extend machine learning models in a way that we can identify and block malware more quickly. Before the Anniversary Update, the process of collecting
a suspicious program for analysis, classifying it and responding with protection generally took hours. Now it takes minutes."

"New and improved Windows Defender. Windows Defender, which is enabled by default, can respond to new threats faster using improved cloud protection and automatic sample submission features to

block malware “at first sight”. We’ve also improved Windows Defender’s behavioral heuristics to help determine if a file is performing ransomware-related activities, and then detect and take action more quickly."

Rob

 

virus RSA-2048 and AES-128

From your limited description it's not possible to say why. It depends on how recent this variant of ransomware is and/or if it's something that has been added to the virus (malware) definition database or has behavior that would be recognized as malicious.

Regardless of what protection Windows Defender may provide, you, as the end user may have inadvertently allowed the malware to install; it can happen to even the advanced user.

A recent quick test of Windows Defender (Win 10 Anniversary edition) indicates that it does a fair job of protecting against ransomware.

Does Windows Defender Offer Enough Protection in Windows 10



~

 

I get on average one "Hello I am from Windows" call a month. I usually just ask them what its like not to have a conscience? Or, Does it bother you being one of the lowest forms of life on the planet? *Wink

 

Next time they call reply....this call has been intercepted, please state your business.
That should give them food for thought.

 

My mentioning I am a Microsoft MVP usually results in a click, followed by dial tone. *Wink

Other fun stuff is to say this "call is being recorded" or "I don't own a computer", that throws them for a lop too. Sometimes I just like to string them along as long as possible just to piss them off and waist their time.

 

I have not seen ransomware, which would be able to run with useless WSH disabled. *Sleepy All it takes is this:

reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f

Articles say, that malware run by itself, no it does not, scripting does. It is hard to find an in-depth info, but when you do, it is obvious, like with Locky. If you get rid of PS, you are 99% safe. Win updates nor Store do not need WSH or PS.

 

I got 4 such calls yesterday and the caller couldn't get it in his head that my computer was out of service because the hard drive had crashed, finally quit calling in the afternoon but got another call in the evening with a female on the phone. It was somewhat funny as the hard drive failure is the first I've had in that computer since building it 6 years ago and running Win7 followed by Win10.

 

I've had to recover 2 PC's for friends that fell for those calls and had their PC's locked out on them. It wasn't really a recovery though. I just wiped them clean and did clean installs to be sure there was nothing left behind. I slaved the hard drive in my spare PC that was isolated from the Internet to recover their personal files like pictures etc. Then also wiped it clean and reinstalled Windows on it. The drives weren't encrypted, they were just blocked from logging in to their PC.

 

Windows Defender Advanced Threat Protection (ATP) only appears to be of any help in company networks. Its purpose seems to be to alert the IT admins that one of the PCs on the network has succumbed (or is being attacked) by malware. Not much help for Home users there.

Block at First Sight would appear to be of more use, but there's no actual setting to turn it on (or off). As the link above explains, you turn it on by satisfying certain prerequisites - a sort of one-step-removed 'settings'.

Still, at least it seems that this is one thing that can be turned on for Home and Pro systems alike.

 

So I am a bit confused...

Can we assume that ATP is built in to Windows Defender if one is on Win 10 Pro Anniversary version?

 

Nope, it's for Enterprise customers:

Windows Defender Advanced Threat Protection - Windows Defender

 

Thank you for the response!

 

You're welcome*Smilejust browse around following the links at TechNet for more in-depth information, that's where I go when any new Windows technology is blogged or reported.

 

Topics like these should be tagged in the title Enterprise so not to confuse regular users.