Windows Defender - June 2019 Report

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
I don't know. I didn't test smartscreen
but if you want, I can check it out now

edit: it does trigger smartscreen (signed exe)
Thanks. :giggle:
I have asked, because you use Defender max settings and I assumed that they were configured by ConfigureDefender. But, then the file with MOTW would be blocked (SmartScreen set to Block).
If the file was not blocked in ConfigureDefender MAX settings, then it did not have MOTW (with some rare exceptions). So, also BAFS was not tested.
If so, then this is a special kind of test (but common on Malware Hub), like in the situation of downloading the files from the FAT32 pen drive to the hard disk and running them from the hard disk. Such a test is different from real-world tests performed by AV Labs, so the user should not compare the results.
Anyway, it is a very interesting test for detecting the strength of other WD features (Cloud Protection Level, ASR rules, Network Protection, etc.).:emoji_ok_hand:
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Thanks. :giggle:
I have asked, because you use Defender max settings and I assumed that they were configured by ConfigureDefender. But, then the file with MOTW would be blocked (SmartScreen set to Block).
If the file was not blocked in ConfigureDefender MAX settings, then it did not have MOTW (with some rare exceptions). So, also BAFS was not tested.
If so, then this is a special kind of test (but common on Malware Hub), like in the situation of downloading the files from the FAT32 pen drive to the hard disk and running them from the hard disk. Such a test is different from real-world tests performed by AV Labs, so the user should not compare the results.
Anyway, it is a very interesting test for detecting the strength of other WD features (Cloud Protection Level, ASR rules, Network Protection, etc.).:emoji_ok_hand:
I prefer testing products in extreme conditions so they can show their strengths, because one day we might be in the same situation, not as ideal as downloading a file from the internet.
This is also a real-world test because I see it every day in my country (download a password-protected archive, extract with WinRAR).
Every kind of test is real-world at some point.

I do prefer malware protection tests from AV-C or from MRG to real-world tests because they are more extreme and correctly reflect the true power of an AV in any condition.
Real-world tests are kind of boring because most of the links they test are not zero-day anymore, I assume.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
@Andy Ful
Is it relevant to trigger SmartScreen that the sample BitmapCase.exe is signed?

It is, as can be seen from the test if the file would have the MOTW (SmartScreen was triggered). :giggle:
Only EV signed files can automatically bypass SmartScreen check.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I'm starting to get tired of testing WD because the context scan (local offline signatures and heuristics) has been extremely poor, which forces testers to test more dynamic samples. Almost every pack results in infection.
It's clear that the context scan has no cloud implementation, only on-access and on-execution.
On-access has cloud support only if the file has the mark-of-the-web.
Next test I will try out whether WD has any offline protection or is fully dependent on the cloud => sometimes the cloud connection can be unstable => you're finished.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
That is also my observation. Windows Defender detection of never seen samples strongly depends on the cloud (except ASR rules and Controlled Folder Access). Furthermore, the best protection (BAFS) is available only when files are recognized as downloaded from the Internet.
People who use FAT32 sources (flash drives, USB disks) for sharing files with other people are not so well protected, except when they upload the files to OneDrive or execute the files directly from the USB source (protected by a very aggressive ASR rule). If so, then the file downloaded to the hard disk from OneDrive will be automatically checked by BAFS.
It is also crucial to use the Windows built-in ZIP archiver or the Bandizip archiver, which can preserve MOTW after decompressing files from archives (downloaded from the Internet).

With the above precautions, WD + ConfigureDefender can achieve similar protection for fresh samples to any commercial AV on default settings. This protection can be even stronger when applying SysHardener restrictions or maximizing the protection with Hard_Configurator.
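The cloud-dependent protections named above (BAFS, Cloud Protection Level, IOAV scanning of MOTW files, Network Protection, ASR rules, SmartScreen) each hinge on a few Defender settings. The script below is an added example, not ConfigureDefender's or Hard_Configurator's code, that audits those settings through Get-MpPreference and returns the gaps; it assumes an elevated PowerShell session on Windows 10 with Defender active, and the SmartScreen registry policy path is an assumption.

```powershell
# Added example: audit the Defender settings that BAFS and the other
# cloud-backed protections rely on. Run in an elevated session.
function Get-DefenderCloudAudit {
    $p = Get-MpPreference
    $findings = @()

    # BAFS needs MAPS "Advanced" (2) and automatic sample submission (1 or 3)
    if ($p.MAPSReporting -ne 2) {
        $findings += "MAPSReporting=$($p.MAPSReporting): BAFS needs Advanced (2)"
    }
    if ($p.SubmitSamplesConsent -notin @(1, 3)) {
        $findings += "SubmitSamplesConsent=$($p.SubmitSamplesConsent): BAFS needs automatic submission (1 or 3)"
    }
    if ($p.DisableBlockAtFirstSeen) {
        $findings += "DisableBlockAtFirstSeen=True: Block at First Sight is off"
    }
    # Cloud block level: 0 Default, 2 High, 4 High+, 6 Zero tolerance
    if ($p.CloudBlockLevel -lt 2) {
        $findings += "CloudBlockLevel=$($p.CloudBlockLevel): below High (2)"
    }
    # Extra seconds a suspicious file may be held for cloud analysis (0-50)
    if ($p.CloudExtendedTimeout -lt 50) {
        $findings += "CloudExtendedTimeout=$($p.CloudExtendedTimeout): below the 50 s maximum"
    }
    # IOAV is the on-access path that scans files carrying MOTW
    if ($p.DisableIOAVProtection) {
        $findings += "DisableIOAVProtection=True: downloaded (MOTW) files are not scanned"
    }
    # Network Protection: 0 Disabled, 1 Block, 2 Audit
    if ($p.EnableNetworkProtection -ne 1) {
        $findings += "EnableNetworkProtection=$($p.EnableNetworkProtection): not in Block mode"
    }
    # ASR rules: count the rules whose action is Block (1)
    $blocked = @($p.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    if ($blocked -eq 0) {
        $findings += "No ASR rules in Block mode"
    }
    # Explorer SmartScreen policy (assumed location; set by GPO or ConfigureDefender)
    $ss = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    if ($ss.EnableSmartScreen -ne 1 -or $ss.ShellSmartScreenLevel -ne 'Block') {
        $findings += "SmartScreen policy is not Enabled/Block: MOTW files would only warn"
    }
    return $findings
}

Get-DefenderCloudAudit
```

An empty result means every checked setting matches the configuration the thread refers to as Defender MAX; each returned line names one setting and the value it should have.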
 

ForgottenSeer 72227

I'm starting to get tired of testing WD because the context scan (local offline signatures and heuristics) has been extremely poor, which forces testers to test more dynamic samples. Almost every pack results in infection.
It's clear that the context scan has no cloud implementation, only on-access and on-execution.
On-access has cloud support only if the file has the mark-of-the-web.
Next test I will try out whether WD has any offline protection or is fully dependent on the cloud => sometimes the cloud connection can be unstable => you're finished.
I guess that's the downfall of how WD is designed and implemented. The HUB testing methodology doesn't allow it to be tested necessarily how MS designed and implemented it. Not making excuses at all, nor am I saying you're doing it wrong @Evjl's Rain, I just mean that the hub doesn't necessarily test how one uses a computer, i.e. downloading malware through a browser. This is just a minor flaw in the testing methodology that applies to all products, not just WD. Whether this makes a difference remains to be seen, but it's still a part that is missed. Don't get me wrong, I know it's not done due to complexity and being dangerous, but it's still a flaw. ;)

Again, due to the way WD is designed and implemented there will be some gaps. Aside from USB malware, I would hazard to guess that in real-world use there may be a different outcome, as it seems like MS designed it to work a certain way. Again, not making excuses, just something to think about. ;)

@Evjl's Rain I know you want to stop testing WD, but I am wondering if you wanted to test it maxed out with ConfigureDefender running alongside OSA, or SysHardener? I know this isn't testing WD specifically, but rather how a setup may do overall. (y)
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,866
I guess that's the downfall of how WD is designed and implemented. The HUB testing methodology doesn't allow it to be tested necessarily how MS designed and implemented it. Not making excuses at all, nor am I saying you're doing it wrong @Evjl's Rain, I just mean that the hub doesn't necessarily test how one uses a computer, i.e. downloading malware through a browser. This is just a minor flaw in the testing methodology that applies to all products, not just WD. Whether this makes a difference remains to be seen, but it's still a part that is missed. Don't get me wrong, I know it's not done due to complexity and being dangerous, but it's still a flaw. ;)

Again, due to the way WD is designed and implemented there will be some gaps. Aside from USB malware, I would hazard to guess that in real-world use there may be a different outcome, as it seems like MS designed it to work a certain way. Again, not making excuses, just something to think about. ;)

@Evjl's Rain I know you want to stop testing WD, but I am wondering if you wanted to test it maxed out with ConfigureDefender running alongside OSA, or SysHardener? I know this isn't testing WD specifically, but rather how a setup may do overall. (y)
I would also like to see WD tested with OSA as I run that on some machines. But I can see how it is exhausting. Whatever you decide to test next, I appreciate the effort!
 

ForgottenSeer 72227

It is also crucial to use the Windows built-in ZIP archiver or the Bandizip archiver, which can preserve MOTW after decompressing files from archives (downloaded from the Internet).

@Andy Ful just out of curiosity, I know WD has archive scanning, so doesn't WD scan inside the archive before it's extracted? If so, shouldn't it be irrelevant if you use 7-Zip, which removes MOTW, or is it because the cloud/BAFS does not work when scanning archives, only after the file has been extracted?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
I noticed in the WD log that in most cases of infection, WD initially allows the malware to run, but the suspicious actions and payloads are blocked anyway. After several seconds the cloud is alerted about the malicious actions, so the malware is blocked and often removed from disk, but sometimes it is not killed (still active in memory). After reboot, the system is protected, although WD often leaves leftovers in the registry startup locations. These startup entries produce alerts because they cannot find the malware, which was already removed from disk.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
@Andy Ful just out of curiosity, I know WD has archive scanning, so doesn't WD scan inside the archive before it's extracted? If so, shouldn't it be irrelevant if you use 7-Zip, which removes MOTW, or is it because the cloud/BAFS does not work when scanning archives, only after the file has been extracted?
Most archives are password-protected => untouchable for all AVs.
When they are extracted, MOTW is already removed.
Bandizip rocks :emoji_pray: and will save us from a lot of infections thanks to SmartScreen, with all AVs including Panda or Webroot.
 

ForgottenSeer 72227

Most archives are password-protected => untouchable for all AVs.
When they are extracted, MOTW is already removed.
Bandizip rocks :emoji_pray: and will save us from a lot of infections thanks to SmartScreen, with all AVs including Panda or Webroot.

Thanks, and that makes sense.

I have to admit I like 7-Zip, it's a great program, but I am going to give Bandizip a try, especially since it's based on 7-Zip if I'm not mistaken.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I guess that's the downfall of how WD is designed and implemented. The HUB testing methodology doesn't allow it to be tested necessarily how MS designed and implemented it. Not making excuses at all, nor am I saying you're doing it wrong @Evjl's Rain, I just mean that the hub doesn't necessarily test how one uses a computer, i.e. downloading malware through a browser. This is just a minor flaw in the testing methodology that applies to all products, not just WD. Whether this makes a difference remains to be seen, but it's still a part that is missed. Don't get me wrong, I know it's not done due to complexity and being dangerous, but it's still a flaw. ;)

Again, due to the way WD is designed and implemented there will be some gaps. Aside from USB malware, I would hazard to guess that in real-world use there may be a different outcome, as it seems like MS designed it to work a certain way. Again, not making excuses, just something to think about. ;)

@Evjl's Rain I know you want to stop testing WD, but I am wondering if you wanted to test it maxed out with ConfigureDefender running alongside OSA, or SysHardener? I know this isn't testing WD specifically, but rather how a setup may do overall. (y)
I will try to test WD with SysHardener maxed out.
I don't like OSA, to be honest, because it produced some FPs and used a noticeable amount of CPU on my PC.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
@Andy Ful just out of curiosity, I know WD has archive scanning, so doesn't WD scan inside the archive before it's extracted? If so, shouldn't it be irrelevant if you use 7-Zip, which removes MOTW, or is it because the cloud/BAFS does not work when scanning archives, only after the file has been extracted?
BAFS can recognize malware in ZIP archives (from the Internet Zone) and probably in most known archive types too. But, as @Evjl's Rain already mentioned, this does not apply to password-protected archives. (y)
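Whether an archiver kept the mark-of-the-web, which the thread above identifies as the trigger for SmartScreen and the cloud-backed on-access scan, can be verified directly: MOTW is the Zone.Identifier alternate data stream on each file. The script below is an added example, not Bandizip's, 7-Zip's or Windows' own code, that lists the MOTW state of every file under a folder and can re-tag files that lost it; the folder path is a constructed placeholder.

```powershell
# Added example: report the Zone.Identifier (MOTW) state of extracted files,
# so an archiver can be checked for whether it preserves the mark.
function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        $zoneId = $null
        $hostUrl = $null
        # A missing stream is an error; SilentlyContinue turns it into "no MOTW"
        $ads = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($ads) {
            # The stream is INI-like: [ZoneTransfer], ZoneId=3, optional ReferrerUrl/HostUrl
            foreach ($line in $ads) {
                if ($line -match '^ZoneId=(\d+)$')   { $zoneId = [int]$Matches[1] }
                elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }
        }
        [pscustomobject]@{
            File    = $file.FullName
            HasMotw = ($null -ne $zoneId)
            ZoneId  = $zoneId            # 3 = Internet, 4 = Restricted sites
            HostUrl = $hostUrl
            # SmartScreen and IOAV only engage for Internet-zone (or worse) files
            SmartScreenEligible = ($zoneId -ge 3)
        }
    }
}

# Re-tag files that lost MOTW on extraction as Internet-zone, so SmartScreen
# and the cloud check evaluate them on first run (defensive, reversible with Unblock-File)
function Add-Motw {
    param([Parameter(Mandatory)][string]$Path)
    Get-MotwStatus -Path $Path | Where-Object { -not $_.HasMotw } | ForEach-Object {
        Set-Content -LiteralPath $_.File -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
        $_.File
    }
}

# Constructed path: point it at a folder extracted from a downloaded archive
Get-MotwStatus -Path 'C:\Temp\extracted' | Format-Table File, HasMotw, ZoneId, SmartScreenEligible
```

Running Get-MotwStatus on the same archive extracted once with the built-in ZIP handler and once with another archiver shows which of the two drops the stream.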
 
