New Update How the hell WD works on Windows Home & Pro?

[SeriousHoax]

You could run Shadowdefender on your host and run your tests in a VM. that is what I do.

Hmm that's a nice idea and I did this before but testing in a VM can be done without using Shadow Defender specially with Oracle VM Virtual Box as it has snapshot feature unlike VmWare Player. I test other AVs on a Windows 7 VM but I had a constant CPU usage problem with Windows 10 in a vm so didn't try after that.

Good thing most people don’t run in to large packs of malware running around in the wild!

I think most people don't even run into any malware in general. Almost everyday in my country I see people posting screenshots about their files got encrypted. And 99.99% of the time the reason is they downloaded a cracked program or game from some random site and either they turned off their AV before running that file or if it's a Windows 7 user then most of them didn't even have any AV installed.
Excluding Windows Defender, Kaspersky is the most used AV here. They have a huge market share as they were first to come here and promote and sell AVs. According to Kaspersky's latest report, my country is number 1 in their list of countries with most ransomwares attack. Like I said above, all those are related to creaked programs. People with good browsing habits are rarely infected.

 

[shmu26]

Hmm that's a nice idea and I did this before but testing in a VM can be done without using Shadow Defender specially with Oracle VM Virtual Box as it has snapshot feature unlike VmWare Player. I test other AVs on a Windows 7 VM but I had a constant CPU usage problem with Windows 10 in a vm so didn't try after that.


I think most people don't even run into any malware in general. Almost everyday in my country I see people posting screenshots about their files got encrypted. And 99.99% of the time the reason is they downloaded a cracked program or game from some random site and either they turned off their AV before running that file or if it's a Windows 7 user then most of them didn't even have any AV installed.
Excluding Windows Defender, Kaspersky is the most used AV here. They have a huge market share as they were first to come here and promote and sell AVs. According to Kaspersky's latest report, my country is number 1 in their list of country with most ransomwares attack. Like I said above, all those are related to creaked program. People with good browsing habits are rarely infected.

I got all excited last week when I actually encountered real malware. Someone gave my wife a flash drive to put some files on it, and yeah, it had a really ancient flash drive bug that turns everything into shortcuts, so you can't see the files and folders. And if you click on the shortcut, it tries to run malware by a bat script or something. But opened in Linux, the flash drive behaves normally.

My wife's laptop has Windows Defender and Comodo Firewall. (Also H_C, but with light settings.) WD didn't make a peep, but Comodo @CS contained the malware. Hurrah.

I live in a certain segment of the population that doesn't use internet so much, and uses flash drives a lot. (I am a bit of an exception.) Some people don't have an updated AV on their computer, and the flash drive viruses are hard to squash, they just keep circulating.

 

[Andy Ful]

SeriousHoax,
Could you make a few tests (static and dynamic) when disconnected from the Internet?
It would be interesting to see if the ML behavior-based models are only for finding the suspicious files before checking them in the cloud or can also block something on execution.
I think that the first scenario might be probable.

 

[SeriousHoax]

I got all excited last week when I actually encountered real malware. Someone gave my wife a flash drive to put some files on it, and yeah, it had a really ancient flash drive bug that turns everything into shortcuts, so you can't see the files and folders. And if you click on the shortcut, it tries to run malware by a bat script or something. But opened in Linux, the flash drive behaves normally.

My wife's laptop has Windows Defender and Comodo Firewall. (Also H_C, but with light settings.) WD didn't make a peep, but Comodo @CS contained the malware. Hurrah.

I live in a certain segment of the population that doesn't use internet so much, and uses flash drives a lot. (I am a bit of an exception.) Some people don't have an updated AV on their computer, and the flash drive viruses are hard to squash, they just keep circulating.

Haha, I know what you're talking about. This malware is still pretty common here. Here every pc user know it as "Shortcut virus" and people are very scared about it. But it's pretty surprising that Windows Defender didn't catch it on that machine of yours

SeriousHoax,
Could you make a few tests (static and dynamic) when disconnected from the Internet?
It would be interesting to see if the ML behavior-based models are only for finding the suspicious files before checking them in the cloud or can also block something on execution.
I think that the first scenario might be probable.

Ok sure I will. I also think the first scenario is more probable. Evjl's Rain used and tested WD for an extended period of time so he probably already knows a thing or two about it. Do you?

 

[Andy Ful]

...
y wife's laptop has Windows Defender and Comodo Firewall. (Also H_C, but with light settings.) WD didn't make a peep, but Comodo @CS contained the malware. Hurrah.
...

It is possible that CF contained/blocked the malware by sandbox restrictions, so it could not do anything malicious/suspicious. In this way, only the local/offline WD protection was applied.
But please, do not check this on the real system.

 

[Evjl's Rain]

without the internet, WD is kinda useless
Behavior analysis only worked for 1-2 samples. The rest were running without being intercepted

 

[shmu26]

Haha, I know what you're talking about. This malware is still pretty common here. Here every pc user know it as "Shortcut virus" and people are very scared about it. But it's pretty surprising that Windows Defender didn't catch it on that machine of yours

I was also surprised. Maybe WD would have stopped it at later stage, but Comodo contained it, so it couldn't get very far. Don't know. She returned the flash drive so I couldn't play around with it further.

But please, do not check this on the real system

That is the right advice, but I already cleaned this shortcut virus from my daughter's computer a year ago, and it was pretty easy, so I am not so scared of it. It is a stupid and very old virus, it is not dangerous by modern standards. After that happened, I put advanced protection on my daughter's machine, and no more problems since then.

 

[Gandalf_The_Grey]

That is the right advice, but I already cleaned this shortcut virus from my daughter's computer a year ago, and it was pretty easy, so I am not so scared of it. It is a stupid and very old virus, it is not dangerous by modern standards. After that happened, I put advanced protection on my daughter's machine, and no more problems since then.

What advanced protection did you install on your daughter's machine?

 

[shmu26]

What advanced protection did you install on your daughter's machine?

This particular old clunker is disconnected from the internet, it is at risk mainly from flash drives etc. I installed OSA and MCShield.

 

[harlan4096]

I also know this malware (shortcut virus), I have disinfected pendrives devices with it form my costumer sometimes...

 

[Andy Ful]

Do AMSI, PUA protection, ASR rules, and Network Protection work in Windows Home & Pro?

I tested AMSI, PUA Protection, ASR rules, and Network Protection on Windows Home and they worked well. But, this protection can be overridden/invalidated by 3rd part security software. It is recommended to use WD demo webpage to test it via Edge or Chrome (BAFS samples seem do not work on Firefox):

Home - Microsoft Defender Testground

demo.wd.microsoft.com

On Malware Hub these features were configured by ConfigureDefender (except AMSI) and tested on Windows Pro (without installed WD ATP):

ASR rules

https://malwaretips.com/threads/malware-3-20-09-2019.95122/post-835474

https://malwaretips.com/threads/malware-samples-17-9-08-2019.94252/#lg=thread-94252&slide=71

https://malwaretips.com/threads/malware-samples-16-5-08-2019.94151/#lg=thread-94151&slide=8

https://malwaretips.com/threads/malware-samples-14-9-07-2019.93645/#lg=thread-93645&slide=2

https://malwaretips.com/threads/malware-samples-14-9-07-2019.93645/#lg=thread-93645&slide=7

https://malwaretips.com/threads/malware-samples-14-9-07-2019.93645/#lg=thread-93645&slide=9

https://malwaretips.com/threads/malware-samples-19-8-07-2019.93625/#lg=thread-93625&slide=17

https://malwaretips.com/threads/malware-samples-15-4-07-2019.93559/#lg=thread-93559&slide=7

AMSI

https://malwaretips.com/threads/malware-samples-14-9-07-2019.93645/#lg=thread-93645&slide=3

https://malwaretips.com/threads/malware-samples-15-4-07-2019.93559/#lg=thread-93559&slide=12

https://malwaretips.com/threads/mixed-threats-17-01-07-2019.93492/#lg=thread-93492&slide=35

PUA protection

https://malwaretips.com/threads/malware-samples-19-8-07-2019.93625/#lg=thread-93625&slide=3

 

[shmu26]

I also know this malware (shortcut virus), I have disinfected pendrives devices with it form my costumer sometimes...

I used the Kaspersky rescue disk to clean my daughter's machine from it.

 

[93803123]

I live in a certain segment of the population that doesn't use internet so much, and uses flash drives a lot. (I am a bit of an exception.) Some people don't have an updated AV on their computer, and the flash drive viruses are hard to squash, they just keep circulating.

Malicious samples on routinely exchanged drives is an epidemic in southcentral and southeast Asia. Infection via non-download is a very real-world problem.

 

[notabot]

I got all excited last week when I actually encountered real malware. Someone gave my wife a flash drive to put some files on it, and yeah, it had a really ancient flash drive bug that turns everything into shortcuts, so you can't see the files and folders. And if you click on the shortcut, it tries to run malware by a bat script or something. But opened in Linux, the flash drive behaves normally.

My wife's laptop has Windows Defender and Comodo Firewall. (Also H_C, but with light settings.) WD didn't make a peep, but Comodo @CS contained the malware. Hurrah.

I live in a certain segment of the population that doesn't use internet so much, and uses flash drives a lot. (I am a bit of an exception.) Some people don't have an updated AV on their computer, and the flash drive viruses are hard to squash, they just keep circulating.

Is this the "minimal" comodo product if all one wants is the sandbox : Personal Firewall for Windows 10 | Vital Protection for Windows OS ?

Also is it possible to just keep the sandbox and keep using Windows firewall or one has to use Comodo Firewall as well?

Regarding the incident, do you have BAFS on WD? I'd assume if it's on that it would block it ( tho without internet/a response from the cloud I'm not sure if it lets the executable through )

 

[notabot]

And 99.99% of the time the reason is they downloaded a cracked program or game from some random site and either they turned off their AV before running that file or if it's a Windows 7 user then most of them didn't even have any AV installed.
....
People with good browsing habits are rarely infected.

This, anyone with good browsing habits, esp if they open docs via google docs is mostly safe. OS & Software updates are so fast these days and in-built security so much better than 10-20 years ago that it's very difficult to get infected.

 

[shmu26]

Is this the "minimal" comodo product if all one wants is the sandbox : Personal Firewall for Windows 10 | Vital Protection for Windows OS ?

Also is it possible to just keep the sandbox and keep using Windows firewall or one has to use Comodo Firewall as well?

Regarding the incident, do you have BAFS on WD? I'd assume if it's on that it would block it ( tho without internet/a response from the cloud I'm not sure if it lets the executable through )

It is the free Comodo firewall with no antivirus component. I have it set in CruelSister configuration. You can keep using Windows firewall if you want. You can even use both at the same time, if you want.

BAFS is enabled. There is an active internet connection on the machine that recently got infected. (Although there is no internet on the one that got the same virus a year ago, which was a Windows 7 machine without an updated antivirus). I assume that WD was quiet because Comodo firewall acted first, and contained it.

 

[Andy Ful]

...
Regarding the incident, do you have BAFS on WD? I'd assume if it's on that it would block it ( tho without internet/a response from the cloud I'm not sure if it lets the executable through )

BAFS could not block it. Files on flash drives cannot have MOTW, because they usually have not NTFS file system. Normally (without CF), the malware could be stopped by ASR rule "Block untrusted and unsigned processes that run from USB" or some other ASR rules depending on script or WMI usage. SRP can easily block such malware by blocking shortcuts in User Space (like in H_C).

 

[Moonhorse]

Tested PUA test from Home - Windows Defender Testground, i have been using windows defender on default settings for a week and pua file remained on download folder

After downloading configuredefender > set high settings > reboot > re-test did block download

New edge browser has pua/pup protection aka advanced download protection wich doesnt allow files without digital signature is more effective than WD:s PUA protection thought

 

[notabot]

It is the free Comodo firewall with no antivirus component. I have it set in CruelSister configuration. You can keep using Windows firewall if you want. You can even use both at the same time, if you want.

Thanks, it's interesting that the 2 firewalls stack together

 

[shmu26]

Thanks, it's interesting that the 2 firewalls stack together

They seem to work well together.
Windows does not detect Comodo firewall, and does not turn it off automatically, which can be seen if you check in Windows Control Panel. But if you install Comodo Internet Security, which has an AV component, then Windows firewall will turn off.