- Apr 9, 2018
- 182
As I mentioned above there is no such thing after downloading the file. No MOTW indicator.
Modern protection without signatures – comparison test on real threats (Advanced In The Wild Malware Test)
- Thread starter Adrian Ścibor
- Start date
As I mentioned above there is no such thing after downloading the file. No MOTW indicator.
- Dec 23, 2014
- 8,135
So why it is here, when I download files via Google Chrome? The screenshots from my previous posts were done after downloading the file via Google Chrome.
Please check if you have the default Windows settings.
- Dec 23, 2014
- 8,135
Please look here for more info about MOTW and web browsers:
https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/
https://blogs.msmvps.com/alunj/2020/06/24/revisiting-ntfs-alternate-data-streams/
If I correctly remember also files downloaded from OneDrive and GoogleDrive do have MOTW.
https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/
https://blogs.msmvps.com/alunj/2020/06/24/revisiting-ntfs-alternate-data-streams/
If I correctly remember also files downloaded from OneDrive and GoogleDrive do have MOTW.
Last edited:
- Dec 23, 2014
- 8,135
If the files would be run without MOTW in the AVLab tests, then results for Avast would be even more anomalous than for the Webroot. It is impossible that Avast did not miss any single sample in all AVLab tests (over 19 000 samples) - please let me know if it is not true). This would also strongly suggest that there are not many unknown samples in AVLab tests. The 0-missed result is possible (still slightly unusual) if the files were run with MOTW. In this case, Avast uses CyberCapture sandbox - so the samples are analyzed similarly to what is done by AVLab (to check if the samples are malicious). So even such a perfect result does not exclude using many unknown samples in AVLab.
Last edited:
- Dec 23, 2014
- 8,135
@omidomi
Please help me. Webroot SecurityAnywhere uses the option "Enable enhanced heuristics based on behavior, origin, age, and popularity of files".
Please help me. Webroot SecurityAnywhere uses the option "Enable enhanced heuristics based on behavior, origin, age, and popularity of files".
- Is this strong protection against EXE files?
- Does it work only for files directly downloaded (as an EXE, not packed) from the Internet (files with MOTW), or it can work for all EXE files (also extracted from the archives)?
- Apr 9, 2018
- 182
Ok, thanks all commenters for interesting discussion!
This sparked an effort to think about changing the methodology to keep MOTW and SmartScreen at the same time as enabled.
I think a compromist was found to ensure that malware downloaded from the browser would have MOTW indicator and at the same time that the automatic malware launch routines would not display warning messages.
Smart Screen technology is not that important because we are checking the AV program response anyway, and we want to bypass the other system messages. The most important thing is MOTW so that we do it better.
We will test this internally and I will let you know what worked.
Thank you, I am also learning new things because of you
This sparked an effort to think about changing the methodology to keep MOTW and SmartScreen at the same time as enabled.
I think a compromist was found to ensure that malware downloaded from the browser would have MOTW indicator and at the same time that the automatic malware launch routines would not display warning messages.
Smart Screen technology is not that important because we are checking the AV program response anyway, and we want to bypass the other system messages. The most important thing is MOTW so that we do it better.
We will test this internally and I will let you know what worked.
Thank you, I am also learning new things because of you
- Mar 16, 2019
- 3,635
That's better, good to know. Disabling SmartScreen or ignoring SmartScreen prompt is fine. @Andy Ful also agrees. But MOTW should never be disabled/removed. It's the default configuration, it's the norm. Many AV product's post execution components takes MOTW into consideration. Even a professional malware analyst on the forum briefly talked about it.
- Apr 9, 2018
- 182
Okay, here's the deal...
We've updated very quickly the SANDBOX machine (without antivirus) to a state with Smart Screen and MOTW enabled. If you've read our methodology, you already know that at SANDBOX we investigate malware before it goes into TESTING.
I want to be precise, that's why I'm going to the point:
1. We will update all machines with tested AVs in the near future.
2. This month in March 2022 we are not testing Microsoft Defender, so you will have to wait until the May 2022 edition for the exact results of the change in metdology.
3. I was supposed to hear from someone in April to help me prepare a special manual configuration for Microsoft Defender testing. We will be able to compare default and overclocked configuration.
4. We will update the methodology description on webiste in the coming week.
On the attached image you can see the terminal of our test application - Node.JS output terminal, which manages Vmware via API. You can also see the Windows 10 configuration + SS enabled + MOTW active.
I hope these changes will inspire even more trust to AVLab Cybersecurity Foundation.
We've updated very quickly the SANDBOX machine (without antivirus) to a state with Smart Screen and MOTW enabled. If you've read our methodology, you already know that at SANDBOX we investigate malware before it goes into TESTING.
I want to be precise, that's why I'm going to the point:
1. We will update all machines with tested AVs in the near future.
2. This month in March 2022 we are not testing Microsoft Defender, so you will have to wait until the May 2022 edition for the exact results of the change in metdology.
3. I was supposed to hear from someone in April to help me prepare a special manual configuration for Microsoft Defender testing. We will be able to compare default and overclocked configuration.
4. We will update the methodology description on webiste in the coming week.
On the attached image you can see the terminal of our test application - Node.JS output terminal, which manages Vmware via API. You can also see the Windows 10 configuration + SS enabled + MOTW active.
I hope these changes will inspire even more trust to AVLab Cybersecurity Foundation.
Attachments
In the past it worked for all, origin was just one of the markers since not all browsers (e.g. Firefox) added the MOTW. In early versions users could set the triggering limits by chosing out of predefined options (e.g. less than one day old, less than two weeks old, etc). Like your best safe hex habit advice just wait a day before executing any downloaded program.
Similar threads
