Evjl's Rain,
Did the sample BitmapCase.exe from Malware Samples #15 (4/07/2019) trigger SmartScreen?
Thanks.

> Did the sample BitmapCase.exe from Malware Samples #15 (4/07/2019) trigger SmartScreen?

I don't know. I didn't test SmartScreen, but if you want, I can check it out now.
Edit: it does trigger SmartScreen (signed exe).
I prefer testing products in extreme conditions so they can show their strengths, because one day we might be in the same situation, not as ideal as downloading a file from the internet.
I have asked because you use Defender max settings and I assumed that they were configured by ConfigureDefender. But then the file with MOTW would be blocked (SmartScreen set to Block).
If the file was not blocked in ConfigureDefender MAX settings, then it did not have MOTW (with some rare exceptions). So BAFS was also not tested.
If so, then this is a special kind of test (but common on Malware Hub), like the situation of downloading the files from a FAT32 pen drive to the hard disk and running them from the hard disk. Such a test is different from the real-world tests performed by AV labs, so the user should not compare the results.
Anyway, it is a very interesting test for detecting the strength of other WD features (Cloud Protection Level, ASR rules, Network Protection, etc.). :emoji_ok_hand:

It is, as can be seen from the test, if the file would have the MOTW (SmartScreen was triggered).
> Would it be a problem for you to attach the "Defender Security Log" from ConfigureDefender, as an addition to the performed tests?

Yes, I will do it in the next tests. I will find out how to use it.
> I guess that's the downfall of how WD is designed and implemented. The HUB testing methodology doesn't allow it to be tested necessarily how MS designed and implemented it. Not making excuses at all, nor am I saying you're doing it wrong @Evjl's Rain, I just mean that the HUB doesn't necessarily test how one uses a computer, i.e. downloading malware through a browser. This is just a minor flaw in the testing methodology that applies to all products, not just WD. Whether this makes a difference remains to be seen, but it's still a part that is missed. Don't get me wrong, I know it's not done due to complexity and being dangerous, but it's still a flaw.

I'm starting to get tired of testing WD because the context scan (local offline signatures and heuristics) has been extremely poor, which forces testers to test more dynamic samples. Almost every pack results in infection.
It's clear that the context scan has no cloud implementation, only in on-access and on-execution.
On-access has cloud support only if the file has the mark-of-the-web.
In the next test I will try out whether WD has any offline protection or is fully dependent on the cloud => sometimes the cloud connection can be unstable => you're finished.

> I guess that's the downfall of how WD is designed and implemented. The HUB testing methodology doesn't allow it to be tested necessarily how MS designed and implemented it. Not making excuses at all, nor am I saying you're doing it wrong @Evjl's Rain, I just mean that the HUB doesn't necessarily test how one uses a computer, i.e. downloading malware through a browser. This is just a minor flaw in the testing methodology that applies to all products, not just WD. Whether this makes a difference remains to be seen, but it's still a part that is missed. Don't get me wrong, I know it's not done due to complexity and being dangerous, but it's still a flaw.
>
> Again, due to the way WD is designed and implemented, there will be some gaps. Aside from USB malware, I would hazard to guess that in real-world use there may be a different outcome, as it seems like MS designed it to work a certain way. Again, not making excuses, just something to think about.
>
> @Evjl's Rain I know you want to stop testing WD, but I am wondering if you wanted to test it maxed out with ConfigureDefender running alongside OSA, or SysHardener? I know this isn't testing WD specifically, but rather how a setup may do overall.

I would also like to see WD tested with OSA as I run that on some machines. But I can see how it is exhausting. Whatever you decide to test next, I appreciate the effort!
It is also crucial to use the Windows built-in ZIP archiver or the Bandizip archiver, which can preserve MOTW after decompressing files from archives (downloaded from the Internet).
> @Andy Ful just out of curiosity, I know WD has archive scanning, so doesn't WD scan inside the archive before it's extracted? If so, should it be irrelevant if you use 7-Zip, which removes MOTW, or is it because the cloud/BAFS does not work on scanning with archives, only after the file has been extracted?

Most archives are password-protected => untouchable for all AVs.
When they are extracted, MOTW is already removed.
Bandizip rocks :emoji_pray: and will save us from a lot of infections thanks to SmartScreen, with all AVs including Panda or Webroot.
> @Evjl's Rain I know you want to stop testing WD, but I am wondering if you wanted to test it maxed out with ConfigureDefender running alongside OSA, or SysHardener? I know this isn't testing WD specifically, but rather how a setup may do overall.

I will try to test WD with SysHardener maxed out.
> @Andy Ful just out of curiosity, I know WD has archive scanning, so doesn't WD scan inside the archive before it's extracted?

BAFS can recognize malware in ZIP archives (from the Internet Zone) and probably in most known archive types too. But, as @Evjl's Rain already mentioned, this does not apply to password-protected archives.
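The thread's MOTW point (a sample that was never blocked had no Zone.Identifier stream, so neither SmartScreen nor BAFS was actually exercised, and an archiver may have stripped it) can be checked before a test run. The PowerShell script below is an added example, not code from the thread, ConfigureDefender or any archiver mentioned; it lists which files under a folder still carry the Zone.Identifier alternate data stream and which zone it records. The folder path is a placeholder.

```powershell
# Added example (not from the thread): for each file under a folder, report whether it carries
# the Mark-of-the-Web (the Zone.Identifier alternate data stream) and which zone it records,
# so a tester can confirm extracted samples still have MOTW before judging SmartScreen or BAFS.
param(
    [string]$Path = 'C:\Samples\Extracted'   # placeholder; point at the extracted sample set
)

# ZoneId values Windows writes: 0 Local machine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
# A browser download records ZoneId=3, which is what SmartScreen acts on at execution time.
$zoneNames = @{ '0' = 'LocalMachine'; '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted' }

function Get-MotwInfo {
    param([string]$FilePath)
    # Get-Item -Stream opens a named alternate data stream; no Zone.Identifier stream means no MOTW
    $ads = Get-Item -LiteralPath $FilePath -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($null -eq $ads) {
        return [pscustomobject]@{ File = $FilePath; HasMOTW = $false; Zone = $null; HostUrl = $null }
    }
    # The stream is INI-style text:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   ReferrerUrl=https://...   (optional, written by browsers)
    #   HostUrl=https://...       (optional, written by browsers)
    $text    = Get-Content -LiteralPath $FilePath -Stream 'Zone.Identifier' -Raw
    $zoneId  = if ($text -match '(?m)^ZoneId=(\d+)') { $Matches[1] } else { 'unknown' }
    $hostUrl = if ($text -match '(?m)^HostUrl=(.+)$') { $Matches[1].Trim() } else { $null }
    $zone    = if ($zoneNames.ContainsKey($zoneId)) { "$zoneId ($($zoneNames[$zoneId]))" } else { $zoneId }
    [pscustomobject]@{ File = $FilePath; HasMOTW = $true; Zone = $zone; HostUrl = $hostUrl }
}

$results = @(Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object { Get-MotwInfo -FilePath $_.FullName })
$results | Format-Table -AutoSize

# Files without MOTW are run as local files: SmartScreen and BAFS never see them in such a test.
$withMotw = @($results | Where-Object HasMOTW).Count
Write-Host ("{0} of {1} files carry MOTW." -f $withMotw, $results.Count)
```

Run it once against files extracted with the archiver under test (for example the Windows ZIP handler, Bandizip and 7-Zip) to see directly which one keeps the stream.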