App Review: Microsoft Defender vs Magniber

Content created by
cruelsister

SeriousHoax

Mar 16, 2019
I believe this question has been asked and answered somewhere in this forum, but I'll ask it again as my memory betrays me. An individual would not be attacked by multiple malware samples as in the test presented by cruelsister, I assume; that is probably done for expediency. But if they were taken on one at a time, would the security software and the machine have a better chance at success?
She tested one by one, unlike Leo of TPSC, who uses a script to run too many within a few seconds. So that's not the issue here.
You can ask how one can get infected by these. Andy has already posted links above on how users come in contact with this malware.
For Magniber it's typosquatting, and for another ransomware it was through malicious ads on sites with pirated content. That's how most malware for home users spreads anyway.
So avoid these, and use a good adblocker like uBlock Origin or Adguard to stay out of most trouble.
In addition, browsers like MS Edge and DNS services like NextDns have some sort of typosquatting protection.
 

Andy Ful

Dec 23, 2014
Controlled Folder is shown to be active at 2:14. As to shadow copies, a similar variant was shown to delete them (vssadmin) at the 1:30 mark of the AppCheck Overview video (and at 2:08 of that same video WF was shown to be disabled by the malware). And although it wasn't asked, at 1:16 of the Defender and VirusTotal video UAC alerted to Task Manager starting, which is only done with UAC at Max. UAC did not, however, alert to the malware.

The Magniber usually deletes shadow copies. I assume that in your video in the OP the UAC was bypassed and files in the protected folders were encrypted without an alert. But still, we can see the Controlled Folder Access alert that svchost.exe was prevented from making changes to the memory.
-------------------------------------------------------------------------------------------------------------------
Event ID: 1127
Symbolic name: MALWAREPROTECTION_FOLDER_GUARD_SECTOR_BLOCK
Message: Controlled Folder Access (CFA) blocked an untrusted process from making changes to the memory.
Description: Controlled Folder Access has blocked an untrusted process from potentially modifying disk sectors.
-------------------------------------------------------------------------------------------------------------------

Protection against modifying disk sectors is independent of protecting files in folders. The alert from the video strongly suggests that shadow copies were not deleted (protected by CFA). If not, then Magniber could also exploit the protected disk sectors (MBR, shadow copies, etc.).
 

Andy Ful

Dec 23, 2014
Makes sense, I guess using Andy's suggested method from his post #73?

I will try to start a dispute with Microsoft on MSI issues:
  1. Why some MSI samples are detected on Virus Total but undetected on the local machine?
  2. Why some MSI samples are detected on Virus Total but undetected by BAFS?
  3. Why some MSI samples can be detected by manual scan but undetected on execution?
Such a dispute can be started via the developer submission channel.
Yesterday, Microsoft solved a similar issue on my request (sample discovered by @SeriousHoax).
 

harlan4096

Apr 28, 2015
Interesting VT results for an MSI posted today.

Hello,

No malicious software was found in the attached file.

Best regards, A. M., Malware Analyst, Kaspersky
 

Andy Ful

Dec 23, 2014
Some thoughts after running Magniber with UAC on MAX. I used the sample with hash:
5cec4da12bceb1975e3689e3a20178a1bdb1832296de7a2afe2d84f2e6a8bba8
  1. It encrypted the protected folders.
  2. In the beginning, it did not bypass UAC. The malware constantly tried to execute fodhelper.exe with high privileges, so I had to close the UAC alert many times.
  3. After some time, UAC prompts ended. I checked the System Restore Points - they were deleted.
  4. The alert "Controlled Folder Access(CFA) blocked an untrusted process from making changes to the memory." did not happen at all.

It seems that the malware used more UAC bypasses and one of them was successful.

Post edited.
 
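The post above describes checking three things by hand after the run: whether the CFA sector-block alert (Event ID 1127) ever fired, whether the System Restore Points survived, and whether CFA was actually enabled. The script below is an added example, not code from the thread or from Microsoft, that gathers those same observations from an elevated Windows PowerShell 5.1 session; the one-hour lookback window is a constructed default to adjust to when the sample was run.

```powershell
# Added example: post-test checks for a Controlled Folder Access (CFA) ransomware test.
# Run as Administrator in Windows PowerShell 5.1 (Get-ComputerRestorePoint is not in PowerShell 7).
param([datetime]$Since = (Get-Date).AddHours(-1))   # constructed default lookback window

# 1. Did Defender log the CFA "disk sector / memory" block (Event ID 1127, quoted in the thread)?
$cfaEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1127
    StartTime = $Since
} -ErrorAction SilentlyContinue

if ($cfaEvents) {
    "CFA sector-block events (ID 1127) since ${Since}: $(@($cfaEvents).Count)"
    $cfaEvents | Select-Object TimeCreated, Message | Format-List
} else {
    "No Event ID 1127 (CFA sector block) logged since $Since."
}

# 2. System Restore Points: the thread reports Magniber deleting them once UAC is bypassed.
$restorePoints = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
"System Restore Points present: $(@($restorePoints).Count)"
$restorePoints | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize

# 3. Volume shadow copies: the AppCheck video showed a variant removing them with vssadmin.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
"Volume shadow copies present: $(@($shadows).Count)"

# 4. Confirm CFA was enabled for the test (0 = disabled, 1 = block, 2 = audit mode).
$prefs = Get-MpPreference
"Controlled Folder Access mode: $($prefs.EnableControlledFolderAccess)"
"Protected folders: $($prefs.ControlledFolderAccessProtectedFolders -join ', ')"
```

An empty result for step 1 together with zero restore points matches the outcome the post describes (no 1127 alert, restore points gone), whereas a 1127 event with restore points intact matches the earlier video.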

wat0114

Apr 5, 2021
  1. It did not bypass UAC. The malware constantly tried to execute fodhelper.exe with high privileges, so I had to close the UAC alert many times until the computer rebooted.

Just for clarification, I guess this means you didn't allow fodhelper.exe to elevate via UAC?

EDIT

Just saw your edit regarding the UAC bypass.
 

Andy Ful

Dec 23, 2014
I had to edit my previous post, because the first test was probably too short. I performed a few longer tests, and after some time the malware stopped using Fodhelper and probably used another UAC bypass successfully. I concluded this because the System Restore Points were deleted.
So finally, the malware managed to fully exploit Controlled Folder Access as well. :(
 

ForgottenSeer 95367

I will try to start a dispute with Microsoft on MSI issues:
  1. Why some MSI samples are detected on Virus Total but undetected on the local machine?
The version/configuration of the vendor detection engines used on the VT platform is not identical to the detection engine employed on the local system. That is what probably accounts for your observation.
 
