App Review How Secure Are You? Testing Windows Defender Against Ransomware! (Shocking Results?) | 2024 [TESTED]

[NB InfoTech]

Content source

https://youtu.be/f30KvcIrHag

How Secure Are You? Testing Windows Defender Against Ransomware! (Shocking Results?) | 2024 [TESTED]

Hello Guys!!

Welcome back, In this test we are testing Windows Defender Antivirus against 20 executable plus 2 script ransomware samples.
Stay tuned to watch surprising results.

Click to watch full video


Click to visit channel homepage

https://www.youtube.com/@nbinfotech

#windows #microsoft #windowsdefender #antivirusreview #cybersecurity #ransomware #malware #virus #infosec #nbinfotech

 

[Bot]

Hello! Thanks for sharing this informative video. It's always helpful to see real-world tests of antivirus software, especially against ransomware. Looking forward to the surprising results. #windowsdefender #cybersecurity

 

[Practical Response]

Remember we have enabled almost all security features.

We disabled them while unzipping the pack as to keep the product from doing as designed, we also executed them via script on the desktop instead of using true real world testing methods "route of infection" to actually test all these features as designed "MOTW" ect.

So freak out, throw tons of other security on your system, tweak it until you break things, and then when you want to run that shady application make sure to whitelist it and run it anyway. No need of good habits or even learning the products you are using, because these testers will show you.

 

[oldschool]

It's just folks trying to make some cold, hard cash making YT clickbait! What else can you say?

 

[oldschool]

I suppose no one should use Microsoft Defender. Maybe I'll install a really good AV like Dr. Web Katana.

 

[Andy Ful]

How to bypass Windows security features silently, so people wrongly think that the real protection is tested.

The solution: Use WinRar and temporarily disable the real-time protection when unpacking the archive, so Defender wrongly thinks that the unpacked samples are local files. Microsoft Defender does not use the 0-day protection ( "Block at first sight" ) when local files are executed. Congratulations to the authors of the video.

A similar method can be used to test Norton AV with Download Insight:
Download the archive and unpack the samples. Next, install Norton AV. Norton wrongly thinks that the samples are local files. Download Insight is not used when the local file is executed.

I know some other smart ideas to incorrectly test other AVs if the authors are interested.

 

[Andy Ful]

The video is like a story about a bear.
It is easy to survive in the woods with bears. If you are hungry, then simply skin the bear and roast a piece of meat.
Of course, we can skip the easy part of killing that bear.

 

[Andy Ful]

How to be sure that AVG detection will score 100%?

1. Use only the .exe files in the test.
2. Set AVG to Hardened Mode, to be sure that any .exe sample will be checked against the allowlist of files with a good reputation.

Here is the shocking result (the same authors):



Edit.
A similarly shocking result could get Microsoft Defender with activated ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria".
It works similarly to the AVG's Hardened Mode.

 

[Azazel]

How to bypass Windows security features silently, so people wrongly think that the real protection is tested.

The solution: Use WinRar and temporarily disable the real-time protection when unpacking the archive, so Defender wrongly thinks that the unpacked samples are local files. Microsoft Defender does not use the 0-day protection ( "Block at first sight" ) when local files are executed. Congratulations to the authors of the video.

A similar method can be used to test Norton AV with Download Insight:
Download the archive and unpack the samples. Next, install Norton AV. Norton wrongly thinks that the samples are local files. Download Insight is not used when the local file is executed.

I know some other smart ideas to incorrectly test other AVs if the authors are interested.

Shouldn't an antivirus check and respond to files whether they are local or not. For example a behavioral blocker should stepped in.

 

[Shadowra]

20 executables? Is that all?
I've already said that a test using only EXEs is useless

 

[Practical Response]

Shouldn't an antivirus check and respond to files whether they are local or not. For example a behavioral blocker should stepped in.

There is a design/modules according to route of infection, how the files are normally typically introduced. There are indicators that trigger responses from this route.

You have to ask yourself, would a normal user download that, disable their security and unpack it?

Of course one could easily ask,
Shouldn't the file be spotted before downloaded most likely from a phishing email?

 

[Andy Ful]

Shouldn't an antivirus check and respond to files whether they are local or not. For example a behavioral blocker should stepped in.

In the case of Microsoft Defender, extended behavior-based detections are done in the cloud for files downloaded from the Internet and new files dropped to the disk.
Such detections can take several seconds (minutes), so they are skipped for local files. Those files are checked behaviorally by the local resources.

The only useful information from that video is that the "Controlled Folder Access" feature can be sometimes bypassed if ransomware is allowed to run.
Anyway, Microsoft recommends applying an increased "Cloud Protection Level" (High+) and ASR rules to effectively prevent/detect/block ransomware.
Defender's default settings can prevent ransomware by detecting the parent malware but are not focused on the ransomware detection.

 

[blackice]

In the case of Microsoft Defender, extended behavior-based detections are done in the cloud for files downloaded from the Internet and new files dropped to the disk.
Such detections can take several seconds (minutes), so they are skipped for local files. Those files are checked behaviorally by the local resources.

The only useful information from that video is that the "Controlled Folder Access" feature can be sometimes bypassed if ransomware is allowed to run.
Anyway, Microsoft recommends applying an increased "Cloud Protection Level" (High+) and ASR rules to effectively prevent/detect/block ransomware.
Defender's default settings can prevent ransomware by detecting the parent malware but are not focused on the ransomware detection.

Would Runbysmartscreen be useful here with cloud at default, or would high+ be needed to really benefit?

 

[Andy Ful]

Would Runbysmartscreen be useful here with cloud at default, or would high+ be needed to really benefit?

RunBySmartscreen could help if the ransomware were downloaded and executed by the user, because almost all ransomware samples are unsigned or signed with fake certificates. In such cases, the malware is blocked by SmartScreen.
RunBySmartscreen ensures that the file will be checked by SmartScreen file reputation in the cloud. But, this can be done only on-demand, via 'Run By SmartScreen' option from the right-click Explorer context menu. Unfortunately, in most cases, the ransomware will not be run by the user:
https://malwaretips.com/threads/how...cking-results-2024-tested.130668/post-1085059

In most cases, RunBySmartscreen can be useful to prevent the initial malware that could execute ransomware.

 

[Andy Ful]

The NB InfoTech tests use only ransomware samples and the malware is executed in a "standard way" as a child process of some parent process. This could have been acceptable some years ago, but nowadays ransomware is often executed as a payload in a "non-standard way". The attackers can use advanced loaders as parent malware.

Shortly, all NB InfoTech ransomware tests are pretty much useless as the protection tests. The right method would be a real-world route that starts from the initial sample and continues through all infection stages up to the final ransomware payload.

Of course, the right test should include many more samples (as @Shadowra already noticed) or should be continued several times. With twenty 0-day samples, even the top AV with dedicated anti-ransomware protection can miss two 0-day samples from time to time.

 

[Azazel]

The NB InfoTech tests use only ransomware samples and the malware is executed in a "standard way" as a child process of some parent process. This could have been acceptable some years ago, but nowadays ransomware is often executed as a payload in a "non-standard way". The attackers can use advanced loaders as parent malware.

Shortly, all NB InfoTech ransomware tests are pretty much useless as the protection tests. The right method would be a real-world route that starts from the initial sample and continues through all infection stages up to the final ransomware payload.

Of course, the right test should include many more samples (as @Shadowra already noticed) or should be continued several times. With twenty 0-day samples, even the top AV with dedicated anti-ransomware protection can miss two 0-day samples from time to time.

18/20 protection rate from secondary modules (behavioral) is a success to me.
Unlike 0/20 from Defender. Also depending on MOTW is not something that is worthy of counting as reputable protection.
It is better to use information such as prevalence, number of days or verified signatures with heuristics.

 

[Practical Response]

18/20 protection rate from secondary modules (behavioral) is a success to me.
Unlike 0/20 from Defender. Also depending on MOTW is not something that is worthy of counting as reputable protection.
It is better to use information such as prevalence, number of days or verified signatures with heuristics.

You are hand picking one component of the route of infection which does make a difference when the product is designed to look for and respond to variables "many of these combined"

Tell me, what is the most prevalent way users end up with infections now days? Let me spell it out for you "social engineering", these come from emails, social media, baiting, ads, ect.

The user is the first line of defense, they determine if the rest of the chain is initiated, and there is a sequence just as Andy just stated himself with "real world route" which for some reason, sounds familiar , that these samples will need to take to trigger the software "as it's designed".

Upon true route of infection if tested in this way a product fails, it's because the product has "real deficiencies in it's design" and not from these "altered" incorrectly tested glimpses you see meaning at that point it's the products fault not the tester.

I don't know about you, but I would rather watch real world testing to accurately get a glimpse of a product and abilities then this so called entertainment that on its best day is still misleading... As now you are looking at the product as if it is failing and missing the whole point to most of these responses.