App Review (Sandboxed) Windows Defender vs Zero Day Malware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

Andy Ful

From Hard_Configurator Tools
"Zero Day" only applies to exploits. That is the correct and proper definition.
...
I can agree that it was the correct and proper definition a few years ago. Technically, "zero-day" meant the day when the vulnerability was published or the vendor was informed. This definition was probably incorrectly expanded to new areas related to machine learning, messaging security, AV cloud, etc.
The meaning of terminology changes in time. That is a normal phenomenon in a living language. And it is normal that many people will still understand the term in its narrow meaning.

Nowadays, the term "zero-day malware" can also have a meaning similar to "zero-hour malware". The second term may be related to:
  • AV detection based on machine learning (very quick detection).
  • The response time of the AV cloud, when the fingerprint of the malware is quickly created after the first infection event (AV AI, detonation in the sandbox, etc.).
  • Messaging security, when threats are quickly detected by analyzing large numbers of messages in the network.
AV-Test Lab, Britannica, popular websites & magazines, etc., can use the term "zero-day malware" for fresh malware samples not yet detected by AV signatures. Wikipedia uses a similar meaning for the term "zero-day virus/malware":
"A zero-day virus (also known as zero-day malware or next-generation malware) is a previously unknown computer virus or other malware for which specific antivirus software signatures are not yet available...."
There also exists the term "zero-day ransomware" (not necessarily related to an exploit).

When reading some articles, it is often unclear which definition is used for the term "zero-day malware". If the context is not related to AV machine learning, messaging security or AV cloud, then usually the malware uses a vulnerability that is unpatched by the vendor.

Edit1
I think that it would be better to keep the initial "zero-day malware" definition (related only to exploits), but this fight is already lost against the usus.

Edit2
In many cases we can see multistage "zero-day attacks". The attack can start from an infected website which exploits the web browser and the system to download and run the final payload. The exploit can use unpatched vulnerabilities (one or more) and the payload can be the "zero-day malware" (fresh sample, no AV signatures).

oldschool

I can agree that it was the correct and proper definition a few years ago.
The meaning of terminology changes in time. That is a normal phenomenon in a living language. And it is normal that many people will still understand the term in its narrow meaning … … When reading some articles, it is often unclear which definition is used for the term "zero-day malware".

Absolutely this, "living language". Well said! Otherwise it is as good as dead, useless. Some cannot accept change, in language or other things. Acceptance of "what is" is difficult for humans. Other living beings adapt more readily, maybe slowly, but not because they resist! (y)
 

Andy Ful

From Hard_Configurator Tools
There can be a reason why the term "zero-day malware", meaning a fresh/undetected sample, gained popularity. Most "drive-by" zero-day attacks with exploits had to use final payloads which were not detected by AV signatures. So, those two meanings of "zero-day" could be easily confused.
 

oldschool

Back to the topic. Has anyone experienced any problems with sandboxed WD?

I had an issue with Windows Explorer opening on startup/restart, and I had not made such a change. I disabled the sandbox and found a fix for the glitch. However, I can't say whether the sandbox was responsible for the glitch or if it was from uninstalling H_C. :unsure:
 

ichito

Windows Defender is not 100% "sandboxed" - only certain components in user-mode are "sandboxed".

Anything a "sandboxed" component needs which cannot be obtained directly by the "sandboxed" component will be provided by a "non-sandboxed" component.

Windows Defender can still do everything it could before it was "sandboxed".
I know... I mean such parts of the official statement in which we can see that resource usage is an important issue... maybe it is even the priority in the WD sandboxing topic?... I don't know, but I see it's important for the authors. Some interesting phrases are highlighted:
"To ensure that performance doesn’t degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time, only perform these interactions in key moments where their cost would not be significant, for example, when IO is being performed.
Windows Defender Antivirus makes an orchestrated effort to avoid unnecessary IO, for example, minimizing the amount of data read for every inspected file is paramount in maintaining good performance, especially on older hardware (rotational disk, remote resources). Thus, it was crucial to maintain a model where the sandbox can request data for inspection as needed, instead of passing the entire content. An important note: passing handles to the sandbox (to avoid the cost of passing the actual content) isn’t an option because there are many scenarios, such as real-time inspection, AMSI, etc., where there’s no ‘sharable’ handle that can be used by the sandbox without granting significant privileges, which decreases the security.

Resource usage is also another problem that required significant investments: both the privileged process and the sandbox process needed to have access to signatures and other detection and remediation metadata. To avoid duplication and preserve strong security guarantees, i.e., avoid unsafe ways to share state or introducing significant runtime cost of passing data/content between the processes, we used a model where most protection data is hosted in memory-mapped files that are read-only at runtime. This means protection data can be hosted into multiple processes without any overhead.

Moreover, the sandbox process shouldn’t trigger inspection operations by itself. All inspections should happen without triggering additional scans. This requires fully controlling the capabilities of the sandbox and ensuring that no unexpected operations can be triggered. Low-privilege AppContainers are the perfect way to implement strong guarantees because the capabilities-based model will allow fine-grained control on specifying what the sandbox process can do.

Lastly, a significant challenge from the security perspective is related to content remediation or disinfection. Given the sensitive nature of the action (it attempts to restore a binary to the original pre-infection content), we needed to ensure this happens with high privileges in order to mitigate cases in which the content process (sandbox) could be compromised and disinfection could be used to modify the detected binary in unexpected ways."
 
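The two posts above raise a practical question (oldschool: has anyone had trouble with the sandboxed WD, and how do you switch it off?) and quote Microsoft's description of the split into a privileged engine and a low-privilege content process. The following PowerShell is an added example, not code from the thread or from Microsoft, that checks which state a machine is in and flips the opt-in switch. It relies on two facts from Microsoft's October 2018 announcement of the feature: the machine-scope environment variable MP_FORCE_USE_SANDBOX (1 = sandbox on, 0 = off, set with "setx /M") and the name of the content process, MsMpEngCP.exe, which runs as a child of the privileged engine MsMpEng.exe. The function names, the output fields and the registry-based read of the variable are this example's own choices.

```powershell
# Added example (not from the thread or from Microsoft): report whether the Windows Defender
# content process (the sandboxed part) is running, and set the documented opt-in switch.
# Facts assumed from Microsoft's announcement: the MP_FORCE_USE_SANDBOX machine environment
# variable and the MsMpEngCP.exe content process spawned by MsMpEng.exe. Everything else
# (function names, output layout) is this example's own.

function Get-DefenderSandboxState {
    # Read the machine-scope variable from its registry home rather than from $env:,
    # so a stale copy inherited by this shell session cannot mislead us.
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $flag = (Get-ItemProperty -Path $envKey -Name MP_FORCE_USE_SANDBOX -ErrorAction SilentlyContinue).MP_FORCE_USE_SANDBOX
    $flagText = if ($null -eq $flag) { '<not set>' } else { [string]$flag }

    # MsMpEng.exe is the privileged engine. With the sandbox active a separate
    # MsMpEngCP.exe content process runs beside it, with MsMpEng.exe as its parent.
    # Win32_Process enumeration works from a non-elevated shell and exposes ParentProcessId.
    $engine  = @(Get-CimInstance Win32_Process -Filter "Name='MsMpEng.exe'")
    $content = @(Get-CimInstance Win32_Process -Filter "Name='MsMpEngCP.exe'")
    $engineIds = @($engine | Select-Object -ExpandProperty ProcessId)
    $childOfEngine = @($content | Where-Object { $engineIds -contains $_.ParentProcessId })

    [pscustomobject]@{
        ForceSandboxFlag = $flagText
        EngineProcessId  = $engineIds
        ContentProcessId = @($content | Select-Object -ExpandProperty ProcessId)
        SandboxActive    = ($childOfEngine.Count -gt 0)
    }
}

function Set-DefenderSandbox {
    # Equivalent to Microsoft's documented "setx /M MP_FORCE_USE_SANDBOX 1" (or 0).
    # Needs an elevated shell; Defender only picks the change up after a restart,
    # because the service reads the variable when it starts.
    param([Parameter(Mandatory)][bool]$Enabled)
    $value = if ($Enabled) { '1' } else { '0' }
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', $value, 'Machine')
    "MP_FORCE_USE_SANDBOX set to $value; restart the machine for Windows Defender to apply it."
}

# Usage: inspect the current state. To disable the sandbox (as oldschool did), run
# Set-DefenderSandbox -Enabled:$false from an elevated prompt and reboot.
Get-DefenderSandboxState | Format-List
```

A caveat on what this does and does not prove: a running MsMpEngCP.exe child of MsMpEng.exe shows that Defender is using the split-process mode, but it does not by itself confirm that the child is inside an AppContainer with the restricted capabilities the quoted text describes. For that, inspect the content process's token (its integrity level and AppContainer SID) with a tool such as Process Explorer or Process Hacker; that check needs handle access to the process and is outside this snippet.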

Eddie Morra

I know... I mean such parts of the official statement in which we can see that resource usage is an important issue... maybe it is even the priority in the WD sandboxing topic?... I don't know, but I see it's important for the authors. Some interesting phrases are highlighted:
They are basically saying: "We wanted the sandbox container not to make Windows Defender too slow, and we had to take certain precautions to avoid breaking its security, so we optimised loads".

Still, Windows Defender will work fine, as it would without the container.
 

Andy Ful

I am afraid that they had to compromise some security to make it usable.
Anyway, exploiting the WD sandbox will probably be seen in targeted attacks on institutions and enterprises. There already exists a black market for several AV vulnerabilities, and the WD sandbox will be just another one on the market.
For now, home users should not be afraid of it, because no one bothers to attack WD in the wild, even without the sandbox.
 

shmu26

"Zero Day" only applies to exploits. That is the correct and proper definition.

People improperly use the terminology because they either can't say the words "new malware", or "zero-day malware" just sounds better. The term "zero-day" has been bastardized in everyday speech and applied to mean something for which it was never intended.
But that's the nature of language. Since the death of the King's English, we the masses define the meaning of words. Dictionaries are always behind the times.
 

ichito

They are basically saying: "We wanted the sandbox container not to make Windows Defender too slow, and we had to take certain precautions to avoid breaking its security, so we optimised loads".

Still, Windows Defender will work fine, as it would without the container.
No... it means "we hope it will work properly... but we are not sure if our dreams will come true" :cool:
 
