App Review (Sandboxed) Windows Defender vs Zero Day Malware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Eddie Morra

I'm curious how sandboxing of specific processes of WD can affect its accuracy of detection and its ability to control some parts of the system that may be unavailable to open/use for sandboxed processes. Is it possible to test it?
Windows Defender is not 100% "sandboxed" - only certain components in user-mode are "sandboxed".

Anything a "sandboxed" component will need which cannot be obtained directly from the "sandboxed" component will be provided by a "non-sandboxed" component.

Windows Defender can still do everything it could before it was "sandboxed".
 

AlanOstaszewski

@RoboMan
Please don't be angry with me. But I noticed a VERY BAD error during your test. (I also made this mistake earlier and many other testers in the HUB also make this mistake).

In minute 1:49 you can see that the VirtualBox process is running (driver).
Today you can assume that each sample checks earlier if it is in a virtual environment. So a "smart" sample in a virtual machine does not cause anything if it detects a virtual environment. If you install the VirtualBox drivers and don't harden the virtual machine settings, you can assume that the sample won't do any bad things.

And if the sample doesn't do bad things, Windows Defender and all other anti-virus software can't detect anything!

You can run this program in your VM and send us the log. LordNoteworthy/al-khaser
 
ForgottenSeer 72227

Good job @RoboMan!

I agree, this was never designed to improve WD antimalware capabilities, it's just to protect the system from any undetected vulnerabilities that could be present in WD itself.

Personally I think all vendors should implement something like this. They all have hooks deep inside the OS, that if vulnerable, could allow hackers to compromise the system. I was browsing the Eset forum not long ago and they mentioned that they are working on something similar for their products, so we will see if this becomes the norm going forward. While WD wasn't the first to implement this, it's a good feature to have.
 

Evjl's Rain

Not a surprise, WD is rubbish at default settings. Not better than a simple signature-based AV without BB, even worse.
The only things which keep users safe are Windows SmartScreen and the improvement of Edge's SmartScreen and Google Safe Browsing.

WD must be tweaked to be better (much better).

Many people keep saying WD (without tweaking) is great but they don't understand that SmartScreen is the main player.
 

RoboMan

Thread author
@RoboMan
Please don't be angry with me. But I noticed a VERY BAD error during your test. (I also made this mistake earlier and many other testers in the HUB also make this mistake).

In minute 1:49 you can see that the VirtualBox process is running (driver).
Today you can assume that each sample checks earlier if it is in a virtual environment. So a "smart" sample in a virtual machine does not cause anything if it detects a virtual environment. If you install the VirtualBox drivers and don't harden the virtual machine settings, you can assume that the sample won't do any bad things.

And if the sample doesn't do bad things, Windows Defender and all other anti-virus software can't detect anything!

You can run this program in your VM and send us the log. LordNoteworthy/al-khaser
Thanks for the great tip!
 

BoraMurdar

The main problem here, from my perspective, is not that Windows Defender didn't catch the malware before, at the time of, or upon execution. The problem is that Windows Defender is buggy at times, and buggy in a way that irritates to the bone. I mean, GUI glitches and an inability to remove malware that signatures caught is so not 2018-like. Microsoft has the best opportunities to create and maintain the best AV infrastructure and insights from its telemetry, but it's failing to do a simple thing.

RoboMan is not alone in having encountered this problem; whether the malware was test-aware, VM-aware or not, these things can happen with WeCreatedThisAV-Yesterday Total Protection 2018. Microsoft shouldn't have that privilege.
 

harlan4096

You can run this program in your VM and send us the log. LordNoteworthy/al-khaser
False positive?
 

RoboMan

Thread author
Did you know a "zero-day" isn't actually malware? Technically, calling "new" malware zero day is incorrect.
Are you sure you're not referring to 0-day vulnerabilities? I always referred to wild, new undetected malware as 0-day malware. Just in case I double checked at Emsisoft.
The program is harmless. Yes, it is a false positive. I would also like to know if your VM is hardened. ;)
Also blocked by Google Chrome :p
 

AlanOstaszewski

For now more GOODs than BADs... (running it in VMWare + W10 Pro RS5, KTS2019 not running/exited...)

Depends on what you have marked in red. If the program has detected VirtualBox or VMWare, then it is not so good. Roboman did this test and sent me the result per PM. The test clearly showed that it is easy for malware to detect the virtual environment of Roboman.
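
As an added illustration (not part of any post in this thread, and not al-khaser's code), here is a minimal Python audit an analyst could run over an inventory collected from a test guest, to see which default VirtualBox or VMware artifacts are still visible before trusting a result from that VM. The artifact lists are a small, well-known subset, and the snapshot format and sample data are constructed assumptions.

```python
import re

# Small, well-known subset of default guest artifacts (assumption: not exhaustive).
ARTIFACTS = {
    "VirtualBox": {
        "processes": {"vboxservice.exe", "vboxtray.exe"},
        "drivers": {"vboxguest.sys", "vboxmouse.sys", "vboxsf.sys", "vboxvideo.sys"},
        "mac_ouis": {"080027"},
        "firmware": ("virtualbox", "vbox", "innotek"),
    },
    "VMware": {
        "processes": {"vmtoolsd.exe"},
        "drivers": {"vmhgfs.sys", "vmmouse.sys"},
        "mac_ouis": {"000569", "000c29", "005056"},
        "firmware": ("vmware",),
    },
}

def oui(mac):
    """Vendor prefix (first three octets) of a MAC written with ':', '-' or '.'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return digits[:6] if len(digits) == 12 else None

def audit_guest(snapshot):
    """Return {hypervisor: [finding, ...]} for each artifact visible in the guest."""
    procs = {p.lower() for p in snapshot.get("processes", [])}
    drivers = {d.lower().rsplit("\\", 1)[-1] for d in snapshot.get("drivers", [])}
    ouis = {oui(m) for m in snapshot.get("macs", [])}
    firmware = " ".join(snapshot.get("firmware", [])).lower()
    report = {}
    for name, known in ARTIFACTS.items():
        found = [f"process {p}" for p in sorted(procs & known["processes"])]
        found += [f"driver {d}" for d in sorted(drivers & known["drivers"])]
        found += [f"MAC prefix {o}" for o in sorted(ouis & known["mac_ouis"])]
        found += [f"firmware string {s!r}" for s in known["firmware"] if s in firmware]
        if found:
            report[name] = found
    return report

# Constructed sample snapshots (hypothetical format, not data from the thread).
DEFAULT_VM = {"processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe"],
              "drivers": [r"C:\Windows\System32\drivers\VBoxGuest.sys"],
              "macs": ["08-00-27-AB-CD-EF"], "firmware": ["innotek GmbH", "VirtualBox"]}
HARDENED_VM = {"processes": ["explorer.exe"],
               "drivers": [r"C:\Windows\System32\drivers\ntfs.sys"],
               "macs": ["3C:52:82:11:22:33"], "firmware": ["Dell Inc.", "OptiPlex 7050"]}

if __name__ == "__main__":
    print(audit_guest(DEFAULT_VM), audit_guest(HARDENED_VM))
```

An empty report only means none of the listed artifacts were found; it does not prove the guest is indistinguishable from physical hardware.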
 
509322

Are you sure you're not referring to 0-day vulnerabilities? I always referred to wild, new undetected malware as 0-day malware. Just in case I double checked at Emsisoft.

Also blocked by Google Chrome :p

The terminology "zero day" only applies to vulnerabilities.

Culture has mis-applied the terminology to also mean new malware, which is not technically correct.
 

Andy Ful

The concept "zero-day malware" was used for many years, but as @Lockdown mentioned, in the context of exploits. At present it is accepted to use it in the context of general malware:
"Zero-day malware is hostile computer software, such as viruses or Trojan horses, that is not yet detectable by antivirus programs."
Advanced persistent threat | information technology

Yet the term "zero-day attack" seems to be related only to exploits.
Sometimes it is hard to understand the meaning of "zero-day malware" terminology:

"Mark Russinovich
WORKSHOP - Zero Day Malware Cleaning with the Sysinternals Tools

Learn how to analyze and clean zero day malware using the Sysinternals tools directly from their author, including Process Monitor, Process Explorer, and Autoruns. By enabling deep inspection and control of processes, file system and registry activity, and autostart execution points, these utilities are useful for everything from day-to-day computer maintenance to advanced system and application troubleshooting. The tools are especially effective for malware analysis and cleaning - so much so that malware commonly tries to prevent their execution. Mark focuses on the features useful for malware hunting, demonstrates their capabilities by presenting real-world cases of the tools being used to identify and clean malware, and concludes with a live analysis of the infamous Stuxnet virus."
Black Hat ® Technical Security Conference: USA 2011 // Venue

It seems at first that the above is related to the undetected, general malware samples, except the Stuxnet virus example, which is known for exploiting many zero day vulnerabilities.
 
509322

The concept "zero-day malware" was used for many years, but as @Lockdown mentioned, in the context of exploits. At present it is accepted to use it in the context of general malware:
"Zero-day malware is hostile computer software, such as viruses or Trojan horses, that is not yet detectable by antivirus programs."
Advanced persistent threat | information technology

Yet the term "zero-day attack" seems to be related only to exploits.
Sometimes it is hard to understand the meaning of "zero-day malware" terminology:

"Mark Russinovich
WORKSHOP - Zero Day Malware Cleaning with the Sysinternals Tools

Learn how to analyze and clean zero day malware using the Sysinternals tools directly from their author, including Process Monitor, Process Explorer, and Autoruns. By enabling deep inspection and control of processes, file system and registry activity, and autostart execution points, these utilities are useful for everything from day-to-day computer maintenance to advanced system and application troubleshooting. The tools are especially effective for malware analysis and cleaning - so much so that malware commonly tries to prevent their execution. Mark focuses on the features useful for malware hunting, demonstrates their capabilities by presenting real-world cases of the tools being used to identify and clean malware, and concludes with a live analysis of the infamous Stuxnet virus."
Black Hat ® Technical Security Conference: USA 2011 // Venue

It seems at first that the above is related to the undetected, general malware samples, except the Stuxnet virus example, which is known for exploiting many zero day vulnerabilities.

"Zero Day" only applies to exploits. That is the correct and proper definition.

People improperly use the terminology because they either can't say the word "new malware" or "zero day malware" just sounds better. The term "zero day" has been bastardized in everyday speak and applied to mean something for which it was never intended.
 
509322

Sounds to me like the anti-virus / anti-malware terminology

Basically, that's exactly it.

What we use today are anti-malware products, but in everyday language they are erroneously called anti-virus.

How many times have people called AppGuard "anti-virus"? - when, in fact, it is SRP. There are others that call it "anti-executable", but it is software restriction policy.
 
