App Review Microsoft Defender vs Magniber

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister
Good job Meghan! ;) (followed + liked)

I suspected that Magniber would also pass the Microsoft Defender anti-ransomware shield, even in hardened...
This ransomware is quite violent; I've already managed to bypass the anti-ransomware protection of Bitdefender and F-Secure....

Hopefully the editors will wake up soon! (Kaspersky & ESET have done some detections in Hexa)
 
Excellent video, thanks. It would be interesting to know what process(es) in the infection chain ultimately did the encryption damage, especially when there were two visible alerts generated by Defender. Did Defender actually block those two attempts or did one or both of them blow right through it, or was it something else that Defender failed to block?
 
Good job Meghan! ;) (followed + liked)

I suspected that Magniber would also pass the Microsoft Defender anti-ransomware shield, even in hardened...
This ransomware is quite violent; I've already managed to bypass the anti-ransomware protection of Bitdefender and F-Secure....

Hopefully the editors will wake up soon! (Kaspersky & ESET have done some detections in Hexa)

Are Kaspersky and ESET the only two av companies that provide detection for this threat?
 
Hit and sunk filelessly. :)(y)

Enterprises can be impacted via exploit kits (like Magnitude) used to compromise the network and deliver Magniber.

Home users can be impacted when using pirated software or when instructed on shady forums to install an update from an unsafe source.

The transmission method is still various forums, cracked software websites, fake pornographic websites, etc. When users visit these websites, they are induced to download from third-party network disks.
 
Excellent video, thanks. It would be interesting to know what process(es) in the infection chain ultimately did the encryption damage, especially when there were two visible alerts generated by Defender. Did Defender actually block those two attempts or did one or both of them blow right through it, or was it something else that Defender failed to block?
These two blocks were related to disk sectors; they did not block the modifications to the folders.
I think that the files can be restored via OneDrive synchronization (suggested by Microsoft).
There are two interesting questions:
  1. Did the malware get high privileges?
  2. Did the malware delete volume shadow copies?
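The two questions above can be checked after the fact from the host's own records. The following PowerShell is an added example, not part of the original post: it lists the shadow copies that still exist and scans Security log process-creation events (ID 4688) for the usual shadow-copy and recovery tampering commands, reporting whether each matching process ran with an elevated token. It assumes process-creation auditing is enabled together with the "Include command line in process creation events" policy; without that, the CommandLine field is empty and only the process name is matched. The regex patterns are constructed for this example.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the affected machine, or point it at exported .evtx files (see note below).
#
# Assumption: Security auditing of process creation (4688) is on, and
# "Include command line in process creation events" is enabled.

# Command-line patterns (constructed for this example) that typically indicate
# shadow-copy or recovery tampering. -match is a case-insensitive regex test.
$ShadowTamperPatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'wbadmin(\.exe)?\s+delete\s+catalog',
    'bcdedit(\.exe)?\s+.*recoveryenabled\s+no',
    'Win32_ShadowCopy'                  # WMI/CIM deletion from a script
)

function Get-ShadowCopyInventory {
    # Question 2, direct check: which shadow copies still exist right now?
    # An empty result on a host that had System Protection enabled is suspicious.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate
}

function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Turn the <EventData><Data Name="..."> entries into a name -> value table;
    # this is more robust than relying on positional Properties[] indexes.
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Find-ShadowTamperEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Security 4688 = process creation. TokenElevationType %%1937 means the
    # new process received a full (elevated) token, which answers question 1
    # for that specific process.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $d   = Get-EventDataMap -Event $e
        $cmd = "$($d['NewProcessName']) $($d['CommandLine'])"
        foreach ($pat in $ShadowTamperPatterns) {
            if ($cmd -match $pat) {
                [pscustomobject]@{
                    Time        = $e.TimeCreated
                    Process     = $d['NewProcessName']
                    Parent      = $d['ParentProcessName']
                    Elevated    = ($d['TokenElevationType'] -eq '%%1937')
                    User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    CommandLine = $d['CommandLine']
                    MatchedRule = $pat
                }
                break
            }
        }
    }
}

# Usage:
Get-ShadowCopyInventory | Format-Table -AutoSize
Find-ShadowTamperEvents -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

To run this against logs exported from another machine, replace the `LogName = 'Security'` entry in the filter hashtable with `Path = 'C:\evidence\Security.evtx'`; the rest of the pipeline is unchanged. A hit with Elevated = True is strong evidence for both questions; no hits plus an empty shadow-copy inventory points to deletion by a means this scan does not cover (or to System Protection never having been enabled).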
 
Although any video with working ransomware can be kinda shocking, the truth is that there is no need to worry. The method used by Magniber (MSI file) is very rarely used against home users.

Furthermore, for any AV one can find working malware. There is no perfect & usable protection against malware. Even such strong protection as CF with @cruelsister settings cannot save many users. Of course, the installer/fix will be blocked, but this is expected for pirated software, game mods, or cracks. The blocked malware cannot expose the malicious actions, so the user will simply turn off the protection and can still be infected.

Microsoft can efficiently (but not perfectly) fight such malware in several ways:
  1. Making the samples very short-lived (Block At First Sight + post-execution detections). Even if the sample infects a few users, after several minutes other users can often be protected against it.
  2. Adding the methods used by ransomware to ASR rules.
  3. Blocking delivery paths, when the malicious actors would like to use the malware in widespread attacks (weaponized documents, scripts, etc.).
  4. Adding the malicious URLs to SmartScreen (used also system-wide by Defender's Network Protection).
So, we will see the normal cat & mouse game. When Microsoft (or any other AV) improves the protection, the Magniber fellows will make the necessary modifications, and so on.
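The four mechanisms listed above map onto Defender settings that a home user can turn on, several of which are off by default. The script below is an added example, not part of the original post and not a Microsoft script: it enables cloud-delivered protection and sample submission (the prerequisites for Block At First Sight), adds a small set of ASR rules relevant to ransomware, weaponized documents and scripts, turns on Network Protection (SmartScreen reputation applied system-wide) and Controlled Folder Access, and reads the result back. The rule GUIDs are Microsoft's documented identifiers as I know them; verify them against Microsoft's current ASR rule reference before relying on them. Nothing here prevents the scenario the post describes, where the user simply switches the protection off.

```powershell
# Added example (not from the thread, not Microsoft's script). Run as
# Administrator on Windows 10/11 with Microsoft Defender Antivirus active.
# Verify the ASR GUIDs against Microsoft's ASR rule reference first.

# ASR rules (Microsoft's documented identifiers) chosen for this threat class:
$AsrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
}

function Enable-DefenderHardening {
    param([switch]$AuditOnly)   # AuditMode logs what WOULD be blocked without blocking it

    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }

    # 1. Block At First Sight needs cloud-delivered protection plus sample submission;
    #    CloudBlockLevel High and a longer cloud timeout make unknown files wait longer.
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendAllSamples `
                     -CloudBlockLevel High `
                     -CloudExtendedTimeout 50      # extra seconds (max 50) the cloud may hold a file

    # 2. ASR rules covering ransomware behaviour, low-prevalence executables,
    #    and the document/script delivery paths named in point 3.
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $action
    }

    # 4. Network Protection applies SmartScreen URL/IP reputation to every process,
    #    not only the browser.
    Set-MpPreference -EnableNetworkProtection $action

    # The "anti-ransomware shield" discussed in the thread: Controlled Folder Access.
    Set-MpPreference -EnableControlledFolderAccess $action
}

function Get-DefenderHardeningStatus {
    # Read the effective configuration back. Enum values are returned as numbers:
    # MAPSReporting 2 = Advanced, SubmitSamplesConsent 3 = SendAllSamples,
    # CloudBlockLevel 2 = High, NetworkProtection/CFA 1 = Enabled, 2 = AuditMode.
    $p    = Get-MpPreference
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        [pscustomobject]@{ Rule = $AsrRules[$ids[$i]]; Id = $ids[$i]; Action = $acts[$i] }
    }
    [pscustomobject]@{
        CloudProtection        = $p.MAPSReporting
        SampleSubmission       = $p.SubmitSamplesConsent
        CloudBlockLevel        = $p.CloudBlockLevel
        NetworkProtection      = $p.EnableNetworkProtection
        ControlledFolderAccess = $p.EnableControlledFolderAccess
        AsrRules               = $rules
    }
}

# Usage: audit first, review for a few days, then enforce.
Enable-DefenderHardening -AuditOnly
Get-DefenderHardeningStatus | Format-List
# Enable-DefenderHardening
```

Start with `-AuditOnly` and watch the Microsoft-Windows-Windows Defender/Operational log (event 1122 is an ASR audit hit, 1121 a block) for a few days before switching to enforcement; the prevalence/age rule in particular will flag exactly the kind of installer the post says users tend to run anyway, and seeing those hits first avoids surprises that lead people to disable the whole thing.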
 
1. Did the malware get high privileges?

Good question. I didn't see any UAC alerts, but even if enabled and on Always Notify, could this malware bypass it somehow?

EDIT

I guess anyone downloading pirated software or "updates" from sketchy sites would happily elevate the prompts anyway :D
 
Good job Meghan! ;) (followed + liked)

I suspected that Magniber would also pass the Microsoft Defender anti-ransomware shield, even in hardened...
This ransomware is quite violent; I've already managed to bypass the anti-ransomware protection of Bitdefender and F-Secure....

Hopefully the editors will wake up soon! (Kaspersky & ESET have done some detections in Hexa)
A tester has already tested Magniber vs Microsoft Defender configured to Max Protection, and files were still encrypted.