For the last 10 days or so we have noticed Cerber ransomware disabling Windows Defender by using firewall rules to prevent Windows Defender accessing the internet.
21 March 2017: deliverydetails.js VirusTotal | Payload Security /counter/exe1.exe delivers Cerber VirusTotal This shows a change in behaviour using firewall blocks to disable windows defender. This will be primarily aimed at Windows 10 users. Windows Defender is the inbuilt “free” antivirus in Windows 8.1 and Windows 10. The Windows 10 version uses cloud technology, which very basically, when an unknown file is discovered on the computer, Defender sends out a message to the cloud, asking ” what is this”. Once more than a certain number of computers send out the message, then automatic analysis takes place and signatures are automatically created and sent out to every Windows Defender user to block the malware.
Note: this does not completely stop Windows Defender getting signatures or updating. Windows Defender uses 2 methods of updating itself. 1. Via Windows update. 2. via its internal updating mechanism. This firewall block only blocks the internal updating & cloud technology. You will still get updated virus signatures and program updates, just a lot slower and delayed. I seem to remember something about WU updating only kicking in after about 4 days of no internal program updates or signature updates.
All versions of Cerber that I have seen everyday ( from all sources) since 21st March 2017 continues to block Windows Defender