AVLab.pl May 2022: Advanced In The Wild Malware Test (changes based on user suggestions)

Disclaimer

  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Andy Ful said:
Interesting. Could you retest it on the newest Firefox with Defender default settings (restart required)?
I am curious what setting could make Firefox work differently with BAFS.
Click to expand...
I checked this issue again today. It seems that now BAFS works on my computer also with Firefox. The change is related to Microsoft Defender or to my system settings, because BAFS works also on my old portable Firefox (was not updated).:)

Edit.
S...t!
My happiness did not last long. Now, the files downloaded from the Defender test webpage are not detected automatically (but detected on access) - no idea why. So, my conclusion is that BAFS can still work differently on Firefox as compared to Chrome-based web browsers.
 
Last edited:
  • Like
  • HaHa
Reactions: vtqhtr413, [correlate], roger_m and 1 other person
Adrian Ścibor

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
220
This is not an attempt at an answer, I just remembered something while analyzing the Sysmon XML file righ now...

@Andy Ful
It relates to "the zone: -> downloading malware sample from "Internet zone" (ZoneID=3)

A piece of the event from Sysmon:

XML: 
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
<EventID>15</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>15</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-09-07T10:54:53.8607770Z"/>
<EventRecordID>54833</EventRecordID>
<Correlation/>
<Execution ProcessID="2824" ThreadID="5296"/>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-SG5N127</Computer>
<Security UserID="S-1-5-18"/>
</System>
<EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2022-09-07 10:54:53.849</Data>
<Data Name="ProcessGuid">{a3164e60-787d-6318-cb00-000000006400}</Data>
<Data Name="ProcessId">9176</Data>
<Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
<Data Name="TargetFilename">C:\Users\test\Downloads\w2WIk_2022-09-07_exe:Zone.Identifier</Data>
<Data Name="CreationUtcTime">2022-09-07 10:54:53.503</Data>
<Data Name="Hash">MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000</Data>
<Data Name="Contents">[ZoneTransfer] ZoneId=3 </Data>
<Data Name="User">DESKTOP-SG5N127\test</Data>
</EventData>
</Event>

For your information only.
 
  • Like
  • +Reputation
Reactions: ErzCrz, Andy Ful and [correlate]
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Adrian Ścibor said:
This is not an attempt at an answer, I just remembered something while analyzing the Sysmon XML file righ now...

@Andy Ful
It relates to "the zone: -> downloading malware sample from "Internet zone" (ZoneID=3)
Click to expand...
It looks like a normal download from the Internet. So, the issue must be related to something else. I noticed a similar issue when downloading files by Firefox. It seems that BAFS does not support some APIs.
 
Adrian Ścibor

Adrian Ścibor

From AVLab.pl
Thread author
Verified
Well-known
Apr 9, 2018
220
Andy Ful said:
It looks like a normal download from the Internet. So, the issue must be related to something else. I noticed a similar issue when downloading files by Firefox. It seems that BAFS does not support some APIs.
Click to expand...
Yes, it is probably "a bug" or something else. Thus the BAFS is enabled, because we have got the right answer from console output (attached screen):

Reference: Configure and validate Microsoft Defender Antivirus network connections

As you said before, there is a problem with Firefox, but as you know, we use the Chrome browser and it will remain that way for now. So the issue will be investigate and maybe we can break it down as before thanks to MalwareTips community your help. If so, I will let you know.
 

Attachments

  • console.png
    console.png
    259.6 KB · Views: 139
  • Like
  • +Reputation
Reactions: Andy Ful, roger_m, Bushman and 2 others

Similar threads

Adrian Ścibor
    • +Reputation
    • Like
    • Applause
AVLab.pl Summary of the Advanced In-The-Wild Malware Test – September 2024
Replies
7
Views
945
Security Statistics and Reports
Vitali Ortzi
Vitali Ortzi
Adrian Ścibor
    • Like
    • +Reputation
In the wild ransomware threats on the rise – May 2024 test summary
Replies
16
Views
1,728
Security Statistics and Reports
Adrian Ścibor
Adrian Ścibor
Adrian Ścibor
    • Like
    • +Reputation
AVLab.pl Product Enquiry - Which products should we test in your opinion?
Replies
62
Views
4,964
Security Statistics and Reports
roger_m
R

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top