App Review Microsoft Defender vs a ransomware Scriptor

Content created by
Ophelia

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
So Defender is finally blocking Magniber by behaviour?
At least this is good news.
I'm actually also excited about SAC.
Of course nothing new to the security world, but being a default part of Windows (even in the "free" Home version - upgraded from 10 -> 11, activated itself silently) sounds great to me if it works out and does not generate too many FPs.
Mine is currently evaluating, since I fresh-installed Win11 22H2 yesterday.
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,586
So Defender is finally blocking Magniber by behaviour?
At least this is good news.
I'm actually also excited about SAC.
Of course nothing new to the security world, but being a default part of Windows (even in the "free" Home version - upgraded from 10 -> 11, activated itself silently) sounds great to me if it works out and does not generate too many FPs.
Mine is currently evaluating, since I fresh-installed Win11 22H2 yesterday.

And what do you think of SAC if you have tested it? :)

I installed W11 22H2 yesterday on a VM as a fresh install, but didn't have time to test SAC against scripts and other malware yet.
 

Der.Reisende

And what do you think of SAC if you have tested it? :)

I installed W11 22H2 yesterday on a VM as a fresh install, but didn't have time to test SAC against scripts and other malware yet.
I did not test it yet either; after setting everything up yesterday and today, I noticed the feature while scrolling through Updates and later the Defense settings.
As I have understood from articles, it would mostly default-deny unless the app is trusted, like AppGuard (?) and others?
I'd wish for an option to still run it, like in SmartScreen, in case of an FP, so you don't need to deactivate SAC?
I understood from articles that you can only enable it on fresh installs and not re-enable it?
That's kind of a limiting factor for now, even if I understand the intention behind it.

 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
So Defender is finally blocking Magniber by behaviour?
Well, no, it failed quite well. And as to SAC, it is extremely limited, as how many ONLY have fresh installs without anything else being on the system? And even then, if disabled, only another fresh install will enable it.

Further SAC seems to obsess over only allowing legitimately signed applications while rejecting those that are not. This would be an issue for many common programs (like Seamonkey browser) which would not be allowed. This kind of protection routine would leave the final decision in the hands of the user as one would not know what is real and what isn't, never a good thing.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
What follows from the video?
  1. Microsoft did not improve the Controlled Folder Access to block the technique used by Magniber.
  2. Scripts are usually more dangerous than other popular file types.
It would be interesting if this malicious script is blocked by Defender's ASR rules + highest Cloud Protection Level. If not, then it would mean that Microsoft still does not treat Magniber as really dangerous in the wild.
 

Der.Reisende

Well, no, it failed quite well. And as to SAC, it is extremely limited, as how many ONLY have fresh installs without anything else being on the system? And even then, if disabled, only another fresh install will enable it.

Further SAC seems to obsess over only allowing legitimately signed applications while rejecting those that are not. This would be an issue for many common programs (like Seamonkey browser) which would not be allowed. This kind of protection routine would leave the final decision in the hands of the user as one would not know what is real and what isn't, never a good thing.
Almost expected, as the blocking happened instantly in your video.
Sad M$ still doesn't care…

Agree on that 💯
And I bet some black hats will find a way to override it.
Signed malware has always been a weak point in AVs.
 

Shadowra

What follows from the video?
  1. Microsoft did not improve the Controlled Folder Access to block the technique used by Magniber.
  2. Scripts are usually more dangerous than other popular file types.
It would be interesting if this malicious script is blocked by Defender's ASR rules + highest Cloud Protection Level. If not, then it would mean that Microsoft still does not treat Magniber as really dangerous in the wild.

I just tested :)

[attachment: 2022-09-24_19h38_26.png]

I didn't touch the script, MD detected it.
[attachment: 2022-09-24_19h40_05.png]

I rebuilt Magniber in .JS by killing the Microsoft Defender detection.
ASR / High rules are still on... no detection!
[attachment: 2022-09-24_19h42_03.png]
 

Andy Ful

I just tested :)

I didn't touch the script, MD detected it. [attachment 269528]

Could you look in ConfigureDefender at the <Defender Security Log> to identify the detection details?

I rebuilt Magniber in .JS by killing the Microsoft Defender detection.
ASR / High rules are still on... no detection!
[attachment 269529]

Yes, that is a common issue with AV script detection.
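As an added example, not part of the thread and not code from ConfigureDefender or Hard_Configurator: the PowerShell that puts Defender into the configuration Andy Ful asks about (the script-related ASR rules in block mode, cloud block level raised, Controlled Folder Access on) and then reads the detection and block events from the Defender Operational event log, which is assumed here to be the same event channel the <Defender Security Log> view in ConfigureDefender presents. The rule GUIDs are Microsoft's published ASR rule IDs; the selection of four rules, the one-hour lookback window and the event-ID-to-label mapping are this example's own choices. Run it from an elevated PowerShell on a Windows 10/11 machine where Microsoft Defender Antivirus is the active engine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): configure the ASR + cloud + CFA set
# under discussion, then show what Defender actually logged for a test run.

# Microsoft's documented ASR rule IDs; the names are comments only.
$ScriptAsrRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executable files unless they meet prevalence, age or trusted-list criteria'
}

foreach ($id in $ScriptAsrRules.Keys) {
    # 'Enabled' is block mode. Use 'AuditMode' first on a production box if
    # false positives are a concern; audit events still land in the log (1122).
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "ASR rule enabled: $($ScriptAsrRules[$id])"
}

# Cloud block level. 'High' is the assumed equivalent of the thread's "highest
# Cloud Protection Level"; 'HighPlus' and 'ZeroTolerance' are stricter still.
# The extended timeout (max 50 s) gives the cloud longer to decide on an
# unknown script before it is allowed to run.
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50

# Controlled Folder Access: the protection whose bypass by Magniber the video shows.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Confirm the resulting state before running the sample.
$pref = Get-MpPreference
[pscustomobject]@{
    CloudBlockLevel        = $pref.CloudBlockLevel
    ControlledFolderAccess = $pref.EnableControlledFolderAccess   # 1 = Enabled, 2 = Audit
    AsrRuleCount           = @($pref.AttackSurfaceReductionRules_Ids).Count
} | Format-List

# Defender Security Log: pull the events that distinguish *which* layer fired.
# 1116 = malware detected, 1117 = action taken (signature/cloud engine),
# 1121 = ASR rule blocked, 1122 = ASR rule audited, 1123 = CFA blocked.
# A sample that runs with no 1116/1117/1121/1123 at all is exactly the
# "rebuilt in .JS, no detection" outcome from the post above.
$since = (Get-Date).AddHours(-1)   # assumed lookback window for the test run
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 1121, 1122, 1123
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Layer';  e = { switch ($_.Id) {
                1116 { 'AV detected' } 1117 { 'AV action taken' }
                1121 { 'ASR block' }   1122 { 'ASR audit' }
                1123 { 'CFA block' } } } },
        @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Reading the output against the thread: a 1116/1117 pair with no 1121 means the original script was caught by signature or cloud, not by behaviour, which is why changing the file (the .JS rebuild) was enough to lose detection; a 1121 would have shown an ASR rule catching the technique regardless of the file's bytes, and a 1123 would have shown Controlled Folder Access stopping the write to the protected folders.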
 
