App Review Of LoLBins, 0-Days, ESET, and Microsoft Defender

[Andy Ful]

Here is how I construed this video (I imagined @cruelsister talking):
"Hi dear MT members. I am not a fan of Microsoft Defender (see my other videos), but recently it positively surprised me by blocking on default settings a method used many times by attackers in the wild. Such behavior is uncommon among AVs on default settings (Eset AV taken as an example). Blocking such methods can help to prevent some 0-day attacks."

So, I can say that I was also positively surprised and can confirm that such blocking is uncommon among popular AVs on default settings (Avast taken as an example).
Of course, we both know that this does not make Defender the best AV in the world which is C****o in @cruelsister settings. (joke)

 

[Trident]

So, I can say that I was also positively surprised and can confirm that such blocking is uncommon among other AVs on default settings (Avast taken as an example).

I tried the same with Harmony Endpoint by quickly running a one-line command supposed to download a file via certutil.
It produced 2 different behavioural detections.
Gen.win.lolbas.something and
Gen.win.certutil.abuse

 

[Practical Response]

I'm just going to leave this here:

Of LoLBins, 0-Days, ESET

An interesting question was asked on that link: Is there a way to configure ESET to detect such LoL bin usage ? Would it be possible?

forum.eset.com

 

[blackice]

I'm just going to leave this here:

Of LoLBins, 0-Days, ESET

An interesting question was asked on that link: Is there a way to configure ESET to detect such LoL bin usage ? Would it be possible?

forum.eset.com

Good to see the legendary itman is still actively engaging.

 

[LennyFox]

The 'legendary (according to @blackice)' itman confirms that @cruelsister and @Andy Ful are right Eset should detect it

 

[rashmi]

LoLBins, 0-Days, ESET, and Microsoft Defender walk into a bar... and the regulars engage in a tech-savvy version of rock-paper-scissors!

 

[Andy Ful]

This method can be prevented by applying the firewall hardening rule (block outbound connections of certutil.exe).

 

[Andy Ful]

The 'legendary (according to @blackice)' itman confirms that @cruelsister and @Andy Ful are right

Probably yes.

 

[Practical Response]

Just going to leave these right here again, and everyone can continue on. Nothing more needs added. Zero days are not prevalent and Eset has other technologies besides signatures and keeping systems and software updated properly at all times helps negate these as well.

Bottom line was in this test, there was no malicious item attached, no payload for the product to try to detect.

 

[Andy Ful]

I think that we should not demonize that method. Several LOLBins can do the same and worse. Furthermore, it takes one minute to compile an EXE file that can download another one from the Internet, without triggering any detection.
The attack with Certutil is intended to masquerade the action. It makes sense in organizations to fool Administrators.

 

[cruelsister]

Here is how I construed this video (I imagined @cruelsister talking):
"Hi dear MT members. I am not a fan of Microsoft Defender (see my other videos), but recently it positively surprised me by blocking on default settings a method used many times by attackers in the wild. Such behavior is uncommon among AVs on default settings (Eset AV taken as an example). Blocking such methods can help to prevent some 0-day attacks."

So, I can say that I was also positively surprised and can confirm that such blocking is uncommon among popular AVs on default settings (Avast taken as an example).
Of course, we both know that this does not make Defender the best AV in the world which is C****o in @cruelsister settings. (joke)

Yeah (wish I wrote that!). Actually I just needed some video content or other that was short enough to match the length of the song...

 

[Practical Response]

I think that we should not demonize that method. Several LOLBins can do the same and worse. Furthermore, it takes one minute to compile an EXE file that can download another one from the Internet, without triggering any detection.
The attack with Certutil is intended to masquerade the action. It makes sense in organizations to fool Administrators.

The method is flawed because it's not realistic and does not test the product as designed. This is not other lolbins and the file is benign.

If there is so much faith in it, then do it justice by placing a payload in it, place it in a file sharing site where you can mimic real world route of infection by user downloading and see if the malicious code is spotted either before or even post execution once it hits the machine, then you have a legit test. If it does, I wouldn't say a word, as it's tested properly.

Faulting eset for allowing a tool that's used for security purposes that in this case is benign and calling it a strike against the product is just incorrect.

Marcos points out himself that they do not block these kind of tools and it contained no malicious code.

As already stated zero day excuse doesn't hold water either, not only are they not prevalent but there are other modules in the suite for monitoring and detecting unknowns. As well as rules that can be written considering this application has advanced features for manual rules creation.

Speaking of, I've noticed CIS always gets tweaked in these tests yet everything else is tested at defaults, why is that?

 

[LennyFox]

To anser the why question, that is because most MT-members suffer from cognitive dissonance and biassed perceptions (like most humans as discovered by Luft and Ingham link).
There are not many people blessed with an (ultimate) vision, but browsing the video section of our forum, even I can find video's of a respected MT-member @Shadowra who often does specials on request:

App Review - Microsoft Defender Antivirus with Andy Ful WHHLight

Microsoft Defender has been the standard antivirus provided by Microsoft since Windows 8. On Windows 10, Microsoft considerably improved its antivirus, and continued with Windows 11. In this test, I've been asked to add @Andy Ful WHHLight with settings predefined by the editor. I'm also adding...

malwaretips.com

Speaking for myself, for me MT is the only way to follow @cruelsister in a legal way (outside the digital world I would probably arrested for stalking CS), so I don't mind watching videos with Comodo in CS settings (wait CS publishing CIS videos in CS settings, could there be some sort of cruel correlation? )

 

[cruelsister]

If there is so much faith in it, then do it justice by placing a payload in it

Part 2 this weekend.

 

[Andy Ful]

The method is flawed because it's not realistic and does not test the product as designed. This is not other lolbins and the file is benign.

If there is so much faith in it, then do it justice by placing a payload in it, place it in a file sharing site where you can mimic real world route of infection by user downloading and see if the malicious code is spotted either before or even post execution once it hits the machine, then you have a legit test. If it does, I wouldn't say a word, as it's tested properly.

Faulting eset for allowing a tool that's used for security purposes that in this case is benign and calling it a strike against the product is just incorrect.

Marcos points out himself that they do not block these kind of tools and it contained no malicious code.

As already stated zero day excuse doesn't hold water either, not only are they not prevalent but there are other modules in the suite for monitoring and detecting unknowns. As well as rules that can be written considering this application has advanced features for manual rules creation.

Speaking of, I've noticed CIS always gets tweaked in these tests yet everything else is tested at defaults, why is that?

There was no need to refer to my post. It neither contradicts the above nor confirms it.
Your point of view can be shared by many people (like Marcos) and many people can have another opinion (like Microsoft staff).
I will not discuss who is right.

 

[Practical Response]

There was no need to refer to my post. My post neither contradicts the above nor confirms it.

You responded about the topic and conversation stating the method was being "demonized" so I responded back, it's how this works. You actually responded after stating the thread "was too long" referring I was dragging it out.

Part 2 this weekend.

Is it going to be an actual in the wild sample distributed via route of infection or are you going to modify things again to prove a point with something unrealistic. Will you be tweaking Esets protection like you do comodo or running it at default.

 

[Andy Ful]

You responded about the topic and conversation stating the method was being "demonized" so I responded back, it's how this works.

You should not take everything to yourself, except if someone makes it clear by referring to your posts or mentioning your nick.
By "we should not demonize", I had in mind that failing by Eset in this test is not so important in practice (I took your party).

 

[Practical Response]

You should not take everything to yourself, except if someone makes it clear by referring to your posts or mentioning your nick.
By "we should not demonize", I had in mind that failing by Eset in this test is not so important in practice (I took your party).

That's just it direct response are not made and jabbing ones are.

The method is not being demonized, it's being pointed out to be flawed because it's testing a product that is designed with a ruleset to allow such tools yet use other methods should that tool be abused.

In this case using a benign file to demonstrate that just reflected on the product in an improper way. It's like putting your product in a machine, not turning it on and stating it failed.

I want to point out before the "stop posting crowd starts" that I have a right to respond as much as any of you. If you are going to all gang up on one person you should expect no less.

 

[LennyFox]

Is it going to be an actual in the wild sample distributed via route of infection or are you going to modify things again to prove a point with something unrealistic.

It is quite common for vendors to provide updates and patches for vulnabilities which have been discovered by white hat security analists using a PoC (Proof of Concept) that something can be exploited in a repeatable and predictable manner. When vendors take PoC's seriously, why do you consider an "actual in the wild distributed via route of infection" as the only valid proof?

 

[Practical Response]

It is quite common for vendors to provide updates and patches for vulnabilities which have been discovered by white hat security analists using a PoC (Proof of Concept) that this vulnability can be exploited in a repeatable and predictable manner. When venodrs take PoC's sereiously, why do you consider an "actual in the wild distributed via route of infection" as the only valid proof?

Because the products modules are designed to respond a certain way to real world route of infection. Some venders harden real world route of infection modules as that's were the threats actually come from.

This vendor stated above they do not block these tools because they can be used for good and bad. Have you looked up and discovered what this tool is and how it's used. It's a security tool. This vendor also stated that if there was a payload in it, it would be detected or stopped post execution either way.

Real in the wild malware for a payload you ask, because that is what's out there. It's testing realistic.

I get it, cruelsis is popular so you all are going to gang jump me to protect this user. Hell Lenny it sounds as if you would hold that users hand walking down a beach in which I say, have at it.

All personal aside, when Marcos stated those two things above that should have been enough for all to understand this method of testing with no payload, from the wild, or no route of infection proved nothing other then MS defender nailed it with a generic signature. Which btw there is a vendors test floating on the board where defender and eset scored the same score with exception that defender had 3 false positives and eset had none. This due to those aggressive "possibility" generic signatures. They both scored pretty high on default settings.