A Microsoft Defender Follow-up
<blockquote data-quote="Andy Ful" data-source="post: 998317" data-attributes="member: 32260"><p>Thanks for the interesting video. It is obvious that in the test the file is not locked and auto-submitted to the cloud (there is no alert). Somehow, this sample is not recognized as suspicious by the local AI. I can confirm that it can rarely happen for some samples. For example, in the past year I created a POC that did the same.</p><p>This sample is special because the Defender post-infection detection did not work for it. In my tests and the tests of some other MT members, the Defender can usually recognize that the missed sample is malicious by monitoring the malicious actions and sending the telemetry to the cloud. This can take several minutes, so in the case of ransomware the first victim (@cruelsister) is lost, but others can be saved. I am not sure why this sample is so special and still ignored by Defender.</p><p>It would be good to test this sample on Malware Hub. I can also look at it to see why it is so troublesome for Defender. (y)</p></blockquote>