New Update How the hell WD works on Windows Home & Pro?

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
You could run Shadow Defender on your host and run your tests in a VM. That is what I do.
Hmm that's a nice idea and I did this before but testing in a VM can be done without using Shadow Defender, especially with Oracle VM VirtualBox as it has a snapshot feature unlike VMware Player. I test other AVs on a Windows 7 VM but I had a constant CPU usage problem with Windows 10 in a VM so didn't try after that.

Good thing most people don’t run into large packs of malware running around in the wild!
I think most people don't even run into any malware in general. Almost every day in my country I see people posting screenshots about their files getting encrypted. And 99.99% of the time the reason is they downloaded a cracked program or game from some random site and either they turned off their AV before running that file or if it's a Windows 7 user then most of them didn't even have any AV installed.
Excluding Windows Defender, Kaspersky is the most used AV here. They have a huge market share as they were first to come here and promote and sell AVs. According to Kaspersky's latest report, my country is number 1 in their list of countries with the most ransomware attacks. Like I said above, all those are related to cracked programs. People with good browsing habits are rarely infected.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Hmm that's a nice idea and I did this before but testing in a VM can be done without using Shadow Defender, especially with Oracle VM VirtualBox as it has a snapshot feature unlike VMware Player. I test other AVs on a Windows 7 VM but I had a constant CPU usage problem with Windows 10 in a VM so didn't try after that.


I think most people don't even run into any malware in general. Almost every day in my country I see people posting screenshots about their files getting encrypted. And 99.99% of the time the reason is they downloaded a cracked program or game from some random site and either they turned off their AV before running that file or if it's a Windows 7 user then most of them didn't even have any AV installed.
Excluding Windows Defender, Kaspersky is the most used AV here. They have a huge market share as they were first to come here and promote and sell AVs. According to Kaspersky's latest report, my country is number 1 in their list of countries with the most ransomware attacks. Like I said above, all those are related to cracked programs. People with good browsing habits are rarely infected.
I got all excited last week when I actually encountered real malware. Someone gave my wife a flash drive to put some files on it, and yeah, it had a really ancient flash drive bug that turns everything into shortcuts, so you can't see the files and folders. And if you click on the shortcut, it tries to run malware by a bat script or something. But opened in Linux, the flash drive behaves normally. :)

My wife's laptop has Windows Defender and Comodo Firewall. (Also H_C, but with light settings.) WD didn't make a peep, but Comodo @CS contained the malware. Hurrah.

I live in a certain segment of the population that doesn't use internet so much, and uses flash drives a lot. (I am a bit of an exception.) Some people don't have an updated AV on their computer, and the flash drive viruses are hard to squash, they just keep circulating.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
SeriousHoax,
Could you make a few tests (static and dynamic) when disconnected from the Internet?
It would be interesting to see if the ML behavior-based models are only for finding the suspicious files before checking them in the cloud or can also block something on execution.
I think that the first scenario might be probable.
 

SeriousHoax

I got all excited last week when I actually encountered real malware. Someone gave my wife a flash drive to put some files on it, and yeah, it had a really ancient flash drive bug that turns everything into shortcuts, so you can't see the files and folders. And if you click on the shortcut, it tries to run malware by a bat script or something. But opened in Linux, the flash drive behaves normally. :)

My wife's laptop has Windows Defender and Comodo Firewall. (Also H_C, but with light settings.) WD didn't make a peep, but Comodo @CS contained the malware. Hurrah.

I live in a certain segment of the population that doesn't use internet so much, and uses flash drives a lot. (I am a bit of an exception.) Some people don't have an updated AV on their computer, and the flash drive viruses are hard to squash, they just keep circulating.
Haha, I know what you're talking about. This malware is still pretty common here. Here every PC user knows it as "Shortcut virus" :D and people are very scared about it. But it's pretty surprising that Windows Defender didn't catch it on that machine of yours :unsure:

SeriousHoax,
Could you make a few tests (static and dynamic) when disconnected from the Internet?
It would be interesting to see if the ML behavior-based models are only for finding the suspicious files before checking them in the cloud or can also block something on execution.
I think that the first scenario might be probable.
Ok sure I will. I also think the first scenario is more probable. Evjl's Rain used and tested WD for an extended period of time so he probably already knows a thing or two about it. Do you?
 

Andy Ful

...
My wife's laptop has Windows Defender and Comodo Firewall. (Also H_C, but with light settings.) WD didn't make a peep, but Comodo @CS contained the malware. Hurrah.
...
It is possible that CF contained/blocked the malware by sandbox restrictions, so it could not do anything malicious/suspicious. In this way, only the local/offline WD protection was applied.
But please, do not check this on the real system.:giggle:(y)
 

shmu26

Haha, I know what you're talking about. This malware is still pretty common here. Here every pc user know it as "Shortcut virus" :D and people are very scared about it. But it's pretty surprising that Windows Defender didn't catch it on that machine of yours :unsure:
I was also surprised. Maybe WD would have stopped it at a later stage, but Comodo contained it, so it couldn't get very far. Don't know. She returned the flash drive so I couldn't play around with it further.

But please, do not check this on the real system
That is the right advice, but I already cleaned this shortcut virus from my daughter's computer a year ago, and it was pretty easy, so I am not so scared of it. It is a stupid and very old virus, it is not dangerous by modern standards. After that happened, I put advanced protection on my daughter's machine, and no more problems since then.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
That is the right advice, but I already cleaned this shortcut virus from my daughter's computer a year ago, and it was pretty easy, so I am not so scared of it. It is a stupid and very old virus, it is not dangerous by modern standards. After that happened, I put advanced protection on my daughter's machine, and no more problems since then.
What advanced protection did you install on your daughter's machine?
 

Andy Ful

Do AMSI, PUA protection, ASR rules, and Network Protection work in Windows Home & Pro?

I tested AMSI, PUA Protection, ASR rules, and Network Protection on Windows Home and they worked well. But this protection can be overridden/invalidated by 3rd-party security software. It is recommended to use the WD demo webpage to test it via Edge or Chrome (BAFS samples do not seem to work on Firefox):

On Malware Hub these features were configured by ConfigureDefender (except AMSI) and tested on Windows Pro (without installed WD ATP):

ASR rules

AMSI

PUA protection
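
A read-only way to see which of the features named in this post are switched on for a given machine, as an added example that is not part of the original post and is not ConfigureDefender's code. It assumes the built-in Defender PowerShell module and an elevated session; AMSI has no `Get-MpPreference` setting and is not covered.

```powershell
# Added example: read-only audit of the Defender settings named in this post.
# Run in an elevated PowerShell session; nothing is changed on the system.
function Get-DefenderFeatureAudit {
    $pref = Get-MpPreference
    # Get-MpPreference returns these values as bytes, so cast before the lookup.
    $mode    = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }
    $asrMode = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    $rows = @(
        [pscustomobject]@{ Feature = 'PUA protection'
                           State   = $mode[[int]$pref.PUAProtection] }
        [pscustomobject]@{ Feature = 'Network Protection'
                           State   = $mode[[int]$pref.EnableNetworkProtection] }
        # BAFS needs cloud-delivered protection, so read the next two rows together.
        [pscustomobject]@{ Feature = 'Cloud-delivered protection (MAPS)'
                           State   = if ([int]$pref.MAPSReporting -gt 0) { 'Enabled' } else { 'Disabled' } }
        [pscustomobject]@{ Feature = 'Block at First Sight (BAFS)'
                           State   = if ($pref.DisableBlockAtFirstSeen) { 'Disabled' } else { 'Enabled' } }
    )

    # ASR rule IDs and actions are parallel arrays; both are empty when
    # no rule has been configured.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    if ($ids.Count -eq 0) {
        $rows += [pscustomobject]@{ Feature = 'ASR rules'; State = 'None configured' }
    }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $action = [int]$actions[$i]
        $rows += [pscustomobject]@{ Feature = "ASR rule $($ids[$i])"
                                    State   = $asrMode[$action] }
    }
    $rows
}

Get-DefenderFeatureAudit | Format-Table -AutoSize
```

Running it before and after a configuration change shows which settings actually moved.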
 

93803123

I live in a certain segment of the population that doesn't use internet so much, and uses flash drives a lot. (I am a bit of an exception.) Some people don't have an updated AV on their computer, and the flash drive viruses are hard to squash, they just keep circulating.

Malicious samples on routinely exchanged drives are an epidemic in southcentral and southeast Asia. Infection via non-download is a very real-world problem.
 

notabot

Level 15
Verified
Oct 31, 2018
703
I got all excited last week when I actually encountered real malware. Someone gave my wife a flash drive to put some files on it, and yeah, it had a really ancient flash drive bug that turns everything into shortcuts, so you can't see the files and folders. And if you click on the shortcut, it tries to run malware by a bat script or something. But opened in Linux, the flash drive behaves normally. :)

My wife's laptop has Windows Defender and Comodo Firewall. (Also H_C, but with light settings.) WD didn't make a peep, but Comodo @CS contained the malware. Hurrah.

I live in a certain segment of the population that doesn't use internet so much, and uses flash drives a lot. (I am a bit of an exception.) Some people don't have an updated AV on their computer, and the flash drive viruses are hard to squash, they just keep circulating.

Is this the "minimal" Comodo product if all one wants is the sandbox: Personal Firewall for Windows 10 | Vital Protection for Windows OS?

Also is it possible to just keep the sandbox and keep using Windows firewall or one has to use Comodo Firewall as well?

Regarding the incident, do you have BAFS on WD? I'd assume if it's on that it would block it ( tho without internet/a response from the cloud I'm not sure if it lets the executable through )
 

notabot

And 99.99% of the time the reason is they downloaded a cracked program or game from some random site and either they turned off their AV before running that file or if it's a Windows 7 user then most of them didn't even have any AV installed.
....
People with good browsing habits are rarely infected.

This, anyone with good browsing habits, esp. if they open docs via Google Docs, is mostly safe. OS & software updates are so fast these days and built-in security so much better than 10-20 years ago that it's very difficult to get infected.
 

shmu26

Is this the "minimal" Comodo product if all one wants is the sandbox: Personal Firewall for Windows 10 | Vital Protection for Windows OS?

Also is it possible to just keep the sandbox and keep using Windows firewall or one has to use Comodo Firewall as well?

Regarding the incident, do you have BAFS on WD? I'd assume if it's on that it would block it ( tho without internet/a response from the cloud I'm not sure if it lets the executable through )
It is the free Comodo firewall with no antivirus component. I have it set in CruelSister configuration. You can keep using Windows firewall if you want. You can even use both at the same time, if you want.

BAFS is enabled. There is an active internet connection on the machine that recently got infected. (Although there is no internet on the one that got the same virus a year ago, which was a Windows 7 machine without an updated antivirus). I assume that WD was quiet because Comodo firewall acted first, and contained it.
 

Andy Ful

...
Regarding the incident, do you have BAFS on WD? I'd assume if it's on that it would block it ( tho without internet/a response from the cloud I'm not sure if it lets the executable through )
BAFS could not block it. Files on flash drives cannot have MOTW, because they usually do not have an NTFS file system. Normally (without CF), the malware could be stopped by the ASR rule "Block untrusted and unsigned processes that run from USB" or some other ASR rules depending on script or WMI usage. SRP can easily block such malware by blocking shortcuts in User Space (like in H_C).
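
The point about MOTW and the USB rule can be checked on a live system with the sketch below, an added example that is not part of the original post. It assumes the built-in Defender PowerShell module and a local drive-letter path; the Downloads folder is only a convenient NTFS comparison point, and a flash drive path can be passed instead.

```powershell
# Added example: MOTW lives in the NTFS alternate data stream "Zone.Identifier",
# so files on FAT32/exFAT media cannot carry it.
function Get-MotwReport {
    param([Parameter(Mandatory)][string]$Path)
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
    $drive = [System.IO.DriveInfo]::new($root)
    # -Force includes hidden files, which matter on drives hit by shortcut malware.
    Get-ChildItem -LiteralPath $Path -File -Force | ForEach-Object {
        $zoneId = $null
        $ads = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ("$ads" -match 'ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        [pscustomobject]@{
            File       = $_.Name
            FileSystem = $drive.DriveFormat   # NTFS, FAT32, exFAT ...
            DriveType  = $drive.DriveType     # Removable, Fixed ...
            HasMotw    = $null -ne $zoneId
            ZoneId     = $zoneId              # 3 = Internet zone
        }
    }
}

# ASR rule "Block untrusted and unsigned processes that run from USB".
$UsbRuleId = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'

function Get-UsbAsrRuleState {
    $pref    = Get-MpPreference
    $asrMode = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $UsbRuleId) {        # -eq ignores case for strings
            $action = [int]$actions[$i]
            return $asrMode[$action]
        }
    }
    'Not configured'
}

# Downloaded files on an NTFS system drive normally show HasMotw = True;
# the same files copied to a FAT32/exFAT stick show False.
Get-MotwReport -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
"USB ASR rule: $(Get-UsbAsrRuleState)"
```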
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,602
Tested the PUA test from Home - Windows Defender Testground. I have been using Windows Defender on default settings for a week and the PUA file remained in the download folder.

After downloading ConfigureDefender > set high settings > reboot > re-test did block download

The new Edge browser has PUA/PUP protection, aka advanced download protection, which doesn't allow files without a digital signature, and is more effective than WD's PUA protection though
microsoft-edge-chromium-pua-protection.png
 

shmu26

Thanks, it's interesting that the 2 firewalls stack together
They seem to work well together. :)
Windows does not detect Comodo firewall, and does not turn it off automatically, which can be seen if you check in Windows Control Panel. But if you install Comodo Internet Security, which has an AV component, then Windows firewall will turn off.
 
