Serious Discussion Microsoft Defender Antivirus and firewall = 100 % clean?

Studynxx

Level 4
Jan 20, 2023
227
I can't see anything you may have attached. Anyway, I always deploy my system images on bare metal hardware. No way I trust these pre-installed OS' even if they are probably retail-deployed.
 

Oblivion99

Level 2
Thread author
Nov 6, 2023
81
Because the definitions update in the offline scanner doesn't happen every second, it may happen daily or twice a day "you can configure it if you want it to be shorter", while the online scanner is up-to-date all the time, so if the file is new it will not be determined in the offline scanner "which is rare".
So if it's a new file, that is newer than the last signature update, then the online scanner kicks in and scans the file?

What factors determine if the file is newer than the last signature update?
 

Oblivion99

Level 2
Thread author
Nov 6, 2023
81
Edit: I think there is a misunderstanding between your question and my answer. I thought you asked about the time needed for the MS Defender online scanner to check a file after it connects to the internet again, but what I did with the CCleaner portable is that I disabled MS Defender completely, so when I enabled it back it caught the sample again, but as I mentioned I don't know which component blocked the file.
1.
"don't really know exactly which component of MS Defender blocked the file."
By component you mean online-scanner or offline-scanner, which of the two blocked the file?
Or what other components are you referring to?

2.
What if the online-scanner gets interrupted scanning a file, because the internet connection is lost?
And the system is never connected to the internet again.
Will the scanning process stay in limbo?
What happens to the file?
There has to be some kind of result...

Thank you
 

lokamoka820

Level 24
Mar 1, 2024
1,321
1.
"don't really know exactly which component of MS Defender blocked the file."
By component you mean online-scanner or offline-scanner, which of the two blocked the file?
Or what other components are you referring to?
Yes, exactly, because I turned it off completely.
2.
What if the online-scanner gets interrupted scanning a file, because the internet connection is lost?
And the system is never connected to the internet again.
Will the scanning process stay in limbo?
What happens to the file?
There has to be some kind of result...
If the file is malicious, and it is defined in the offline scanner, then MS Defender will quarantine or delete it, otherwise your machine will get infected; it can't hold the file more than seconds.
 

Oblivion99

Level 2
Thread author
Nov 6, 2023
81
If the file is malicious, and it is defined in the offline scanner, then MS Defender will quarantine or delete it, otherwise your machine will get infected; it can't hold the file more than seconds.
I tried explaining it better below. Hope it makes better sense.

If the file hash is newer than the last signature update, then the online scanner scans it.
What if the online-scanner gets interrupted in the scanning process, because the internet connection is lost?
And the system is never connected to the internet again.
The scanning process was never completed, and you don't have a result, whether the file is clean or not.

Will the scanning process stay in limbo?
What happens to the file?
There has to be some kind of result?

Thank you
 

lokamoka820

Level 24
Mar 1, 2024
1,321
Can the hacker manipulate the hash, so a new file "looks" old, and thereby cheats the scanner?
No he can't, this is why software owners that don't own their servers publish the hash of their products and ask you to confirm that hashes are matched before using the product, to be sure that the server owner didn't change or modify the content.
 
  • Like
Reactions: Oblivion99

lokamoka820

Level 24
Mar 1, 2024
1,321
I tried explaining it better below. Hope it makes better sense.

If the file hash is newer than the last signature update, then the online scanner scans it.
What if the online-scanner gets interrupted in the scanning process, because the internet connection is lost?
And the system is never connected to the internet again.
The scanning process was never completed, and you don't have a result, whether the file is clean or not.
There are types of lists in software, blacklist, whitelist, etc. In antivirus software the signatures follow the blacklist approach, which means when an update happens to the signatures, the list will have the hashes of the files "and only the files" that will be blocked and quarantined; anything outside this list will be treated as a safe file, so the file will be determined safe.
Will the scanning process stay in limbo?
No, it will end and determine the file as safe for now until the next scan.
What happens to the file?
The file will be available in your machine as a safe file.
There has to be some kind of result?
I hope the result is clear now.
 
  • Like
Reactions: simmerskool

Oblivion99

Level 2
Thread author
Nov 6, 2023
81
There are types of lists in software, blacklist, whitelist, etc. In antivirus software the signatures follow the blacklist approach, which means when an update happens to the signatures, the list will have the hashes of the files "and only the files" that will be blocked and quarantined; anything outside this list will be treated as a safe file, so the file will be determined safe.

No, it will end and determine the file as safe for now until the next scan.

The file will be available in your machine as a safe file.

I hope the result is clear now.
Thank you for your long and great explanation.

But for the online scanner to scan the file:
The file in question is uploaded to the cloud
The file gets compared to the online signatures
A result is sent back to the local antivirus software
-
What if the internet connection is lost in the above process, and the internet connection is never restored?
Then the local antivirus software never gets a result / an answer what to do with the file.

I apologize, I know it's getting very theoretical...
 

lokamoka820

Level 24
Mar 1, 2024
1,321
Thank you for your long and great explanation.
You are welcome.
But for the online scanner to scan the file:
The file in question is uploaded to the cloud
The file gets compared to the online signatures
A result is sent back to the local antivirus software
It is not that the online scanner will send the result back to the offline scanner, which is waiting for a response.

Think about it like you have different components in the same product, and they are managed to work in a compatible way but not relying literally on each other:
  • The online scanner: upload the file and scan it against the always up-to-date signatures.
  • The offline scanner: download the last updated signatures periodically and scan the file against it.
Now from a programming perspective, imagine the following workflow:
  • MS Defender wants to scan a file.
  • By default, use the offline scanner component.
  • If the file hash is defined, and it is malicious, then quarantine/delete.
  • If the file hash is not defined, then use the online scanner component.
  • If the file hash is defined, and it is malicious, then quarantine/delete.
What if the internet connection is lost in the above process, and the internet connection is never restored?
Then the local antivirus software never gets a result / an answer what to do with the file.
Now, if the internet connection is lost, the last sentence in the workflow will not apply at all; the local antivirus will not hold the file and wait for a result/answer, because as I mentioned in a previous answer it uses what is called the blacklist approach, which means every file is safe unless it is in the blacklist.
I apologize, I know it's getting very theoretical...
Practically every antivirus software will be useless if the internet connection is lost and never restored.
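The workflow described in this post, as an added illustration that is not code from the thread and not how Microsoft Defender is actually implemented: a local hash blacklist is consulted first, an online lookup second, and the "no confirmation means allowed" behaviour described above is modelled as a fail-open policy. The `fail_open` switch and the `PENDING` verdict are assumptions added to show the alternative (holding the file) that the thread asks about; all sample data is constructed.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    MALICIOUS = "malicious"  # hash found in a blacklist: quarantine/delete
    ALLOWED = "allowed"      # not blacklisted: access granted
    PENDING = "pending"      # assumed fail-closed variant: hold until a lookup completes


class CloudUnavailable(Exception):
    """Raised when the online lookup cannot complete (connection lost)."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_file(data: bytes, offline_blacklist: set, cloud_lookup, fail_open: bool = True):
    """Return (verdict, component that decided) for the described two-step workflow."""
    digest = sha256_hex(data)
    # Step 1: offline scanner, local signatures from the last definitions update.
    if digest in offline_blacklist:
        return Verdict.MALICIOUS, "offline"
    # Step 2: hash unknown locally, so ask the online scanner.
    try:
        return (Verdict.MALICIOUS if cloud_lookup(digest) else Verdict.ALLOWED), "online"
    except CloudUnavailable:
        # Blacklist approach as described in the thread: no confirmation that the
        # hash is blacklisted, so the file is treated as safe (fail-open).
        if fail_open:
            return Verdict.ALLOWED, "offline"
        # Assumed alternative, not described in the thread: keep the file held.
        return Verdict.PENDING, "none"


# Constructed sample data: one file known locally, one newer than the last update.
KNOWN_BAD = b"constructed sample: known-bad payload"
NEW_BAD = b"constructed sample: newer than last signature update"
CLEAN = b"constructed sample: benign document"
OFFLINE_SIGS = {sha256_hex(KNOWN_BAD)}
CLOUD_SIGS = OFFLINE_SIGS | {sha256_hex(NEW_BAD)}


def cloud_online(digest: str) -> bool:
    return digest in CLOUD_SIGS


def cloud_offline(digest: str) -> bool:
    raise CloudUnavailable("connection lost during lookup")
```

Compare `scan_file(NEW_BAD, OFFLINE_SIGS, cloud_offline)` with the `fail_open=False` call to see the two possible answers to the "limbo" question.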
 

Szellem

Level 9
Well-known
Apr 15, 2020
415
You are welcome.

It is not that the online scanner will send the result back to the offline scanner, which is waiting for a response.

Think about it like you have different components in the same product, and they are managed to work in a compatible way but not relying literally on each other:
  • The online scanner: upload the file and scan it against the always up-to-date signatures.
  • The offline scanner: download the last updated signatures periodically and scan the file against it.
Now from a programming perspective, imagine the following workflow:
  • MS Defender wants to scan a file.
  • By default, use the offline scanner component.
  • If the file hash is defined, and it is malicious, then quarantine/delete.
  • If the file hash is not defined, then use the online scanner component.
  • If the file hash is defined, and it is malicious, then quarantine/delete.

Now, if the internet connection is lost, the last sentence in the workflow will not apply at all; the local antivirus will not hold the file and wait for a result/answer, because as I mentioned in a previous answer it uses what is called the blacklist approach, which means every file is safe unless it is in the blacklist.

Practically every antivirus software will be useless if the internet connection is lost and never restored.
What you write seems logical.
 

Oblivion99

Level 2
Thread author
Nov 6, 2023
81
local antivirus will not hold the file and wait for a result/answer, because as I mentioned in a previous answer it uses what is called the blacklist approach, which means every file is safe unless it is in the blacklist.
I thought that MS Defender "blocked" / "held" the file until it was declared safe / clean. Why I thought this, is because of your other answers:
  • MS Defender will watch the downloaded file until it completes, and you will not have access to it at all even if you try to run/copy/rename/whatever, no operations allowed.
  • The exact second the file completes downloading (you still don't have access to it) it will be scanned and quarantined if it is malicious.
  • By default, use the offline scanner component.
  • If file hash defined, and it is malicious, then quarantine/delete.
What makes it undefined / not defined, that is if the file hash is newer than the last local signature update?

Now, if the internet connection is lost, the last sentence in the workflow will not apply at all; the local antivirus will not hold the file and wait for a result/answer, because as I mentioned in a previous answer it uses what is called the blacklist approach, which means every file is safe unless it is in the blacklist.
So the local MS Defender is not waiting for a response from the cloud function / online scanner function?

The local MS Defender will only block or quarantine the file if it gets an answer from the online scanner?

Practically every antivirus software will be useless if the internet connection is lost and never restored.
What about the offline scanner function, I assume that is still viable / good?

Thank you
 
  • Like
Reactions: lokamoka820

lokamoka820

Level 24
Mar 1, 2024
1,321
I thought that MS Defender "blocked" / "held" the file until it was declared safe / clean. Why I thought this, is because of your other answers:
  • MS Defender will watch the downloaded file until it completes, and you will not have access to it at all even if you try to run/copy/rename/whatever, no operations allowed.
  • The exact second the file completes downloading (you still don't have access to it) it will be scanned and quarantined if it is malicious.
Safe / clean means it is not in the blacklist of MS Defender.
What makes it undefined / not defined, that is if the file hash is newer than the last local signature update?
Exactly.
So the local MS Defender is not waiting for a response from the cloud function / online scanner function?
No.
The local MS Defender will only block or quarantine the file if it gets an answer from the online scanner?
Yes.
What about the offline scanner function, I assume that is still viable / good?
Yes, it is good.
 

Oblivion99

Level 2
Thread author
Nov 6, 2023
81
Safe / clean means it is not in the blacklist of MS Defender.
1.
But is MS Defender "blocking" / "holding" the file until it has been scanned and cleared?
Is that correct?
  • The exact second the file completes downloading (you still don't have access to it) it will be scanned and quarantined if it is malicious.
2.
But when does MS Defender allow access to the file?
When it has been scanned successfully by the offline or online scanner?

Thank you
 
  • Like
Reactions: lokamoka820

lokamoka820

Level 24
Mar 1, 2024
1,321
1.
But is MS Defender "blocking" / "holding" the file until it has been scanned and cleared?
Is that correct?
  • The exact second the file completes downloading (you still don't have access to it) it will be scanned and quarantined if it is malicious.
2.
But when does MS Defender allow access to the file?
When it has been scanned successfully by the offline or online scanner?

Thank you
Any new file to the system (downloaded / copied from USB / etc.) will be scanned before you access it, and if it is not in the blacklist it will be accessible then.
The scan process will be in the same order mentioned in a previous answer (MS Defender workflow).
 

Oblivion99

Level 2
Thread author
Nov 6, 2023
81
Any new file to the system (downloaded / copied from USB / etc.) will be scanned before you access it, and if it is not in the blacklist it will be accessible then.
But what if the file is never successfully scanned?
Will there never be granted access to the file?

It is undefined to the offline scanner - not scanned
The online scanner gets interrupted, and internet access is not restored - not successfully scanned

Thank you
 
  • Like
Reactions: lokamoka820

lokamoka820

Level 24
Mar 1, 2024
1,321
But what if the file is never successfully scanned?
Will there never be granted access to the file?

It is undefined to the offline scanner - not scanned
The online scanner gets interrupted, and internet access is not restored - not successfully scanned

Thank you
Think about it like when a police officer stops you at a checkpoint: he can't arrest you unless your SSN is defined in the government database as wanted (blacklist), so when the police officer can't find that you are wanted, for any reason, for example if the system is stuck or the check failed to return a result, he will not hold you until he gets a clear result identifying you as a good citizen. This is exactly how antivirus works.

So file undefined - not scanned - no internet - whatever, you will access the file after seconds of no confirmation that it is in the blacklist.
 
  • Like
Reactions: Oblivion99

Oblivion99

Level 2
Thread author
Nov 6, 2023
81
Think about it like when a police officer stops you at a checkpoint: he can't arrest you unless your SSN is defined in the government database as wanted (blacklist), so when the police officer can't find that you are wanted, for any reason, for example if the system is stuck or the check failed to return a result, he will not hold you until he gets a clear result identifying you as a good citizen. This is exactly how antivirus works.

So file undefined - not scanned - no internet - whatever, you will access the file after seconds of no confirmation that it is in the blacklist.
So if the online scanner is stuck / can't get an answer from the online cloud - after a couple of seconds MS Defender will allow access to the file, even though it was not scanned?
 
  • Hundred Points
Reactions: lokamoka820

Oblivion99

Level 2
Thread author
Nov 6, 2023
81
The mentioned scenario will apply to any file created/opened/copied/pasted/modified/etc. on your laptop/system; it is not about how the file was downloaded or where it came from, it is about any file in the system, new or old.
1.
Also if the file was transferred via Bluetooth?

2.
Also if the laptop was connected to a compromised Chromecast unit, and the Chromecast unit somehow transferred / tried to transfer a malicious file to the system?
 
  • Like
Reactions: lokamoka820
