[CheckLab.pl] - Test of free antivirus
<blockquote data-quote="Andy Ful" data-source="post: 847521" data-attributes="member: 32260"><p>SmartScreen integrated with native Edge allows downloading files if they are not recognized as malicious. But it can block websites with a bad reputation (phishing or malware websites). So, an unrecognized malicious file can be downloaded (with MOTW) if the URL is not blocked. Next, the WD "Block at First Sight" is triggered to check the file against the cloud backend. In the real-world scenario, WD + Edge would block most samples on Level 1 (P1). In your test, all malicious samples were blocked by WD on Level 3 (P3).</p>
<p>At present, "Block at First Sight" can check portable executable files, scripts, and macros (also in archives).</p>
<p>If the file with MOTW is not recognized as malicious, then it can be executed and you will see the alert from the SmartScreen integrated with Explorer - the file reputation has been checked. If the user ignores this alert, then the file is finally executed. From this moment the SmartScreen and "Block at First Sight" are usually not triggered if the malware downloads payloads, because they are downloaded without MOTW. In fact, this was probably tested in your test. (y)</p>
<p>I can see three possibilities:</p>
<ol>
<li data-xf-list-type="ol">Do not change the methodology and do not test WD.</li>
<li data-xf-list-type="ol">Test WD with WDBP + keep MOTW of downloaded files.</li>
<li data-xf-list-type="ol">Test WD with WDBP (keep MOTW) and without WDBP (keep MOTW).</li>
</ol>
<p>I would prefer point 3, because it is easy to apply with your current methodology, it is the most informative to users, and <strong>it takes into account that WD is not an ordinary AV</strong> (it is preinstalled on Windows).</p>
<p>The requirement of keeping MOTW of downloaded files should probably be consulted with Microsoft. Before <a href="https://malwaretips.com/goto/post?id=847517" target="_blank">Evjl's Rain</a> tests on Malware Hub, I thought that the MOTW is not necessary when the file is executed and checked by the cloud backend (cloud-delivered protection). The tests confirmed that there is a difference due to "Block at First Sight", which can detect files on access, and was stronger than cloud-delivered protection in <a href="https://malwaretips.com/goto/post?id=847517" target="_blank">Evjl's Rain</a> tests. The tests were done some time ago, so this might be changed by Microsoft.</p></blockquote>
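The post's point that the test methodology should "keep MOTW of downloaded files" can be checked before a run: MOTW is the NTFS Zone.Identifier alternate data stream, and a sample that has lost it will never trigger the SmartScreen reputation alert or the MOTW-dependent "Block at First Sight" check described above. The script below is an added example, not code from the thread or from CheckLab.pl; it assumes the samples live under a path passed as <code>-SampleDir</code> and that ZoneId=3 (Internet) is what a browser download would have written.

```powershell
<#
  Audit a folder of test samples for the Mark-of-the-Web (Zone.Identifier ADS).
  Added example for the methodology discussion; -SampleDir is an assumed path.
  With -Stamp, files that have no MOTW get a ZoneId=3 stream re-applied so the
  test reproduces a real browser download rather than a local copy.
#>
param(
    [string]$SampleDir = "C:\Samples",   # assumed lab path, adjust as needed
    [switch]$Stamp
)

function Get-MotwZoneId {
    param([string]$Path)
    # Read the alternate data stream; a missing stream means no MOTW at all.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null   # stream exists but carries no ZoneId line
}

$report = foreach ($f in Get-ChildItem -LiteralPath $SampleDir -File -Recurse) {
    $zone = Get-MotwZoneId -Path $f.FullName
    if ($null -eq $zone -and $Stamp) {
        # Same stream content a download through the browser would leave behind.
        Set-Content -LiteralPath $f.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
        $zone = 3
    }
    $status = if ($null -eq $zone) { 'NO MOTW' }
              elseif ($zone -ge 3)  { 'MOTW (Internet/Restricted)' }
              else                  { 'MOTW (Local/Intranet)' }
    [pscustomobject]@{ File = $f.FullName; ZoneId = $zone; Status = $status }
}

# Anything reported as 'NO MOTW' would be executed in the test without the
# SmartScreen reputation check that a real download would receive.
$report | Sort-Object Status, File | Format-Table -AutoSize
```

Run it once without <code>-Stamp</code> to see which samples already lost their MOTW (copying via SMB or some archivers strips it), then with <code>-Stamp</code> if the chosen methodology is option 2 or 3 from the post.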