AVLab.pl Modern protection without signatures – comparison test on real threats (Advanced In The Wild Malware Test)

Disclaimer
This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions. We encourage you to compare these results with others and make informed decisions on which security products to use. Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Andy Ful
From Hard_Configurator Tools
Dec 23, 2014
As I mentioned above, there is no such thing after downloading the file. No MOTW indicator.

So why is it here when I download files via Google Chrome? The screenshots from my previous posts were taken after downloading the file via Google Chrome. :)
Please check if you have the default Windows settings. (y)
 

Andy Ful
From Hard_Configurator Tools
Dec 23, 2014
Please look here for more info about MOTW and web browsers:
https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/
https://blogs.msmvps.com/alunj/2020/06/24/revisiting-ntfs-alternate-data-streams/

Nowadays all major software on the Windows platform that deals with attachments or downloaded files generates a Zone.Identifier ADS, including Internet Explorer, Edge, Outlook, Chrome, FireFox, etc. How do these programs write this ADS? Either by creating the ADS directly or via the system’s implementation of the IAttachmentExecute interface. The behavior of the latter can be controlled via the SaveZoneInformation property in the Attachment Manager.

If I remember correctly, files downloaded from OneDrive and GoogleDrive also have MOTW.
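As an added illustration (not code from the thread, from any poster, or from the linked blogs), the following Python script reads and interprets the Zone.Identifier stream the quoted passage describes, so a downloaded file can be checked for the MOTW that the discussion above hinges on. The sample stream body and the example.test URLs are constructed; the `file:stream` open syntax works only on Windows/NTFS.

```python
"""Read and interpret a file's Mark of the Web (Zone.Identifier ADS)."""
import sys
from typing import Optional

# URLMON security zone ids (URLZONE_*); SmartScreen and many AV engines
# treat 3 (Internet) and 4 (Restricted) as "downloaded from the Internet".
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] body; ZoneId becomes an int plus a ZoneName."""
    result, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)   # URLs may contain '=' themselves
            result[key.strip()] = value.strip()
    try:
        result["ZoneId"] = int(result["ZoneId"])
        result["ZoneName"] = ZONE_NAMES.get(result["ZoneId"], "Unknown")
    except (KeyError, ValueError):
        result.pop("ZoneId", None)            # missing or malformed ZoneId
    return result

def has_internet_motw(text: Optional[str]) -> bool:
    """True if the stream marks the file as Internet (3) or Restricted (4)."""
    zone = parse_zone_identifier(text).get("ZoneId") if text else None
    return zone is not None and zone >= 3

def read_zone_identifier(path: str) -> Optional[str]:
    """Return the Zone.Identifier ADS of an NTFS file, or None when it is absent.
    The 'file:stream' syntax only works on Windows/NTFS; elsewhere open() fails."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

# Constructed sample in the layout browsers such as Chrome and Edge write (not from the thread).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.test/dl/\r\n"
                 "HostUrl=https://example.test/dl/sample.exe\r\n")

if __name__ == "__main__":
    stream = read_zone_identifier(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STREAM
    print(parse_zone_identifier(stream) if stream else "no MOTW: Zone.Identifier stream absent")
```

Run it with a path to a freshly downloaded file on Windows to see whether the browser actually wrote the stream; without an argument it parses the constructed sample.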

Andy Ful
From Hard_Configurator Tools
Dec 23, 2014
If the files were run without MOTW in the AVLab tests, then the results for Avast would be even more anomalous than those for Webroot. It is impossible that Avast did not miss a single sample in all AVLab tests (over 19 000 samples; please let me know if that is not true). This would also strongly suggest that there are not many unknown samples in AVLab tests. The 0-missed result is possible (still slightly unusual) if the files were run with MOTW. In this case, Avast uses the CyberCapture sandbox, so the samples are analyzed similarly to what is done by AVLab (to check if the samples are malicious). So even such a perfect result does not exclude the use of many unknown samples in AVLab.

Andy Ful
From Hard_Configurator Tools
Dec 23, 2014
@omidomi

Please help me. Webroot SecureAnywhere uses the option "Enable enhanced heuristics based on behavior, origin, age, and popularity of files".
  1. Is this strong protection against EXE files?
  2. Does it work only for files directly downloaded (as an EXE, not packed) from the Internet (files with MOTW), or can it work for all EXE files (also those extracted from archives)?
 

Adrian Ścibor
From AVLab.pl
Apr 9, 2018
OK, thanks to all commenters for the interesting discussion!

This sparked an effort to think about changing the methodology to keep MOTW and SmartScreen enabled at the same time.

I think a compromise was found to ensure that malware downloaded from the browser would have the MOTW indicator and, at the same time, that the automatic malware launch routines would not display warning messages.

SmartScreen technology is not that important because we are checking the AV program's response anyway, and we want to bypass the other system messages. The most important thing is MOTW, so we will do that better.

We will test this internally and I will let you know what worked.

Thank you, I am also learning new things because of you :)
 

SeriousHoax
Mar 16, 2019
That's better, good to know. Disabling SmartScreen or ignoring the SmartScreen prompt is fine. @Andy Ful also agrees. But MOTW should never be disabled/removed. It's the default configuration, it's the norm. Many AV products' post-execution components take MOTW into consideration. Even a professional malware analyst on the forum briefly talked about it.
 

Adrian Ścibor
From AVLab.pl
Apr 9, 2018
Okay, here's the deal...

We've very quickly updated the SANDBOX machine (without antivirus) to a state with SmartScreen and MOTW enabled. If you've read our methodology, you already know that at SANDBOX we investigate malware before it goes into TESTING.

I want to be precise, so I'll get to the point:

1. We will update all machines with tested AVs in the near future.

2. This month, March 2022, we are not testing Microsoft Defender, so you will have to wait until the May 2022 edition for the exact results of the change in methodology.

3. I was supposed to hear from someone in April to help me prepare a special manual configuration for Microsoft Defender testing. We will be able to compare the default and overclocked configurations.

4. We will update the methodology description on the website in the coming week.

In the attached image you can see the terminal of our test application (the Node.js output terminal, which manages VMware via its API). You can also see the Windows 10 configuration + SS enabled + MOTW active.

I hope these changes will inspire even more trust in the AVLab Cybersecurity Foundation.
 

Attachment: sandbox state.png

ForgottenSeer 92963

@omidomi

Please help me. Webroot SecureAnywhere uses the option "Enable enhanced heuristics based on behavior, origin, age, and popularity of files".
  1. Is this strong protection against EXE files?
  2. Does it work only for files directly downloaded (as an EXE, not packed) from the Internet (files with MOTW), or can it work for all EXE files (also those extracted from archives)?

In the past it worked for all; origin was just one of the markers, since not all browsers (e.g. Firefox) added the MOTW. In early versions users could set the triggering limits by choosing from predefined options (e.g. less than one day old, less than two weeks old, etc.). Like your best safe-hex habit advice: just wait a day before executing any downloaded program.
 