App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,458
Are you stating that when a true route of infection is presented, security products such as the built-in one will respond differently?

No.
Can you be more specific?
 

ForgottenSeer 114834

No.
Can you be more specific?
You stated that without the MotW the LNK malware executed, whereas with it preserved SAC can block the file by default; so you stated that the MotW made a difference to the product's ability to block by default and to act differently than without it.
 

Andy Ful

You stated that without the MotW the LNK malware executed, whereas with it preserved SAC can block the file by default; so you stated that the MotW made a difference to the product's ability to block by default and to act differently than without it.
Yes. SAC will block some files (like LNK shortcuts) if they originate from the Internet Zone and will not block the same files when dropped/created locally.
So, mainly the malicious shortcut will be blocked as an initial attack vector, but will not be blocked when used in lateral movement or as a persistence method.
The EXE, DLL, and MSI files are blocked by SAC independently of MotW.
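The Internet Zone versus locally created distinction described in the post above comes down to whether the file carries a Zone.Identifier alternate data stream (the Mark of the Web, ZoneId=3 for the Internet Zone). The following PowerShell is an added example, not code from the thread or from Microsoft; the directory, file names and placeholder shortcut contents are constructed for illustration only. It reads the zone from a file, simulates what a browser download looks like next to a locally dropped file of the same name, and shows how Unblock-File strips the mark.

```powershell
# Added example (not from the thread): inspect Mark-of-the-Web on files.
# MotW is the NTFS alternate data stream "Zone.Identifier"; ZoneId=3 means
# Internet Zone, which is the case SAC treats differently for LNK/scripts.
# File names and contents below are constructed placeholders.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # Returns the ZoneId as [int], or $null when the stream is absent.
    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    if ($text -match 'ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

$work = Join-Path $env:TEMP 'motw-demo'   # constructed working directory
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. A file "downloaded" from the Internet: simulate what a browser does by
#    writing the Zone.Identifier stream with ZoneId=3.
$downloaded = Join-Path $work 'invoice.lnk'
Set-Content -LiteralPath $downloaded -Value 'placeholder, not a real shortcut'
Set-Content -LiteralPath $downloaded -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# 2. The same name written by a local process (a script dropping a shortcut
#    for persistence or lateral movement): no browser involved, so no stream.
$local = Join-Path $work 'persist.lnk'
Set-Content -LiteralPath $local -Value 'placeholder, not a real shortcut'

foreach ($f in $downloaded, $local) {
    $zone  = Get-MotwZone $f
    $state = if ($zone -eq 3)        { 'Internet Zone (MotW present)' }
             elseif ($null -eq $zone) { 'no MotW (looks locally created)' }
             else                     { "ZoneId=$zone" }
    '{0,-14} {1}' -f (Split-Path $f -Leaf), $state
}

# 3. MotW survives a plain copy between NTFS volumes, but is removed by
#    Unblock-File, by tools that do not propagate the stream, and by media
#    without alternate data streams (FAT32/exFAT flash drives).
$copy = Join-Path $work 'copy.lnk'
Copy-Item -LiteralPath $downloaded -Destination $copy
'copy.lnk before Unblock-File: ZoneId={0}' -f (Get-MotwZone $copy)
Unblock-File -LiteralPath $copy
$after = Get-MotwZone $copy
'copy.lnk after Unblock-File:  {0}' -f $(if ($null -eq $after) { 'no MotW' } else { "ZoneId=$after" })
```

Run it as a normal user on any NTFS volume; the third step is the practical check to repeat on a real sample before concluding that a MotW-dependent control such as SAC was even in a position to act on it.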
 

ForgottenSeer 114834

Yes. SAC will block some files (like LNK shortcuts) if they originate from the Internet Zone and will not block the same files when dropped/created locally.
So, mainly the malicious shortcut will be blocked as an initial attack vector, but will not be blocked when used in lateral movement or as a persistence method.
The EXE, DLL, and MSI files are blocked by SAC independently of MotW.
Do you feel it's important to test a product's full ability to block things based on true routes of infection? To be fair to the product's design and abilities, I should say. Or at the very least be aware of these abilities and list that those abilities could have stopped a sample but were not tested/deployed?
 

Andy Ful

Do you feel it's important to test a product's full ability to block things based on true routes of infection?

The most important tests should be done against true (in the wild) routes of infection, but it is hard to perform such tests. The test in this thread is made so, with some understandable shortcomings. An additional problem is constantly improving/changing Windows built-in and Microsoft software protection.
Other tests (ransomware tests, EXE tests, etc.) can also be interesting but are supplementary and it is hard to evaluate how they can affect real-world protection. Unfortunately, the results of those tests are usually misunderstood by readers.
 

ForgottenSeer 114834

The most important tests should be done against true (in the wild) routes of infection, but it is hard to perform such tests. The test in this thread is made so, with some understandable shortcomings. An additional problem is constantly improving/changing Windows built-in and Microsoft software protection.
Other tests (ransomware tests, EXE tests, etc.) can also be interesting but are supplementary and it is hard to evaluate how they can affect real-world protection. Unfortunately, the results of those tests are usually misunderstood by readers.
Most certainly agree especially with the latter part.

Do you feel that a file-sharing site could be one good/easy method to reproduce a real-world route of infection, by downloading the sample from it?
 

Andy Ful

Do you feel that a file-sharing site could be one good/easy method to reproduce a real-world route of infection, by downloading the sample from it?

This is an easy method. I cannot say how good it is. This can depend on the chosen samples.
The best method is using web crawlers. However, such a method is used only by well-known AV testing Labs.
 

Andy Ful

The main problem with testing is that only a small fraction of in-the-wild samples are tested. If you have 1,000,000 cue balls, of which 2,000 are black (missed samples in the wild) and the rest are white, you can get very different results when randomly choosing 100 balls. Unfortunately, all known AV tests are based on unclear statistics, and their methodology can be questioned. They are probably less reliable than presidential exit polls.
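To put numbers on the cue-ball argument above, the following PowerShell is an added example (not from the post) using the post's own figures: 1,000,000 samples in the wild, 2,000 of them missed, and a test that draws 100 at random. It computes how likely a single 100-sample test is to observe 0, 1, 2 or 3 misses, then runs twenty seeded simulated tests to show the spread of "miss rates" such tests would each report.

```powershell
# Added example (not from the thread): what a 100-sample test can say about
# a 0.2% in-the-wild miss rate. Figures are the ones used in the post.

$population = 1000000
$missed     = 2000
$sample     = 100
$p          = $missed / $population   # true miss rate, 0.002

# Drawing without replacement is hypergeometric, but with a population this
# large relative to the sample the binomial approximation is indistinguishable,
# so use it for the exact per-k probabilities.
function Get-BinomialPmf {
    param([int]$n, [int]$k, [double]$p)
    $c = 1.0                                  # C(n,k) built iteratively
    for ($i = 1; $i -le $k; $i++) { $c = $c * ($n - $k + $i) / $i }
    return $c * [math]::Pow($p, $k) * [math]::Pow(1 - $p, $n - $k)
}

'Probability that one 100-sample test observes k misses (true miss rate 0.2%):'
foreach ($k in 0..3) {
    '  k = {0}: {1,8:P2}' -f $k, (Get-BinomialPmf -n $sample -k $k -p $p)
}
# Roughly: k=0 about 82%, k=1 about 16%, k=2 about 1.6%. Most tests of this
# size therefore report a perfect score, and a single observed miss already
# reads as a "2% failure rate" against a true rate of 0.2%.

# Monte Carlo: twenty independent "tests" of 100 draws, each publishing the
# miss rate it happened to see. Seeded so the run is reproducible.
$rng = [System.Random]::new(42)
$results = foreach ($t in 1..20) {
    $hits = 0
    for ($i = 0; $i -lt $sample; $i++) { if ($rng.NextDouble() -lt $p) { $hits++ } }
    [pscustomobject]@{
        Test             = $t
        Misses           = $hits
        ApparentMissRate = '{0:P1}' -f ($hits / $sample)
    }
}
$results | Format-Table -AutoSize
```

The point of the table is not the individual numbers but that identical products, tested honestly with the same methodology, would publish visibly different scores purely from sampling.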
 

Andy Ful

Currently, the protection (at home) of Defender + SAC is close to highly tweaked Kaspersky like in @harlan4096's settings (executables unknown to KSN run as Untrusted). This can change in the future if attackers start using more properly signed malware in widespread attacks.
The protection against malware from flash drives (shortcuts, scripts, etc.) is not so good, as we can see from the @Shadowra test.
 

ForgottenSeer 114834

This is an easy method. I cannot say how good it is. This can depend on the chosen samples.
The best method is using web crawlers. However, such a method is used only by well-known AV testing Labs.
It's certainly worth looking into or considering as an additional method to test other modules of a product more accurately. Although you are correct in both posts, as the number of samples has a lot to do with it as well. Then again, the chances of typical users running into that much malware would probably be like hitting the lottery, although I do account for the variables that you are referring to with such a large sample. Either way, all testing has its purpose and I would never claim otherwise, but I feel it's unfair to products and companies to state a product has failed if it has not been proven to have run the full gauntlet of its design and modules.

Disclaimer: @Shadowra this has no bearing on your test above, I just took the opportunity to ask one of the forum professionals his take on testing products.
 

cartaphilus

Level 10
Verified
Well-known
Mar 17, 2023
496
Yes, sorry, my sarcasm can be easily misunderstood, but I was applauding this actually, as it demonstrates for users that are not able to handle advanced security that they can indeed stay safe also.
Don't worry, I initially fell into the same trap as @Shadowra; I was about to be my usual smart-ass self and answer that no security has survived a senior citizen with suicidal digital tendencies, but then I realized you stated "good habits", so that negated my argument. So basically, with nearly perfect security comes great responsibility. But honestly, a LOL blocker or Windows hardening by @Andy Ful combined with this solution should be fairly sufficient for 90% of users. An extra 8% can be covered by adding VoodooShield to that solution. The last 2% can't be saved by anything besides a true positive detection with an auto-delete setting, because those 2% of users are the "Damn the torpedoes, full speed ahead" crowd that click YES RUN IT on any prompt.
 

nickstar1

Level 9
Verified
Well-known
Dec 10, 2022
400
How come MS Defender does not detect files on access anymore? You have to execute a file for it to be detected; was this changed recently? It works similarly to Malwarebytes now, which does not detect files when downloaded, only when executed.
 

ForgottenSeer 114834

Don't worry, I initially fell into the same trap as @Shadowra; I was about to be my usual smart-ass self and answer that no security has survived a senior citizen with suicidal digital tendencies, but then I realized you stated "good habits", so that negated my argument. So basically, with nearly perfect security comes great responsibility. But honestly, a LOL blocker or Windows hardening by @Andy Ful combined with this solution should be fairly sufficient for 90% of users. An extra 8% can be covered by adding VoodooShield to that solution. The last 2% can't be saved by anything besides a true positive detection with an auto-delete setting, because those 2% of users are the "Damn the torpedoes, full speed ahead" crowd that click YES RUN IT on any prompt.
Well, that escalated quickly. We went from "pretty much stock security could protect you" to "add more third-party applications so most everyone can stay safe".

Wouldn't it be easier to take the telephones away from the seniors so they don't answer spam calls, monitor any usage that involves financial transactions, and unplug the 2% that just absolutely click on everything no matter what you tell them, or simply let them learn a hard lesson that they are not God and cannot just go at things the way they feel? I mean, isn't using the Internet a responsibility just like driving?

Sorry my smart arse side kicked in too, although I pulled on the reins.

On a serious note I have seen many people use nothing but windows defaults, with a good ad blocker in the browser behind a router be perfectly fine and malware free.
 

Shadowra

Level 36
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,582
How come MS Defender does not detect files on access anymore? You have to execute a file for it to be detected; was this changed recently? It works similarly to Malwarebytes now, which does not detect files when downloaded, only when executed.

I've noticed that it only does this on certain files (like scripts), otherwise MS Defender detects as usual.
(We're not at Avira's level yet :p )
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,483
Currently, the protection (at home) of Defender + SAC is close to highly tweaked Kaspersky like in @harlan4096's settings (executables unknown to KSN run as Untrusted). This can change in the future if attackers start using more properly signed malware in widespread attacks.
The protection against malware from flash drives (shortcuts, scripts, etc.) is not so good, as we can see from the @Shadowra test.
Actually, Kaspersky needs to have the vendor that signs the file as a Trusted Vendor in its list. Does MD have the same approach? Or does it allow all signed files no matter who signs it? Do you know anything about Microsoft's approach to unknown files?
 

Andy Ful

Actually, Kaspersky needs to have the vendor that signs the file as a Trusted Vendor in its list. Does MD have the same approach? Or does it allow all signed files no matter who signs it? Do you know anything about Microsoft's approach to unknown files?

As far as I know, Microsoft Defender does not use something comparable to the Trusted Vendor List in Kaspersky, Comodo, etc.
SAC will allow any properly signed EXE files, except those blacklisted in Microsoft's ISG.
 

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
519
As far as I know, Microsoft Defender does not use something comparable to the Trusted Vendor List in Kaspersky, Comodo, etc.
SAC will allow any properly signed EXE files, except those blacklisted in Microsoft's ISG.
Can the ASR rule that blocks untrusted executables also be used instead of SAC? I've had differing results with that rule.
 

Andy Ful

Can the ASR rule that blocks untrusted executables also be used instead of SAC? I've had differing results with that rule.
It can, but the protection rate is probably greater with SAC.
The ASR rule will block most malicious 0-day EXE malware and some techniques that use DLLs.
Currently, SAC blocks slightly fewer EXE malware, but much more fileless attacks (including many initial fileless attacks with EXE payloads).
For example, by blocking one shortcut, SAC can block several EXE payloads stored on the malicious domain (malware replaced frequently by another morphed sample).
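For anyone weighing the ASR rule against SAC as discussed in the exchange above, the following PowerShell is an added example (not code from the thread or from Microsoft) that reads the current Smart App Control state, reports whether the "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" rule is configured, puts it into audit mode when SAC is not enforcing, and lists the Defender events the rule generates. The registry value name and the rule GUID are the ones Microsoft documents; the decision to enable the rule only when SAC is off is this example's choice, mirroring the "instead of SAC" question, not a Microsoft recommendation.

```powershell
# Added example (not from the thread): check SAC state and the Defender ASR
# rule that blocks executables failing the prevalence/age/trusted-list test.
# Run from an elevated PowerShell on Windows 11 with Microsoft Defender active.

# Smart App Control state is stored under the Code Integrity policy key.
# Documented values: 0 = Off, 1 = On (enforcing), 2 = Evaluation mode.
$ciKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
$sacState = (Get-ItemProperty -Path $ciKey -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
$sacText  = switch ($sacState) { 0 {'Off'} 1 {'On'} 2 {'Evaluation'} default {'value absent (SAC not available on this install)'} }
"Smart App Control: $sacText"

# Documented GUID of the ASR rule "Block executable files from running unless
# they meet a prevalence, age, or trusted list criterion".
$ruleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'
$pref   = Get-MpPreference
$ids    = @($pref.AttackSurfaceReductionRules_Ids)
$idx    = -1
for ($i = 0; $i -lt $ids.Count; $i++) { if ($ids[$i] -ieq $ruleId) { $idx = $i } }
$action     = if ($idx -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$idx] } else { $null }
$actionText = switch ($action) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {'Not configured'} }
"ASR rule ${ruleId}: $actionText"

# This example's choice: only touch the rule when SAC is not enforcing, and
# start in audit mode so the events can be reviewed before switching to Block
# (-AttackSurfaceReductionRules_Actions Enabled).
if ($sacState -ne 1 -and $idx -lt 0) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions AuditMode
    "Rule added in audit mode."
}

# What the rule did: Defender logs event 1121 for a block and 1122 for an
# audited would-be block in its operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The 1122 audit events are the evidence to look at before trusting the rule in block mode: they show which executables on that machine would have been stopped, which is where the "differing results" usually come from, since the verdict depends on how common and how old the specific binary is in Microsoft's cloud rather than on anything visible locally.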
 
