[CheckLab.pl] - Test of free antivirus

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
173
here you are, this is my test on Windows 10 x64 v1903 in VMware
Browser: Google Chrome (latest)
AV: No AV - WD was disabled using Defender Control v1.5 (sordum.org)

I downloaded OOshutup from majorgeeks. MOTW was present
I also tried to download a .msi file (0patch) from their website, MOTW was present


OK. In your case WD is/was installed anyway. It seems that another option, available in Group Edit / Windows Component, is probably responsible for MOTW being enabled. Disabling WD probably doesn't matter. So we have different results...
 

Adrian Ścibor

It is probably not SmartScreen, but WD Block at First Sight feature. (y)

According to this article, the Block at First Sight in Windows 10 is not really crossed with SmartScreen?

The official document signed by Microsoft also does not contain any details about SmartScreen with Block at First Sight.

To activate or deactivate Block at First Sight you have to enable/disable WD and the cloud-delivered protection.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Adrian Ścibor,
Please look at the Registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
and
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments

If there is a value SaveZoneInformation = 1 (Reg_DWORD), then the MOTW will be skipped.
If this value does not exist or SaveZoneInformation = 2, then MOTW will be added.
The behavior of skipping MOTW may also be a leftover after some uninstalled security application. In Windows default settings the SaveZoneInformation value does not exist.
 

Andy Ful

According to this article, the Block at First Sight in Windows 10 is not really crossed with SmartScreen?
...
To activate or deactivate Block at First Sight you have to enable/disable WD and the cloud-delivered protection.
SmartScreen is independent of BAFS and vice versa. SmartScreen can work if WD is disabled and another AV is installed, except when something disables SmartScreen.
BAFS will not work if you disable WD real-time protection. You do not have to disable WD.
Skipping MOTW is not related to the browser. If I recall correctly, Chrome uses the IAttachmentExecute interface and Firefox adds MOTW to the file by writing the Alternate Data Stream directly. MOTW is skipped when the appropriate Policy is applied, or it can be removed by the AV after the file is downloaded to avoid SmartScreen integrated with Explorer.
 

Adrian Ścibor

The Zone setting is at the default value of 3 on our machines. It means that it is enabled.

 

Andy Ful

The Zone setting is at the default value of 3 on our machines. It means that it is enabled.

Windows Policies can also be applied by direct Registry changes, and this will not be visible when using Gpedit because a Group Policy Object was not used. You have to look at the appropriate Registry keys to be sure.
 

Andy Ful

In the registry the value is set as 3 also.
This is a non-standard value, so it was written by the security application. It does not force skipping MOTW on my machine. You can try to delete this value to see what will happen.

Adrian, you just need to utilize Andy as an advisor for the next test.

That's all.

You guys are probably neighbors..
I like to post about Windows in English.:sneaky:
 

Mjolnir

Level 2
Verified
Jul 4, 2019
69
Gentlemen...let me ask a very simple and straightforward question - if I am using Norton internet security - NO browser extensions - to receive MOTW do I have to use MS EDGE or will MOTW show up with Chrome as well. Please keep the answer as simple as possible.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Gentlemen...let me ask a very simple and straightforward question - if I am using Norton internet security - NO browser extensions - to receive MOTW do I have to use MS EDGE or will MOTW show up with Chrome as well. Please keep the answer as simple as possible.
If it is downloaded via Chrome, not any other download manager, then it should work. Test it yourself by downloading a file, then check its properties, and if there's an unblock option then it's working.
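
The two checks discussed in this thread, as an added example that is not part of any post: it reads SaveZoneInformation from both Attachments policy keys and reports whether a downloaded file carries the Zone.Identifier alternate data stream (the MOTW behind the "Unblock" option). The function names and the sample path are hypothetical, and the meaning assigned to each SaveZoneInformation value follows Andy Ful's post above.

```powershell
# Added example. Function names and the sample path are hypothetical.
# Interpretation of SaveZoneInformation is taken from the thread:
# 1 = MOTW skipped; absent or 2 = MOTW added; anything else is non-standard.
function Get-SaveZoneInformationPolicy {
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments'
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$sub"
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # Returns nothing (so $value stays $null) when the value does not exist
            $value = (Get-ItemProperty -LiteralPath $path -Name SaveZoneInformation `
                        -ErrorAction SilentlyContinue).SaveZoneInformation
        }
        if ($null -eq $value)  { $meaning = 'value absent (Windows default): MOTW is added' }
        elseif ($value -eq 1)  { $meaning = 'MOTW is skipped' }
        elseif ($value -eq 2)  { $meaning = 'MOTW is added' }
        else                   { $meaning = 'non-standard value, check which application wrote it' }
        [pscustomobject]@{ Key = $path; SaveZoneInformation = $value; Meaning = $meaning }
    }
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW is stored on NTFS as the alternate data stream "Zone.Identifier"
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($stream) {
        foreach ($line in Get-Content -LiteralPath $Path -Stream 'Zone.Identifier') {
            # ZoneId=3 is the Internet zone
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }
    }
    [pscustomobject]@{ Path = $Path; HasMotw = [bool]$stream; ZoneId = $zoneId }
}

# Policy state in both hives
Get-SaveZoneInformationPolicy | Format-Table -AutoSize

# Hypothetical file name: point this at a file just downloaded with the browser under test
$sample = Join-Path $env:USERPROFILE 'Downloads\example.msi'
if (Test-Path -LiteralPath $sample) { Get-MarkOfTheWeb -Path $sample }
```

Running the file check right after the download and again a few seconds later shows whether something removed the stream after the browser wrote it.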
 
