> Are you stating that when a true route of infection is presented that security products such as the built-in one will respond differently?

No.

> No.

You stated that without the MotW the LNK malware executed, whereas with it preserved SAC can block the file by default, so hence you stated the MotW made a difference to the product's ability to block by default and act differently than without. Can you be more specific?

> You stated that without the MotW the LNK malware executed, whereas with it preserved SAC can block the file by default, so hence you stated the MotW made a difference to the product's ability to block by default and act differently than without.

Yes. SAC will block some files (like LNK shortcuts) if they originate from the Internet Zone and will not block the same files when dropped/created locally.
So, mainly the malicious shortcut will be blocked as an initial attack vector, but will not be blocked when used in lateral movement or as a persistence method.
The EXE, DLL, and MSI files are blocked by SAC independently of MotW.
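As an added illustration (not code from this thread or from Microsoft), the Python below parses the Zone.Identifier alternate data stream that carries the Mark of the Web and models the gating described in the post above: an LNK only falls under the MotW-dependent check when its stream marks it Internet Zone (ZoneId 3) or stricter, while EXE/DLL/MSI are in scope regardless. The policy table is a model of this post's statements rather than Microsoft's published rules, and the sample stream text is constructed here; `read_motw` only finds a stream on NTFS under Windows.

```python
"""Read a Mark-of-the-Web (Zone.Identifier) stream and model the SAC gating
described in the post above. Policy table and samples are constructed here."""
import configparser
import os

# URLMON security-zone ids as written into Zone.Identifier (ZoneId=...).
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Model of the post's claims (an assumption, not Microsoft's published policy):
# EXE/DLL/MSI are checked by SAC regardless of MotW; LNK only with an Internet-zone MotW.
ALWAYS_IN_SCOPE = {".exe", ".dll", ".msi"}
MOTW_GATED = {".lnk"}

# Constructed sample of what a browser writes next to a downloaded file.
SAMPLE_INTERNET_MOTW = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://example.invalid/downloads/\n"
    "HostUrl=https://example.invalid/files/payload.lnk\n"
)


def parse_zone_id(stream_text):
    """Return the integer ZoneId from Zone.Identifier text, or None if absent/malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(stream_text)
        return int(cp.get("ZoneTransfer", "ZoneId"))
    except (configparser.Error, ValueError):
        return None


def read_motw(path):
    """Read the Zone.Identifier ADS (NTFS/Windows only); None if the file has no MotW."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def sac_check_applies(filename, stream_text):
    """True if, per the post's model, SAC would evaluate this file before it runs."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in ALWAYS_IN_SCOPE:
        return True
    if ext in MOTW_GATED:
        zone = parse_zone_id(stream_text or "")
        return zone is not None and zone >= 3  # Internet or Restricted zone only
    return False


if __name__ == "__main__":
    for name, motw in [("payload.lnk", SAMPLE_INTERNET_MOTW), ("payload.lnk", None), ("setup.exe", None)]:
        print(name, ZONE_NAMES.get(parse_zone_id(motw or ""), "no MotW"), sac_check_applies(name, motw))
```

On a real Windows host, feed `read_motw(path)` into `sac_check_applies` to see which downloaded files still carry the Internet-zone marker and which, after being copied by a tool that drops the stream, no longer do.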
> Yes. SAC will block some files (like LNK shortcuts) if they originate from the Internet Zone and will not block the same files when dropped/created locally.

Do you feel it's important to test a product's full abilities to block things based upon true routes of infection? To be fair to the product's design and abilities, I should say. Or at the very least be aware of these abilities and list that those abilities could have stopped a sample but were not tested/deployed?

> Do you feel it's important to test a product's full abilities to block things based upon true routes of infection?

The most important tests should be done against true (in the wild) routes of infection, but it is hard to perform such tests. The test in this thread is made so, with some understandable shortcomings. An additional problem is the constantly improving/changing Windows built-in and Microsoft software protection.
Other tests (ransomware tests, EXE tests, etc.) can also be interesting but are supplementary, and it is hard to evaluate how they can affect real-world protection. Unfortunately, the results of those tests are usually misunderstood by readers.

> The most important tests should be done against true (in the wild) routes of infection, but it is hard to perform such tests.

Most certainly agree, especially with the latter part.
Do you feel that a file sharing site could be one good/easy method to reproduce a real-world route of infection by downloading the sample from it?

> Do you feel that a file sharing site could be one good/easy method to reproduce a real-world route of infection by downloading the sample from it?

This is an easy method. I cannot say how good it is. This can depend on the chosen samples.
The best method is using web crawlers. However, such a method is used only by well-known AV testing labs.

> This is an easy method. I cannot say how good it is. This can depend on the chosen samples.

It's certainly worth looking into or considering as an additional method to test other modules of a product more accurately. Although you are correct in both posts, as the number of samples has a lot to do with it as well. Then again, the chances of typical users running into that much malware would probably be like hitting the lottery, although I do account for the variables that you are referring to with such a large sample. Either way, all testing has its purpose and I would never claim otherwise, but I feel it's unfair to products and companies to state a product has failed if it has not been proven to have run the full gauntlet of its design and modules.

Yes, sorry, my sarcasm can be easily misunderstood, but I was applauding this actually, as it demonstrates for users that are not able to handle advanced security that they can indeed stay safe also.

> Yes, sorry, my sarcasm can be easily misunderstood, but I was applauding this actually, as it demonstrates for users that are not able to handle advanced security that they can indeed stay safe also.

Don't worry, I initially fell into the same trap as @Shadowra; I was about to be my usual smart-ass self and answer that no security has survived a senior citizen with suicidal digital tendencies, but then I realized you stated "good habits", so that negated my argument. So basically, with nearly perfect security comes great responsibility. But honestly, a LOL blocker or Windows hardening by @Andy Ful combined with this solution should be fairly sufficient for 90% of users. An extra 8% can be gained by adding VoodooShield to that solution. The last 2% can't be saved by anything besides a true positive detection with an auto-delete setting, because those 2% of users are the "damn the torpedoes, full speed ahead" crowd that clicks YES RUN IT on any prompt.

> Don't worry, I initially fell into the same trap as @Shadowra; I was about to be my usual smart-ass self and answer that no security has survived a senior citizen with suicidal digital tendencies, but then I realized you stated "good habits", so that negated my argument.

Well, that escalated quickly. Went from "pretty much stock security could protect you" to "add more 3rd-party applications so most everyone can stay safe".

How come MS Defender does not detect files on access anymore? You have to execute a file for it to be detected. Was this changed recently? It works similar to Malwarebytes now, which does not detect files when downloaded, only when executed.

Currently, the protection (at home) of Defender + SAC is close to highly tweaked Kaspersky like in @harlan4096's settings (executables unknown to KSN run as Untrusted). This can change in the future, if attackers start using more properly signed malware in widespread attacks.
The protection against malware from flash drives (shortcuts, scripts, etc.) is not so good, as we can see from the @Shadowra test.

> Currently, the protection (at home) of Defender + SAC is close to highly tweaked Kaspersky like in @harlan4096's settings (executables unknown to KSN run as Untrusted).

Actually, Kaspersky needs to have the vendor that signs the file as a Trusted Vendor in its list. Does MD have the same approach? Or does it allow all signed files no matter who signs them? Do you know anything about Microsoft's approach to unknown files?

I've noticed that it only does this on certain files (like scripts); otherwise MS Defender detects as usual.

> I've noticed that it only does this on certain files (like scripts); otherwise MS Defender detects as usual.

MD screams loudly with just opening a folder containing famous scripts for activating Windows and Office; the same applies to Kaspersky and Bitdefender.
(We're not at Avira's level yet.)

> Actually, Kaspersky needs to have the vendor that signs the file as a Trusted Vendor in its list. Does MD have the same approach? Or does it allow all signed files no matter who signs them? Do you know anything about Microsoft's approach to unknown files?

As far as I know, Microsoft Defender does not use something comparable to the Trusted Vendor List in Kaspersky, Comodo, etc.
SAC will allow any properly signed EXE files, except those blacklisted in Microsoft's ISG.

> As far as I know, Microsoft Defender does not use something comparable to the Trusted Vendor List in Kaspersky, Comodo, etc.

Can the ASR rule that blocks untrusted executables also be used instead of SAC? I've had differing results with that rule.

> Can the ASR rule that blocks untrusted executables also be used instead of SAC? I've had differing results with that rule.

It can, but the protection rate is probably greater with SAC.