Advice Request MOTW dilemma

A couple of hours ago, I performed a full scan with MD.
It came out with a backdoor in the Edge cache.

I recalled I was testing fresh samples from URLhaus, and some of them triggered a download, which I aborted immediately, but it seems some code was residing in the Edge cache.

I wondered: if MD could detect it in an on-demand scan, why did it not detect it once it was downloaded into the cache?
I looked for MOTW; it was absent, which explains why BAFS did not work.

Is there any method to make Edge add MOTW to files stored in the cache?
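For anyone wanting to verify the observation above on their own machine, here is an added example (not code posted by anyone in this thread) that checks whether files carry the Mark of the Web. On NTFS, MOTW is the `Zone.Identifier` alternate data stream, an INI-style text with a `[ZoneTransfer]` section whose `ZoneId` (3 = Internet, 4 = Restricted) is what Block at First Sight and SmartScreen key on; a file with no such stream, like a browser-cache artefact, is simply invisible to those checks. The parser runs anywhere; the directory walk reads the real stream only on Windows. The sample stream content and the `example.test` URLs are constructed for the demonstration.

```python
"""Check whether files carry the Mark of the Web (MOTW).

Added example for the thread, not the forum's or Microsoft's code.
MOTW is the Zone.Identifier alternate data stream (ADS) on NTFS, e.g.:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.test/
    HostUrl=https://example.test/sample.bin

A file with no Zone.Identifier stream is not treated as downloaded by
Block at First Sight or SmartScreen, which is the situation described
for the Edge cache artefacts.
"""
import os
import sys
from dataclasses import dataclass
from typing import Dict, Optional

# URL security zones as Windows numbers them
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


@dataclass
class Motw:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def is_untrusted(self) -> bool:
        # Internet (3) and Restricted (4) are the zones security features act on.
        return self.zone_id >= 3


def parse_zone_identifier(text: str) -> Optional[Motw]:
    """Parse the text of a Zone.Identifier stream.

    Returns None when there is no [ZoneTransfer] section with a numeric ZoneId,
    which for our purposes is the same as having no MOTW at all.
    """
    section = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()
    zone = fields.get("zoneid")
    if zone is None or not zone.isdigit():
        return None
    return Motw(int(zone), fields.get("referrerurl") or None, fields.get("hosturl") or None)


def read_motw(path: str) -> Optional[Motw]:
    """Read a file's Zone.Identifier ADS on Windows/NTFS.

    Returns None when the stream is absent (no MOTW) or when the platform
    has no alternate data streams to read.
    """
    if not sys.platform.startswith("win"):
        return None
    try:
        # NTFS exposes the ADS as "<file>:Zone.Identifier"
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def report_directory(directory: str) -> Dict[str, Optional[Motw]]:
    """Map every regular file under `directory` to its MOTW, or None if absent."""
    results: Dict[str, Optional[Motw]] = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            results[full] = read_motw(full)
    return results


# Constructed sample stream in the shape a completed browser download leaves behind
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.test/
HostUrl=https://example.test/sample.bin
"""

if __name__ == "__main__":
    motw = parse_zone_identifier(SAMPLE_STREAM)
    print(motw.zone_name, motw.is_untrusted, motw.host_url)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, m in report_directory(target).items():
        print(f"{('MOTW ' + m.zone_name) if m else 'no MOTW':<18} {path}")
```

Pointing `report_directory` at a browser cache folder on Windows shows the distinction the thread is about: files that arrived through a completed download carry `ZoneId=3`, while cache artefacts typically report `no MOTW`.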

Such file artefacts were probably created by SmartScreen in Edge (download was prevented, so MotW is absent). They cannot be directly executed.
 
Such file artefacts were probably created by SmartScreen in Edge (download was prevented, so MotW is absent). They cannot be directly executed.
SmartScreen did not stop the download; it was aborted manually.
Actually, SS was disappointing with the URLhaus samples; not a single detection.
McAfee WebAdvisor was good, followed by TrafficLight, though they were not perfect either; both missed some URLs.
 
SmartScreen did not stop the download; it was aborted manually.

In this way, you did not test BAFS and SmartScreen for downloads. You only tested the SmartScreen URL blocking of samples from the URLhaus website.
The URLs you tested were not used in the wild, so SmartScreen ignored them (even if the in-the-wild URL was blocked by SmartScreen).
 
In this way, you did not test BAFS and SmartScreen for downloads. You only tested the SmartScreen URL blocking of samples from the URLhaus website.
The URLs you tested were not used in the wild, so SmartScreen ignored them (even if the in-the-wild URL was blocked by SmartScreen).
SS did not react, either by blocking the page load or by blocking the download; it only blocked the download of the simplewall installer 🙄
 
No; I stopped it manually.
SS, for example, stops the simplewall installer from starting to download, even before I intervene.

You cannot test SmartScreen in this way. You must wait until it stops downloading (successfully or not).
If you want to test URLs, you should use the in-the-wild URL used in the attack and not the URLhaus URL (which stores the file for download).



When connecting with in-the-wild URLs, the computer should be protected by a VPN.
Downloading/testing malware is dangerous - should be done in a special testing environment (specially prepared Virtual Machine) by trained users.
 
Tried the same scenario with K; it detected the threats immediately in the Edge cache, without the need to perform a scan.
I have noticed that disabling encrypted connection scanning without installing the extension renders safe browsing non-functional, in spite of it being enabled.