App Review Windows Defender Bypassed | The PC Security Channel


ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,023
In the case of Defender, such a massive campaign can be significantly damped by post-execution detection. After successfully infecting a few computers, the unknown threat is quickly recognized as ransomware due to the telemetry sent to the cloud or via detonation in the cloud sandbox. Such behavior was explained in the Microsoft articles, and some MT members reported that it really works. In this way, the users are protected against the concrete threat several minutes after the first attack. The post-execution detections are especially effective for ransomware attacks because ransomware actions are easy to detect.
That certainly shows on VT with the samples quoted earlier in post #74, with Microsoft being one of a handful showing them as detected when I looked some 6 hours ago. (y)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
The post-execution detection is not a perfect solution, but it often works well for widespread attacks. Let's consider an example. The popular ransomware attack can start with a weaponized document or the URL embedded in the email. In both cases, the malware is delivered via a link to a malicious website. The malware on the website can change each hour to avoid AV detection. If the AV can recognize the ransomware after 10 minutes (on average) via post-execution detection, then only 1/6 of users will be infected, compared to the case without post-execution detection. So, we have protection against one-hour malware, which is far more effective than possible protections against 0-day malware. This may be one of the reasons why Defender can compete with other AVs in Real-World tests. The second reason is probably related to decent Machine Learning modules in the cloud. This is possible because of the massive telemetry from many computers in the world. It would not be possible if Defender was less popular.

Both post-execution detection and Machine Learning are not so effective in targeted attacks or lateral movement. That is why in Real-World tests Defender free can score well, but the scoring can be worse in the tests with many payloads, often used in the wild at the later infection stage (not as an initial malware).
 

Local Host

Unfortunately, malware like Magniber has a high chance to compromise any protection. It is delivered to users who are already convinced that they are going to install a benign update. So even if it is blocked by something like default-deny or a restricted sandbox, the user will turn off the protection and will be infected. AVs that can detect the threat as ransomware have more chances, but even then some users can ignore the detection.

In the case of Defender, such a massive campaign can be significantly damped by post-execution detection. After successfully infecting a few computers, the unknown threat is quickly recognized as ransomware due to the telemetry sent to the cloud or via detonation in the cloud sandbox. Such behavior was explained in the Microsoft articles, and some MT members reported that it really works. In this way, the users are protected against the concrete threat several minutes after the first attack. The post-execution detections are especially effective for ransomware attacks because ransomware actions are easy to detect.
The post-execution detection is less effective in the targeted attacks, because the first victim can be also the last one.:)

Edit.
If I correctly remember also Kaspersky and Bitdefender can use post-execution detection against ransomware, but I am not sure if the free versions can do it (probably yes).
I thought you were supposed to be a Windows Defender expert; the Cloud is severely delayed for Home Users, with Business under ATP taking priority (it is actually one of the selling points). I guarantee you it will take you more than a few minutes.

The rest I don't need to waste my time replying to, cruelsister said it all already.
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,148
the users are protected against the concrete threat several minutes after the first attack
Depending on how often they are being pounded with the sample and the overall prevalence of the specific attack the response from MSFT is often quick but varies widely. A variant put into the Wild earlier this week (identified by having a valid certificate from YWB Consulting) took over 48 hours before a signature was available.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,178
I should be more precise and write "The same is true for any free AV" on default settings.
The additional features seem not to make a practical difference in the Real-World tests. The test results are very clear. For home users, other scenarios are mostly unimportant, except for people who use pirated software, game mods, etc.
In fact, Defender includes some of these features at the cloud backend. Many malware can be detected at the post-execution stage which is often done in other AVs by behavior or advanced threat protection modules.
I see, it's always the same debate when certain people here talk about MD, so it obviously makes no sense to further discuss these points of MD protection on tweaked settings only; otherwise this thread becomes another endless discussion, as we have seen several times in the past on other MD threads in different forum sections...

If you would test Microsoft Defender in Malware Hub, then probably there could be some advantage. Maybe it is time to test free AVs in Malware Hub. The MH testing scenario is closer to a business environment or using the computer for hybrid work.
It is possible that free versions of Avast, Bitdefender, and Kaspersky are better designed for hybrid work. Also, Microsoft seems to notice that for hybrid work the Defender protection should be extended (Smart App Control).
Well, in the Hub, we are already testing even "free AVs"; for example, the new version of Bitdefender Free was tested first by @Faybert and recently I have been doing the job myself, and I will continue testing it in the long run over more months of this year.
Avast Free has been tested by @Andrew3000 for a long time period, and now Avast One offers the same main protection modules/features as Avast Free.
@harlan4096 also regularly tests even free AVs, like this time: Comodo Antivirus (Free).

There is a "problem" with MD testing in the Hub: I guess MD users would rather see tweaked protection settings of MD, but the same as for most official AV test labs,
Hub testers should test AVs mainly on default settings; just check the MT Hub tests, even for almost all AVs the paid versions are tested on default settings.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
Depending on how often they are being pounded with the sample and the overall prevalence of the specific attack the response from MSFT is often quick but varies widely. A variant put into the Wild earlier this week (identified by having a valid certificate from YWB Consulting) took over 48 hours before a signature was available.
I think that you refer to local or cloud signatures. But, the protection I posted about is not based on malware signatures (local or cloud). The malware is blocked when the user is trying to run the malware and metadata from the client (including the hash of the file) is sent to the cloud. This works even if there is no signature in the cloud. The malware signature is created later. One has to run the malware on the machine with Microsoft Defender connected to the cloud to see if the malware is blocked. Of course, post-execution detection can fail for many malware, but it can be very efficient for ransomware.
The readers can look at the Microsoft article for more details:

Edit1.
If the malware is directly downloaded from the Internet then it can be recognized by Defender via Block At First Sight feature. But it is often downloaded in the archive, disk image, etc., so it will be often blocked on execution (BAFS does not support archives, disk images, and many others).

Edit2.
In some cases, the block can happen several hours after the first attack in the wild, but it still will be only several minutes after the first attack on Defender users. Such protection requires many Defender users (which is happily true).
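The post above describes the cloud-side part of this protection (file metadata and hash sent to the cloud on execution, Block at First Sight for direct downloads). A defender can at least verify that the client-side prerequisites for that path are in place. The following is an added example written for this thread, not code from the forum or from Microsoft; it uses the documented Get-MpPreference / Get-MpComputerStatus cmdlets of the Defender PowerShell module, and the "required" versus "recommended" split is the example's own reading of Microsoft's Block at First Sight documentation, so treat it as an assumption to check against the current docs.

```powershell
# Added example (not from the thread): audit whether a Windows client meets the
# client-side prerequisites for Microsoft Defender cloud-delivered protection
# and Block at First Sight (BAFS). Run in an elevated PowerShell session on a
# machine where the Defender module is present.
function Test-DefenderCloudProtection {
    [CmdletBinding()]
    param()

    $pref   = Get-MpPreference       # configured preferences
    $status = Get-MpComputerStatus   # live engine state

    # Value meanings (from the Set-MpPreference documentation):
    #   MAPSReporting:        0 Disabled, 1 Basic, 2 Advanced
    #   SubmitSamplesConsent: 0 Always prompt, 1 Send safe samples,
    #                         2 Never send, 3 Send all samples
    #   CloudBlockLevel:      0 Default, 2 High, 4 High+, 6 Zero tolerance
    #   CloudExtendedTimeout: extra seconds (0-50) to wait for a cloud verdict
    $checks = @(
        [pscustomobject]@{ Check = 'Real-time protection enabled';            Required = $true;  Pass = [bool]$status.RealTimeProtectionEnabled }
        [pscustomobject]@{ Check = 'Behavior monitoring enabled';             Required = $true;  Pass = [bool]$status.BehaviorMonitorEnabled }
        [pscustomobject]@{ Check = 'Cloud-delivered protection (MAPS=Advanced)'; Required = $true;  Pass = ($pref.MAPSReporting -eq 2) }
        [pscustomobject]@{ Check = 'Sample submission allows safe samples';   Required = $true;  Pass = ($pref.SubmitSamplesConsent -in 1, 3) }
        [pscustomobject]@{ Check = 'Block at First Sight not disabled';       Required = $true;  Pass = (-not $pref.DisableBlockAtFirstSeen) }
        # The two below are tuning knobs rather than hard prerequisites
        # (assumption of this example); they raise the chance that an unknown
        # file waits for, and is caught by, a cloud verdict before it runs.
        [pscustomobject]@{ Check = 'Cloud block level at least High';          Required = $false; Pass = ($pref.CloudBlockLevel -ge 2) }
        [pscustomobject]@{ Check = 'Extended cloud check timeout configured';  Required = $false; Pass = ($pref.CloudExtendedTimeout -gt 0) }
    )

    # Overall verdict: every required check must pass.
    $overall = -not ($checks | Where-Object { $_.Required -and -not $_.Pass })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SignatureUpdated    = $status.AntivirusSignatureLastUpdated
        CloudPathAvailable  = $overall
        Checks              = $checks
    }
}

# Usage: print the per-check table and an overall verdict.
$result = Test-DefenderCloudProtection
$result.Checks | Format-Table Check, Required, Pass -AutoSize
"Cloud / BAFS prerequisites satisfied: $($result.CloudPathAvailable)"

# Remediation of the required settings (uncomment deliberately; changes policy):
# Set-MpPreference -MAPSReporting Advanced `
#                  -SubmitSamplesConsent SendSafeSamples `
#                  -DisableBlockAtFirstSeen $false
```

Note that these checks confirm only that the client is able to consult the cloud; they say nothing about how quickly the cloud side returns a verdict for a given sample, which is the point of disagreement in this thread. On managed devices the same settings may be enforced by policy, in which case Set-MpPreference changes will be overridden.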
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,145
There is a "problem" with MD testing in the Hub: I guess MD users would rather see tweaked protection settings of MD, but the same as for most official AV test labs.

Hub testers should test AVs mainly on default settings; just check the MT Hub tests, even for almost all AVs the paid versions are tested on default settings.
I do not see a reason to treat Defender users differently from 3rd party AV users. Microsoft Defender is just another AV. There is a free version and some commercial versions. Of course, the MH tests are voluntary and the testers can choose the AV they like. I think that testing free AVs together, on the same samples, would be interesting. We already know how the detection is in the Real-World scenario. Maybe the MH tests can show any real difference. I suspect that 3rd party AVs can score better in MH tests, for reasons I posted in this thread.
 
