AVLab.pl May 2022: Advanced In The Wild Malware Test (changes based on user suggestions)

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Andy Ful

From Hard_Configurator Tools
Interesting. Could you retest it on the newest Firefox with Defender default settings (restart required)?
I am curious what setting could make Firefox work differently with BAFS.
I checked this issue again today. It seems that now BAFS works on my computer also with Firefox. The change is related to Microsoft Defender or to my system settings, because BAFS works also on my old portable Firefox (was not updated).:)

Edit.
S...t!
My happiness did not last long. Now, the files downloaded from the Defender test webpage are not detected automatically (but detected on access) - no idea why. So, my conclusion is that BAFS can still work differently on Firefox as compared to Chrome-based web browsers.
 

Adrian Ścibor

From AVLab.pl
Thread author
This is not an attempt at an answer, I just remembered something while analyzing the Sysmon XML file right now...

@Andy Ful
It relates to "the zone" -> downloading the malware sample from the "Internet zone" (ZoneId=3)

A piece of the event from Sysmon:

XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
    <EventID>15</EventID>
    <Version>2</Version>
    <Level>4</Level>
    <Task>15</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2022-09-07T10:54:53.8607770Z"/>
    <EventRecordID>54833</EventRecordID>
    <Correlation/>
    <Execution ProcessID="2824" ThreadID="5296"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>DESKTOP-SG5N127</Computer>
    <Security UserID="S-1-5-18"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2022-09-07 10:54:53.849</Data>
    <Data Name="ProcessGuid">{a3164e60-787d-6318-cb00-000000006400}</Data>
    <Data Name="ProcessId">9176</Data>
    <Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
    <Data Name="TargetFilename">C:\Users\test\Downloads\w2WIk_2022-09-07_exe:Zone.Identifier</Data>
    <Data Name="CreationUtcTime">2022-09-07 10:54:53.503</Data>
    <Data Name="Hash">MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913,IMPHASH=00000000000000000000000000000000</Data>
    <Data Name="Contents">[ZoneTransfer] ZoneId=3 </Data>
    <Data Name="User">DESKTOP-SG5N127\test</Data>
  </EventData>
</Event>

For your information only.
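The record above is a Sysmon Event ID 15 (FileCreateStreamHash): Chrome wrote the file into Downloads and then created its Zone.Identifier alternate data stream, whose [ZoneTransfer] text carries the Mark of the Web (ZoneId=3 is the URLMON "Internet" zone). As an added example that is not part of Adrian's post or of AVLab's tooling, the Python below parses such a record, splits the stream name off the TargetFilename, decodes the [ZoneTransfer] contents as Sysmon flattens them (one line, newlines replaced by spaces) and flags files marked as coming from the Internet or Restricted zones. The embedded event is a trimmed copy of the record above; the second Contents string with ReferrerUrl and HostUrl keys is constructed to show the general case, since the record on this page contains only ZoneId.

```python
"""Parse a Sysmon Event ID 15 record and extract the Mark-of-the-Web zone.

Added illustration for the thread above; not code from AVLab or from the
Sysmon project. The sample event is a trimmed copy of the posted record.
"""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# URLMON security zone numbers as written to Zone.Identifier (ZoneId=...).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Trimmed copy of the Sysmon record posted in the thread (constructed sample input).
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"/>
<EventID>15</EventID>
<TimeCreated SystemTime="2022-09-07T10:54:53.8607770Z"/>
<Computer>DESKTOP-SG5N127</Computer>
</System>
<EventData>
<Data Name="UtcTime">2022-09-07 10:54:53.849</Data>
<Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
<Data Name="TargetFilename">C:\Users\test\Downloads\w2WIk_2022-09-07_exe:Zone.Identifier</Data>
<Data Name="Contents">[ZoneTransfer] ZoneId=3 </Data>
<Data Name="User">DESKTOP-SG5N127\test</Data>
</EventData>
</Event>"""

# Constructed Contents value with the extra keys Chromium-based browsers can
# write; not taken from the page.
SAMPLE_CONTENTS_WITH_URLS = ("[ZoneTransfer] ZoneId=3 "
                             "ReferrerUrl=https://example.test/ "
                             "HostUrl=https://example.test/dl/sample_exe ")


def parse_zone_transfer(contents: str) -> dict:
    """Parse [ZoneTransfer] INI text as Sysmon flattens it (keys separated by spaces)."""
    if "[ZoneTransfer]" not in contents:
        return {}
    return dict(re.findall(r"(\w+)=(\S+)", contents))


def split_stream(target: str):
    """Split 'C:\\path\\file:StreamName' into (path, stream); the drive colon is not a stream."""
    path, sep, stream = target.rpartition(":")
    if sep and stream and "\\" not in stream and "/" not in stream:
        return path, stream
    return target, ""


def parse_event15(xml_text: str) -> dict:
    """Return the MotW-relevant fields of one Sysmon Event ID 15 record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "15":
        raise ValueError(f"expected Sysmon Event ID 15, got {event_id}")
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    file_path, stream = split_stream(data.get("TargetFilename", ""))
    zt = parse_zone_transfer(data.get("Contents", "")) if stream.lower() == "zone.identifier" else {}
    zone_id = int(zt["ZoneId"]) if zt.get("ZoneId", "").isdigit() else None
    return {
        "utc_time": data.get("UtcTime", ""),
        "image": data.get("Image", ""),
        "user": data.get("User", ""),
        "file": file_path,
        "stream": stream,
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown") if zone_id is not None else None,
        "referrer_url": zt.get("ReferrerUrl"),
        "host_url": zt.get("HostUrl"),
    }


def is_internet_download(rec: dict) -> bool:
    """True when the stream marks the file as coming from the Internet or Restricted zone."""
    return rec["zone_id"] in (3, 4)


if __name__ == "__main__":
    rec = parse_event15(SAMPLE_EVENT)
    print(f"{rec['utc_time']} {rec['image']} -> {rec['file']} "
          f"zone={rec['zone_id']} ({rec['zone_name']}) motw={is_internet_download(rec)}")
    print(parse_zone_transfer(SAMPLE_CONTENTS_WITH_URLS))
```

On the test machine itself the same stream can be read with `Get-Content -Path <file> -Stream Zone.Identifier` in PowerShell, which is a quick way to confirm that a browser actually wrote the mark before blaming BAFS for a miss.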
 

Andy Ful

From Hard_Configurator Tools
This is not an attempt at an answer, I just remembered something while analyzing the Sysmon XML file right now...

@Andy Ful
It relates to "the zone" -> downloading the malware sample from the "Internet zone" (ZoneId=3)
It looks like a normal download from the Internet. So, the issue must be related to something else. I noticed a similar issue when downloading files by Firefox. It seems that BAFS does not support some APIs.
 

Adrian Ścibor

From AVLab.pl
Thread author
It looks like a normal download from the Internet. So, the issue must be related to something else. I noticed a similar issue when downloading files by Firefox. It seems that BAFS does not support some APIs.
Yes, it is probably "a bug" or something else. Still, BAFS is enabled, because we got the right answer from the console output (attached screenshot):

Reference: Configure and validate Microsoft Defender Antivirus network connections

As you said before, there is a problem with Firefox, but as you know, we use the Chrome browser and it will remain that way for now. So the issue will be investigated and maybe we can break it down as before, thanks to the MalwareTips community and your help. If so, I will let you know.
 

Attachments

  • console.png