Do you really understand AV test results?

Rebsat

Level 6
Verified
Well-known
Apr 13, 2014
254
Yes. Any SRP solution (AppGuard, Hard_Configurator, SSRP, SRP via GPO, SRP reg tweaks). But, this is a prevention type solution = 'do not open/execute to be safe'.
Most people do not like prevention.

Do you think that what our respected member @Evjl's Rain did for his Avast free AV by adding some custom extensions in "Scan when opening":
.js, .jse, .jsw, .bat, .cmd, .scr, .ps1, .vbs, .hta, .vbe, .wsf
will be enough to protect Avast free AV users from those scripts and scriptlets you talked about?
Link:
SECURE - Evjl's Rain's security config
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Every test shows that Kaspersky is one of the best AVs.:)


Kaspersky doesn't have any weak link in its foundation; it has a very powerful emulator, great signatures, fast reaction, powerful behavior blocker and HIPS-like functionality, advanced cloud protection with AI and machine learning (the famous post-infection "signature" UDS: DangerousObject.Multi.Generic).
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I think Avast is not far away from Kaspersky? Anyone agree with me?
Look at the malware hub testing here on MT. It tells you much better about how AVs handle zero-day malware. However, you have to take into account what settings are used in the tests. Sometimes, Kaspersky is tested with TAM enabled, if I am not mistaken. There are other AVs that are sometimes tested with specially tweaked settings. These tweaks can make a big difference.
 
D

Deleted member 65228

The malware that Opcode created to bypass vs?
Artificial Intelligence scanning for static analysis looks at a file and compares it to another combination of files. It basically checks how close it is to the trained files or not... This means the goal is to make the Portable Executable look as genuine as possible, so it doesn't match closer to malicious trained files or it looks closer to safe trained files.

You also need to remember that with VoodooShield specifically, the entropy is calculated and taken into account. This means that by packing/obfuscating the image, the randomness of data will be increased and thus VoodooShield will pick this up - it is extremely common for malware in the wild to be using packing techniques to evade static identification from Anti-Virus software, and harden analysis time from a malware analyst (forces them to unpack the sample unless they simply don't care and just monitor API calls for that specific scenario). Therefore, you cannot pack the sample otherwise it'll be flagged by VoodooShield.

I won't go into elaboration on what exactly I did specifically because I don't want to assist people with bypassing Artificial Intelligence systems like this, my job is not to help people do this... However an example would be spoofing the Import Address Table (because genuine software will use hundreds or more of various APIs, and malware usually doesn't have so many because it is usually quite small and sticks to its payload, among having a small file-size and/or packing added on-top of that (and packing makes the imports even smaller because it dynamically handles them which is why packed samples usually have very few in the Import Address Table, including GetProcAddress/LoadLibraryA/W)). That would be one technique. You can't simply just apply techniques like file pumping with null bytes though, that can increase the awareness of the sample.

Bear in mind that VoodooShield didn't just ignore the test sample. It identified it but claimed it looked clean, and only ignored it when Auto-Pilot was enabled. I do not know what configurations the VoodooShield users use, but this is why I always advise to keep User Account Control/SmartScreen enabled regardless of using software like VoodooShield.

You need to remember that all my tests are strictly tests, and should also be taken with a grain of salt!
 
Last edited by a moderator:

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Do you think that what our respected member @Evjl's Rain did for his Avast free AV by adding some custom extensions in "Scan when opening":
.js, .jse, .jsw, .bat, .cmd, .scr, .ps1, .vbs, .hta, .vbe, .wsf
will be enough to protect Avast free AV users from those scripts and scriptlets you talked about?
Link:
SECURE - Evjl's Rain's security config
I don't think it's enough to make avast safe against these kinds of threat. 1/ because I don't know which extensions avast can protect by default. 2/ protection against these is mostly by signatures because their Behavior shield is not great against them
perhaps, adding these extensions can make avast perform a bit better but not comparable to emsisoft and kaspersky. The best is blocking them from execution
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Lockdown,

I used your own explanation (3-4 percent is near zero relevance) to show I could counter your statements on Windows Defender. I like to read your post, because you have a strong opinion, but I am not going into the discussion who understands AV-testing better. Let's stick to some facts.

Fact 1- MSRT
Microsoft sees more PC's than any other security vendor in the world with their monthly malware removal tool. So it would be irrational for Windows Defender to be worse than any other Anti Virus for malware older than two weeks (two weeks = half a month = average age of malware on PC when running MSRT).

Fact 2 - Microsoft AI platform

Microsoft is one of the top three vendors in Artificial Intelligence/Machine learning toolkits. They even made some components open source (GA Cognitive toolkit 2 for example). Microsoft built Cortana on AI technology. So it would be irrational for Microsoft not to include some of this knowledge into the cloud backend of Windows Defender.

Fact 3 - Windows Defender is first OS aware Antivirus

The advantage of an Antivirus Behavioral detection component having access to the inner mechanisms of the OS is immense. So their data (telemetry) collection is more detailed than any other third-party Antivirus. Combined with their huge user base, cloud based reputation service and AI/ML capabilities it explains why Windows Defender improved from 60% protection to above 95% protection on samples less than two weeks old.

P.S. I am not claiming that Windows Defender is a top tier antivirus, just explaining that Microsoft using a fraction of its knowledge is capable of creating an Antivirus performing in the middle of the pack.
 
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful

Machine Learning / Artificial Intelligence needs big data, therefore Bitdefender and Avast have the best infrastructure to train their ML/AI platform. Don't forget Sophos who bought Invincea to add ML/AI to their security solution. They need to feed the machine with samples, this explains the free Sophos for home use.

Regards Kees
 
Last edited:

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
@Lockdown,

I used your own explanation (3-4 percent is near zero relevance) to show I could counter your statements on Windows Defender. I like to read your post, because you have a strong opinion. You can claim that you understand things better than I do, but let's stick to some indisputable facts.

Fact 1- MSRT
Microsoft sees more PC's than any other vendor in the world with their monthly malware removal tool. So it would be irrational for Windows Defender to be worse than any other Anti Virus for malware two weeks old (two weeks = half a month = average age of malware on PC when running MSRT).

Fact 2 - Microsoft AI platform

Microsoft is one of the top three vendors in Artificial Intelligence/Machine learning toolkits. They even made some components open source (GA Cognitive toolkit 2 for example). Microsoft built Cortana on AI technology. So it would be irrational for Microsoft not to include some of this knowledge into the cloud backend of Windows Defender.

Fact 3 - Windows Defender is first OS aware Antivirus

The advantage of an Antivirus Behavioral detection component having access to the inner mechanisms of the OS is immense. So their data (telemetry) collection is more detailed than any other third-party Antivirus. Combined with their huge user base, cloud based reputation service and AI/ML capabilities it explains why Windows Defender improved from 60% protection to above 95% protection on samples less than two weeks old.

P.S. I am not claiming that Windows Defender is a top tier antivirus, just explaining that Microsoft using a fraction of its knowledge is capable of creating an Antivirus performing in the middle of the pack.
And they did create such an antivirus but they sell it as a subscription model for businesses. Windows Defender ATP does most of the things you expect MS would do but not on their WD basic protection.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Do you think that what our respected member @Evjl's Rain did for his Avast free AV by adding some custom extensions in "Scan when opening":
.js, .jse, .jsw, .bat, .cmd, .scr, .ps1, .vbs, .hta, .vbe, .wsf
will be enough to protect Avast free AV users from those scripts and scriptlets you talked about?
Link:
SECURE - Evjl's Rain's security config
@Evjl's Rain is a respected and experienced member, so he does not need any advice from me.:)
I do not know if adding those file extensions can give Avast the better anti-script protection. :(
 

Rebsat

Level 6
Verified
Well-known
Apr 13, 2014
254
I don't think it's enough to make avast safe against these kinds of threat. 1/ because I don't know which extensions avast can protect by default. 2/ protection against these is mostly by signatures because their Behavior shield is not great against them
perhaps, adding these extensions can make avast perform a bit better but not comparable to emsisoft and kaspersky. The best is blocking them from execution

Thank you very much for your participating over here bro (y):D Well, in your case that you're still using Avast Free AV with your custom tweaks/settings... What did you do to make your Avast strong enough at blocking them from execution just like Emsisoft and Kaspersky?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I think Avast is not far away from Kaspersky in real world tests and in MH tests? Anyone agree with me?
Yes - for some real-world tests. Yes - for EXE files tested in MH. Not for scripts (scriptlets) tested in MH.
And Yes - for all the above, if 'not far away' is sufficiently wide.:)
 
Last edited:

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Thank you very much for your participating over here bro (y):D Well, in your case that you're still using Avast Free AV with your custom tweaks/settings... What did you do to make your Avast strong enough at blocking them from execution just like Emsisoft and Kaspersky?
These are what I did:
1/ Process Lasso: disallowed wscript, cscript, powershell.exe, powershell_ise.exe, java.exe, javaw.exe
2/ Group Policy (SRP):
blocked some extensions: .hta, .jar, .scr
3/ Regedit:
blocked windows script host
4/ Windows Firewall:

- blocked all inbound connections
- block outbound: msra.exe, msha.exe, wscript, cscript, powershell, powershell_ise, conhost, cmd
when I need to execute a script, I just need to unblock WSH via registry and wscript, cscript from process lasso

I make sure I only execute .exe files so avast's hardened mode will work

I think with avast + these tweaks, avast can be more powerful than Emsisoft but still a bit behind kaspersky IS (fully tweaked). If we trust HM 100% because it's default-deny and can block safe programs. The same programs might be whitelisted automatically after a few days when they have enough number of users
 
Last edited:
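The registry and firewall parts of the tweaks listed in the post above, as an added PowerShell example (not Evjl's Rain's own scripts). The Process Lasso and SRP steps are not covered; the `MT-tweak:` rule-name prefix and the use of `mshta.exe` for the post's "msha.exe" are assumptions, and the script expects an elevated prompt.

```powershell
# Added example, not from the original post. Run as Administrator.

# Step 3 of the post: Windows Script Host on/off switch. This is the
# documented WSH setting; Enabled = 0 stops wscript.exe/cscript.exe running scripts.
function Set-WshEnabled {
    param([Parameter(Mandatory)][bool]$Enabled)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

# Step 4 of the post: the script hosts and shells to block outbound.
# The post lists 'msha.exe'; mshta.exe (HTA host) is assumed to be what was meant.
$blockedHosts = @('wscript.exe', 'cscript.exe', 'powershell.exe',
                  'powershell_ise.exe', 'conhost.exe', 'cmd.exe',
                  'msra.exe', 'mshta.exe')

# One outbound block rule per binary, for both the 64-bit and 32-bit copies
# where they exist. Rule names carry an assumed 'MT-tweak:' prefix so the
# set can be listed and removed as a group.
function Add-OutboundBlockRules {
    foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
        foreach ($exe in $blockedHosts) {
            $path = if ($exe -like 'powershell*') {
                Join-Path $dir "WindowsPowerShell\v1.0\$exe"
            } else { Join-Path $dir $exe }
            if (Test-Path $path) {
                New-NetFirewallRule -DisplayName "MT-tweak: block $exe outbound" `
                    -Direction Outbound -Program $path -Action Block -Profile Any | Out-Null
            }
        }
    }
}

# Undo for the rules above (the WSH toggle is undone with Set-WshEnabled $true).
function Remove-OutboundBlockRules {
    Get-NetFirewallRule -DisplayName 'MT-tweak:*' | Remove-NetFirewallRule
}

# 'Blocked all inbound connections': refuse inbound traffic on every profile,
# including traffic that existing allow rules would otherwise let through.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -AllowInboundRules False

Set-WshEnabled -Enabled $false
Add-OutboundBlockRules
```

When a script genuinely has to run, `Set-WshEnabled -Enabled $true` re-enables WSH and `Remove-OutboundBlockRules` lifts the outbound rules; re-apply both afterwards.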

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Andy Ful

Machine Learning / Artificial Intelligence needs big data, therefore Bitdefender and Avast have the best infrastructure to train their ML/AI platform. don't forget Sophos who bought Invincea to add ML/AI to their security solution. They need to feed the machine with samples, this explains the free Sophos for home use.

Regards Kees
I tried to find some statistics about AV users:
BitDefender 500 mln, Avast 400 mln, Defender ??? mln, Sophos ???. :)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
And they did create such an antivirus but they sell it as a subscription model for businesses. Windows defender atp does most of the things you expect MS would do but not on their WD basic protection.
That is right.:)
I could only add that post-infection signatures may be good for home users, but not so good for Enterprises/Companies. If one computer in a big local network is compromised, then AI may not manage to make a malware signature in time, and the whole network can be infected. That is why ATP is so important for Defender in Enterprises.
 
D

Deleted member 65228

The advantage of an Antivirus Behavioral detection component having access to the inner mechanisms of the OS is immense.
The engineers for Windows Defender don't necessarily have intelligence for undocumented internals of the Windows NT Kernel all the time. They may gain intelligence to silent things sometimes, but not always. Windows Defender typically uses techniques that other vendors have done for much longer, or techniques newly introduced for new OS versions which are also accessible to third parties. Even if Windows Defender does something not exposed to third parties by default, such as an undocumented kernel-mode callback, some reverse engineering and Bob's your uncle, now you know how Windows Defender does it. If Windows Defender can do it, so can a third party.

Microsoft have to keep their eyes peeled and re-assess everything they do for Windows Defender. If they silently implement something to let Windows Defender gain an advantage, and it gets exposed through reverse engineering/analysis, then it could be abused for some really bad things by criminals.

There are engineers at vendors like Norton and Kaspersky who have been working with Windows NT Kernel since the start of security software for it. They may not work at Microsoft and be involved with the development, but they are bound to know a ton and it is usually these same engineers/researchers that find and exploit vulnerabilities in the Windows NT Kernel/find new methods of doing something to mitigate the attack in advance.
 