Advice Request Is this normal - definitions are old

[MacDefender]

Because the first thing, the malware does, is blocking AV from updating/connecting home, to prevent just that, an online detection.
New threats use years old malware, they just create new ways to bypass the detection, so they could easily download the main load.
AV companies do not like updating signatures, because it increases the load on the servers. Most have limited ones for free versions.

By the time malware is executing and preventing the AV from connecting, that means that your AV already allowed the malware to run. The AV would’ve checked the malware against the cloud before allowing it to run.
If after it starts running it manages to subvert your network, which is very much possible, then almost every layer of defense that you have has failed.

Even if you had offline signatures, you would be hoping for a signature update which might not be delivered for the same reason you can’t do cloud lookups.

I think offline signatures are more useful for corporate setups that are airgapped or on a non-Internet VLAN.

 

[oldschool]

Why does it really matter though? Offline signatures/scanning is something most people do not have to care about. Windows Defender, in particular, has extremely poor performance offline.

It doesn't really matter, as @Andy Ful has pointed out many times. No matter how often you set update schedule, sigs only update maybe 2 or 3 Xs/day.

 

[TairikuOkami]

By the time malware is executing and preventing the AV from connecting, that means that your AV already allowed the malware to run.

Many AVs fail to detect malicious scripts/powershell, there is only a handful of AVs that actually can and even they are struggling with it (~50%).

 

[MacDefender]

Many AVs fail to detect malicious scripts/powershell, there is only a handful of AVs that actually can and even they are struggling with it (~50%).

I agree that’s an issue, but I don’t think less reliance on cloud signatures makes a big difference for that kind of threat. At the end of the day, once an AV, online or offline, has permitted a malicious script to run, that script could have disabled networking and prevent the AV from getting updates.

(BTW not just scripts. You can easily package a trojan that acts like a VPN and just bundles OpenVPN with a profile that blocks AV communications. As long as you can trick the user into installing it, I've never seen an AV smart enough to detect that it's about to get isolated from the internet)

 

[Andy Ful]

Because the first thing, the malware does, is blocking AV from updating/connecting home, to prevent just that, an online detection.
...

Yes, this is dangerous, but not due to signatures but due to disabling the cloud delivered proactive features (behavior based ML, postinfection protection, etc.).

 

[SeriousHoax]

It doesn't really matter, as @Andy Ful has pointed out many times. No matter how often you set update schedule, sigs only update maybe 2 or 3 Xs/day.

Is this for Windows Defender? Actually it's not correct then. Windows Defender updates its signature at least 5-6 times in a day on average. I also like that you can see what signatures they have added/updated. It's not very common anymore nowadays. Check this here. On 2nd May alone they updated their signatures 7 times:

Antimalware updates change log - Microsoft Security Intelligence

 

[Andy Ful]

It doesn't really matter, as @Andy Ful has pointed out many times.
...

Yes. On default settings, WD updates itself only probably 2 or 3 times a day. The offline signatures are not relevant when Cloud delivered protection works without issues, which is usually fulfilled in the home environment. But, I think that WD can probably update offline signatures more frequently than 3 times a day (if set so). There are also updates of some signatures when WD blocks the file for several seconds (10s by default) to check it in the cloud or when WD cloud detects malware.

 

[oldschool]

Windows Defender updates its signature at least 5-6 times in a day on average.

I stand corrected.

 

[Andy Ful]

The available updates do not mean that a particular computer will get all of them. That can depend on WD settings (can be set by PowerShell or GPO). Usually, one will get 2 or 3 updates (as @oldschool mentioned), and this can depend also on some other things.

 

[SeriousHoax]

The available updates do not mean that a particular computer will get all of them. That can depend on WD settings (can be set by PowerShell or GPO). Usually, one will get 2 or 3 updates (as @oldschool mentioned), and this can depend also on some other things.

That's correct. I just said that Microsoft updates Windows Defender's signatures 5-6 times a day on average.

 

[MacDefender]

Yes, this is dangerous, but not due to signatures but due to disabling the cloud delivered proactive features (behavior based ML, postinfection protection, etc.).

One concern being implied is that many AV engines have lower static scanning performance offline vs online, most likely because their cloud lookups are either using larger databases that they consider proprietary, or to reduce the bandwidth/space requirements of the offline signature database that they have to continuously update:

Though for the reasons I mentioned earlier, I don't think this is a problem for the average home user who is constantly connected to the Internet. As @Andy Ful said, with such AVs, the bigger thing you lose is that the online lookup service gives you a much more comprehensive scan which may help with both zero-days and with ancient malware that they no longer consider worth putting in the signatures. An attack taking advantage of this would require sophisticated malware that either waits for an opportune moment of network downtime to unpack their real payload, or somehow manage to knock out the network without being caught by a behavior blocker.

I kind of wish security software would have a paranoid mode where if they don't have the cloud lookup for a brand new binary, they simply refuse to execute it until you can get back online (or prompt you about it). Basically, a TAM-while-offline mode.


Still, these kinds of threats are not the ones I would waste time worrying about. Between the recent Ransominator POC, the fun.bat samples, and similar techniques, we've seen that with not too much coding effort there are plenty of ways of defeating an AV suite. It's just one piece of layered protection.

 

[fabiobr]

Why does it really matter though? Offline signatures/scanning is something most people do not have to care about. Windows Defender, in particular, has extremely poor performance offline.

I have never seen a case where Kaspersky fails to detect something simply because the signatures need updating -- they just use KSN detections to cover emerging threats.

Even in a detection engine with good offline scanning, you still lose out on cloud based reputation lookups. I've not seen a single AV solution that has an offline cache of that.

And tests can't measure which module loses without cloud lookup. Each AV is different.

Because the first thing, the malware does, is blocking AV from updating/connecting home, to prevent just that, an online detection.
New threats use years old malware, they just create new ways to bypass the detection, so they could easily download the main load.
AV companies do not like updating signatures, because it increases the load on the servers. Most have limited ones for free versions.

But that is the essence of any malware, malware always seeks to bypass detection.

It doesn't care if it is signatures, cloud, or proactive modules.

 

[fabiobr]

I kind of wish security software would have a paranoid mode where if they don't have the cloud lookup for a brand new binary, they simply refuse to execute it until you can get back online (or prompt you about it). Basically, a TAM-while-offline mode.

Smartscreen warns you when you're offline and therefore can't check file reputation.