Modern protection without signatures – comparison test on real threats (Advanced In The Wild Malware Test)
[QUOTE="Andy Ful, post: 978181, member: 32260"]
You probably meant SmartScreen for Explorer instead of UAC. UAC ignores MOTW, but SmartScreen is triggered for EXE files with MOTW. The MOTW is embedded in the file's Alternate Data Stream (Zone.Identifier), which is added to files downloaded by the web browser (to an NTFS disk). One has to remove this ADS, or use the right-click Explorer context menu to unlock the file (this removes the ADS).
[LIST=1]
[*]Disabling SmartScreen does not remove MOTW.
[*]When the settings are like those in the screenshots from your previous posts (default Windows settings), then the MOTW is added.
[/LIST]
In both cases, Defender's BAFS, Avast CyberCapture, etc., can still work. The Defender behavior with working BAFS is very different from the case without BAFS. In the first case, the L3 blocks are very rare and related to Defender's post-infection protection. The initial malware must bypass all protection in the cloud, except detonation in the Sandbox:
[LIST=1]
[*]The file is allowed after bypassing cloud protection, but blocked after several seconds. The advanced analysis in the cloud (the file is uploaded to the cloud) took more time than the default 10 seconds.
[*]The file is allowed after bypassing cloud protection, but blocked after several seconds/minutes. The advanced analysis in the cloud detected the post-execution behavior as potentially malicious.
[*]The file is allowed after bypassing cloud protection, but blocked after several minutes. The detonation in the sandbox (which can last several minutes) recognized the file as malicious.
[*]The payloads downloaded/dropped/executed via the undetected initial malware were blocked (post-infection protection).
[/LIST]
All these cases are rare even for 0-day malware. BAFS was intended by Microsoft to block 0-day malware. For totally unknown and innovative malware, the first victim will be infected, but usually, after a few minutes, all users are protected against this malware via BAFS.

If BAFS works properly, then almost all samples are blocked at Level 1. If BAFS does not work properly, then the cloud backend is not used at Level 1, so most of the samples can be blocked only at Level 2 or 3.

Yes, this cmdlet removes MOTW by removing Zone.Identifier from the file. Does AVLab use it to unblock all the samples downloaded by Google Chrome?
[/QUOTE]
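As an added example (not from Andy Ful's post or the thread), a PowerShell snippet that reads the Zone.Identifier stream the post describes, so a tester can verify whether a downloaded sample still carries MOTW before interpreting a SmartScreen or BAFS result. It assumes Windows with an NTFS volume; the file content and HostUrl are constructed, and Get-MotwStatus is a hypothetical helper name.

```powershell
# Added example: inspect and clear the Zone.Identifier alternate data stream (MOTW).
# Get-MotwStatus is a hypothetical helper, not a built-in cmdlet.
function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)
    # URLMON zone ids as written by browsers into the ZoneTransfer section.
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }
    $result = [ordered]@{ Path = $Path; HasMotw = $false; ZoneId = $null; Zone = $null; HostUrl = $null; ReferrerUrl = $null }
    # -Stream reads the NTFS ADS; a file without the stream yields a suppressed error and $null.
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($lines) {
        $result.HasMotw = $true
        foreach ($line in $lines) {
            # The stream is INI-like: [ZoneTransfer] followed by Key=Value lines.
            if ($line -match '^\s*(ZoneId|HostUrl|ReferrerUrl)\s*=\s*(.*)$') {
                $result[$matches[1]] = $matches[2].Trim()
            }
        }
        if ($null -ne $result.ZoneId) {
            $result.ZoneId = [int]$result.ZoneId
            $result.Zone = $zoneNames[$result.ZoneId]
        }
    }
    [pscustomobject]$result
}

# Demo on a constructed file: simulate a browser download (ZoneId=3 = Internet), then clear it.
$sample = New-TemporaryFile
Set-Content -LiteralPath $sample.FullName -Value 'constructed test content, not a real sample'
Set-Content -LiteralPath $sample.FullName -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]',
    'ZoneId=3',
    'HostUrl=https://example.invalid/download'   # constructed placeholder URL
)
Get-MotwStatus -Path $sample.FullName | Format-List

# Removing the ADS is exactly the "unblock" the post describes: the MOTW is gone afterwards.
Remove-Item -LiteralPath $sample.FullName -Stream Zone.Identifier
Get-MotwStatus -Path $sample.FullName | Format-List

Remove-Item -LiteralPath $sample.FullName
```

To audit a whole sample set, pipe `Get-ChildItem -File` into `ForEach-Object { Get-MotwStatus $_.FullName }` and look at the HasMotw column.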