- Dec 23, 2014
- 8,158
I think that @wat0114 used the term "brain" not for the intellect but probably for knowledge + safe habits. Several MT members often use it in this meaning.
Probably most MT members used the pirated content from time to time.
Microsoft Defender vs Magniber
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Probably most MT members used the pirated content from time to time.
- Dec 23, 2014
- 8,158
My strictly personal opinion about the best anti-ransomware protection "for all users" is for the advantage of Comodo Antivirus with a low or medium level of auto-containment (tested by @cruelsister).
The ransomware is not blocked in the sandbox, so the user can see the destructive actions and the final ransomware request. Furthermore, the ransomware cannot upload files (due to the firewall restrictions) in the double extorsion attacks. Such protection is not so strong as Comodo Firewall with CS settings, but in many cases, it will prevent the users from disabling the protection in the socio-technical attacks. Unfortunately, the protection based on auto-containment has got a few cons that make it unpopular.
The Comodo Firewall with CS settings (and similar solutions) can be probably better in the "home administrator" scenario, where the family members use Comodo Firewall, but only the advanced user can change the settings when this is necessary.
Another good solution for all users can be Kaspersky, but if I correctly recall, in the default settings it cannot fully prevent stealing the files in the double extorsion attacks. But, I can be wrong.
The anti-ransomware protection of Defender free can be very efficient in widespread attacks, but it is not so comprehensive as that of Comodo or Kaspersky. It is based on the assumption that by making the ransomware "very-short-living", the number of victims can be significantly reduced. The protection can be better when using ConfigureDefender HIGH settings, but still not as good as Comodo with auto-containment. With MAX settings almost all ransomware will be blocked, but like in the case of Comodo Firewall with CS settings, such a solution is better suited to the "home administrator" scenario (and still slightly worse than CF with CS settings).
The ransomware is not blocked in the sandbox, so the user can see the destructive actions and the final ransomware request. Furthermore, the ransomware cannot upload files (due to the firewall restrictions) in the double extorsion attacks. Such protection is not so strong as Comodo Firewall with CS settings, but in many cases, it will prevent the users from disabling the protection in the socio-technical attacks. Unfortunately, the protection based on auto-containment has got a few cons that make it unpopular.
The Comodo Firewall with CS settings (and similar solutions) can be probably better in the "home administrator" scenario, where the family members use Comodo Firewall, but only the advanced user can change the settings when this is necessary.
Another good solution for all users can be Kaspersky, but if I correctly recall, in the default settings it cannot fully prevent stealing the files in the double extorsion attacks. But, I can be wrong.
The anti-ransomware protection of Defender free can be very efficient in widespread attacks, but it is not so comprehensive as that of Comodo or Kaspersky. It is based on the assumption that by making the ransomware "very-short-living", the number of victims can be significantly reduced. The protection can be better when using ConfigureDefender HIGH settings, but still not as good as Comodo with auto-containment. With MAX settings almost all ransomware will be blocked, but like in the case of Comodo Firewall with CS settings, such a solution is better suited to the "home administrator" scenario (and still slightly worse than CF with CS settings).
Last edited:
- Apr 17, 2021
- 448
I assume that Microsoft's automatic analysis system cannot detect Magniber because I submitted several samples to Microsoft Security Intelligence, and after several minutes the samples were still undetected (samples submitted to this platform are analyzed automatically and then manually if the automation cannot make a decision.)
As for the prevalence of Magniber in China, please take a look at the below picture (published by Qihoo, one of the largest security vendors in China):
- Dec 23, 2014
- 8,158
Unfortunately, your procedure is not valid for testing BAFS:
- If the MSI file is submitted, we do not know if it is going to be tested immediately in the sandbox. So, you cannot expect that the BAFS detection will work after several minutes.
- The file is scanned once just after the download. So, you have to download it again after several minutes to trigger BAFS.
This chart shows the spread of Magniber and not the confirmed infections. Furthermore, the chart can be related to 360 antivirus detections.
Win11 users beware! Magniber ransomware has been upgraded again, aiming at win11 | 360 Total Security Blog
At the end of April this year, the Magniber ransomware disguised as a Windows 10 upgrade patch package and spread widely, and 360 Security Center...
blog.360totalsecurity.com
Last edited:
Stelica
Level 2
- Sep 27, 2021
- 97
Hi,
I have Windows 10 Pro 21H2, Windows Defender default settings, but I use Sandboxie inside Shadow Defender. Can it be a good solution?
I have Windows 10 Pro 21H2, Windows Defender default settings, but I use Sandboxie inside Shadow Defender. Can it be a good solution?
- Sep 2, 2021
- 2,324
It all depends on your use
If it's basic surfing, yes it's more than enough (you can also virtualize your browser in Sandboxie).
On the other hand, if you go on risky sites, I would advise you to modify Windows Defender with DefenderUI or ConfigureDefender
Stelica
Level 2
- Sep 27, 2021
- 97
I use always Sandboxie for both browsers (firefox and edge) inside Shadow Defender and I don't go to dubious sites!It all depends on your use
If it's basic surfing, yes it's more than enough (you can also virtualize your browser in Sandboxie).
On the other hand, if you go on risky sites, I would advise you to modify Windows Defender with DefenderUI or ConfigureDefender
- Sep 2, 2021
- 2,324
I use always Sandboxie for both browsers (firefox and edge) inside Shadow Defender and I don't go to dubious sites!
So don't touch anything, it's enough
- Dec 23, 2014
- 8,158
@Anthony Qian,
I made some testing that included points 1 and 2 from my previous post. Your suspicion about BAFS was correct. The MSI samples of Magniber (and probably any MSI malware) are not detected by BAFS.
Last edited:
- Apr 13, 2013
- 3,149
Just wanted to clear up any misconceptions.
Where A and B the same file? If so, does it matter if you click start actions before running it a second time?
- Mar 16, 2019
- 3,637
This is a good demonstration. I've known this for a long time. It's the same when you submit samples to Microsoft. Their submission portal might show the cloud detection name but it doesn't guarantee that the file is detected. Usually, the Final Determination part is the important one.
It's probably something like that MD's VT engine is set to a lower threshold so it's more aggressive than regular. But yes this gives the user the wrong idea. I never trust MD's results on VT unless I check it myself on my device.
- Dec 23, 2014
- 8,158
The second sample is also detected by Defender when doing it in the way I described here:
https://malwaretips.com/threads/a-microsoft-defender-follow-up.115026/post-998527
Simply after downloading/unpacking the sample, one has to manually perform Defender's scan on this sample and follow the Defender alert to clean the threat.
You can use another sample that is undetected even with this manual scan:
33211a8202f4ad33f01cd90c6b1f51068a84ace5dd85a891efe5e6c210b0e7ef.msi
Last edited:
Like I said, you have to click start actions before running the same file againThe second sample is also detected by Defender when doing it in the way I described here:
https://malwaretips.com/threads/a-microsoft-defender-follow-up.115026/post-998527
Simply after downloading/unpacking the sample, one has to manually perform Defender's scan on this sample and follow the Defender alert to clean the threat.
You can use another sample that is undetected even with this manual scan:
33211a8202f4ad33f01cd90c6b1f51068a84ace5dd85a891efe5e6c210b0e7ef.msi
- Dec 23, 2014
- 8,158
The video uses two different samples. The second sample is not automatically detected until you manually scan it.
- Apr 13, 2013
- 3,149
The only difference is the web address where to send the ransom payment, otherwise identical- the mechanism is the same which is why this should be particularly troubling. This is similar to what is being done currently with some info stealers (where the data is sent).
- Apr 19, 2017
- 237
I think that will defeat the point of having "Real-time protection".
This is a great idea. I use Sanboxie Plus's Browser inside Shadow Defender, with SD set to use cache (1 Gig ) . Only wish more people would do this.
- Oct 22, 2018
- 435
Not a malware tester, but I think Comodo will contain and isolate both.
Similar threads
