Microsoft Explains How Its Antivirus Blocks Unknown Malware in Just 10 Seconds

SumG
Apr 26, 2017
Windows Defender has evolved a lot in the latest versions of Windows, and while third-party security vendors badmouth the antivirus, Microsoft keeps praising it occasionally, with an in-depth analysis published today detailing the way it can block unknown malware.


Microsoft says it takes a maximum of 10 seconds for Windows 10 to analyze a file that might be infected with a never-before-seen malware, which then helps protect not only the user who submits the sample, but also all the other users who rely on Windows Defender to keep systems protected.

The software giant highlights that the cloud power is what makes Windows Defender react so quickly and efficiently in the case of unknown malware, explaining that while it inspects files for possible infections, it also prevents possible malicious behavior on target systems.

10-second malware analysis process
As described in the infographic that you can see here, when suspicious files are detected, they can be submitted to the cloud for an in-depth analysis, and once the cloud assesses that the file is unknown, it requests a sample for future inspection. The client holding the file then uploads the sample automatically, with Microsoft’s cloud systems processing it and checking it against machine learning classifiers.

The cloud then generates a signature and sends it to the client, with the Windows 10 system blocking the file and reporting back to the cloud to help protect all the other users.

The whole process takes place in less than 10 seconds, Microsoft explains, and the full protection is offered once the cloud analysis is enabled from the Settings app.

“When enabled, Windows Defender AV locks a suspicious file for 10 seconds by default, while it queries the Windows Defender AV cloud protection service. Administrators can configure Windows Defender AV to extend the timeout period up to one minute to give the cloud service time to perform even more analysis and apply additional techniques to detect new malware,” Microsoft says.

It goes without saying that these features are only available in the latest version of Windows 10, which right now is the Creators Update, though more improvements are coming in the next update due in September.

Source: Microsoft Explains How Its Antivirus Blocks Unknown Malware in Just 10 Seconds
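The cloud lookup described above only works if cloud-delivered protection, automatic sample submission and "block at first sight" are actually enabled on the endpoint. The following audit script is an added example (not from the article or from Microsoft); it assumes the Defender PowerShell module (Get-MpPreference / Set-MpPreference) is present and that it is run in an elevated session on Windows 10 Creators Update or later.

```powershell
# Added example, not part of the article: audit the Windows Defender AV settings that the
# 10-second cloud lock depends on, and show a weak configuration beside a hardened one.
# Assumes the built-in Defender module (Get-MpPreference / Set-MpPreference) and admin rights.

function Test-CloudProtectionReadiness {
    $p = Get-MpPreference

    # The client locks a suspicious file for 10 seconds by default; CloudExtendedTimeout
    # (0-50 seconds) is added on top, so the total can reach the one-minute ceiling
    # the article mentions.
    $totalTimeout = 10 + [int]$p.CloudExtendedTimeout

    [pscustomobject]@{
        # MAPSReporting: 0 = disabled (no cloud query at all), 1 = basic, 2 = advanced
        CloudProtectionOn        = ($p.MAPSReporting -ne 0)
        # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all
        # With 2, the cloud can never request the sample, so the deeper analysis never happens.
        SamplesSentAutomatically = ($p.SubmitSamplesConsent -in 1, 3)
        BlockAtFirstSightOn      = (-not $p.DisableBlockAtFirstSeen)
        LockTimeoutSeconds       = $totalTimeout
        MeetsCloudLockFlow       = ($p.MAPSReporting -ne 0) -and
                                   ($p.SubmitSamplesConsent -in 1, 3) -and
                                   (-not $p.DisableBlockAtFirstSeen)
    }
}

# Weak values, shown for contrast only (not applied): each one silently defeats the flow.
$weak = @{
    MAPSReporting           = 0      # cloud never consulted
    SubmitSamplesConsent    = 2      # sample never uploaded
    DisableBlockAtFirstSeen = $true  # file allowed to run while the cloud is still deciding
    CloudExtendedTimeout    = 0      # 10-second base lock only
}

# Hardened values matching the behaviour described in the article.
$hardened = @{
    MAPSReporting           = 2
    SubmitSamplesConsent    = 3
    DisableBlockAtFirstSeen = $false
    CloudExtendedTimeout    = 50     # 10 s base + 50 s = one-minute maximum lock
}

Set-MpPreference @hardened
Test-CloudProtectionReadiness | Format-List
```

Run the audit function on its own first to record the current state; the Set-MpPreference call changes live AV policy and is normally rolled out through Group Policy or Intune rather than ad hoc.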

Parsh
Dec 27, 2016
The WD Engineers have presented a scenario (the Google Font example) demonstrating the enhanced abilities of their product:
The malware was disguised as a font file with the name "Chrome font.exe". It was hosted on an online learning website that had been compromised by an attacker, ...

Since WD had not encountered the file before, Windows Defender AV did not detect it as malicious; however, it recognized the file’s suspicious characteristics, so it temporarily prevented the file from running. The client sent a query to the Windows Defender AV cloud protection service, which used machine-learning-powered cloud rules to confirm that the file was likely malware needing further investigation.

Within 312 milliseconds, the cloud protection service returned an initial assessment. It then instructed the client to send a sample and to continue locking the file until a more definite verdict was given.

In about two seconds, the client finished uploading the sample. By default, the client’s set to wait for up to 10 seconds to hear back from the cloud protection service before letting such suspicious files run (this timeout can be changed by the administrator).

As soon as the sample was uploaded, a backend file-processing system analyzed the sample. A multi-class machine learning classifier determined there was more than a 95% chance that the file was malicious. The cloud protection service created a signature, which it sent back to the client. All of this happened in just five seconds.

One second later, the Windows Defender AV client applied the cloud signature and quarantined the malware. It reported the results back to the cloud service; from that point on, this file was automatically blocked, protecting all Windows PC customers.

One important challenge for Microsoft would be to minimize the number of FPs from their multi-layered ML predictions. It will be awful for the built-in security, supposedly used by (and increasingly adopted by) a large number of Windows users, to be prone to raising false alarms on less known but benign files (that may have some sensitive/low-level functioning), considering the often wicked scores delivered by famous AI/ML based programs in such cases.
