- Apr 13, 2013
- 3,141
- Content source
- https://www.youtube.com/watch?v=YQwKeYcF39I
Ever wonder how fast Microsoft enters previously submitted malware into its AV database?
Last edited:
A Microsoft Defender Follow-up
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Dec 23, 2014
- 8,114
Thanks for the interesting video. It is obvious that in the test the file is not locked and auto-submitted to the cloud (there is no alert). Somehow, this sample is not recognized as suspicious by the local AI. I can confirm that rarely it can happen for some samples. For example in the past year, I created a POC that did the same.
This sample is special because the Defender postinfection detection did not work for it. In my tests and tests of some other MT members, the Defender can usually recognize that the missed sample is malicious by monitoring the malicious actions and sending the telemetry to the cloud. This can take several minutes, so in the case of ransomware the first victim (@cruelsister) is lost, but others can be saved. I am not sure why this sample is so special and still ignored by Defender.
It would be good to test this sample on Malware Hub. I can also look at it to see why it is so troublesome for Defender.
This sample is special because the Defender postinfection detection did not work for it. In my tests and tests of some other MT members, the Defender can usually recognize that the missed sample is malicious by monitoring the malicious actions and sending the telemetry to the cloud. This can take several minutes, so in the case of ransomware the first victim (@cruelsister) is lost, but others can be saved. I am not sure why this sample is so special and still ignored by Defender.
It would be good to test this sample on Malware Hub. I can also look at it to see why it is so troublesome for Defender.
Last edited:
- Dec 23, 2014
- 8,114
Some time ago I tested Defender against KnowBe4 Ran Simulator. It uses a folder of files (documents, pictures, etc.) that are supposed to be encrypted. To make the tests quicker, I decreased the number of files in this folder. I noticed that the Defender postinfection detection did not work - all files were encrypted. After many tests, I used the full set of files, and in several cases, Defender stopped the process of encryption before it ended (not all files were encrypted).
So, the efficiency of post-execution/post-infection detection can be also related to the damage made by the malware. But, it is hard to be sure without inspecting the sample.
So, the efficiency of post-execution/post-infection detection can be also related to the damage made by the malware. But, it is hard to be sure without inspecting the sample.
- Apr 5, 2021
- 564
Should the cloud even be needed to detect this sample, especially when CS submitted it at least 10 times to Microsoft and a month has already elapsed since? It just seems inexcusable to me that Microsoft has not included this sample in their local definitions database.
- Dec 23, 2014
- 8,114
Did she? I understood that she assumed auto-submission when running the sample.
Seems the point was missed again and as always excuses are being made over MD failed test, thanks for another great video CS. 
- Apr 13, 2013
- 3,141
Indeed she did, but to no avail.But he point of the video should not be the malware itself (or its close cousins), which is (are) hardly special and has (have) been in the Wild for a couple of months with the infection mechanism being even older. What one must wonder about is how such a thing can knife through local and cloud databases as well as things like UAC and CFA.
- Dec 23, 2014
- 8,114
That is a really interesting sample. Usually, the malware submission is finished after 12 hours. I have seen a similar sample thanks to @SeriousHoax. He submitted a special (malicious) sample to Microsoft and noticed that it is still undetected on execution 2 days later, although it is already recognized in the cloud as malicious (this is visible on the submission webpage). I noticed that this sample is also undetected by BAFS even when it is recognized in the cloud as malicious. I resubmitted this sample with a similar effect (cloud detection = malicious) to start a dispute about it. But after several days my submission is not finished - there is no final determination from the Microsoft analyst.
@SeriousHoax, can you still run this sample without Defender's detection?
@cruelsister, what was the cloud detection and final analyst's determination of your sample?
Last edited:
God I loved the background music. I believe I was listening rather than watching. I'd appreciate it if you share the track name if you don't mind @cruelsister cruel
- Jan 16, 2017
- 1,469
She has listed it on the video description.
- Mar 16, 2019
- 3,632
I found two more samples a few days ago with the same problem. According to the Microsoft analyst it's already detected by MD and the "Final determination" section also shows Malware, but they are not detected either by Cloud or Client. No detection even after execution.
What does it mean? Is it detected by their other products, like their Enterprise version? I don't understand. I submitted MSI based Magniber samples to them multiple times previously and signature were added quickly. So I don't know what's going on with the sample she tested.
If @cruelsister or anyone else can give me the sample, then I can submit to Microsoft again. I can make the sample checked by an analyst within 24 hours, but can't guarantee detection like the example I gave above.
- Apr 5, 2021
- 564
Well this does does look like a major blunder by MS. I remember some time ago @Local Host saying it's user's common sense and safe Internet habits - or at least something along those lines - that keep themselves safe, and not Windows Defender, and at the time I mostly disregarded the assertion, but now I think there's a lot of merit to his (or her?) comment.
- Jun 21, 2020
- 363
Its the best way of describing it. Good, healthy browsing habits is 70% of the way. The remaining being common sense, if it doesn't feel right, don't look right or don't smell right. Don't click it. And the last stretch being some protection help. We are all human after all, mistakes or miss clicks happen.
- Oct 6, 2021
- 155
Is KnowBe4 RanSim a reliable tool to test an antivirus? I mean if the final result of the test is to be taken seriously, if the antivirus has a bad result, look for another solution?Some time ago I tested Defender against KnowBe4 Ran Simulator. It uses a folder of files (documents, pictures, etc.) that are supposed to be encrypted. To make the tests quicker, I decreased the number of files in this folder. I noticed that the Defender postinfection detection did not work - all files were encrypted. After many tests, I used the full set of files, and in several cases, Defender stopped the process of encryption before it ended (not all files were encrypted).
So, the efficiency of post-execution/post-infection detection can be also related to the damage made by the malware. But, it is hard to be sure without inspecting the sample.
- Dec 23, 2014
- 8,114
I do not know a reliable tool to check the anti-ransomware protection.
KnowBe4 can test only some aspects of a ransomware attack. Furthermore, the AVs could stop (in theory) about 90% of ransomware attacks without detecting any ransomware payload (MSI or EXE). See for example:
Dark Web Research Suggests 87% of Ransomware Brands Exploit Malicious Macros
The findings uncovered 475 web pages of elaborate ransomware products and services
www.infosecurity-magazine.com
- Dec 23, 2014
- 8,114
Many MT members keep saying this for many years in relation to any AV. Strict protection at home is required for children and casual users. It is not required for others except if one likes such protection or wants to learn how security layers work.
For example, you used H_C and OSA. If you can predict that your actions will trigger the H_C or OSA blocks, then neither H_C nor OSA is necessary.
Last edited:
- Dec 23, 2014
- 8,114
I found a Magniber sample on Malware Bazaar which was detected by Defender on Virus Total in June (Trojan:Script/Phonzy.A!ml) and still can be run with fully activated Defender. It uses Fodhelper to bypass UAC, but this is stopped when UAC is on MAX. All Magniber samples on Malware Bazaar (checked yesterday) are one month or elder (I inspected 76 samples submitted from 01.06.2022).
It seems that these special samples mentioned by you, me, and @cruelsister, do not trigger the cloud check on execution.
Maginer, like most malware nowadays (especially the nastiest ones that evade protection), spreads exclusively via cracked/pirated/torrented and otherwise illegal software, avoid those and Windows Defender will be enough.
- Apr 1, 2017
- 1,760
What i learned from the video:
- Block at First Sight is just a marketing term from MS and it doesn't work in real world.
- WD is buggy and should be used with caution.
- Dec 23, 2014
- 8,114
Yes, I do not worry about Magniber - the attackers do not currently use MSI but rather CPL files. I worry that the method used by it can be adopted in the future also for other malware types. For now, Microsoft seems to ignore this danger.
Similar threads
