App Review A Microsoft Defender Follow-up

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
cruelsister

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Thanks for the interesting video. It is obvious that in the test the file is not locked and auto-submitted to the cloud (there is no alert). Somehow, this sample is not recognized as suspicious by the local AI. I can confirm that rarely it can happen for some samples. For example in the past year, I created a POC that did the same.

This sample is special because the Defender postinfection detection did not work for it. In my tests and tests of some other MT members, the Defender can usually recognize that the missed sample is malicious by monitoring the malicious actions and sending the telemetry to the cloud. This can take several minutes, so in the case of ransomware the first victim (@cruelsister) is lost, but others can be saved. I am not sure why this sample is so special and still ignored by Defender.

It would be good to test this sample on Malware Hub. I can also look at it to see why it is so troublesome for Defender. (y)
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Some time ago I tested Defender against KnowBe4 Ran Simulator. It uses a folder of files (documents, pictures, etc.) that are supposed to be encrypted. To make the tests quicker, I decreased the number of files in this folder. I noticed that the Defender postinfection detection did not work - all files were encrypted. After many tests, I used the full set of files, and in several cases, Defender stopped the process of encryption before it ended (not all files were encrypted).
So, the efficiency of post-execution/post-infection detection can be also related to the damage made by the malware. But, it is hard to be sure without inspecting the sample. :unsure:
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
Should the cloud even be needed to detect this sample, especially when CS submitted it at least 10 times to Microsoft and a month has already elapsed since? It just seems inexcusable to me that Microsoft has not included this sample in their local definitions database.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Indeed she did, but to no avail.But he point of the video should not be the malware itself (or its close cousins), which is (are) hardly special and has (have) been in the Wild for a couple of months with the infection mechanism being even older. What one must wonder about is how such a thing can knife through local and cloud databases as well as things like UAC and CFA.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Indeed she did, ...
That is a really interesting sample. Usually, the malware submission is finished after 12 hours. I have seen a similar sample thanks to @SeriousHoax. He submitted a special (malicious) sample to Microsoft and noticed that it is still undetected on execution 2 days later, although it is already recognized in the cloud as malicious (this is visible on the submission webpage). I noticed that this sample is also undetected by BAFS even when it is recognized in the cloud as malicious. I resubmitted this sample with a similar effect (cloud detection = malicious) to start a dispute about it. But after several days my submission is not finished - there is no final determination from the Microsoft analyst.

@SeriousHoax, can you still run this sample without Defender's detection?

@cruelsister, what was the cloud detection and final analyst's determination of your sample?
 
Last edited:
F

ForgottenSeer 94943

God I loved the background music. I believe I was listening rather than watching. I'd appreciate it if you share the track name if you don't mind @cruelsister cruel
 
  • Like
Reactions: wat0114

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
That is a really interesting sample. Usually, the malware submission is finished after 12 hours. I have seen a similar sample thanks to @SeriousHoax. He submitted a special (malicious) sample to Microsoft and noticed that it is still undetected on execution 2 days later, although it is already recognized in the cloud as malicious (this is visible on the submission webpage). I noticed that this sample is also undetected by BAFS even when it is recognized in the cloud as malicious. I resubmitted this sample with a similar effect (cloud detection = malicious) to start a dispute about it. But after several days my submission is not finished - there is no final determination from the Microsoft analyst.

@SeriousHoax, can you still run this sample without Defender's detection?
I found two more samples a few days ago with the same problem. According to the Microsoft analyst it's already detected by MD and the "Final determination" section also shows Malware, but they are not detected either by Cloud or Client. No detection even after execution.
1659638066394.png
What does it mean? Is it detected by their other products, like their Enterprise version? I don't understand. I submitted MSI based Magniber samples to them multiple times previously and signature were added quickly. So I don't know what's going on with the sample she tested.
If @cruelsister or anyone else can give me the sample, then I can submit to Microsoft again. I can make the sample checked by an analyst within 24 hours, but can't guarantee detection like the example I gave above.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
620
Well this does does look like a major blunder by MS. I remember some time ago @Local Host saying it's user's common sense and safe Internet habits - or at least something along those lines - that keep themselves safe, and not Windows Defender, and at the time I mostly disregarded the assertion, but now I think there's a lot of merit to his (or her?) comment.
 
Jun 21, 2020
363
Well this does does look like a major blunder by MS. I remember some time ago @Local Host saying it's user's common sense and safe Internet habits - or at least something along those lines - that keep themselves safe, and not Windows Defender, and at the time I mostly disregarded the assertion, but now I think there's a lot of merit to his (or her?) comment.
Its the best way of describing it. Good, healthy browsing habits is 70% of the way. The remaining being common sense, if it doesn't feel right, don't look right or don't smell right. Don't click it. And the last stretch being some protection help. We are all human after all, mistakes or miss clicks happen.
 

Kiss

Level 4
Verified
Well-known
Oct 6, 2021
174
Some time ago I tested Defender against KnowBe4 Ran Simulator. It uses a folder of files (documents, pictures, etc.) that are supposed to be encrypted. To make the tests quicker, I decreased the number of files in this folder. I noticed that the Defender postinfection detection did not work - all files were encrypted. After many tests, I used the full set of files, and in several cases, Defender stopped the process of encryption before it ended (not all files were encrypted).
So, the efficiency of post-execution/post-infection detection can be also related to the damage made by the malware. But, it is hard to be sure without inspecting the sample. :unsure:
Is KnowBe4 RanSim a reliable tool to test an antivirus? I mean if the final result of the test is to be taken seriously, if the antivirus has a bad result, look for another solution?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Is KnowBe4 RanSim a reliable tool to test an antivirus? I mean if the final result of the test is to be taken seriously, if the antivirus has a bad result, look for another solution?
I do not know a reliable tool to check the anti-ransomware protection.
KnowBe4 can test only some aspects of a ransomware attack. Furthermore, the AVs could stop (in theory) about 90% of ransomware attacks without detecting any ransomware payload (MSI or EXE). See for example:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
... it's user's common sense and safe Internet habits - or at least something along those lines - that keep themselves safe, and not Windows Defender, ...

Many MT members keep saying this for many years in relation to any AV. Strict protection at home is required for children and casual users. It is not required for others except if one likes such protection or wants to learn how security layers work.
For example, you used H_C and OSA. If you can predict that your actions will trigger the H_C or OSA blocks, then neither H_C nor OSA is necessary.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
I found two more samples a few days ago with the same problem.
I found a Magniber sample on Malware Bazaar which was detected by Defender on Virus Total in June (Trojan:Script/Phonzy.A!ml) and still can be run with fully activated Defender. It uses Fodhelper to bypass UAC, but this is stopped when UAC is on MAX. All Magniber samples on Malware Bazaar (checked yesterday) are one month or elder (I inspected 76 samples submitted from 01.06.2022).

It seems that these special samples mentioned by you, me, and @cruelsister, do not trigger the cloud check on execution.
 

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
Maginer, like most malware nowadays (especially the nastiest ones that evade protection), spreads exclusively via cracked/pirated/torrented and otherwise illegal software, avoid those and Windows Defender will be enough.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Maginer, like most malware nowadays, spreads exclusively via cracked/pirated/torrented and otherwise illegal software, avoid those and Windows Defender will be enough.
Yes, I do not worry about Magniber - the attackers do not currently use MSI but rather CPL files. I worry that the method used by it can be adopted in the future also for other malware types. For now, Microsoft seems to ignore this danger.
 
  • Like
Reactions: vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top