Eddie Morra

Level 8
Content Creator
Joined
Aug 28, 2018
Messages
374
#21
I'm curious how sandboxing of specific processes of WD can affect its accuracy of detection and its ability to control some parts of the system that are probably unavailable to open/use for sandboxed processes. Is it possible to test it?
Windows Defender is not 100% "sandboxed" - only certain components in user-mode are "sandboxed".

Anything a "sandboxed" component will need which cannot be obtained directly from the "sandboxed" component will be provided by a "non-sandboxed" component.

Windows Defender can still do everything it could before it was "sandboxed".
 

askalan

Level 12
AV-Tester
Verified
Joined
Jul 27, 2017
Messages
599
OS
Arch Linux
Antivirus
Isolation
#22
@RoboMan
Please don't be angry with me. But I noticed a VERY BAD error during your test. (I also made this mistake earlier and many other testers in the HUB also make this mistake).

In minute 1:49 you can see that the VirtualBox process is running (driver).
Today you can assume that each sample checks earlier if it is in a virtual environment. So a "smart" sample in a virtual machine does not cause anything if it detects a virtual environment. If you install the VirtualBox drivers and don't harden the virtual machine settings, you can assume that the sample won't do any bad things.

And if the sample doesn't do bad things, Windows Defender and all other anti-virus software can't detect anything!

You can run this program in your VM and send us the log. LordNoteworthy/al-khaser
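The post above recommends running al-khaser to see what a VM-aware sample can learn about the test machine. As an added illustration (this is example code, not the thread's own and not al-khaser's), the script below audits a Windows analysis VM for the best-known VirtualBox and VMware guest-tools artifacts: driver and service binaries, the installer registry keys, and the registered service names. The indicator lists are widely documented defaults and are an assumption about where the guest tools were installed; the probes are injectable so the logic can also be exercised offline against a constructed inventory.

```python
"""
Audit an analysis VM for hypervisor guest-tools artifacts that VM-aware
samples commonly check for. Added example, not from the thread or from
al-khaser. Indicator lists are constructed from widely documented default
VirtualBox / VMware install locations (an assumption about your build).
"""
import os
import sys
from typing import Callable, Dict, List

# Guest-additions files on a default install (assumed paths).
FILE_INDICATORS = [
    r"C:\Windows\System32\drivers\VBoxMouse.sys",
    r"C:\Windows\System32\drivers\VBoxGuest.sys",
    r"C:\Windows\System32\drivers\VBoxSF.sys",
    r"C:\Windows\System32\drivers\VBoxVideo.sys",
    r"C:\Windows\System32\VBoxService.exe",
    r"C:\Windows\System32\VBoxTray.exe",
    r"C:\Windows\System32\drivers\vmhgfs.sys",
    r"C:\Windows\System32\drivers\vmmouse.sys",
    r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
]

# HKLM registry keys written by the guest-tools installers.
REGISTRY_INDICATORS = [
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
]

# Service names registered by the guest tools.
SERVICE_INDICATORS = ["VBoxService", "VMTools"]

Probe = Callable[[str], bool]


def audit(file_exists: Probe, reg_key_exists: Probe,
          service_exists: Probe) -> Dict[str, List[str]]:
    """Return the indicators each probe reports as present, grouped by kind."""
    return {
        "files": [p for p in FILE_INDICATORS if file_exists(p)],
        "registry": [k for k in REGISTRY_INDICATORS if reg_key_exists(k)],
        "services": [s for s in SERVICE_INDICATORS if service_exists(s)],
    }


def is_detectable(report: Dict[str, List[str]]) -> bool:
    """True if any indicator was found, i.e. the VM gives itself away."""
    return any(report.values())


def _win_reg_key_exists(subkey: str) -> bool:
    """Probe an HKLM subkey; Windows only (winreg is unavailable elsewhere)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey):
            return True
    except OSError:
        return False


def _win_service_exists(name: str) -> bool:
    """Installed services are registered under HKLM\\SYSTEM\\...\\Services."""
    return _win_reg_key_exists("SYSTEM\\CurrentControlSet\\Services\\" + name)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this inside the Windows analysis VM")
    result = audit(os.path.exists, _win_reg_key_exists, _win_service_exists)
    for kind, hits in result.items():
        for hit in hits:
            print(f"[!] {kind}: {hit}")
    print("VM is detectable by these checks" if is_detectable(result)
          else "no guest-tools artifacts found")
```

Any hit means a sample needs nothing cleverer than a file or registry lookup to know it is being observed, and the "no bad things, so nothing to detect" outcome from the post follows. These three artifact classes are only the low-hanging fruit; al-khaser also covers CPUID, MAC address prefixes, timing and many other checks, so a clean result here is a minimum, not proof of a hardened VM.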
 

Raiden

Level 4
Verified
Joined
May 7, 2018
Messages
180
OS
Windows 10
Antivirus
Emsisoft
#24
Good job @RoboMan!

I agree, this was never designed to improve WD antimalware capabilities, it's just to protect the system from any undetected vulnerabilities that could be present in WD itself.

Personally I think all vendors should implement something like this. They all have hooks deep inside the OS, that if vulnerable, could allow hackers to compromise the system. I was browsing the Eset forum not long ago and they mentioned that they are working on something similar for their products, so we will see if this becomes the norm going forward. While WD wasn't the first to implement this, it's a good feature to have.
 

Evjl's Rain

Level 38
Content Creator
AV-Tester
Verified
Joined
Apr 18, 2016
Messages
2,763
OS
Windows 8.1
Antivirus
Avast
#25
Not a surprise, WD is rubbish at default settings. Not better than a simple signature-based AV without BB, even worse.
The only things which keep users safe are Windows SmartScreen and the improvement of Edge's SmartScreen and Google Safe Browsing.

WD must be tweaked to be better (much better)

Many people keep saying WD (without tweaking) is great, but they don't understand that SmartScreen is the main player.
 

RoboMan

Level 24
Content Creator
Verified
Joined
Jun 24, 2016
Messages
1,370
OS
Windows 10
Antivirus
Bitdefender
#26
@RoboMan
Please don't be angry with me. But I noticed a VERY BAD error during your test. (I also made this mistake earlier and many other testers in the HUB also make this mistake).

In minute 1:49 you can see that the VirtualBox process is running (driver).
Today you can assume that each sample checks earlier if it is in a virtual environment. So a "smart" sample in a virtual machine does not cause anything if it detects a virtual environment. If you install the VirtualBox drivers and don't harden the virtual machine settings, you can assume that the sample won't do any bad things.

And if the sample doesn't do bad things, Windows Defender and all other anti-virus software can't detect anything!

You can run this program in your VM and send us the log. LordNoteworthy/al-khaser
Thanks for the great tip!
 

BoraMurdar

Super Moderator
MalwareTips Staff
Verified
Joined
Aug 30, 2012
Messages
6,077
OS
Windows 10
Antivirus
Emsisoft
#27
The main problem here, from my perspective, is not that Windows Defender didn't catch the malware before, at the time, or upon the execution. The problem is that Windows Defender is buggy at times, and it is buggy in a way that irritates to the bones. I mean, GUI glitches and an inability to remove malware that signatures caught is so not 2018-like. Microsoft has the best opportunities to create and maintain the best AV infrastructure and insights from its telemetry, but it's failing to do a simple thing.

Roboman is not alone in encountering this problem; whether the malware was test-aware, VM-aware or not, these things can happen with WeCreatedThisAV-Yesterday Total Protection 2018. Microsoft shouldn't have that privilege.
 

RoboMan

Level 24
Content Creator
Verified
Joined
Jun 24, 2016
Messages
1,370
OS
Windows 10
Antivirus
Bitdefender
#31
Did you know a "zero-day" isn't actually malware? Technically, calling "new" malware zero-day is incorrect.
Are you sure you're not referring to 0-day vulnerabilities? I always referred to wild, new undetected malware as 0-day malware. Just in case I double checked at Emsisoft.
The program is harmless. Yes, it is a false positive. I would also like to know if your VM is hardened. ;)
Also blocked by Google Chrome :p
 

askalan

Level 12
AV-Tester
Verified
Joined
Jul 27, 2017
Messages
599
OS
Arch Linux
Antivirus
Isolation
#32
For now more GOODs than BADs... (running it in VMware + W10 Pro RS5, KTS2019 not running/exited...)
Depends on what you have marked in red. If the program has detected VirtualBox or VMware, then it is not so good. Roboman did this test and sent me the result per PM. The test clearly showed that it is easy for malware to detect the virtual environment of Roboman.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,179
#35
Are you sure you're not referring to 0-day vulnerabilities? I always referred to wild, new undetected malware as 0-day malware. Just in case I double checked at Emsisoft.

Also blocked by Google Chrome :p
The terminology "zero day" only applies to vulnerabilities.

Culture has mis-applied the terminology to also mean new malware, which is not technically correct.
 

Andy Ful

Level 32
Content Creator
Verified
Joined
Dec 23, 2014
Messages
2,115
OS
Windows 10
Antivirus
Microsoft
#36
The concept "zero-day malware" was used for many years, but as @Lockdown mentioned, in the context of exploits. At present it is accepted to use it in the context of general malware:
"Zero-day malware is hostile computer software, such as viruses or Trojan horses, that is not yet detectable by antivirus programs."
Advanced persistent threat | information technology

Yet the term "zero-day attack" seems to be related only to exploits.
Sometimes it is hard to understand the meaning of "zero-day malware" terminology:

"Mark Russinovich
WORKSHOP - Zero Day Malware Cleaning with the Sysinternals Tools

Learn how to analyze and clean zero day malware using the Sysinternals tools directly from their author, including Process Monitor, Process Explorer, and Autoruns. By enabling deep inspection and control of processes, file system and registry activity, and autostart execution points, these utilities are useful for everything from day-to-day computer maintenance to advanced system and application troubleshooting. The tools are especially effective for malware analysis and cleaning - so much so that malware commonly tries to prevent their execution. Mark focuses on the features useful for malware hunting, demonstrates their capabilities by presenting real-world cases of the tools being used to identify and clean malware, and concludes with a live analysis of the infamous Stuxnet virus."
Black Hat ® Technical Security Conference: USA 2011 // Venue

It seems at first that the above is related to undetected, general malware samples, except for the Stuxnet virus example, which is known for exploiting many zero-day vulnerabilities.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,179
#37
The concept "zero-day malware" was used for many years, but as @Lockdown mentioned, in the context of exploits. At present it is accepted to use it in the context of general malware:
"Zero-day malware is hostile computer software, such as viruses or Trojan horses, that is not yet detectable by antivirus programs."
Advanced persistent threat | information technology

Yet the term "zero-day attack" seems to be related only to exploits.
Sometimes it is hard to understand the meaning of "zero-day malware" terminology:

"Mark Russinovich
WORKSHOP - Zero Day Malware Cleaning with the Sysinternals Tools

Learn how to analyze and clean zero day malware using the Sysinternals tools directly from their author, including Process Monitor, Process Explorer, and Autoruns. By enabling deep inspection and control of processes, file system and registry activity, and autostart execution points, these utilities are useful for everything from day-to-day computer maintenance to advanced system and application troubleshooting. The tools are especially effective for malware analysis and cleaning - so much so that malware commonly tries to prevent their execution. Mark focuses on the features useful for malware hunting, demonstrates their capabilities by presenting real-world cases of the tools being used to identify and clean malware, and concludes with a live analysis of the infamous Stuxnet virus."
Black Hat ® Technical Security Conference: USA 2011 // Venue

It seems at first that the above is related to undetected, general malware samples, except for the Stuxnet virus example, which is known for exploiting many zero-day vulnerabilities.
"Zero Day" only applies to exploits. That is the correct and proper definition.

People improperly use the terminology because they either can't say the word "new malware" or "zero day malware" just sounds better. The term "zero day" has been bastardized in every-day speak and applied to mean something for which it was never intended.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,179
#39
Sounds to me like the anti-virus / anti-malware terminology
Basically, that's exactly it.

What we use today are anti-malware products, but in everyday language they are erroneously called anti-virus.

How many times have people called AppGuard "anti-virus"? When, in fact, it is SRP. There are others that call it "anti-executable", but it is software restriction policy.