App Review Best Antivirus vs Windows Defender: What's the difference? (PC Security Channel)

Content created by
PC Security Channel

lockeddown

Level 1
Jan 9, 2025
20
I got a 2-year-old malware still undetected by Comodo and Windows Defender.
Digital Signature is made-up nonsense. o_O
 

RoboMan

Level 36
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,502
"I’m not quarreling with the proposition that the industry misses a lot of malware. That’s incontrovertible, when every day we’re dealing with close to 100,000 new malware samples. In fact, that sort of level of detection that NSS is talking about — 50 to 60 percent right out of the gate — sounds realistic to me."
Can't imagine a better way to say it. It's funny to see people claim an antivirus has a 99.8% detection rate because a testing lab published a sheet that says so. Even more, people comparing that 99.8% to a 95% and calling the latter a "useless antivirus".

This "real statistic" about the industry reinforces the fact that whitelist-based software is of huge importance, rather than the traditional blacklist approach.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,798
I got a 2-year-old malware still undetected by Comodo and Windows Defender.
Digital Signature is made-up nonsense. o_O

Most of the top AVs consider this sample harmless (Avast, Bitdefender, Kaspersky, McAfee, Sophos, ZoneAlarm). This happens when a rare sample is already inactive when it is submitted for analysis for the first time. It could be the initial part of an attack whose malicious actions were done in the wild by another file (usually downloaded from the Internet) that was removed from the attacker's server before the file was submitted. So most AVs cannot detect malicious actions because there are none. ESET and a few other AVs could see that sample when it was active and detected the malicious actions of the downloaded payload. Of course, it can also be a false positive.
 

lockeddown

Level 1
Jan 9, 2025
20
Hi dear friend.
Most of the top AVs consider this sample harmless
Because they are limited by design.
This happens when a rare sample is already inactive when it is submitted for analysis for the first time.
The specific sample was not submitted; it was created by me using a 15-year-old RAT and other software.
So most AVs cannot detect malicious actions because there are none.
Now that I have said that this is a RAT, please elaborate on how there are no malicious actions.
Did you mean that some AVs do not see those operations as malicious?
ESET and a few other AVs could see that sample when it was active
It was uploaded to a non-sharing site.
And I only targeted Comodo (no container or HIPS) for fun.
I will install ESET and try to bypass it.

Thank you for the reply. :)
 

Sorrento

Level 14
Verified
Top Poster
Well-known
Dec 7, 2021
673
Things have come a long way since the XP days with no firewall and terrible security. Microsoft receives a lot of hate and they deserve it, but implementing WD for free is one of their better decisions. Compare AV from 2001 to now and it's night and day how far protection has improved. AV was never meant to stop targeted attacks using zero-days, but it has been getting better over the last 20 years, and now campaigns last for hours, not days or months (rare these days), before being uncovered.

The problem with WD is whether, once Microsoft has crushed all of the competition, they will start charging for basic WD protection or new features. They have a history of abusing their power.
If history repeats itself, perhaps MS will charge for Defender. If that day arose, how many Defender users would continue to use it? I suspect most would jump ship and use another free AV solution.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,798
The specific sample was not submitted; it was created by me using a 15-year-old RAT and other software.
You added some new information about the sample:
  1. It was not submitted for analysis or run against AVs (except Comodo).
  2. It was modified by you.
This opens some new possibilities.
Did you try to analyze what it tried to do after the execution?
Without more information, the most probable explanation is that currently, that sample does not do truly malicious actions.
 

lockeddown

Level 1
Jan 9, 2025
20
Hello dear friend.
Just to clarify, I am not a programmer.
You added some new information about the sample:
  1. It was not submitted for analysis or run against AVs (except Comodo)
There is no reason to submit it, because the same file can be altered.
Imagine millions of copies of the same file, just altered.
So the reverse engineer will just reverse the same file over and over.
The picture shows it bypasses Windows Defender too.
Did you try to analyze what it tried to do after the execution?
The file only opens, without any startup or other things.
The processes can be closed and there will be no residue.
It is just obfuscated and protected by the other software I modified it with.
I can add startup and other things.
Without more information, the most probable explanation is that currently, that sample does not do truly malicious actions.
The file is used for malicious actions.
The main file is a RAT (remote admin tool) Trojan.
Not by me; I am just a tester.
I just wanted to show that there is no such thing as a digital signature.
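RoboMan's point above (whitelist-based software matters more than the blacklist approach) and lockeddown's point that the same file can be altered millions of times can be put side by side in code. The following is an added example, not code from either poster or from any AV product: the "sample" bytes and the crypter step are constructed stand-ins, and a pure hash-based allowlist or blacklist is a simplification of what real products do.

```python
import hashlib

# Constructed stand-in for a RAT build (not malware): a fake header plus filler.
ORIGINAL_BUILD = b"MZ\x90\x00" + b"constructed-rat-build " * 64
# Constructed stand-in for an application the administrator has approved.
TRUSTED_APP = b"MZ\x90\x00" + b"constructed-trusted-app " * 64


def sha256_hex(data: bytes) -> str:
    """Hash the bytes on disk, which is what a hash-based verdict keys on."""
    return hashlib.sha256(data).hexdigest()


def repack(data: bytes, variant: int) -> bytes:
    """Simulate one crypter/packer run.

    A real crypter re-encrypts the whole body and emits a new stub, so the
    bytes on disk change completely; here a tiny trailer is enough, because
    any single-byte difference already yields a different SHA-256.
    """
    return data + b"\x00variant:" + variant.to_bytes(4, "little")


def blacklist_verdict(data: bytes, known_bad: set) -> str:
    """Traditional AV logic: allow everything that is not on the bad list."""
    return "blocked" if sha256_hex(data) in known_bad else "allowed"


def allowlist_verdict(data: bytes, known_good: set) -> str:
    """Default-deny logic: allow only what was explicitly approved."""
    return "allowed" if sha256_hex(data) in known_good else "blocked"


def run_comparison(variants: int = 5) -> list:
    """Return (label, blacklist verdict, allowlist verdict) for each file."""
    known_bad = {sha256_hex(ORIGINAL_BUILD)}   # the one build the vendor has seen
    known_good = {sha256_hex(TRUSTED_APP)}     # the admin's approved hashes
    rows = [
        ("trusted app",
         blacklist_verdict(TRUSTED_APP, known_bad),
         allowlist_verdict(TRUSTED_APP, known_good)),
        ("original build",
         blacklist_verdict(ORIGINAL_BUILD, known_bad),
         allowlist_verdict(ORIGINAL_BUILD, known_good)),
    ]
    for v in range(1, variants + 1):
        sample = repack(ORIGINAL_BUILD, v)   # same payload, new hash every time
        rows.append((f"repacked #{v}",
                     blacklist_verdict(sample, known_bad),
                     allowlist_verdict(sample, known_good)))
    return rows


def blacklist_misses(rows: list) -> int:
    """Count files the blacklist let through that the allowlist stopped."""
    return sum(1 for _, bl, al in rows if bl == "allowed" and al == "blocked")


if __name__ == "__main__":
    for label, bl, al in run_comparison():
        print(f"{label:16} blacklist={bl:8} allowlist={al}")
```

Every repacked variant sails past the hash blacklist until a vendor has seen that exact build, while the allowlist never has to learn anything about it. The trade-off is on the other side: the allowlist blocks every unapproved legitimate program too, which is why this model suits a locked-down machine more than a typical home PC.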
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,798
The file is used for malicious actions.

It is the sample modified by you. Does anybody use it for malicious actions?
Many samples used in the wild can often be harmless after some time. It is a common behavior.
For example, it could be identified as malicious because of downloading a known malicious payload from a known malicious URL and then establishing a connection with the C2 server. Currently, the URL and IP of the C2 server have been forgotten and dead for 15 years, so the sample cannot do anything.
It is possible to make some of such samples "alive" by changing the hardcoded URL and IP (controlled by a malicious actor) and putting a new malicious payload there. But then, there would be a chance that the sample could be detected by other AVs.

Anyway, if you need more information about what the sample really does, you can upload the sample to online sandboxes or submit it for analysis as a false negative.
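Andy Ful's remark about the hardcoded URL and IP of a dead C2 server, and his earlier question whether the sample is persistent, describe the first static check an analyst runs on such a file: pull the clear-text strings and look for network indicators and persistence paths. The following is an added example, not from the thread or from any vendor tool. The sample bytes are constructed (a documentation-range address and an RFC 1918 address stand in for the C2), and the regular expressions are deliberately simple.

```python
import re
from typing import Dict, List

# Constructed stand-in for a sample's on-disk bytes (this is not malware).
# It embeds the artefacts an analyst looks for: an ASCII download URL, a
# UTF-16LE C2 URL on a documentation-range address (203.0.113.0/24), a LAN
# C2 address with port, and a Run-key path that hints at persistence.
CONSTRUCTED_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"http://cdn.example.invalid/update.bin\x00"
    + b"\x00" * 8
    + "http://203.0.113.7:8080/gate.php".encode("utf-16-le") + b"\x00\x00"
    + b"192.168.1.10:4444\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + bytes(range(128, 256)) * 2          # binary filler with no printable runs
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")            # like `strings -a`
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # like `strings -el`
URL_RE = re.compile(r"https?://[\w.-]+(?::\d{1,5})?(?:/[\w./%-]*)?")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b(?::\d{1,5})?"
)
PERSIST_RE = re.compile(r"CurrentVersion\\(?:RunOnce|Run)\b", re.IGNORECASE)


def extract_strings(blob: bytes) -> List[str]:
    """Return every ASCII and UTF-16LE run of six or more printable characters."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return found


def is_local_address(ip_port: str) -> bool:
    """RFC 1918 or loopback: a C2 on such an address never leaves the analyst's LAN."""
    first, second = (int(x) for x in ip_port.split(":")[0].split(".")[:2])
    return (first in (10, 127)
            or (first == 172 and 16 <= second <= 31)
            or (first == 192 and second == 168))


def extract_iocs(blob: bytes) -> Dict[str, List[str]]:
    """Group the network and persistence indicators found in clear-text strings."""
    urls, local, remote, persist = set(), set(), set(), set()
    for s in extract_strings(blob):
        urls.update(URL_RE.findall(s))
        for ip in IPV4_RE.findall(s):
            (local if is_local_address(ip) else remote).add(ip)
        persist.update(PERSIST_RE.findall(s))
    return {
        "urls": sorted(urls),
        "local_c2": sorted(local),
        "remote_c2": sorted(remote),
        "persistence_hints": sorted(persist),
    }


def triage(iocs: Dict[str, List[str]]) -> str:
    """The two questions asked in the thread: does it reach out, and does it persist?"""
    reaches_out = "yes" if (iocs["urls"] or iocs["remote_c2"]) else "no"
    persists = "yes" if iocs["persistence_hints"] else "no"
    return f"external contact: {reaches_out}; persistence hint: {persists}"


if __name__ == "__main__":
    found = extract_iocs(CONSTRUCTED_SAMPLE)
    for key, values in found.items():
        print(f"{key:18} {values}")
    print(triage(found))
```

Two caveats an analyst keeps in mind: this only sees what the crypter left in the clear, so a configuration that is decrypted at run time will not show up (which is exactly why the thread keeps pointing at a sandbox run), and the IPv4 pattern will also match version strings such as 1.2.3.4, so hits need a glance before they go into a report.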
 

lockeddown

Level 1
Jan 9, 2025
20
Hello, friend.
It is the sample modified by you. Does anybody use it for malicious actions?
I will clarify more.
"The sample" is made first from the main program, which is the RAT I have.
Then you can use different programs to make it look legitimate.
Many samples used in the wild can often be harmless after some time. It is a common behavior.
For example, it could be identified as malicious because of downloading a known malicious payload from a known malicious URL and then establishing a connection with the C2 server. Currently, the URL and IP of the C2 server have been forgotten and dead for 15 years, so the sample cannot do anything.
The file itself is the remote access Trojan, like on the left of the picture inside Sandboxie.
And on the right is the live PC with the RAT program; you cannot see the RAT program because I deleted some part of the picture.
There is no URL or IP of someone else, because it is locally made and then modified.
And you can find the RAT program online, but you need some time testing with the other programs
that obfuscate and protect the final executable.
It is possible to make some of such samples "alive" by changing the hardcoded URL and IP (controlled by a malicious actor) and putting a new malicious payload there. But then, there would be a chance that the sample could be detected by other AVs.
The final file is really hard; you will need to be a super reverse engineer to change the IP/port.
And you can create a new bypass every time, so if you think that the file is gonna be recognized,
you can remotely replace it.
Anyway, if you need more information about what the sample really does, you can upload the sample to online sandboxes or submit it for analysis as a false negative.
I know what the file does; I have been playing with sandboxes for over 15 years.

Great conversation. 😊
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,798

@lockeddown

If I correctly understand you used some programs to make a kind of FUD from the old RAT.

Does your sample download anything and connect to a live C2 server?
Is it persistent?
Could you submit it to Any.Run?

Edit (for readers).
By the way, Sandboxie is not a good program to expose the RAT behaviors. It is also not recommended for malware analysis, except if used in a Virtual Machine with a VPN.
Some malware can also infect the computers in the local network or even some computers of nearby Wi-Fi networks.
 

lockeddown

Level 1
Jan 9, 2025
20
@Andy Ful
It downloads nothing; it is a straight-up connection to the RAT on the Windows 7 VM.
After that you can download and execute other things.
The specific file is not persistent. Example: injection, startup, side-loading on every startup, like dropping another file that will execute it.
But I can add that.

You can use Buster Sandbox Analyzer for offline use.
And you can set up a specific honeypot; I forgot the name of the site that supplies it with the tools.

It is also not recommended for malware analysis, except if used in a Virtual Machine with a VPN.
Some malware can also infect the computers in the local network or even some computers of nearby Wi-Fi networks.
In that specific use case there is no need for a VPN; it's local, like 192.168.1.1.
I know all of those things 😊, but still a good reminder for starters. :geek:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,798
It is hard to figure out why the sample is undetected by top AVs, without a more exhaustive analysis.
It is still possible that AVs can block/detect it after execution.
Did you submit the sample to Any.Run?
 

lockeddown

Level 1
Jan 9, 2025
20
Did you submit the sample to Any.Run?
Proof that Windows Defender did nothing.
Comodo too; I will record the proof if you want.
I am not submitting because there is no reason to.
It will just be modified by another software combo and configuration.
Like I said, the same file, just altered millions of times.
Imagine a reverse engineer getting the same file month after month with different protections. :eek:
He will quit the job, haha.
Or better, he will get a raise for extra hours
disassembling the same file. :LOL:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,798
Proof that Windows Defender did nothing.
Comodo too; I will record the proof if you want.

It is not necessary. Your proof may be interpreted as the FUD sample doing nothing, unless you show malicious changes, data leaks, etc.
That is why submission to online analysis could be helpful.
Of course, you are not obliged to do so. We know that AVs can miss many FUD samples. (y)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,798
Imagine a reverse engineer getting the same file month after month with different protections. :eek:
He will quit the job, haha.

Some custom and non-prevalent FUDs can bypass most AVs. Anyway, most run-time FUDs can be detected by a combination of Machine (Deep) Learning, cloud sandboxes, code emulation, etc. The analysts may bother to reverse engineer the crypter software when it becomes sufficiently prevalent.
 

lockeddown

Level 1
Jan 9, 2025
20
It is not necessary. Your proof may be interpreted as the FUD sample doing nothing, unless you show malicious changes, data leaks, etc.
The test that I did was on the local machine: file transfer, deletion, sending commands, and so on and so forth.
I feel like you want something special that I cannot provide, sorry. :oops:
 

lockeddown

Level 1
Jan 9, 2025
20
Some custom and non-prevalent FUDs can bypass most AVs. Anyway, most run-time FUDs can be detected by a combination of Machine (Deep) Learning, cloud sandboxes, code emulation, etc. The analysts may bother to reverse engineer the crypter software when it becomes sufficiently prevalent.
Now you are talking about locked-down software with advanced configuration and an expert IT man sitting behind you.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,798
The test that I did was on the local machine: file transfer, deletion, sending commands, and so on and so forth.
I feel like you want something special that I cannot provide, sorry. :oops:

I believe you. :)
I think that your RAT can be undetected by top AVs because the C2 server is local and the sample is not persistent.

Now you are talking about locked-down software with advanced configuration and an expert IT man sitting behind you.

No. For example, the current version of Avast can block most FUDs via CyberCapture. Many FUDs use old or rarely updated crypters and can be detected by Microsoft Defender and some other AVs via Machine Learning and code emulation. Of course, many FUDs can bypass such security. But those bypasses are removed after a short time, so the crypters must be updated daily to produce true FUDs. After some time, the crypter is useless, and a new crypter is developed.

I am talking about the regular home user, and you have like 1 billion of those or more.

All that I posted was related also to home users.
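Andy Ful's two posts above say that run-time FUDs are caught by a combination of machine learning, cloud sandboxes and code emulation, and that a crypter goes stale once its output has been seen. One of the cheapest signals feeding such a pipeline is byte entropy: a crypter's output is mostly encrypted payload behind a small stub, and encrypted data looks like random bytes on disk. The following is an added example of that single heuristic. It is not code from the thread, from Microsoft, Avast or any other vendor, and it does not describe how those products actually decide; both inputs are constructed, with a seeded generator standing in for the encrypted body.

```python
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, size: int = 512) -> List[Tuple[int, float]]:
    """Entropy of each fixed-size window, tagged with its file offset."""
    return [(off, shannon_entropy(data[off:off + size]))
            for off in range(0, len(data), size)]


def high_entropy_ratio(data: bytes, size: int = 512, threshold: float = 7.0) -> float:
    """Fraction of windows that look encrypted or compressed."""
    chunks = chunk_entropies(data, size)
    if not chunks:
        return 0.0
    return sum(1 for _, e in chunks if e >= threshold) / len(chunks)


def verdict(data: bytes) -> str:
    """Turn the ratio into the decision an analyst pipeline would route on."""
    ratio = high_entropy_ratio(data)
    if ratio >= 0.5:
        return "likely packed/encrypted body: needs emulation or a sandbox run"
    if ratio > 0.0:
        return "mixed: partly compressed/encrypted, static strings may still help"
    return "plain: strings and static analysis should be productive"


# --- constructed inputs (no real binaries involved) ---
_rng = random.Random(20250109)   # fixed seed so the example is reproducible


def constructed_crypted_body(n: int = 8192) -> bytes:
    """Stand-in for crypter output: a short clear-text decrypt stub followed by
    pseudo-random bytes, which is what an encrypted payload looks like on disk."""
    stub = b"MZ\x90\x00" + b"decrypt-stub " * 20
    return stub + bytes(_rng.getrandbits(8) for _ in range(n))


def constructed_plain_body(n: int = 8192) -> bytes:
    """Stand-in for an unpacked binary: import names and a registry path repeat,
    so every window stays far below the threshold."""
    text = (b"GetProcAddress LoadLibraryA CreateRemoteThread "
            b"Software\\Microsoft\\Windows\\CurrentVersion\\Run ")
    return (text * (n // len(text) + 1))[:n]


if __name__ == "__main__":
    for name, body in (("crypted", constructed_crypted_body()),
                       ("plain", constructed_plain_body())):
        print(f"{name:8} ratio={high_entropy_ratio(body):.2f}  {verdict(body)}")
```

High entropy alone is not a malware verdict: legitimate installers, compressed resources and UPX-packed utilities trip the same threshold. That is why a product treats it as one feature among many and escalates to emulation or a cloud sandbox, where the stub has to decrypt and run the real payload, which is the stage a fresh crypter buys time against and a stale one does not.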
 

lockeddown

Level 1
Jan 9, 2025
20
@Andy Ful
If Windows Defender is using local sandbox emulation, it failed.
To my knowledge, for Windows Defender to upload the sample,
either the user does that manually or the AV alerts and then the user does that.
Here Defender and the firewall didn't alert,
while at Comodo the firewall alerted because of my settings.
 
