App Review (Sandboxed) Windows Defender vs Zero Day Malware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
E

Eddie Morra

I'm curious how sandboxing of specific processes of WD can effect on its accuracy of detection and abilities of controlling some part of system that can be probably unavaliable to open/use for sandboxed processes. Is it possible to test it?
Windows Defender is not 100% "sandboxed" - only certain components in user-mode are "sandboxed".

Anything a "sandboxed" component will need which cannot be obtained directly from the "sandboxed" component will be provided by an "non-sandboxed" component.

Windows Defender can still do everything it could before it was "sandboxed".
 

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
@RoboMan
Please don't be angry with me. But I noticed a VERY BAD error during your test. (I also made this mistake earlier and many other testers in the HUB also make this mistake).

In minute 1:49 you can see that the Virtualbox process is running (driver).
Today you can assume that each sample checks earlier if it is in a virtual environment. So a "smart" sample in a virtual machine does not cause anything if it detects a virtual environment. If you install the virtualbox drivers and don't harden the virtual machine settings, you can assume that the sample won't do any bad things.

And if the sample doesn't do bad things, Windows Defender and all other anti-virus software can't detect anything!

You can run this program in your VM and send us the log. LordNoteworthy/al-khaser
 
F

ForgottenSeer 72227

Good job @RoboMan!

I agree, this was never designed to improve WD antimalware capabilities, it's just to protect the system from any undetected vulnerabilities that could be present in WD itself.

Personally I think all vendors should implement something like this. They all have hooks deep inside the OS, that if vulnerable, could allow hackers to compromise the system. I was browsing the Eset forum not long ago and they mentioned that they are working on something similar for their products, so we will see if this becomes the norm going forward. While WD wasn't the first to implement this, it's a good feature to have.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
not a surprise, WD is rubbish at default settings. Not better than a simple signature-based AV without BB, even worse
the only things which keep users safe are windows smartscreen and improvement of Edge's smartscreen and google safe browsing

WD must be tweaked to be better (much better)

many people keep saying WD (without tweaking) is great but they don't understand the smartscreen is the main player
 

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
@RoboMan
Please don't be angry with me. But I noticed a VERY BAD error during your test. (I also made this mistake earlier and many other testers in the HUB also make this mistake).

In minute 1:49 you can see that the Virtualbox process is running (driver).
Today you can assume that each sample checks earlier if it is in a virtual environment. So a "smart" sample in a virtual machine does not cause anything if it detects a virtual environment. If you install the virtualbox drivers and don't harden the virtual machine settings, you can assume that the sample won't do any bad things.

And if the sample doesn't do bad things, Windows Defender and all other anti-virus software can't detect anything!

You can run this program in your VM and send us the log. LordNoteworthy/al-khaser
Thanks for the great tip!
 

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
The main problem here, from my perspective, is not that Windows Defender didn't catch the malware before, at the time, or upon the execution. Problem is that Windows Defender is buggy at the times, and it is buggy that irritates to the bones. I mean, GUI glitches and inability to remove malware that signatures caught is so not 2018-like. Microsoft has the best opportunities to create and maintain the best AV infrastructure and insights from its telemetry, but it's failing to do a simple thing.

Roboman is not alone when he encountered this problem, albeit malware was test-aware, vm-aware or not, these things can happen with WeCreatedThisAV-Yesterday Total Protection 2018. Microsoft shouldn't have that privilege.
 

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,635
You can run this program in your VM and send us the log. LordNoteworthy/al-khaser
False positive?
1541703841023.png
 

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
Did you know a "zero-day" isn't actually malware ? Technically, calling "new" malware zero day is incorrect.
Are you sure you're not referring to 0-day vulnerabilities? I always referred to wild, new undetected malware as 0-day malware. Just in case I double checked at Emsisoft.
2018-11-08 16_24_53-Bandeja de entrada - gonzalomariezcurrena@gmail.com - Outlook.png
The program is harmless. Yes, it is a false positive. I would also like to know if your VM is hardened. ;)
Also blocked by Google Chrome :p
 

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
For now more GOODs than BADs... (running it in VMWare + W10 Pro RS5, KTS2019 not running/exited...)

Depends on what you have marked in red. If the program has detected VirtualBox or VMWare, then it is not so good. Roboman did this test and sent me the result per PM. The test clearly showed that it is easy for malware to detect the virtual environment of Roboman.
 
5

509322

Are you sure you're not referring to 0-day vulnerabilities? I always referred to wild, new undetected malware as 0-day malware. Just in case I double checked at Emsisoft.

Also blocked by Google Chrome :p

The terminology "zero day" only applies to vulnerabilities.

Culture has mis-applied the terminology to also mean new malware, which is not technically correct.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
The concept "zero-day malware" was used for many years, but as @Lockdown mentioned, in the context of exploits. At present it is accepted to use it in the context of general malware:
"Zero-day malware is hostile computer software, such as viruses or Trojan horses, that is not yet detectable by antivirus programs. "
Advanced persistent threat | information technology

Yet, the term "zero-day attack", seems to be realated only to exploits.
Sometimes it is hard to understand the meaning of "zero-day malware" terminology:

"Mark Russinovich
WORKSHOP - Zero Day Malware Cleaning with the Sysinternals Tools

Learn how to analyze and clean zero day malware using the Sysinternals tools directly from their author, including Process Monitor, Process Explorer, and Autoruns. By enabling deep inspection and control of processes, file system and registry activity, and autostart execution points, these utilities are useful for everything from day-to-day computer maintenance to advanced system and application troubleshooting. The tools are especially effective for malware analysis and cleaning - so much so that malware commonly tries to prevent their execution. Mark focuses on the features useful for malware hunting, demonstrates their capabilities by presenting real-world cases of the tools being used to identify and clean malware, and concludes with a live analysis of the infamous Stuxnet virus."
Black Hat ® Technical Security Conference: USA 2011 // Venue

It seems first that the above is related to the undetected, general malware samples, except the Stuxnet virus example, which is known for exploiting many zero day vulnerabilities.
 
5

509322

The concept "zero-day malware" was used for many years, but as @Lockdown mentioned, in the context of exploits. At present it is accepted to use it in the context of general malware:
"Zero-day malware is hostile computer software, such as viruses or Trojan horses, that is not yet detectable by antivirus programs. "
Advanced persistent threat | information technology

Yet, the term "zero-day attack", seems to be realated only to exploits.
Sometimes it is hard to understand the meaning of "zero-day malware" terminology:

"Mark Russinovich
WORKSHOP - Zero Day Malware Cleaning with the Sysinternals Tools

Learn how to analyze and clean zero day malware using the Sysinternals tools directly from their author, including Process Monitor, Process Explorer, and Autoruns. By enabling deep inspection and control of processes, file system and registry activity, and autostart execution points, these utilities are useful for everything from day-to-day computer maintenance to advanced system and application troubleshooting. The tools are especially effective for malware analysis and cleaning - so much so that malware commonly tries to prevent their execution. Mark focuses on the features useful for malware hunting, demonstrates their capabilities by presenting real-world cases of the tools being used to identify and clean malware, and concludes with a live analysis of the infamous Stuxnet virus."
Black Hat ® Technical Security Conference: USA 2011 // Venue

It seems first that the above is related to the undetected, general malware samples, except the Stuxnet virus example, which is known for exploiting many zero day vulnerabilities.

"Zero Day" only applies to exploits. That is the correct and proper definition.

People improperly use the terminology because they either can't say the word "new malware" or "zero day malware" just sounds better. The term "zero day" has been bastardized in every-day speak and applied to mean something for which it was never intended.
 
5

509322

Sounds to me like the anti-virus / anti-malware terminology

Basically, that's exactly it.

What we use today are anti-malware products, but in everyday language they are erroneously called anti-virus.

How many times people have called AppGuard "anti-virus" ? - when, in fact, it is SRP. There are others that call it "anti-executable", but it is software restriction policy.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top