App Review Microsoft Defender vs Magniber

Content created by
cruelsister

Andy Ful

I think that will defeat the point of having "Real-time protection".
Yes, it can fail for some files. To be sure, one has to always perform a manual scan on the MSI sample and, if it is detected, then allow Defender to take its actions. I noticed that this can sometimes be necessary also after unpacking the MSI sample with the Windows built-in unpacker.
 

Andy Ful

The Defender's horror of testing many MSI samples.

I tried to test 76 MSI samples packed in one archive.
  1. Unpacking the archive with enabled real-time protection failed.
  2. I disabled real-time protection and unpacked the archive into a separate folder. After enabling the real-time protection and performing the manual scan of this folder, Defender worked hard for many minutes. I saw several alerts and started the Defender actions without much progress.
  3. After half an hour, I restarted the system, but this did not help either.
  4. Finally, I gave up.
In the real world, Defender is OK when one remembers to do a manual scan of the MSI file before executing it. But testing many samples located in one folder is probably impossible. :(

Edit (no subfolders).
There is a kinda solution:
  1. Disable real-time protection and unpack samples to the folder (no subfolders).
  2. Upload this folder to OneDrive.
  3. Download the folder from OneDrive (online) to the disk.
You will see a ZIP archive that contains the folder. There will be some undetected samples and many .txt files (every txt file includes info about the detection event).
When downloading files from OneDrive, they are checked by the online service (not by Defender installed on the computer).
 

wat0114

The Defender's horror of testing many MSI samples.

Edit.
There is a kinda solution:
  1. Disable real-time protection and unpack samples to the folder.
  2. Upload this folder to OneDrive.
  3. Download the folder from OneDrive (online) to the disk.

Good grief, I'd be too lazy to embark on this kind of song and dance. Good thing I'm not a malware tester :D
 

SeriousHoax

I was talking to former MT member "McMcBrad" about it, and he told me that this behavior of MD related to MSI files is nothing new, and it's been like this since the days of Microsoft Security Essentials.
He said:
[screenshot: msi.jpg]
So yes, that's how it is and may not change unless Microsoft sees a lot of MSI malware hurting their Enterprise customers.
So, as Andy said, if you're suspicious of a MSI file, then scan it prior to running to make sure it's safe.
 

Andy Ful

I would like to note that the tested samples were probably actively distributed in a short time and replaced by other samples after a few hours or maybe a day. We do not know the protection of most AVs against Magniber in this period (active period) - there were signals from other sources that protection was generally poor (with a few exceptions).

By using VirusTotal we can usually know the detections from the period when most of these samples were already dead (replaced in the wild by other samples). In other words, we know how the United States in XXI century is protected against the Persian army of Darius the Great. But, this can give us only a little information on how the United States is protected against ISIS.
 

Kiss

This has already turned into a war between the defenders of WD and the haters, time to change the personal disk :LOL:
 

oldschool

This has already turned into a war between the defenders of WD and the haters, time to change the personal disk :LOL:
All of these discussions must be seen not only in terms of the specifics of the subject at hand, e.g. Magniber, other specific malware cases, etc., but also in the much broader context, i.e. how likely is an encounter with one of these for the home user? In the end, it doesn't matter since most people won't.

I just sit back and enjoy the back and forth, taking what I find valuable and leaving the rest. :cool:
 

Andy Ful

This has already turned into a war between the defenders of WD and the haters, time to change the personal disk :LOL:
I did not notice any haters. :unsure:
Most of the objections are valid for Defender and some for many AVs too.
The differences in opinions are related to the impact on users' security. There is no available data to confirm who is closer to the truth.
 

Andy Ful

Some more information about the CPL variant (translated from the Korean language):

The ESRC has on several occasions called for caution against Magniber ransomware, which is being circulated through typosquatting. Typosquatting is when a user enters a domain address incorrectly or misspells it; the attacker registers the relevant domain in advance and then uses that domain to attack with relatively few targets.

And recently, Magniber ransomware has been circulating to a large number of unspecified users by hacking into ad servers, requiring the extra attention of users. The attack was primarily carried out through ad servers embedded in websites that provide services such as watching videos or downloading files in an unlawful manner. Homepages that operate in an unlawful manner are exposed in a variety of ways because they earn income from illegal advertising.

In the course of using the services on these websites, users may intentionally or inadvertently click on advertisements to access the ad server. Every time a user clicks on an ad, the ad page is randomly accessed, and if the user connects to a hacked ad server, a file with the name Antivirus.Upgrade.Database.Cloud in the user's browser is automatically downloaded.

See more (use the translate feature):
 

Andy Ful

Gwisin - a more sophisticated and more targeted brother of Magniber MSI ransomware.

The cases of Gwisin ransomware attacking Korean companies are recently on the rise. It is being distributed to target specific companies. It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI.

As such, the file alone does not perform ransomware activities on security products of various sandbox environments, making it difficult to detect Gwisin. The ransomware’s internal DLL operates by being injected into a normal Windows process. The process is different for each infected company.

https://asec.ahnlab.com/en/37483/

For now, Magniber and Gwisin target mostly the countries around Korea, but this can change in the future due to the high efficiency of the MSI attack vector.
 

wat0114

So, as Andy said, if you're suspicious of a MSI file, then scan it prior to running to make sure it's safe.

Makes sense, I guess using Andy's suggested method from his post #73?

Simply after downloading/unpacking the sample, one has to manually perform Defender's scan on this sample and follow the Defender alert to clean the threat. (y)
You can use another sample that is undetected even with this manual scan:
33211a8202f4ad33f01cd90c6b1f51068a84ace5dd85a891efe5e6c210b0e7ef.msi
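The "scan it before you run it" step that Andy Ful recommends above and that the quoted post repeats, written out as an added PowerShell example. This is not code from the thread or from Microsoft; it assumes the Defender PowerShell module (Start-MpScan, Get-MpThreatDetection) is present, that the session may trigger an on-demand scan, and that the sample path is a placeholder.

```powershell
# Added example (not from the thread): run a Defender on-demand scan of a
# single MSI and gate execution on the result.
# Assumptions: Defender PowerShell module available; $MsiPath is a placeholder.

function Test-MsiBeforeInstall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MsiPath
    )

    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "File not found: $MsiPath"
    }

    # Record the hash first: if Defender quarantines the file, the hash is
    # still available for the log entry / VirusTotal lookup.
    $sha256 = (Get-FileHash -LiteralPath $MsiPath -Algorithm SHA256).Hash.ToLower()
    $scanStart = Get-Date

    # Custom (on-demand) scan of just this file. This is the "manual scan"
    # step from the thread; Start-MpScan blocks until the scan finishes and
    # Defender applies its default action (quarantine/remove) on detection.
    Start-MpScan -ScanPath $MsiPath -ScanType CustomScan

    # Detection events recorded since the scan began that reference this path.
    $hits = Get-MpThreatDetection |
        Where-Object {
            $_.InitialDetectionTime -ge $scanStart -and
            ($_.Resources -join ';') -like "*$MsiPath*"
        }

    [pscustomobject]@{
        Path        = $MsiPath
        Sha256      = $sha256
        Detected    = [bool]$hits
        ThreatIds   = @($hits | ForEach-Object ThreatID)
        StillOnDisk = Test-Path -LiteralPath $MsiPath
    }
}

# Usage (placeholder path).
$result = Test-MsiBeforeInstall -MsiPath 'C:\samples\sample.msi'
if ($result.Detected -or -not $result.StillOnDisk) {
    Write-Warning "Defender flagged $($result.Sha256); not installing."
} else {
    # Only hand the file to msiexec when the on-demand scan came back clean.
    Start-Process msiexec.exe -ArgumentList '/i', "`"$($result.Path)`"" -Wait
}
```

The function returns an object rather than only printing, so the hash and the detection state can be logged before deciding. As the quoted post notes with the undetected sample hash, a clean on-demand scan is a necessary check, not a guarantee; it only removes the "real-time protection missed it" case that the thread describes.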
 

cruelsister

Thread author
Controlled Folder is shown to be active at 2:14. As to Shadow copies, a similar variant was shown to delete (vssadmin) them at the 1:30 mark of the AppCheck Overview video (and at 2:08 of that same video WF was shown to be disabled by the malware). And although it wasn't asked, at 1:16 of the Defender and VirusTotal video UAC alerted to Task manager starting which is only done with UAC at Max. UAC did not, however alert to the malware.
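The two behaviours called out in this post (shadow copies deleted via vssadmin, Windows Firewall disabled by the malware) are exactly the kind of process-creation events a defender can alert on. Below is an added PowerShell example, not from the thread or the videos, that runs two narrow rules over constructed log lines; the line format (a timestamp, a ParentImage= field and a CommandLine= field, loosely modelled on Sysmon/4688 fields) is an assumption for the example.

```powershell
# Added example (not from the thread): flag shadow-copy deletion and firewall
# disabling in process-creation logs. The log lines are constructed; their
# field layout is an assumption, not a real Sysmon/4688 export.

$constructedLog = @'
2022-10-01 12:00:01 ParentImage=C:\Windows\System32\msiexec.exe CommandLine="C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2022-10-01 12:00:02 ParentImage=C:\Windows\explorer.exe CommandLine="C:\Windows\System32\vssadmin.exe" list shadows
2022-10-01 12:00:03 ParentImage=C:\Windows\System32\cmd.exe CommandLine=netsh advfirewall set allprofiles state off
2022-10-01 12:00:04 ParentImage=C:\Windows\explorer.exe CommandLine="C:\Program Files\Backup\backup.exe" /nightly
'@

function Find-ShadowCopyTampering {
    param([string[]]$Lines)

    # Each rule is a regex over the command line plus a label. Kept narrow on
    # purpose: "vssadmin list shadows" is routine admin work and must not fire.
    $rules = @(
        @{ Name = 'VSS shadow deletion';       Pattern = 'vssadmin(\.exe)?"?\s+delete\s+shadows' }
        @{ Name = 'Windows Firewall disabled'; Pattern = 'netsh\s+advfirewall\s+set\s+\w+\s+state\s+off' }
    )

    foreach ($line in $Lines) {
        if ($line -match 'CommandLine=(?<cmd>.*)$') {
            $cmd = $Matches['cmd']
        } else {
            continue
        }
        $parent = if ($line -match 'ParentImage=(?<p>\S+)') { $Matches['p'] } else { '' }

        foreach ($rule in $rules) {
            if ($cmd -match $rule.Pattern) {
                [pscustomobject]@{
                    Rule        = $rule.Name
                    Parent      = $parent
                    CommandLine = $cmd
                    # Extra weight when the parent is the Windows Installer
                    # service, which matches the MSI delivery vector in this thread.
                    Severity    = if ($parent -like '*msiexec.exe') { 'High' } else { 'Medium' }
                }
            }
        }
    }
}

# Expected on the constructed input: two rows, one High (vssadmin delete under
# msiexec) and one Medium (netsh firewall off under cmd); the list and backup
# lines produce nothing.
Find-ShadowCopyTampering -Lines ($constructedLog -split "`r?`n") | Format-Table -AutoSize
```

The parent-process check is the part worth keeping: a vssadmin delete spawned from an installer or from an office document has no legitimate reason to exist, whereas the same command from a backup agent or an admin console is expected, so the severity split keeps the rule useful without muting it.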
 

ForgottenSeer 95367

This has already turned into a war between the defenders of WD and the haters, time to change the personal disk :LOL:
There is always the notion that Microsoft does not do enough to secure Windows users. Incompetence? Negligence? Willful disregard? Disorganization? Or whatever other negative terminology one wishes to apply to a situation like TrustedInstaller and Magniber. There are similar cases or instances where the same can be said of any security software provider.

I'm just surprised that so many people think the security problems associated with msiexec are new ones.

I did not notice any haters.:unsure:
The words bashing and hating are two of the most abused words online. When people feel strongly about a product, when any criticism of that product is levied, the claims of hating and bashing soon follow. Unfortunately, such behavior is part of the online territory.
 

oldschool

oldschool,

you are an esteemed member of this forum, and I for one would like to see you post more of your opinions rather than just sitting back :)

Edit

please don't take this as a demand, it's just I value your opinions :D
Very kind of you to say, but the reason I don't post more in these more technical malware threads is that I don't test malware nor do I possess much of the tech knowledge that goes with it.
 

vtqhtr413

I believe this question has been asked and answered somewhere in this forum, but I'll ask it again as my memory betrays me. An individual would not be attacked by multiple malware as in the test presented by cruelsister, I assume; that is probably done for expediency. But if they were taken on one at a time, would the security soft and the machine have a better chance at success?
 
