App Review (Sandboxed) Windows Defender vs Zero Day Malware


RoboMan
I was advised that the new sandbox in Windows Defender would provide an awesome higher protection (LOL), so thanks to @silversurfer providing me some really good malware source links, I could access various zero day samples and decided to test Defender against one.

Just wanted to show how really sandboxed Defender behaves at the end against malware and have some laughs :=)

EDIT: I know sandbox doesn't provide higher protection, that's what the "LOL" means. I got told numerous times on the internet this was an amazing move and now Defender would be so much better. I did this test to prove this doesn't affect the final results.

 

509322

Sandboxed Windows Defender and un-sandboxed Windows Defender provide the same level of AV protection. The sandbox does not increase WD protection. The sandboxing of WD processes protects against Windows Defender scan engine exploits of certain types.
 

shmu26
I was advised that the new sandbox in Windows Defender would provide an awesome higher protection

You were not advised correctly. The main purpose of sandboxing WD is not to improve zero-day detection. It is for self-protection of WD. As is well known, a compromised AV is very dangerous, since it has high privileges. Sandboxing is meant to address that issue.

Also, please note that WD sandboxing has not even been tested yet by Insiders. It hasn't really been born yet.

EDIT: Indeed, @RoboMan already knows everything I wrote. His LOL is directed to those who foolishly think that this feature awesomely improved WD antimalware protection, when that was never its purpose.
 

Eddie Morra

Windows Defender was sandboxed to prevent vulnerabilities which affect the user-mode components such as the privileged Windows Service from being exploited in a way that would allow the attacker to gain additional privileges (e.g. through a Local Privilege Escalation vulnerability present in the scanning engine used by a privileged Windows Defender process).

If you were to exploit other areas of Windows Defender which will not be sandboxed, such as the kernel-mode software, then the sandbox would be of no use. Specific vulnerabilities were being reported to Microsoft consistently (e.g. Google Project Zero) and Microsoft preferred to implement a sandbox container for some user-mode components instead of addressing the elephant in the room about how they needed to follow their own secure guidelines and if they already were... do better.

Of course a sandbox container is a good idea but it shouldn't be a substitute for fixing the real underlying issues. It's only a good addition if the underlying problems are also considered properly and effectively fixed... and if you never learn from your mistakes then you'll mess up whatever you do as a substitute sooner or later. Only time will tell.

If someone driving stupidly accidentally injures someone but gets let off the hook from prison and sent to driving classes again (e.g. instead of losing their license), it won't make a difference if they didn't care to fix the main issue... which is to focus properly, listen to what they are told and drive safely in the future. Otherwise, no matter how many classes they attend, the same issues will eventually happen.

The Windows Defender experimental sandboxing will not affect malware protection (e.g. detection levels, behavioural prevention, etc.). It will only make Windows Defender safer in the event of exploitation which affects a sandboxed component (limiting what an attacker can or cannot do without an additional exploit for the sandbox container escaping) and potentially make it more resistant against vulnerabilities in general (possibly).
 

Local Host

You were not advised correctly. The main purpose of sandboxing WD is not to improve zero-day detection. It is for self-protection of WD. As is well known, a compromised AV is very dangerous, since it has high privileges. Sandboxing is meant to address that issue.

Also, please note that WD sandboxing has not even been tested yet by Insiders. It hasn't really been born yet.
This ^
Neither the sandbox was properly tested nor is ready for public use.
 

RoboMan
With your edit, I think people coming over to this thread will understand now. I guess it's just the way you had it worded earlier that caught people off guard. That's all. No big deal.
Yeah, it seems like. To sum up, over Facebook groups and forums people were claiming that the new sandbox would make Windows Defender a fantastic AV and would seriously improve the protection. If you guys actually watch the whole video you'd understand the purpose is to show that the recent addition doesn't affect at all how Windows Defender works or is: garbage.

If it protects its processes from malware or exploits that's another whole thing.
 

In2an3_PpG
To sum up, over Facebook groups and forums people were claiming that the new sandbox would make Windows Defender a fantastic AV and would seriously improve the protection.

Whatever group or forum that was, I would advise you to leave :LOL:. Not worth dealing with them. You might lose some brain cells if you have not already.
 

RoboMan
One word generates that much hype around WD:unsure:

Thanks for posting, well detailed + simple to watch
Yeah LOL, and they weren't even the first ones to implement it. Sadly it seems hype is generated quickly on the security products and misleads people to mix facts; like sandbox for processes will provide a better protection :p
 

Mahesh Sudula
Good test. A big LOL from my end as well.
WD: I expect these videos should be seen by AV authorities; a big difference between their charts and our tests!
One question: have you enabled internet? Since their cloud seems to be a bit aggressive... thanks to VT.
 

ichito
Sandboxed Windows Defender and un-sandboxed Windows Defender provide the same level of AV protection. The sandbox does not increase WD protection. The sandboxing of WD processes protects against Windows Defender scan engine exploits of certain types.
I'm curious how sandboxing of specific processes of WD can affect its accuracy of detection and its ability to control some parts of the system that may be unavailable to open/use for sandboxed processes. Is it possible to test it?
 
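ichito asks above whether the effect of the sandbox can be tested, and Mahesh asked earlier whether the cloud was enabled during the video. The following PowerShell check is an added example written for this page; it was not posted by anyone in the thread and is not Microsoft's code. It assumes a Windows 10 build where the opt-in Defender sandbox is available and the built-in Defender PowerShell module is present. The names it relies on are the ones Microsoft documented when the sandbox was announced: the machine-wide environment variable MP_FORCE_USE_SANDBOX that forces the sandbox on, and the low-privilege MsMpEngCP.exe process that appears next to the privileged MsMpEng.exe service when it is active. It reports those alongside the detection-related settings (cloud protection, sample submission, real-time protection), which is the point of the thread: the sandbox changes where content is scanned, not what the engine detects.

```powershell
# Added example, not from the thread: report whether the Defender engine
# sandbox is active on this machine and which detection settings are in effect.
# Assumes Windows 10 with the opt-in sandbox available and the Defender module loaded.
# MP_FORCE_USE_SANDBOX and MsMpEngCP.exe are the names Microsoft documented for
# the sandbox; Get-MpPreference / Get-MpComputerStatus ship with Windows.

function Get-DefenderSandboxState {
    # The opt-in switch is a machine-scope environment variable; '1' forces the sandbox on.
    $flag = [Environment]::GetEnvironmentVariable('MP_FORCE_USE_SANDBOX', 'Machine')

    # With the sandbox active, scanning of content runs in a low-privilege
    # MsMpEngCP.exe process beside the privileged MsMpEng.exe service.
    $engine  = Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue
    $content = Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    [pscustomobject]@{
        SandboxFlagSet       = ($flag -eq '1')
        EngineRunning        = [bool]$engine
        SandboxedProcessUp   = [bool]$content
        # These settings, not the sandbox, decide what gets caught:
        CloudProtection      = $pref.MAPSReporting          # 0 = off, 2 = advanced
        SampleSubmission     = $pref.SubmitSamplesConsent   # 0 prompt, 1 safe samples, 2 never, 3 all
        CloudBlockLevel      = $pref.CloudBlockLevel
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        AntivirusEngine      = $status.AMEngineVersion
    }
}

# Usage: print the report as a property list.
Get-DefenderSandboxState | Format-List
```

If SandboxFlagSet is false and no MsMpEngCP.exe process is listed, the machine is running the un-sandboxed engine and a detection test says nothing about the sandbox either way. If the flag is set and the sandboxed process is present, re-running the same sample gives a like-for-like comparison of detection with and without the sandbox, with the cloud and sample-submission values above recorded so the two runs are known to have used the same settings.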

Mahesh Sudula
Yeah LOL, and they weren't even the first ones to implement it. Sadly it seems hype is generated quickly on the security products and misleads people to mix facts; like sandbox for processes will provide a better protection :p
This is true not only of the sandbox or WD.
What does a user think before he buys a security suite? Usually he glances through their website.
It would be filled with sexy paintings and scripts from AV test authorities alongside their own author-driven scripts about new mouth-watering features, aka machine learning, ATP, advanced heuristics, enterprise cloud blah blah, sandbox + AI driven. However a normal user believes these, and knows the truth once the system gets infected. In reality it's nothing more than a 2000-era AV technically.
I really pity many users who are commercially being exploited by those liars, losing their money, time, hard work.
Truth: AV works when the user does the same work from their end, else he would be exploitable by outside guys!
 

oldschool
Whatever group or forum that was, i would advise you to leave :LOL:. Not worth dealing with them. You might lose some brain cells if you have not already.

:LOL::LOL::LOL:!

@RoboMan - I'm curious, were you using WD default or ConfigureDefender highest settings? Not that I'm relying on it for zer0-days, just wondering!
Great video BTW but please don't post this good stuff on FB or Twitter - you might insult them in their ignorance & those people absolutely don't deserve you! You are OUR robot! :LOL:
 

shmu26
Windows Defender at default settings is meant to be used in a typical environment, where Windows Smartscreen will block zero-day downloads.

As for torrenters who download their warez in zip files, in which case Windows Smartscreen won't work, Microsoft doesn't have a lot of love for those people, anyways. :)
But seriously, torrenters will anyways turn off their AV and their firewall when they run their crack, so it doesn't really matter.
 

RoboMan
:LOL::LOL::LOL:!
@RoboMan - I'm curious, were you using WD default or ConfigureDefender highest settings? Not that I'm relying on it for zer0-days, just wondering!
Great video BTW but please don't post this good stuff on FB or Twitter - you might insult them in their ignorance & those people absolutely don't deserve you! You are OUR robot! :LOL:
I tried to simulate the most realistic environment possible:
  • Windows Defender at default settings
  • Telemetry and other services untouched
  • Random documents (doc, mp3, mp4) on desktop and documents folders
  • Extra installed programs like video players
  • Installed updates
  • A few extensions on Chrome
Windows Defender at default settings is meant to be used in a typical environment, where Windows Smartscreen will block zero-day downloads.

As for torrenters who download their warez in zip files, in which case Windows Smartscreen won't work, Microsoft doesn't have a lot of love for those people, anyways. :)
But seriously, torrenters will anyways turn off their AV and their firewall when they run their crack, so it doesn't really matter.
+1, no protection available for pirates. Been there, done that. AV is always turned off. Anti-executables always set to "allow". It's useless to try to protect them :p
This is true not only of the sandbox or WD.
What does a user think before he buys a security suite? Usually he glances through their website.
It would be filled with sexy paintings and scripts from AV test authorities alongside their own author-driven scripts about new mouth-watering features, aka machine learning, ATP, advanced heuristics, enterprise cloud blah blah, sandbox + AI driven. However a normal user believes these, and knows the truth once the system gets infected. In reality it's nothing more than a 2000-era AV technically.
I really pity many users who are commercially being exploited by those liars, losing their money, time, hard work.
Truth: AV works when the user does the same work from their end, else he would be exploitable by outside guys!

Cannot say I'm not a fan of flashy websites! I strongly believe a nice, attractive website is a must have to sell a good product. But it's not what people should look at to decide :)
 

509322

Zero-Days !



Did you know a "zero-day" isn't actually malware ? Technically, calling "new" malware zero day is incorrect.
 
