{"id":4632,"date":"2016-11-21T21:41:04","date_gmt":"2016-11-21T16:11:04","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=4632"},"modified":"2019-05-12T02:53:04","modified_gmt":"2019-05-12T02:53:04","slug":"defender-block-at-first-sight-cloud-protection","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/defender-block-at-first-sight-cloud-protection\/","title":{"rendered":"How Windows Defender &#8220;Block at First Sight&#8221; Cloud Protection Feature works?"},"content":{"rendered":"<p>Windows Defender, Microsoft&#8217;s anti-malware platform, protects home computers, servers and online services such as Office 365. Backed by a large pool of threat intelligence and telemetry data, Defender&#8217;s cloud backend is a formidable malware protection service.<!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/defender-1.png\" alt=\"defender block at first sight\" width=\"700\" height=\"396\" class=\"alignnone size-full wp-image-4638\" \/><\/p>\n<p>When new malware appears in the wild, it can take hours for the Microsoft anti-malware team (or any other anti-virus vendor, for that matter) to analyze, reverse engineer and detonate the file before a signature update can be released, and that signature update then has to pass QC before it ships.<\/p>\n<p>Signature-based protection remains the foundation of malware defense, but it is not sufficient on its own, because no signature can exist yet for brand new or unknown malware. According to Microsoft&#8217;s figures, when new malware appears, 30% of the infections it causes happen within the first four hours. 
The signature updates usually arrive hours later.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/defender-3.png\" alt=\"defender block at first sight\" width=\"699\" height=\"464\" class=\"alignnone size-full wp-image-4636\" \/><\/p>\n<p>Windows Defender&#8217;s cloud-based protection, on the other hand, uses heuristics and a machine-learning model, and performs detailed analysis at the backend to determine whether a file is malware.<\/p>\n<p>Windows Defender&#8217;s cloud-based protection, which includes the &#8220;block at first sight&#8221; feature, is enabled by default. If you have turned off the cloud protection option in Windows Defender over &#8220;privacy&#8221; concerns, watch the demo by the Windows Defender Engineering team, which shows how effective cloud protection can be.<\/p>\n<div class=\"qt\">\n<h3><a href=\"https:\/\/channel9.msdn.com\/Events\/Ignite\/2016\/THR2195R\" target=\"_blank\" rel=\"noopener noreferrer\">Channel 9 Video: Explore Windows Defender Instant Protection | Microsoft Ignite 2016<\/a><\/h3>\n<\/div>\n<h2>Make sure &#8220;Block at First Sight&#8221; Cloud Protection is enabled<\/h2>\n<p>Click Start, Settings. 
(Or press WinKey + i.)<\/p>\n<p>In the Settings page, click Update &amp; Security and then Windows Defender.<\/p>\n<p>Make sure that both the <strong>Cloud-based Protection<\/strong> and <strong>Automatic sample submission<\/strong> settings are enabled. Block at first sight needs both: without sample submission the cloud only ever sees metadata, never the file itself.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/defender-5.png\" alt=\"defender cloud protection\" width=\"781\" height=\"622\" class=\"alignnone size-full wp-image-4634\" \/><\/p>\n<p>With the cloud protection and sample submission options enabled in Windows Defender Settings, when the system encounters a suspicious file that is not caught by signature-based detection, Defender sends the file&#8217;s metadata to the cloud backend. Note that the cloud doesn&#8217;t always request the entire file.<\/p>\n<p>The machines at the cloud backend analyze the metadata, applying various detection logic, URL reputation, and telemetry data to determine whether the file is malware.<\/p>\n<p>For example, if the filename matches the name of a core Windows module, the cloud backend checks the module&#8217;s digital signature. If it is unsigned or not signed by Microsoft, and its machine-learning &#8220;classification&#8221; is malware (in the demo, with a &#8220;confidence&#8221; level of 85%), the cloud determines that the file is malware.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/defender-4.png\" alt=\"defender cloud protection\" width=\"691\" height=\"377\" class=\"alignnone size-full wp-image-4635\" \/><\/p>\n<p>The &#8220;classification&#8221; and &#8220;confidence&#8221; assessments, which constitute the most important part of the backend analysis, are obtained from the machine-learning model.<\/p>\n<p>If the cloud backend reaches no verdict from the metadata, it requests the entire file for detailed analysis. 
Until the file has been uploaded and the cloud has confirmed receipt, Windows Defender locks the file and does not allow it to run on the client. That is a key change the Windows Defender team made in the Windows 10 Anniversary Update (v1607).<\/p>\n<p>Previously, the upload happened asynchronously: the suspicious file was allowed to run while the upload was still in progress, so by the time the upload completed the malware could already have finished running and deleted itself.<\/p>\n<p>Coming to the Windows Defender Engineering team&#8217;s demo, two scenarios were discussed. In Scenario 1, the cloud backend classifies a file as malware based on the metadata alone. Device #1, with cloud protection turned off, gets infected when the file runs; device #2, with cloud protection on, is protected instantly.<\/p>\n<p>In Scenario 2, the first user runs an unknown malware sample. The cloud reached no verdict from the metadata, so the entire file was submitted automatically.<\/p>\n<p>The submission time was 19:48:59; the backend completed its automated analysis at 19:49:01 (about 2 seconds after the upload reached the cloud backend) and determined that the file was malware.<\/p>\n<p>From that moment on, Windows Defender blocks every further encounter with that file, protecting the millions of other devices that have Windows Defender cloud-based protection enabled.<\/p>\n<p>Microsoft also has a test site named <a href=\"http:\/\/aka.ms\/wdtestground\" target=\"_blank\" rel=\"noopener noreferrer\">Windows Defender Testground<\/a> where you can check the effectiveness of Defender&#8217;s cloud protection by uploading samples.<\/p>\n<p>Although the second demo didn&#8217;t fully succeed due to connectivity issues with the cloud, overall it is a useful presentation that explains the importance of Windows Defender&#8217;s &#8220;block at first sight&#8221; cloud-based protection feature. 
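<\/p>\n<p>The settings described above can also be verified and set from an elevated PowerShell prompt, which is also the quickest way to find out why the toggles are greyed out on a machine that reports &#8220;Some settings are managed by your organization&#8221;. The following script is an added example; it is not part of the original post and not Microsoft&#8217;s own tooling. It relies on the built-in Defender module cmdlets Get-MpPreference, Set-MpPreference and Get-MpComputerStatus; the numeric encodings it checks (MAPSReporting 2 = Advanced, SubmitSamplesConsent 1 = send safe samples, 3 = send all samples, 2 = never send) and the policy registry key it inspects are taken from the Defender Group Policy template rather than from this page, and the names of the status labels are the script&#8217;s own.<\/p>\n
```powershell
# Added example (not from the original post): verify, and if needed turn on, the
# settings that "Block at First Sight" depends on. Run from an elevated PowerShell.
# Cmdlets and parameters are from the built-in Defender module; the value
# encodings below are assumed from the Defender Group Policy template.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Required state: MAPS (cloud protection) at Advanced, samples sent automatically,
# block-at-first-sight not disabled, and real-time protection on.
$checks = [ordered]@{
    'MAPSReporting = Advanced (2)'                        = ($pref.MAPSReporting -eq 2)
    'SubmitSamplesConsent = SendSafeSamples or SendAll'   = ($pref.SubmitSamplesConsent -in @(1, 3))
    'DisableBlockAtFirstSeen = False'                     = (-not $pref.DisableBlockAtFirstSeen)
    'Real-time protection enabled'                        = [bool]$status.RealTimeProtectionEnabled
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key)
}

# Remediate anything that failed. These are per-device preferences; a Group Policy
# value (checked below) overrides them, so a FAIL that persists points at policy.
if ($pref.MAPSReporting -ne 2)                  { Set-MpPreference -MAPSReporting Advanced }
if ($pref.SubmitSamplesConsent -notin @(1, 3))  { Set-MpPreference -SubmitSamplesConsent SendSafeSamples }
if ($pref.DisableBlockAtFirstSeen)              { Set-MpPreference -DisableBlockAtFirstSeen $false }

# Policy override check: values under this key win over both the Settings app and
# Set-MpPreference. SpynetReporting = 0 or SubmitSamplesConsent = 2 (never send)
# here switches cloud protection off without any warning in the UI beyond the
# greyed-out toggles; malware that wants to stay unreported sets exactly these.
$policy = 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet'
if (Test-Path $policy) {
    Write-Output 'Policy values present (these override the settings above):'
    Get-ItemProperty -Path $policy |
        Select-Object SpynetReporting, SubmitSamplesConsent, DisableBlockAtFirstSeen |
        Format-List
} else {
    Write-Output 'No Spynet policy key: the per-device preferences are in effect.'
}
```
\n<p>Run it as administrator; Set-MpPreference is refused otherwise. If the policy key exists and pins SpynetReporting to 0, the Settings toggle stays greyed out and the Set-MpPreference calls have no effect until that value is removed, whether it came from Group Policy or was dropped there by malware. On later Windows 10 builds the hold on a file while the cloud decides is 10 seconds by default, and Set-MpPreference -CloudExtendedTimeout can lengthen it by up to 50 seconds; that parameter postdates the v1607 behavior the post describes.<\/p>\n<p>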
If you had turned off the feature, I guess you&#8217;ll now have a second thought.<\/p>\n<h4>References &amp; Credits<\/h4>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-block-at-first-sight?f=255&amp;MSPPError=-2147217396\" target=\"_blank\" rel=\"noopener noreferrer\">Enable the Block at First Sight feature to detect malware within seconds<\/a><br \/><a href=\"https:\/\/channel9.msdn.com\/Events\/Ignite\/2016\/THR2195R\" target=\"_blank\" rel=\"noopener noreferrer\">Explore Windows Defender Instant Protection | Microsoft Ignite 2016 | Channel 9<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Windows Defender or the Microsoft anti-malware platform protects home computers, servers and online services such as Office 365. With the wealth of threat intelligence and telemetry data, Defender&#8217;s cloud backend is an astounding malware protection service.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[8],"tags":[661],"class_list":["post-4632","post","type-post","status-publish","format-standard","hentry","category-windows-10","tag-windows-defender"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":5125,"url":"https:\/\/www.winhelponline.com\/blog\/windows-defender-disabled-real-time-protection-virus\/","url_meta":{"origin":4632,"position":0},"title":"Microsoft Defender: &#8220;Managed by your administrator&#8221; or &#8220;Your IT administrator has limited access&#8221;","author":"Ramesh","date":"January 23, 2017","format":false,"excerpt":"In 
the aftermath of a malware attack, the Windows Defender Security settings page may show the message Some settings are managed by your organization\u00a0or This setting is managed by your administrator. The real-time protection and cloud-based protection options may remain disabled or grayed out. Here is what the Windows Defender\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"Microsoft Defender Antivirus group policy settings","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2017\/01\/windows-defender-gpedit-ui.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":3689,"url":"https:\/\/www.winhelponline.com\/blog\/start-windows-defender-offline-scan\/","url_meta":{"origin":4632,"position":1},"title":"How to Start Microsoft Defender Offline Scan in Windows 10\/11","author":"Ramesh","date":"August 4, 2016","format":false,"excerpt":"Malware is more complex today than it was many years ago. It operates at the filter driver, service, or rootkit level, and eliminating it is tough. 
Sometimes, you need to boot to the Windows RE environment and then delete the core malware files and services added to your Windows installation.\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"Microsoft Defender Offline scan - Virus and threat protection - Windows Security","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/wdo-scan-4.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/wdo-scan-4.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/08\/wdo-scan-4.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":18890,"url":"https:\/\/www.winhelponline.com\/blog\/windows-defender-service-missing-security-page-empty\/","url_meta":{"origin":4632,"position":2},"title":"Windows Defender Service Missing; Security at a glance page is Empty","author":"Ramesh","date":"September 26, 2020","format":false,"excerpt":"In the aftermath of malware infection, when you open the Services MMC on a Windows 10 or 11 computer, you may find that the Windows Defender (\"Microsoft Defender Antivirus Service\") service is missing from the Services MMC. 
The Windows Security settings \"Security at a glance\" page may show up empty\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"advancedrun start regedit.exe","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/09\/advancedrun-start-regedit.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/09\/advancedrun-start-regedit.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2020\/09\/advancedrun-start-regedit.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]},{"id":25816,"url":"https:\/\/www.winhelponline.com\/blog\/startupchecklibrary-winscomrssrv-dll-missing-error-startup\/","url_meta":{"origin":4632,"position":3},"title":"[Fix] StartupCheckLibrary.dll and Winscomrssrv.dll Error at Startup","author":"Ramesh","date":"January 20, 2022","format":false,"excerpt":"When you log in to your Windows computer, the following error message windows may pop up: RunDLL There was a problem starting StartupCheckLibrary.dll The specified module could not be found. RunDLL There was a problem starting winscomrssrv.dll The specified module could not be found. 
Additionally, you may see the following\u2026","rel":"","context":"In &quot;Utilities&quot;","block_context":{"text":"Utilities","link":"https:\/\/www.winhelponline.com\/blog\/category\/utilities\/"},"img":{"alt_text":"startupchecklibrary.dll malware startup error","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/01\/malwarebytes-history.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/01\/malwarebytes-history.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/01\/malwarebytes-history.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/01\/malwarebytes-history.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2022\/01\/malwarebytes-history.png?resize=1050%2C600&ssl=1 3x"},"classes":[]},{"id":4472,"url":"https:\/\/www.winhelponline.com\/blog\/windows-defender-running-alongside-antivirus-program-limited-periodic-scanning\/","url_meta":{"origin":4632,"position":4},"title":"Why Is Windows Defender Running Alongside my Antivirus Program?","author":"Ramesh","date":"October 30, 2016","format":false,"excerpt":"Is Windows Defender running alongside their main antivirus program, as the icons for both programs are visible in the Notification area? Isn't Windows Defender supposed to turn itself off when it detects a third-party antivirus program? Windows Defender and Avast antivirus icons in the Notification area. 
\"Limited Periodic Scanning\" enabled?\u2026","rel":"","context":"In &quot;Windows 10&quot;","block_context":{"text":"Windows 10","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/windows-10\/"},"img":{"alt_text":"Limited periodic scanning - Defender settings - Windows 11","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/10\/enable-limited-periodic-scanning-windows-11.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/10\/enable-limited-periodic-scanning-windows-11.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/10\/enable-limited-periodic-scanning-windows-11.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/10\/enable-limited-periodic-scanning-windows-11.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":4568,"url":"https:\/\/www.winhelponline.com\/blog\/defender-enable-pua-pup-adware-protection\/","url_meta":{"origin":4632,"position":5},"title":"How to Enable Scanning for PUA\/PUP\/Adware in Windows Defender","author":"Ramesh","date":"November 12, 2016","format":false,"excerpt":"Windows Defender can detect and remove malware and viruses, but it doesn't catch Potentially Unwanted Programs or crapware by default. However, there is an opt-in feature that you can enable to make Microsoft Defender antivirus scan and eliminate adware, PUAs, or PUPs in real-time. 
Potentially Unwanted Program (PUP), Potentially Unwanted\u2026","rel":"","context":"In &quot;Windows&quot;","block_context":{"text":"Windows","link":"https:\/\/www.winhelponline.com\/blog\/category\/microsoft\/windows\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/windows-defender-header.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/windows-defender-header.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/www.winhelponline.com\/blog\/wp-content\/uploads\/2016\/11\/windows-defender-header.png?resize=525%2C300&ssl=1 1.5x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/4632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/comments?post=4632"}],"version-history":[{"count":0,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/posts\/4632\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/media?parent=4632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/categories?post=4632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.winhelponline.com\/blog\/wp-json\/wp\/v2\/tags?post=4632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}