App Review Microsoft Defender- A Possible Future

Content created by
cruelsister

Anthony Qian

I do not like the possibility of the attacker excluding paths, even if it is not commonly used in the wild against home users.
This method can invalidate AV protection, but it is hard to test how effective it could be in widespread (automated) attacks. There are some additional factors that must be taken into account:
1. It is usually easier and more efficient to use a new 0-day (morphed) variant, than creating a loader and finding an older malware (X.exe in the video) that can bypass the AV behavior-based protection.
2. We must be certain that the X.exe (older malware) can bypass the AV behavior-based protection. This can be tested, but the AV can learn during the test. So, the test can increase malware detection (by behavior).
3. After some time, the AV can behaviorally detect the initial malware loader, even if the X.exe is executed from the excluded folder.

In targeted attacks, the above points can be less important. So it would be interesting to test how efficient this method could be. :) (y)
What’s your comment on this ( Video - Antivirus vs RedLine Stealer malware Competition )?

This technique has been used in the wild.
 

Andy Ful

From Hard_Configurator Tools
What’s your comment on this ( Video - Antivirus vs RedLine Stealer malware Competition )?

This technique has been used in the wild.
My comment would be the same as in this thread. The technique of abusing Microsoft Defender exclusions has been used in the wild (in targeted attacks) for several years to obtain persistence and lateral movement. It is nothing new or uncommon. The "unpleasant possibility" is that this technique could possibly be used in widespread attacks (not targeted or personalized) as a part of initial malware, like in this thread. For now, I cannot see evidence for that. A widespread attack (spray and pray) with an info stealer does not make much sense, because such malware will also attack the computers of experts, malware hunters, and advanced users. So, it will not be long-lived. That is why malware such as RedLine Stealer is usually distributed as cracked games, applications, ADs, or services. Of course, this can change in the future. I think that Microsoft should strengthen the protection against such threats, but this will probably happen to protect business users (not home users).
 
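The posts above discuss attackers adding Microsoft Defender exclusions to keep a payload out of scanning. The script below is an added defender-side example written for this page; it is not from Andy Ful, Hard_Configurator, or the linked video. It lists the current path, extension and process exclusions via Get-MpPreference, flags exclusions that fall under user-writable locations (the list of such roots is an assumption chosen for this example), and then pulls Event ID 5007 entries from the Defender operational log, which record configuration changes and name the exclusion registry key that was added or removed. Run it in an elevated PowerShell session on Windows 10/11 with the built-in Defender module.

```powershell
# Added example, not code from the thread: audit Microsoft Defender exclusions
# and recent exclusion changes on the local host. Requires elevation.

# Heuristic (assumed for this example): an exclusion rooted in a location that any
# user process can write to is the kind an attacker would plant, so it is flagged.
$suspiciousRoots = @(
    "$env:TEMP",
    "$env:LOCALAPPDATA",
    "$env:APPDATA",
    "$env:PUBLIC",
    'C:\Users',
    'C:\ProgramData'
) | Where-Object { $_ }

function Get-ExclusionReport {
    $prefs = Get-MpPreference

    $paths = foreach ($path in @($prefs.ExclusionPath)) {
        if (-not $path) { continue }
        $userWritable = $false
        foreach ($root in $suspiciousRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $userWritable = $true
                break
            }
        }
        [PSCustomObject]@{ Kind = 'Path'; Value = $path; UserWritable = $userWritable }
    }
    $exts = foreach ($e in @($prefs.ExclusionExtension)) {
        if ($e) { [PSCustomObject]@{ Kind = 'Extension'; Value = $e; UserWritable = $false } }
    }
    $procs = foreach ($p in @($prefs.ExclusionProcess)) {
        if ($p) { [PSCustomObject]@{ Kind = 'Process'; Value = $p; UserWritable = $false } }
    }
    @($paths) + @($exts) + @($procs)
}

function Get-ExclusionChangeEvents {
    param([int]$Days = 30)
    # Event ID 5007 = "antimalware platform configuration changed". The message body
    # carries the old/new registry value, so exclusion edits mention "Exclusions".
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        ForEach-Object {
            # keep the lines that name the changed value, drop the boilerplate sentence
            $detail = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'value' }) -join ' | '
            [PSCustomObject]@{ Time = $_.TimeCreated; Change = $detail.Trim() }
        }
}

Write-Host '== Configured exclusions (flagged = user-writable root) =='
Get-ExclusionReport | Format-Table Kind, UserWritable, Value -AutoSize

Write-Host "`n== Exclusion changes in the last 30 days (Event ID 5007) =="
$changes = Get-ExclusionChangeEvents -Days 30
if ($changes) { $changes | Format-Table -AutoSize -Wrap } else { Write-Host 'none recorded' }
```

A flagged path is not proof of compromise (some installers legitimately exclude their own data folders), but an exclusion that appears in the 5007 log at the same time as an unfamiliar executable is exactly the pattern the posts above describe, and forwarding Event ID 5007 to a central log makes that correlation possible on more than one machine.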

Andy Ful

From Hard_Configurator Tools
If one uses cracked games, applications, and pirated software, then Microsoft Defender is probably not the best solution (for several reasons). But, unfortunately, other AVs on default settings are not much better, as some MT members already reported.
There is also a problem with testing the malware samples distributed with pirated/cracked software due to a small number of tested samples. Furthermore, the infection rate is also sensitive to the phishing vector - the malicious links are distributed via forums, ADs, etc.

Unfortunately, it is unclear how the AV detection score in a test with such samples can reflect the real protection in the wild. Many of the tested malware samples are in fact "dead bees" that have already lost their stings. The AV can detect such samples when they cannot infect anyone in the wild. The tester usually makes the assumption that detecting more bees in the test (including many dead ones) means that the AV could also protect against more bees when they were all alive. A clear example that such an assumption may be untrue is TrendMicro and its striking results in the AV-Comparatives Malware Protection tests, for example (November 2022):

[Image: AV-Comparatives Malware Protection test results, November 2022]


As we know, TrendMicro has got very good scores in Real-World tests, comparable with the top AVs.
For example, let's look at the results of the AV-Comparatives Real-World test:

[Image: AV-Comparatives Real-World Protection test results]
