App Review Best Antivirus vs Windows Defender: What's the difference? (PC Security Channel)

Content created by
PC Security Channel

Andy Ful (From Hard_Configurator Tools)
If Windows Defender is using local sandbox emulation, it failed

Code emulation is different from sandboxing. But it is not important; Defender failed anyway (it is not unusual even for top AVs).
If I recall correctly, Microsoft Defender can also use a cloud sandbox. But this would require advanced settings and using the Windows Enterprise edition.
Advanced settings are also required to use the full strength of the cloud backend.
 
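The "advanced settings" for the cloud backend mentioned above are ordinary Defender preferences that a consumer can set. The following is an added example for this thread, not a post from it: it reads the current cloud-related settings, raises them from their defaults with documented Set-MpPreference parameters, and then checks whether Smart App Control is active. It assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus active; the registry value used for the Smart App Control check is an assumption noted in the code. It does not enable any enterprise-only cloud sandbox.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell session on
# Windows 10/11 with Microsoft Defender Antivirus active and the Defender module
# (Get-MpPreference / Set-MpPreference) available.

# 1. Baseline: the cloud-related settings as they are right now.
Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent, CloudBlockLevel,
    CloudExtendedTimeout, DisableBlockAtFirstSeen, PUAProtection | Format-List

# 2. Turn the cloud backend up. Each line is one documented Set-MpPreference parameter.
Set-MpPreference -MAPSReporting Advanced               # 2: join MAPS with full reporting; cloud lookups need this
Set-MpPreference -SubmitSamplesConsent SendAllSamples  # 3: allow unknown files to be uploaded for cloud analysis
Set-MpPreference -DisableBlockAtFirstSeen $false       # keep "block at first sight" on
Set-MpPreference -CloudBlockLevel High                 # 2: act on cloud verdicts more aggressively (HighPlus=4, ZeroTolerance=6)
Set-MpPreference -CloudExtendedTimeout 50              # wait up to 50 extra seconds for a cloud verdict before releasing a file
Set-MpPreference -PUAProtection Enabled                # 1: also block potentially unwanted applications

# 3. Verify the change took.
Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent, CloudBlockLevel,
    CloudExtendedTimeout, DisableBlockAtFirstSeen, PUAProtection | Format-List

# 4. Smart App Control state. Assumption: the state is exposed in this Code Integrity
# policy value (0 = off, 1 = on, 2 = evaluation mode). The value only exists on
# Windows 11 builds that ship Smart App Control.
$sac = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
    -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue
if ($sac) { "Smart App Control state: $($sac.VerifiedAndReputablePolicyState)" }
else      { "Smart App Control: not available on this build" }
```

Two caveats a practitioner will hit: Tamper Protection can reject Set-MpPreference changes to cloud settings (turn it off temporarily in the Windows Security app, change the setting, turn it back on), and a higher CloudBlockLevel raises the false-positive rate, which is exactly the trade-off the next post describes as "aggressive".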

Vitali Ortzi
The test that I did was on the local machine: file transfer, deletion, sending commands, and so on and so forth.
I feel like you want something special that I cannot provide, sorry :oops:
Basically you had a shell and were able to do at least limited operations without behavior monitoring flagging the operation as malicious.

So it's something you made, so there is no signature; the behavior wasn't malicious enough for the AV software to filter it, and since AV software by default is configured to have low false positives, it is auto-allowed based on emulation, behavior, signatures and maybe more tricks depending on the AV.

The reason Andy asked for an any.run is that the sandbox automates every action of an executable or command and shows which MITRE tactics were used, and it helps a lot in understanding if and which malicious behaviors are used.

You're totally correct that default settings, especially on Defender,
allow a shell even with privileges, and future malicious behavior can be executed (no malicious behavior at first).

Yes, it is a security issue and there is no solution that isn't aggressive. Microsoft is working on VBS and adminless (security by default), which should not allow privileged access (under VBS, standard user privileges or lower).
Unfortunately the solution Microsoft is working on is aggressive, but it should make Windows more like other consumer OSes such as Chrome OS, Android and iOS, where every third-party process is restricted in a sandbox with limited permissions.
 

Vitali Ortzi
Code emulation is different from sandboxing. But it is not important; Defender failed anyway (it is not unusual even for top AVs).
If I recall correctly, Microsoft Defender can also use a cloud sandbox. But this would require advanced settings and using the Windows Enterprise edition.
Advanced settings are also required to use the full strength of the cloud backend.
Specifically, it is understandable that this setting is paid, as a cloud sandbox is expensive to run, but they should have more enterprise options available to consumers, even at a cost, as Defender ATP is an insanely good product.
 

Vitali Ortzi
Now you are talking about locked-down software with advanced configuration and an expert IT man sitting behind you.
Emulation and behavioral/dynamic analysis are done by the majority of AV software, and cloud sandbox emulation is done by a few consumer AVs too (ESET, Check Point and a few others).

So a good amount of zero-day malware in the wild can get detected by those modules, sometimes before a user executes the sample himself (some AV software sends the sample to a sandbox or emulates it locally on first sight).
 

Vitali Ortzi
I got a 2-year-old malware sample that is still undetected by Comodo and Windows Defender.
Digital signature is made-up nonsense. o_O
[attachment 287062]
The AVs that detected it above did so with these signatures: Kryptik (ESET), Malpack (Malwarebytes), etc., based on it being obfuscated. It seems Defender didn't detect it because the sample is obfuscated and no malicious behavior was shown, so it's treated as intended behavior unless it shows a malicious action.
 

Andy Ful (From Hard_Configurator Tools)
Specifically, it is understandable that this setting is paid, as a cloud sandbox is expensive to run, but they should have more enterprise options available to consumers, even at a cost, as Defender ATP is an insanely good product.

They decided to introduce Smart App Control :) .
It is incredibly effective against FUDs that could affect non-enterprise users.
 

Andy Ful (From Hard_Configurator Tools)
@lockeddown

Home users can be mainly protected against such threats by Defender + SmartScreen (or Smart App Control). You can use the RunBySmartscreen tool to check it (a simulation of running the sample downloaded from the Internet).
It would also be interesting to test this sample against top AVs (Kaspersky, F-Secure, Norton, etc.) installed on the computer. The detections on VirusTotal are not so effective. :)
 

lockeddown
1. You can bypass SmartScreen (I did not test it).
2. You can download it if you bind it to another file: media, EXE, or document (or even without binding it).
3. In the meantime I tried to bypass ESET on max config and didn't succeed; it hunted it on the spot (I am not using any special ESET bypass tool).
 

Andy Ful (From Hard_Configurator Tools)
1. You can bypass smart screen ...

There were some bypasses (currently patched) mainly related to the "Mark of the Web" (MotW) issues. But they did not bypass RunBySmartScreen. SmartScreen has known limitations, so it must be used in addition to the AV. Its effectiveness is similar to Avast's CyberCapture (cloud sandbox).
The Smart App Control protection of PE files (EXE, DLL, etc.) cannot be bypassed via MotW issues. However, the protection against other potentially dangerous file types (scripts, shortcuts, etc.) can be bypassed in this way.
 
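The "Mark of the Web" that SmartScreen and Smart App Control key on, and that RunBySmartscreen simulates, is nothing more than an NTFS alternate data stream. The following is an added example for this thread, not a post from it or part of any of the tools named above: it stamps a constructed file the way a browser does, reads the mark back, and then shows the two ways the mark is lost (a byte-only copy, as happens through FAT32/exFAT volumes and many archive extractors, and an explicit unblock). It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the file names are constructed and the two-byte 'MZ' stub is not a real PE, so nothing is executed.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ on an NTFS volume.
# File names and contents are constructed for the demo; the 'MZ' stub is not a real PE.

$sample = Join-Path $env:TEMP 'motw-demo.exe'
$bytes  = [byte[]]::new(64); $bytes[0] = 0x4D; $bytes[1] = 0x5A   # "MZ" + zero padding
[IO.File]::WriteAllBytes($sample, $bytes)

# The mark is an alternate data stream named Zone.Identifier. Browsers and mail clients
# write it on download; ZoneId 3 = Internet, 4 = Restricted. Stamp the file the same way.
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

function Get-ZoneId {
    # Returns the ZoneId from the Zone.Identifier stream, or $null if the file carries no mark.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null   # no such stream: the file is not marked
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

"Marked file: ZoneId = $(Get-ZoneId $sample)"   # 3: Explorer hands this file to SmartScreen on launch

# A byte-only copy carries the primary stream but not the ADS. This is what happens when the
# file passes through a FAT32/exFAT volume or a container/extractor that does not propagate MotW.
$copy = Join-Path $env:TEMP 'motw-demo-copy.exe'
[IO.File]::WriteAllBytes($copy, [IO.File]::ReadAllBytes($sample))
"Byte copy:   ZoneId = $(Get-ZoneId $copy)"     # empty: no mark, so no SmartScreen prompt at all

# What the "Unblock" checkbox (or Unblock-File) does: it deletes the stream, nothing else.
Unblock-File -LiteralPath $sample
"Unblocked:   ZoneId = $(Get-ZoneId $sample)"   # empty

Remove-Item -LiteralPath $sample, $copy -ErrorAction SilentlyContinue
```

The stream is only the trigger: once Explorer sees a ZoneId of 3 or higher it asks the SmartScreen cloud service about the file's reputation, and that lookup is what RunBySmartscreen exercises. The MotW bypasses referred to above worked by arriving without the stream (as the byte copy does here), which is also why Smart App Control's policy on PE files, which does not depend on the stream, is not affected by them.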
