New video about defender on pc security Channel
<blockquote data-quote="bazang" data-source="post: 1122585" data-attributes="member: 114717"><p>Rewatch the video. Leo shows the malware in the Z:\Shared\Malware folder and looks up the detections on VirusTotal twice. It clearly shows that Microsoft has signatures for the malware, and it executed. Leo discusses what happened.</p>
<p>The malware is named "Unicorn" and it clearly has been downloaded in the background by PowerShell and then executed from Z:\Shared\Malware. See 1:40 of the video. Also see 4:30 of the video for the further discussion.</p>
<p>Microsoft already had signatures for "Unicorn-??????" but allowed it to execute. The Unicorn-named files are almost all 0 KB, with every 8th or 10th one being ~145 KB to 435 KB. Then there is the "update.exe" file, which was created or dropped, but there is no evidence it executes.</p>
<p>The 0 KB file size can be misleading, as it could be deliberate obfuscation of the actual file size. But there is no doubt that "Unicorn-??????" kept executing over and over. We cannot know what it was intended to do, but nevertheless it did execute. There was a GUI element on the Desktop and the file kept replicating itself. So, yes, it was executing on the system. There is no evidence that Microsoft Defender blocked it.</p>
<p>There are viruses out there that will do nothing except keep executing to load data into active memory (RAM) and make the system do many writes to the file system/disk. An attacker that wants to overwhelm a system can do so by having writes of 0 KB files in an endless loop, which is clearly what was happening on the test system until it froze and Leo had to reset the test virtual machine to a prior snapshot.</p>
<p>At 5:25 Leo shows what "Unicorn-??????" does via the VirusTotal sandbox "run" analysis, and it clearly shows that it creates copy after copy of itself, which is the exact behavior observed on the system.</p>
<p>However, at 6:15 Leo says that it could have been the parent file that executed that created Unicorn-??????, but that is not consistent with what the VirusTotal sandbox analysis clearly shows. So he does not commit to anything other than "Microsoft Defender allowed a malware to execute and it rendered the system inoperable." This statement is 100% accurate.</p>
<p>During the video not a single Microsoft Security prompt appeared asking the user to make a decision. Every single alert that appears in the entire video from Microsoft Security is "Microsoft Defender Antivirus detected threats. Get Details."</p>
<p>There are a few notifications from Microsoft Security instructing the user to restart the system.</p>
<p>So Leo is not ignoring any alerts where he had to make a decision to Allow or Block a program, as there are no notifications asking him to make a decision.</p>
<p>Leo says at 5:35 that Microsoft Defender "detection is not too bad, which is fairly decent considering these are brand new files" and at 6:30 he says "It is not any worse than other AVs in terms of signatures." At 7:00 Leo begins talking very positively about Microsoft Defender.</p>
<p>The criticisms of Microsoft Defender's over-reliance upon the cloud and its poor heuristics and behavioral blocking are accurate and fair.</p>
<p>I have access to the full E5 Government offering that includes every single part of Microsoft Security from Microsoft Defender to EDR to Sentinel to Compliance. And even with all those Microsoft Security components properly and securely configured there are systems that get breached and infected.<strong> It is only after users are prevented from downloading or executing anything, and LoLBIN execution is blocked, that the bypasses, infections, and compromises drop off almost to zero.</strong></p>
<p>If it were Kaspersky or Bitdefender on Leo's same test system, the poor Defender showing almost certainly would not have been replicated.</p>
<p>For users that know and prioritize security, should that matter? Perhaps, but most of the protection is coming from the user and not the security software. Nevertheless, Microsoft Defender as a standalone security solution is not adequate or sufficient for any household using Windows Home with downloading minions that know nothing about security.</p></blockquote>
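The behaviour the post describes (one process writing copy after copy of itself, almost all of them 0 KB, in a tight loop until the machine freezes) is exactly the kind of thing a behavioural rule on file-creation telemetry can catch even when the signature engine has already let the first file run. The following is an added example of such a rule, not code from the video, the poster, or Microsoft: it takes Sysmon Event ID 11-style file-creation events (plus the size observed for each created file), keeps a per-process sliding window, and raises an alert when a process creates many zero-byte files or many files carrying its own name. The events, paths, thresholds and the process name `Unicorn-a1b2c3.exe` are constructed assumptions that mirror the pattern described, not data from the test system.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileCreate:
    """One file-creation event (same fields as Sysmon Event ID 11, plus size)."""
    ts: float      # event time in seconds (constructed clock, not real timestamps)
    image: str     # full path of the creating process
    target: str    # full path of the file it created
    size: int      # size of the created file in bytes


def name_family(path: str) -> str:
    """Collapse 'Unicorn-3f9a1c.exe' / 'Unicorn_77.exe' to 'unicorn' so that
    randomly suffixed copies of one executable group together."""
    stem = PureWindowsPath(path).stem.lower()
    return stem.split("-")[0].split("_")[0]


def detect_replication_bursts(events, window_s=10.0, min_files=20, zero_ratio=0.8):
    """Flag a process that, inside any `window_s` sliding window, creates at
    least `min_files` files where either (a) at least `zero_ratio` of them are
    zero-byte or (b) at least `min_files` of them carry its own name family.
    Returns one alert dict per offending process (first window that trips)."""
    alerts, recent, already = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.image]
        q.append(ev)
        while ev.ts - q[0].ts > window_s:          # drop events older than the window
            q.popleft()
        if len(q) < min_files or ev.image in already:
            continue
        zero = sum(1 for e in q if e.size == 0)
        copies = sum(1 for e in q if name_family(e.target) == name_family(ev.image))
        reasons = []
        if zero / len(q) >= zero_ratio:
            reasons.append(f"{zero}/{len(q)} zero-byte files within {window_s:g}s")
        if copies >= min_files:
            reasons.append(f"{copies} files named like the creating process")
        if reasons:
            already.add(ev.image)
            alerts.append({"image": ev.image,
                           "directory": str(PureWindowsPath(ev.target).parent),
                           "reasons": reasons})
    return alerts


def sample_events():
    """Constructed telemetry: a self-copying loop next to two benign writers."""
    evs = []
    mal = r"Z:\Shared\Malware\Unicorn-a1b2c3.exe"   # assumed name of the running copy
    for i in range(40):                              # 40 copies in 4 s, every 8th non-empty
        evs.append(FileCreate(0.1 * i, mal, rf"Z:\Shared\Malware\Unicorn-{i:06x}.exe",
                              145 * 1024 if i % 8 == 0 else 0))
    for i in range(40):                              # a build tool writing many real objects
        evs.append(FileCreate(0.2 * i, r"C:\Tools\cl.exe", rf"C:\Build\mod{i}.obj", 4096))
    for i in range(3):                               # a service touching a few lock files
        evs.append(FileCreate(1.0 * i, r"C:\Windows\System32\svchost.exe",
                              rf"C:\Windows\Temp\lock{i}.tmp", 0))
    return evs


if __name__ == "__main__":
    for a in detect_replication_bursts(sample_events()):
        print(a["image"], "->", a["directory"], ";", "; ".join(a["reasons"]))
```

The two conditions are kept separate on purpose: the zero-byte ratio catches the disk-thrashing loop regardless of what the files are called, and the name-family count catches self-replication even when the copies are non-empty. The compiler in the sample writes just as many files in the same window but trips neither test, which is the false-positive case a rule like this has to survive before it is allowed to block rather than only alert.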