See post where question is explained: Block or fail?

  • Block

    Votes: 16 94.1%
  • Fail

    Votes: 1 5.9%
  • Total voters
    17

Windows_Security

Picture explains it all. In one of the test videos the tester's response after this block is to run the sample as admin, and it passes SRP. And Hard_Configurator allows it (because it is set up that way). Next, ransomware with admin rights destroys the system. What is the consensus of the members: Block or Fail?

 

Andy Ful

I would count it as a block.
It is a block for the user on SUA. It is a conditional block for users who know the admin password or use Admin account. This block schema is suited to Standard User Account (SUA), when the user does not know the admin password.
Most blocks are of conditional type, also when the malware is blocked by an AV. If the user can change the AV settings, then he/she can recover the file from the quarantine and even turn off the AV protection.

Edit
The problem is that for most people the protective value of AV detection will be greater than the protective value of administrative blocks.
 

Local Host

Block on Enterprise Environments.
Fail on Home Environments.

In Enterprise Environments these kinds of restrictions are normal, and most workers will be under a limited SUA.

However, in Home Environments the majority uses Admin accounts, and will run the file if they want to; there's no one stopping them.
 

shmu26

Block on Enterprise Environments.
Fail on Home Environments.

In Enterprise Environments these kinds of restrictions are normal, and most workers will be under a limited SUA.

However, in Home Environments the majority uses Admin accounts, and will run the file if they want to; there's no one stopping them.
If so, any AV that is not password-protected by an uncooperative admin should be considered a failure.
 

Fabian Wosar

From Emsisoft
Block. However, blocks aren't necessarily the only relevant metric here. Every single "anti-executable" will have a close to 100% block rate, but it also has a close to 100% false positive rate. Malware detection performance isn't just about how much was blocked, but also about how much was blocked that wasn't malicious.

I would argue that anti-executable or application restrictions like that are more compliance and policy enforcement tools than malware protection. They are useful in an enterprise environment (or maybe in a family environment with younger kids), because having a policy for your employees to not install or run their own programs is one thing; having a way to enforce that policy is another. It's in general always better to simply not allow people to do the wrong thing than it is to trust that they read the rules and remember them in the right situations.
 

Andy Ful

Here comes the difference between an AV telling you a file is malicious, and all files being blocked without being told whether they are malicious or not.

That is why Default Deny fails in Home Environments.
I would say that AV detection has a 99% protective block rate and a 1% fail rate. There are some people (let's assume 1% of users) who will run the crack even when the AV quarantines the file.
Default deny blocks have a much lower protective block rate if the user can bypass the block. As you correctly noticed, most users value AV detection over other conditional blocks.

Yet, if we consider that about 80% of malware is delivered as non-PE executables, then Default deny will block the PE executable payloads (not the initial malware). The user will not know how to run the payload, so the Default deny block will be effective anyway (80% protective block rate).

In the special case of SRP applied on Windows Home by family administrator, the user (child, grandma, etc.) cannot bypass the blocks, so the protective block rate will be close to 100%.

Edit.
It is true that a Default deny setup generally fails in the home environment, but the reason is rather the lack of knowledge about using Default deny and lower usability as compared to AV protection.
 

shmu26

That is why Default Deny fails in Home Environments.
This depends a lot on the particular home in question. It's hard to apply a sweeping statement like that to all cases. It also depends a lot on the particular default deny solution employed, because some solutions are much more user-friendly than others.

about 80% of malware is delivered as non-PE executables
Could you expand on that?
 

ichito

I think we should know what the tester wanted to achieve... what was the cause of such a test. If it was checking the protection of the system, it would be reasonable to decide on "block"... but if the main goal was to check the effects of infection, it would be useful to decide on "allow".
 

Fabian Wosar

From Emsisoft
It is an open question if we can talk about false positives in a default deny setup.
In the context of a malware protection test, there is no question that false positives and false negatives are both equally as important and therefore should be considered, as both have similarly bad impacts. IIRC there are studies done in enterprise environments, where the damage caused by false positives is even higher than by false negatives. But even in home environments, false positives cause major headaches. Best case it is an inconvenience. Worst case it renders your system unbootable.

That is of course under the assumption that this screenshot was from a malware protection test, but I am sure @Windows_Security will correct me if I am wrong.
 

Andy Ful

In the context of a malware protection test, there is no question that false positives and false negatives are both equally as important and therefore should be considered, as both have similarly bad impacts.
...
But even in home environments, false positives cause major headaches. Best case it is an inconvenience. Worst case it renders your system unbootable.
...
@Windows_Security will correct me if I am wrong.
You share the viewpoint of 99% of computer users, so one could say that you are 99% right.
One is probably 99% right too (except for the 1% who are vegetarians) by saying that a vegetarian diet has 100% false positives for meat meals.
The problem is that a false positive is related to false detection. If the user intentionally applied the default deny setup, it is not for malware detection. In fact, many of them do not use default deny when installing applications, so most false positives come from AVs anyway.
Furthermore, SRP and some other solutions can use default deny with admin bypass. This is especially useful in the home environment, and then the false positives for application installers and Windows Updates come from an AV.

Edit.
Post edited.
 

Djnjd09

It's a block, Windows Defender is your administrator! But there is the chance it's a false positive... But better safe than sorry! I would uninstall it if I were you!
 

Robbie

What good can any security software do if the final user just does whatever he wants?

The same case could be applied to Kaspersky with its Application Control. AC can blacklist a file for not being recognised. The user goes and manually unblocks it + executes it = infection. Kaspersky fail? No, user stupidity. There's no software good enough yet to help this kind.
 

shmu26

What good can any security software do if the final user just does whatever he wants?

The same case could be applied to Kaspersky with its Application Control. AC can blacklist a file for not being recognised. The user goes and manually unblocks it + executes it = infection. Kaspersky fail? No, user stupidity. There's no software good enough yet to help this kind.
It protects you against mistakes, and it protects you against sneaky attacks. Let's say my son thought he was doing me a favor for my birthday so he goes to KickAss Torrents and downloads the latest episode from my favorite TV series (just kidding, I don't even watch TV). I click on the video file, and the default deny starts going berserk.
I was protected.

That's what security software is supposed to do. It's not supposed to be a replacement for your brain or your conscience or whatever.
 

Freki123

Shouldn't "Block at first sight" create another warning message also? (Not sure if that was the default setting after install.)
 

Andy Ful

It's a block, Windows Defender is your administrator! But there is the chance it's a false positive... But better safe than sorry! I would uninstall it if I were you!
Shouldn't "Block at first sight" create another warning message also? (Not sure if that was the default setting after install.)
Why do you think that WD was used in the test?
 

Robbie

It protects you against mistakes, and it protects you against sneaky attacks. Let's say my son thought he was doing me a favor for my birthday so he goes to KickAss Torrents and downloads the latest episode from my favorite TV series (just kidding, I don't even watch TV). I click on the video file, and the default deny starts going berserk.
I was protected.

That's what security software is supposed to do. It's not supposed to be a replacement for your brain or your conscience or whatever.
Exactly. That's what "default-deny" means. It's not for regular users who will just disable it every time to install or allow crap. If you will disable anti-exe or SRP to install unknown software, then you're probably looking for sig-based software. But anyway, this user will still disable real-time protection, being sure it's a false positive, lol.