- Jan 4, 2016
Good morning. Today I want to share with you a strange experience I had yesterday with Microsoft security software. A user of my home PC received a spam email containing a zipped worm. She tried to download the file, but she got two warnings: one from Edge (something like: this file can be dangerous for your computer) and another from Defender, which found malware and removed it. When I came to the PC, in fact, I found "Worm Gamarue" in the WD detected items, but there were a few strange facts:

1. The zip file was still in the Downloads folder. I removed it without checking if the malware was still inside.
2. In the details of Worm Gamarue, WD was indicating three files in AppData\Local instead of the malware inside the zip. Strange, because the malware wasn't executed.

I re-downloaded the file to investigate on the same computer, and I got no notifications. Edge was asking if I wanted to open the zip file, and Defender was silent. I uploaded the zip file to VirusTotal and there were 6-7 detections, but I decided to also upload the tiny JS file of only 20 KB inside it. In a rush, instead of extracting the malware, I executed it by mistake... No notifications from Defender, UAC or SmartScreen. I decided to immediately switch off the router and the computer. I switched the computer back on again without an Internet connection and Defender caught Worm Gamarue and a trojan (probably dropped by the worm). Since there were no strange processes in memory, I turned the router back on again and ran some scans. HMP found some malware in AppData\Local, not active (detected only by the Hitman Pro engine). I scanned that area with Defender and it was able to find the same threats and remove them. Malwarebytes didn't find anything. I decided to make a clean install of Windows on that PC. It seemed that everything was safe. Data was left untouched (I had a backup anyway) and no accounts were compromised.
My question is: why did both SmartScreen and Defender block the malware on download the first time, while when I tried to download it again it wasn't blocked by Edge and Defender let me execute it, and it was removed only after a system restart? When the file was downloaded the first time I wasn't using the computer, but the Edge notification prevented the user from even opening the zip file, so I'm sure it wasn't executed the first time.
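The facts a responder would want to pin down before comparing the two downloads are whether the re-downloaded zip still carried a Zone.Identifier (mark-of-the-web) stream, what was inside the archive, the file hash, and what Defender actually logged for that path. The PowerShell below collects those without opening or running anything from the archive. It is an added example written for this page, not code from the original poster; the download path is a placeholder, and the Defender cmdlets (`Get-MpThreatDetection`, `Get-MpThreat`) assume the built-in Defender PowerShell module is present.

```powershell
# Added example (not from the original post). Gathers the context a responder
# checks when a download is blocked once and allowed the next time:
#   1. Zone.Identifier alternate data stream (mark-of-the-web); ZoneId=3 is the
#      Internet zone, and a missing stream means the file is treated as local.
#   2. Archive member list, read without extracting or executing anything.
#   3. SHA-256 for a hash lookup (e.g. VirusTotal).
#   4. Defender detection history entries that reference this file name.
# The path passed at the bottom is a placeholder (assumption).

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DownloadContext {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Mark-of-the-web lives in the Zone.Identifier stream (NTFS only).
    $zone = '<no Zone.Identifier stream>'
    try {
        $zone = (Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop) -join '; '
    } catch { }

    # List archive members by name and size only; nothing is written to disk.
    $members = @()
    if ($item.Extension -ieq '.zip') {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($item.FullName)
        try {
            $members = $zip.Entries | ForEach-Object {
                [pscustomobject]@{ Name = $_.FullName; Bytes = $_.Length }
            }
        } finally {
            $zip.Dispose()
        }
    }

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Defender detection history; Resources lists the paths each detection touched.
    # ThreatID is resolved to a name via Get-MpThreat.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    $detections = Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($item.Name) } |
        ForEach-Object {
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                Threat     = $names[$_.ThreatID]
                Process    = $_.ProcessName
                Succeeded  = $_.ActionSuccess
                Resources  = ($_.Resources -join '; ')
            }
        }

    [pscustomobject]@{
        Path           = $item.FullName
        Size           = $item.Length
        LastWriteUtc   = $item.LastWriteTimeUtc
        ZoneIdentifier = $zone
        Members        = $members
        SHA256         = $hash
        Detections     = $detections
    }
}

# Usage (placeholder path; substitute the real download).
Get-DownloadContext -Path "$env:USERPROFILE\Downloads\attachment.zip" | Format-List
```

Run it before deleting the sample: if the second copy shows no Zone.Identifier stream, or a different hash or member list from the first, the two downloads were not the same object from the scanners' point of view, which is the first thing to rule out before suspecting the engines themselves.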