App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
Shadowra

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Are you stating that when a true route of infection is presented that security products such as the built in one will respond differently?

No.
Can you be more specific?
 
  • Like
Reactions: Khushal
F

ForgottenSeer 114834

No.
Can you be more specific?
You stated without the motW the lnk Malware executed where as with it preserved SAC can block the file by default, so hence you stated the motW made a difference of the products ability to block by default and action different then without.
 
Last edited by a moderator:
  • Like
Reactions: Khushal

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
You stated without the motW the lnk Malware executed where as with it preserved SAC can block the file by default, so hence you stated the motW made a difference of the products ability to block by default and action different then without.
Yes. SAC will block some files (like LNK shortcuts) if they originate from the Internet Zone and will not block the same files when dropped/created locally.
So, mainly the malicious shortcut will be blocked as an initial attack vector, but will not be blocked when used in lateral movement or as a persistence method.
The EXE, DLL, and MSI files are blocked by SAC independently of MotW.
 
F

ForgottenSeer 114834

Yes. SAC will block some files (like LNK shortcuts) if they originate from the Internet Zone and will not block the same files when dropped/created locally.
So, mainly the malicious shortcut will be blocked as an initial attack vector, but will not be blocked when used in lateral movement or as a persistence method.
The EXE, DLL, and MSI files are blocked by SAC independently of MotW.
Do you feel its important to test a products full abilities to block things based upon true routes of infection? To be fair to the products design and abilities I should say. Or at the very least be aware of these abilities and list that those abilities could have stopped a sample but were not tested/deployed?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Do you feel its important to test a products full abilities to block things based upon true routes of infection?

The most important tests should be done against true (in the wild) routes of infection, but it is hard to perform such tests. The test in this thread is made so, with some understandable shortcomings. An additional problem is constantly improving/changing Windows built-in and Microsoft software protection.
Other tests (ransomware tests, EXE tests, etc.) can also be interesting but are supplementary and it is hard to evaluate how they can affect real-world protection. Unfortunately, the results of those tests are usually misunderstood by readers.
 
F

ForgottenSeer 114834

The most important tests should be done against true (in the wild) routes of infection, but it is hard to perform such tests. The test in this thread is made so, with some understandable shortcomings. An additional problem is constantly improving/changing Windows built-in and Microsoft software protection.
Other tests (ransomware tests, EXE tests, etc.) can also be interesting but are supplementary and it is hard to evaluate how they can affect real-world protection. Unfortunately, the results of those tests are usually misunderstood by readers.
Most certainly agree especially with the latter part.

Do you feel that a file sharing site could be one good/easy method to reproduce a real world route of infection by downloading the sample from?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Do you feel that a file sharing site could be one good/easy method to reproduce a real world route of infection by downloading the sample from?

This is an easy method. I cannot say how good it is. This can depend on the chosen samples.
The best method is using web crawlers. However, such a method is used only by well-known AV testing Labs.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
The main problem with testing is that only a small fraction of in-the-wild samples are tested. If you have 1000000 cue balls, where 2000 balls are black (missed samples in the wild) and the rest are white, you can get very different results when randomly choosing 100 balls. Unfortunately, all known AV tests are based on unclear statistics and their methodology can be questioned. They are probably less reliable than the President's Exit Polls.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Currently, the protection (at home) of Defender + SAC is close to highly tweaked Kaspersky like in @harlan4096 settings (executables unknown to KSN run as Untrusted). This can change in the future, if the attackers will start using more properly signed malware in the widespread attacks.
The protection against malware from flash drives (shortcuts, scripts, etc.) is not so good, as we can see from the @Shadowra test.
 
F

ForgottenSeer 114834

This is an easy method. I cannot say how good it is. This can depend on the chosen samples.
The best method is using web crawlers. However, such a method is used only by well-known AV testing Labs.
Its certainly worth looking into or considering as additional methods to test other modules of a product more accurately. Although you are correct in both posts, as the number of samples has a lot to do with it as well. Then again the chances of typical users running into that much malware would probably be like hitting the lottery although I do account for the variables that you are referring too with such a large sample. Either way, all testing has its purpose and I would never claim other wise, but I feel its unfair to products and companies to state a product has failed if it has not been proven to have run the full gauntlet of its design and modules.

Disclaimer: @Shadowra this has no bearing on your test above, I just took the opportunity to ask one of the forum professionals his take on testing products.
 
Last edited by a moderator:

cartaphilus

Level 11
Verified
Top Poster
Well-known
Mar 17, 2023
536
Yes sorry, my sarcasm can be easily misunderstood, but I was applauding this actually, as it demonstrates for users that are not able to handle advanced security that they can indeed stay safe also.
Dont' worry I initially fell into the same Trap as @Shadowra; I was about to be my usual smart ass self and answer that no security have survived a senior citizen with a suicidal digital tendencies but then I realized you stated "Good habits" so that negated my argument. So basically with nearly perfect security comes great responsibility. But honestly a LOL blocker or windows hardening by @Andy Ful combined with this solution should be fairly sufficient for 90% of users. Extra 8% can be increased by adding VooDooshield to that solution. The last 2% can't be saved by anything besides a true positive detection with autodelete setting. Because those 2% of users are the "Damn the torpedo's full speed ahead" crowd that click YES RUN IT on any prompt.
 

nickstar1

Level 10
Verified
Well-known
Dec 10, 2022
452
How come MS defender does not detect files on access anymore? you have to execute a file for it to be detected this was changed recently? it works similar to Malwarebytes now which it does not detect files when downloaded only executed.
 
F

ForgottenSeer 114834

Dont' worry I initially fell into the same Trap as @Shadowra; I was about to be my usual smart ass self and answer that no security have survived a senior citizen with a suicidal digital tendencies but then I realized you stated "Good habits" so that negated my argument. So basically with nearly perfect security comes great responsibility. But honestly a LOL blocker or windows hardening by @Andy Ful combined with this solution should be fairly sufficient for 90% of users. Extra 8% can be increased by adding VooDooshield to that solution. The last 2% can't be saved by anything besides a true positive detection with autodelete setting. Because those 2% of users are the "Damn the torpedo's full speed ahead" crowd that click YES RUN IT on any prompt.
Well that escalated quickly. Went from pretty much stock security could protect you to add more 3rd party applications so most everyone can stay safe.

Wouldn't it be easier to take the telephones away from the seniors so they don't answer spam calls, monitor any usage that involves financial transactions, and unplug the 2% that just absolutely clicks on everything no matter what you tell them or simply let them learn a hard lesson that they are not God and can not just go at things they way they feel. I mean isn't using the Internet a responsibility just like driving.

Sorry my smart arse side kicked in too, although I pulled on the reins.

On a serious note I have seen many people use nothing but windows defaults, with a good ad blocker in the browser behind a router be perfectly fine and malware free.
 

Shadowra

Level 37
Thread author
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,630
How come MS defender does not detect files on access anymore? you have to execute a file for it to be detected this was changed recently? it works similar to Malwarebytes now which it does not detect files when downloaded only executed.

I've noticed that it only does this on certain files (like scripts), otherwise MS Defender detects as usual.
(We're not at Avira's level yet :p )
 

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,487
Currently, the protection (at home) of Defender + SAC is close to highly tweaked Kaspersky like in @harlan4096 settings (executables unknown to KSN run as Untrusted). This can change in the future, if the attackers will start using more properly signed malware in the widespread attacks.
The protection against malware from flash drives (shortcuts, scripts, etc.) is not so good, as we can see from the @Shadowra test.
Actually, Kaspersky needs to have the vendor that signs the file as a Trusted Vendor in its list. Does MD have the same approach? Or does it allow all signed files no matter who signs it? Do you know anything about Microsoft's approach to unknown files?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Actually, Kaspersky needs to have the vendor that signs the file as a Trusted Vendor in its list. Does MD have the same approach? Or does it allow all signed files no matter who signs it? Do you know anything about Microsoft's approach to unknown files?

As far as I know, Microsoft Defender does not use something comparable to the Trusted Vendor List in Kaspersky, Comodo, etc.
SAC will allow any properly signed EXE files, except those blacklisted in Microsoft's ISG.
 

Sandbox Breaker

Level 11
Verified
Top Poster
Well-known
Jan 6, 2022
530
As far as I know, Microsoft Defender does not use something comparable to the Trusted Vendor List in Kaspersky, Comodo, etc.
SAC will allow any properly signed EXE files, except those blacklisted in Microsoft's ISG.
Can the ASR rule that blocks untrusted executables also be used instead of SAC? I've had differing results with that rule.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Can the ASR rule that blocks untrusted executables also be used instead of SAC? I've had differing results with that rule.
It can, but the protection rate is probably greater with SAC.
The ASR rule will block most malicious 0-day EXE malware and some techniques that use DLLs.
Currently, SAC blocks slightly fewer EXE malware, but much more fileless attacks (including many initial fileless attacks with EXE payloads).
For example, by blocking one shortcut, SAC can block several EXE payloads stored on the malicious domain (malware replaced frequently by another morphed sample).
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top