Need somebody else to test VirusCope's abilities. Had no time to run hundreds of files one by one.
| Folder Name | Total Files Before Scan | Total Files After Scan | Detection rate in % |
| --- | --- | --- | --- |
| Clean | 2202 | 1954 | 11.26 |
| Malware | 1049 | 106 | 89.89 |
| PUP | 1065 | 17 | 98.40 |
| Sensitivity | Low | Medium | High |
| --- | --- | --- | --- |
| Clean | 2.4% | 21.75% | 45.77% |
| PUP | 64.3% | 97.37% | 99.34% |
| Malicious | 33.71% | 87.52% | 97.14% |
| Folder Name | Total Files Before Scan | Total Files After Scan | Detection Rate in % |
| --- | --- | --- | --- |
| Clean | 2202 | 1825 | 17.12 |
| Malware | 1049 | 38 | 96.37 |
| PUP | 1065 | 29 | 97.27 |
> I tried to test Windows Defender's detection rate but it was taking too long and also the UI crashed every time I clicked Protection history which is a known bug

This is fixable:
| RogueKiller | MalPE off | MalPE on |
| --- | --- | --- |
| Clean | 0.45% | 17.3% |
| PUP | 0.093% | 8.9% |
| Malicious | 4.28% | 19.14% |
| MalwareBytes | - | AI on (default setting) | AI / Expert system algorithms on |
| --- | --- | --- | --- |
| Clean | 9.17% | 13.71% | 13.76% |
| PUP | 96.61% | 98.78% | 98.97% |
| Malicious | 73.61% | 89.52% | 89.52% |
> This is fixable:
> The db file will be regenerated at the next start.
> - Launch the command prompt via Safe Mode
> - Enter the following command in the prompt: `del "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"`
> - Reboot
> For me that fixed the UI crash.
> Source:
> Deleting the Windows Defender protection history does not work
> Hello, I would like to delete the protection history in Defender on my machine (W10/Version1909-18363.628) for the sake of clarity. All the tips from the web (including Deskmodder), via PowerShell or deleting the entry under C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service... www.computerbase.de

There's another easier way. Disable Tamper Protection, then delete everything inside this folder "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service", and then enable Tamper Protection again.
> The vendor believed that cracks, keygens, trainers, etc. should only be considered malware if they exhibit malicious behaviors on the actual endpoint. I personally believed, and still believe today that if a file contains any malicious code, it cannot be considered Safe, simply because we have no idea what else it might contain.

I agree with the vendor. I think it's reasonable to classify cracks which do nothing malicious as safe, or, as is sometimes the case, identify them as cracks. I do however understand that antiviruses often identify cracks as malware due to their heuristics, rather than intentionally identifying cracks with signatures.
> There's another easier way. Disable Tamper Protection then delete everything inside this folder "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service" and then enable Tamper Protection again.

These large packs are a bit overwhelming for both testers and antiviruses. That's why in my opinion, it's better to do a test with 30-40 samples that you've analysed and know are actively working, scan them quickly, and execute the rest.
Anyway, this bug has been known for a long time. I'm disappointed that it hasn't been fixed yet. The UI needs some change. The Protection History UI management is awful.
> I tried to test Windows Defender's detection rate but it was taking too long and also the UI crashed every time I clicked Protection history which is a known bug. I also made the mistake of extracting it into my HDD instead of SSD. I waited more than 2 hours and only 20% of threats were removed by that time, so it would have taken 6-7 hours more maybe. Lol. Couldn't afford to wait that long. Anyway, scanning and deleting over 4000 malwares all at a time is not ideal in any universe, so I'll not blame WD too much for taking time.

Yeah, it would be extremely interesting how WD does with these samples... especially the PUP samples with PUP detection ON vs OFF. But it will probably be a chore with WD, it is not the easiest to test. I might fire up a VM and work on it a little each day. We should have the results by Christmas.
> I agree with the vendor. I think it's reasonable to classify cracks which do nothing malicious as safe, or, as is sometimes the case, identify them as cracks. I do however understand that antiviruses often identify cracks as malware due to their heuristics, rather than intentionally identifying cracks with signatures.

Yeah, I can certainly see both sides.
I've tried downloading from your Google Drive link, but I had issues downloading yesterday, and as of now Google has temporarily suspended downloading due to the number of times it's been downloaded. Anyway, I'll try again later.
> These large packs are a bit overwhelming for both testers and antiviruses. That's why in my opinion, it's better to do a test with 30-40 samples that you've analysed and know are actively working, scan them quickly, and execute the rest.

Yeah, malware testing is not as easy as it looks. And when YouTube testers download massive email attacks to test, and do not remove the duplicates or check to see if each file is in fact real malware, then the results may not be all that accurate. Supposedly these samples are highly vetted and classified correctly, which is one reason they are interesting.
> Hi Guys! One thing that could be noticed on a quick perusal of the files contained in the Malware directory is that all of the files are exe's. As there are just oodles of malicious files that exist in other formats, this should be kept in mind for anyone testing.
> Product X may be the Cat's Meow against PE32 malware, but may be wretched against vbs worms.

Thanks!
> Hi Guys! One thing that could be noticed on a quick perusal of the files contained in the Malware directory is that all of the files are exe's. As there are just oodles of malicious files that exist in other formats, this should be kept in mind for anyone testing.
> Product X may be the Cat's Meow against PE32 malware, but may be wretched against vbs worms.

Very true, and I hear that WV does quite well with non-PE32 malware. But this sample set was created to test ML/AI efficacy, so it only contains exe binaries. Finding tens of thousands of non-PE32 malware samples to build training data sets has always proved to be challenging, which is probably why most ML/AI products focus on PE32 malware. If you happen to have a good source for non-PE32 malware I would love to know about it!
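As an added example (not code from the thread or from any product discussed in it), a small Python inventory script covering the two sanity checks raised above: deduplicate a sample folder by SHA-256 and confirm that each unique file really is a PE32 binary rather than, say, a script, then compute the "Detection rate in %" figure the tables use from before/after file counts. The folder it builds is constructed from harmless header stubs, not real samples; the hypothetical function and file names are mine.

```python
import hashlib
import os
import struct
import tempfile

def is_pe32(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def inventory(folder: str) -> dict:
    """Count files, dedupe by SHA-256 and split the unique samples into PE32 / non-PE."""
    seen = {}
    total = 0
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        total += 1
        with open(path, "rb") as f:
            data = f.read()
        seen.setdefault(hashlib.sha256(data).hexdigest(), is_pe32(data))  # first copy wins
    pe = sum(1 for flag in seen.values() if flag)
    return {"total": total, "unique": len(seen), "duplicates": total - len(seen),
            "pe32": pe, "non_pe": len(seen) - pe}

def detection_rate(before: int, after: int) -> float:
    """Percentage of files the scan removed, the figure the tables above report."""
    if before <= 0:
        return 0.0          # empty folder: nothing to detect, avoid a ZeroDivisionError
    return (before - after) / before * 100

def build_demo_folder() -> str:
    """Constructed sample set (no real malware): PE header, its copy, a DOS-only MZ stub, a script."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew: PE signature follows the DOS header
    pe = bytes(stub) + b"PE\x00\x00" + b"\x00" * 20
    folder = tempfile.mkdtemp(prefix="samples_")
    for name, data in [("a.exe", pe), ("a_copy.exe", pe),
                       ("dos_only.exe", bytes(stub)), ("worm.vbs", b"WScript.Echo 1\r\n")]:
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return folder

if __name__ == "__main__":
    print(inventory(build_demo_folder()))       # total 4, unique 3, duplicates 1, pe32 1, non_pe 2
    print(detection_rate(1049, 106))            # 89.89..., the Malware row of the first table
```

Run it against the real Clean/Malware/PUP folders before scanning and again afterwards; the duplicate count tells you how much a "4000 samples" pack actually shrinks once repeats are removed.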
> Very true, and I hear that WV does quite well with non-PE32 malware. But this sample set was created to test ML/AI efficacy, so it only contains exe binaries. Finding tens of thousands of non-PE32 malware samples to build training data sets has always proved to be challenging, which is probably why most ML/AI products focus on PE32 malware. If you happen to have a good source for non-PE32 malware I would love to know about it!

I author it myself sometimes; when I'm lazy I use any.run and Hybrid Analysis. Non-PE malware is centred around 2 concepts: concealed downloading and concealed dropping. It's not too rich in functionality, but the form varies. With one obfuscator you can create thousands of forms that can be used to train ML, but they are easiest to block in real-time.
> I author it myself sometimes; when I'm lazy I use any.run and Hybrid Analysis. Non-PE malware is centred around 2 concepts: concealed downloading and concealed dropping. It's not too rich in functionality, but the form varies. With one obfuscator you can create thousands of forms that can be used to train ML, but they are easiest to block in real-time.

Hmmm, very interesting. What obfuscator do you recommend? I would love to play around with this. My initial thought is that it would not produce a diverse enough (or even realistic / effective) training data set, but I would like to play around with it out of curiosity.
Java is an exception.