How Secure Are You? Testing Windows Defender Against Ransomware! (Shocking Results?) | 2024 [TESTED]


NB InfoTech

Level 1
Thread author
Jun 18, 2023
18

Hello Guys!!

Welcome back! In this test we are testing Windows Defender Antivirus against 20 executable ransomware samples plus 2 script ransomware samples.
Stay tuned to watch the surprising results.


#windows #microsoft #windowsdefender #antivirusreview #cybersecurity #ransomware #malware #virus #infosec #nbinfotech
Attachment: Windows Defender vs Ransomware.png (screenshot)

Bot

AI-powered Bot
Apr 21, 2016
4,225
Hello! Thanks for sharing this informative video. It's always helpful to see real-world tests of antivirus software, especially against ransomware. Looking forward to the surprising results. #windowsdefender #cybersecurity

ForgottenSeer 109138

Remember we have enabled almost all security features. :rolleyes:

We disabled them while unzipping the pack so as to keep the product from doing what it was designed to do; we also executed them via a script on the desktop instead of using true real-world testing methods (the "route of infection") that would actually test all these features as designed (MOTW, etc.). :rolleyes:

So freak out, throw tons of other security on your system, tweak it until you break things, and then when you want to run that shady application make sure to whitelist it and run it anyway. No need for good habits or even learning the products you are using, because these testers will show you.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,382
How to bypass Windows security features silently, so people wrongly think that the real protection is tested.

The solution:
Use WinRar and temporarily disable the real-time protection when unpacking the archive, so Defender wrongly thinks that the unpacked samples are local files. Microsoft Defender does not use the 0-day protection ( "Block at first sight" ) when local files are executed. Congratulations to the authors of the video.

A similar method can be used to test Norton AV with Download Insight:
Download the archive and unpack the samples. Next, install Norton AV. Norton wrongly thinks that the samples are local files. Download Insight is not used when the local file is executed.

I know some other smart ideas to incorrectly test other AVs if the authors are interested.:)
 

Andy Ful

How to be sure that AVG detection will score 100%?
  1. Use only the .exe files in the test.
  2. Set AVG to Hardened Mode, to be sure that any .exe sample will be checked against the allowlist of files with a good reputation.
Here is the shocking result (the same authors): :)

Edit.
A similarly shocking result could get Microsoft Defender with activated ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".
It works similarly to the AVG's Hardened Mode.
 

Azazel

(quoting Andy Ful's post above, "How to bypass Windows security features silently...")
Shouldn't an antivirus check and respond to files whether they are local or not? For example, a behavioral blocker should have stepped in.
 

ForgottenSeer 109138

Shouldn't an antivirus check and respond to files whether they are local or not? For example, a behavioral blocker should have stepped in.
There is a design (modules) that follows the route of infection, i.e. how files are normally introduced. There are indicators along this route that trigger responses.

You have to ask yourself, would a normal user download that, disable their security and unpack it?

Of course, one could easily ask: shouldn't the file be spotted before being downloaded, most likely from a phishing email?
 

Andy Ful

Shouldn't an antivirus check and respond to files whether they are local or not? For example, a behavioral blocker should have stepped in.

In the case of Microsoft Defender, extended behavior-based detections are done in the cloud for files downloaded from the Internet and new files dropped to the disk.
Such detections can take several seconds (minutes), so they are skipped for local files. Those files are checked behaviorally by the local resources.

The only useful information from that video is that the "Controlled Folder Access" feature can sometimes be bypassed if ransomware is allowed to run.
Anyway, Microsoft recommends applying an increased "Cloud Protection Level" (High+) and ASR rules to effectively prevent/detect/block ransomware.
Defender's default settings can prevent ransomware by detecting the parent malware but are not focused on ransomware detection.
 
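The two Defender settings named in this thread (the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" from Andy Ful's earlier post, and the "Cloud Protection Level" High+ recommendation just above) can be inspected and applied from PowerShell. The script below is an added example written for this page; it is not Andy Ful's code, not part of the thread, and not from NB InfoTech. It also checks whether unpacked samples still carry Mark-of-the-Web, since the thread's point is that files without it are treated as local. The sample directory `C:\Samples\unpacked` is an assumption; the ASR rule GUID and cmdlet parameters are Microsoft's documented ones.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on a
# Windows 10/11 machine with Microsoft Defender as the active AV.
# Assumption: the test pack was extracted to C:\Samples\unpacked.

# 1. Does a file still carry Mark-of-the-Web?  A Zone.Identifier alternate data
#    stream with ZoneId=3 (Internet) is what marks a file as "downloaded";
#    without it, reputation/cloud checks that key on that mark do not apply.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null            # no stream at all: the file looks local
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

$sampleDir = 'C:\Samples\unpacked'    # assumption
Get-ChildItem -LiteralPath $sampleDir -File | ForEach-Object {
    $zone = Get-MotwZone -Path $_.FullName
    [pscustomobject]@{
        File    = $_.Name
        ZoneId  = $zone
        HasMotw = ($zone -eq 3)       # $false for every file that "looks local"
    }
} | Format-Table -AutoSize

# 2. Current state of the settings the thread discusses.
Get-MpPreference | Select-Object CloudBlockLevel, CloudExtendedTimeout,
    EnableControlledFolderAccess, AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions

# 3. Hardening: cloud protection level High+, maximum cloud-check timeout,
#    Controlled Folder Access on, and the ASR rule
#    "Block executable files from running unless they meet a prevalence, age,
#    or trusted list criterion" (Microsoft's rule id 01443614-cd74-433a-b99e-2ecdc07bfc25).
Set-MpPreference -CloudBlockLevel HighPlus
Set-MpPreference -CloudExtendedTimeout 50
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify the rule landed (Enabled = 1 in the parallel Actions array).
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
```

Two caveats a practitioner should keep in mind: the prevalence/age ASR rule works like the AVG Hardened Mode described earlier in the thread, so it will also block unsigned or rarely seen legitimate installers until you exclude them (use `-AttackSurfaceReductionRules_Actions AuditMode` first to see what it would hit), and Controlled Folder Access only protects the folders in its list, which is why the video could still show it being bypassed once a sample was allowed to run.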

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,865
(quoting Andy Ful's post above, "In the case of Microsoft Defender, extended behavior-based detections...")
Would Runbysmartscreen be useful here with cloud at default, or would high+ be needed to really benefit?
 

Andy Ful

Would Runbysmartscreen be useful here with cloud at default, or would high+ be needed to really benefit?

RunBySmartscreen could help if the ransomware were downloaded and executed by the user, because almost all ransomware samples are unsigned or signed with fake certificates. In such cases, the malware is blocked by SmartScreen.
RunBySmartscreen ensures that the file will be checked by SmartScreen file reputation in the cloud. But, this can be done only on-demand, via 'Run By SmartScreen' option from the right-click Explorer context menu. Unfortunately, in most cases, the ransomware will not be run by the user:
https://malwaretips.com/threads/how...cking-results-2024-tested.130668/post-1085059

In most cases, RunBySmartscreen can be useful to prevent the initial malware that could execute ransomware.
 

Andy Ful

The NB InfoTech tests use only ransomware samples and the malware is executed in a "standard way" as a child process of some parent process. This could have been acceptable some years ago, but nowadays ransomware is often executed as a payload in a "non-standard way". The attackers can use advanced loaders as parent malware.

In short, all NB InfoTech ransomware tests are pretty much useless as protection tests. The right method would be a real-world route that starts from the initial sample and continues through all infection stages up to the final ransomware payload.

Of course, the right test should include many more samples (as @Shadowra already noticed) or should be continued several times. With twenty 0-day samples, even the top AV with dedicated anti-ransomware protection can miss two 0-day samples from time to time.
 

Azazel

(quoting Andy Ful's post above, "The NB InfoTech tests use only ransomware samples...")
18/20 protection rate from secondary modules (behavioral) is a success to me.
Unlike 0/20 from Defender. Also depending on MOTW is not something that is worthy of counting as reputable protection.
It is better to use information such as prevalence, number of days or verified signatures with heuristics.
 

ForgottenSeer 109138

(quoting Azazel's post above, "18/20 protection rate from secondary modules (behavioral) is a success to me...")
You are hand-picking one component of the route of infection, which does make a difference when the product is designed to look for and respond to variables, many of these combined.

Tell me, what is the most prevalent way users end up with infections nowadays? Let me spell it out for you: "social engineering". These come from emails, social media, baiting, ads, etc.

The user is the first line of defense; they determine if the rest of the chain is initiated, and there is a sequence, just as Andy just stated himself with "real world route" (which for some reason sounds familiar 🤔), that these samples will need to take to trigger the software "as it's designed".

If a product fails when tested along the true route of infection, it's because the product has "real deficiencies in its design" and not because of these "altered", incorrectly tested glimpses you see; at that point it's the product's fault, not the tester's.

I don't know about you, but I would rather watch real-world testing to accurately get a glimpse of a product and its abilities than this so-called entertainment that on its best day is still misleading... As it is, you are looking at the product as if it is failing and missing the whole point of most of these responses.
 

likeastar20

Level 9
Verified
Mar 24, 2016
413
(quoting Andy Ful's post above, "In the case of Microsoft Defender, extended behavior-based detections...")
Can you elaborate? From your answer, I still don't understand if WD has a proper local behavior blocker
 

Andy Ful

Can you elaborate? From your answer, I still don't understand if WD has a proper local behavior blocker
What do you mean by a proper local behavior blocker? Which AV has such a blocker?
 