App Review Windows Defender Bypassed | The PC Security Channel

[wat0114]

An article was referenced in another forum on how PS Constrained language mode can be bypassed by using a command to utilize and older PS v2.0 :

Mitigating PowerShell risks with Constrained Language mode

PowerShell is a robust tool that can control almost all components of Windows and applications such as Exchange. It can therefore cause great damage in the hands of attackers. Its Constrained Language mode blocks dangerous features, thereby preventing misuse.

4sysops.com

Constrained Language mode was introduced with PowerShell 3.0 and can easily be bypassed by a hacker switching to an older version. All he would need to do is enter the command:

powershell.exe -version 2.0

I've used Group Policy to remove it. Any thoughts on this?

 

[Andy Ful]

An article was referenced in another forum on how PS Constrained language mode can be bypassed by using a command to utilize and older PS v2.0 :

Mitigating PowerShell risks with Constrained Language mode

PowerShell is a robust tool that can control almost all components of Windows and applications such as Exchange. It can therefore cause great damage in the hands of attackers. Its Constrained Language mode blocks dangerous features, thereby preventing misuse.

4sysops.com

I've used Group Policy to remove it. Any thoughts on this?

This attack vector is almost dead. It could be still used in the targeted attacks on Windows 7 or 8.1.
Now, when most machines work on Windows 10, such an attack would be very noisy (in Enterprises) due to the necessity of installing an older version of the .NET Framework. Furthermore, it would not make sense in the widespread attacks, because most users do not use PS hardening at all.

 

[wat0114]

This attack vector is almost dead. It could be still used in the targeted attacks on Windows 7 or 8.1.
Now, when most machines work on Windows 10, such an attack would be very noisy (in Enterprises) due to the necessity of installing an older version of the .NET Framework. Furthermore, it would not make sense in the widespread attacks, because most users do not use PS hardening at all.

Thanks Andy. Even though PS 2.0 is enabled in Windows features as it was in my case on Win 10 Pro?

EDIT

just realized maybe an older version of .NET Framework is required to run PS 2.0?

 

[Andy Ful]

Thanks Andy. Even though PS 2.0 is enabled in Windows features as it was in my case on Win 10 Pro?

It fails if you did not install the older .NET Framework. You can test it in the CMD console:

powershell.exe -version 2.0 notepad.exe

 

[Local Host]

It is also good to keep in mind, as @Andy Ful pointed out, that these exploits are usually reserved for attacking high value targets. Home users don’t need to panic about every exploit they hear about. Practicing good internet hygiene will go much farther than any AV in protecting you. The reason this is a problem in organizations is bigger attack surfaces and undertrained users.

You besides the point, and you all seem confused on who makes malware, trying to separate hackers from malware authors is dumb. The point is, WD is extremely easy to bypass, and is only going to protect you against basic and old malware.

As @DrSnake09 said and well, trying to sell WD as solid protection will get you aughed at by malware authors.

Same way trying to ignore the danger and saying this only affects the Enterprise is also not smart, as home users fall to malware each and every day.

No one is saying third-party Anti-Virus are invulnerable, but WD takes less than 5 min. to bypass in comparison and is default on Windows so most malware is ready for it, I already shown hard evidence of this exploit still working, while everyone is arguing that this is not a problem cause is not working on their computer (of course is not working on their computer, it wasn't exploited to work on it, but it can easily be same way I did on mine without admin rights).

I even threw multiple bones on where to search for the so called exploits which were also ignored, showing lack of tech known-how and proving you folk are wasting our time here.

 

[Andy Ful]

Local Host,​

If the official Microsoft patch does not work on your computer but works well on other computers then it is your personal problem. I did not find any information that your issue is present on the computers with fully updated Windows with Defender as a primary AV. Please let me know if you know any source (except your experience).
You can also report your issue here:
https://docs.microsoft.com/en-us/answers/index.html

I also understand why you think that Defender "is only going to protect you against basic and old malware." That is probably true on your computer or on computers configured by you. For any AV, there are some people who had some bad experiences with that particular AV. But, this does not mean that the AV is "bad". If you would look at some Polls on MT about favorite AVs, you could see that your opinion about Defender is not shared by many MT members. Why? Are they stupid? Did you discover a well-hidden Defender conspiracy? Why did most people and AV testing labs have a bad opinion about Defender a few years ago, but not today?
Maybe you missed something.

Battle - Free Antivirus of the Year 2021 (Poll Phase)

From your nominations at Free Antivirus of the Year 2021 - Nominate, 5 products have been selected for the final poll phase starting today. Compared to the Poll conducted last time, we have a new contender, Avast/AVG Free Antivirus. The poll will be closed on 17th Dec 2021 and the winner...

malwaretips.com

There are probably some videos or tests that can show occasionally a poor result for Defender. You can post here the links, and I will post twice more examples that can show otherwise. The problem is that you will reject these examples and will continue to constantly repeat that Defender "is only going to protect you against basic and old malware."

Edit.
Please do not repeat that people who do not share your opinion about Defender free are fanboys and they consider Defender as a top AV (whatever it means). Defender free (on default settings) is intended for home users so people know that it can not be a top AV against hackers, targeted attacks, lateral movement, and sophisticated malware. The same is true for any free AV.

 

[DrSnake09]

You besides the point, and you all seem confused on who makes malware, trying to separate hackers from malware authors is dumb. The point is, WD is extremely easy to bypass, and is only going to protect you against basic and old malware.

As @DrSnake09 said and well, trying to sell WD as solid protection will get your laughed at by malware authors.

Same way trying to ignore the danger and saying this only affects the Enterprise is also not smart, as home users fall to malware each and every day.

No one is saying third-party Anti-Virus are invulnerable, but WD takes less than 5 min. to bypass in comparison and is default on Windows so most malware is ready for it, I already shown hard evidence of this exploit still working, while everyone is arguing that this is not a problem cause is not working on their computer (of course is not working on their computer, it wasn't exploited to work on it, but it can easily be same way I did on mine without admin rights).

I even threw multiple bones on where to search for the so called exploits which were also ignored, showing lack of tech known-how and proving you folk are wasting our time here.

Hi, Local Host.

Looks like you have the same vision I have and that's nice. You completely understand what I said about WD, which others didn't or ignored. But still being the truth.
WD can by easily bypassed and when someone call them Hackers, Programmers, Blackhat guys, Crackers, Malware Authors, when they are doing the development of malware the first thing they will do is make it easier to bypass WD. Because is the "first defense" of any computer out there who uses WD.

Curious of some arguments on this thread is THIS:

I hacked several programs (including some AVs and other well-known security applications)
«I hacked WD several times and still can recommend Defender free as protection at home»

Looks like his obviously know that WD is a #####. But still recommending it. WD doesn't do nothing.
It allows any PUP/PUA or crypto mining easily to get in your computer running in the background, you probably will only discover when you use the "other well-known security applications"

I don't will waste my time here in this thread since, every blackhat guy, skilled programmer, hackers can recognize that WD is a literally a JOKE and you can have funny with someone who uses it. Is not the case when some computer goes to "stores to be fixed" most of them are full of virus and malware running and guess what is their protection? WD.

Kinda weird, when you see WD is fully active and computer is infected with tons of malware which is persistant and WD can't deal with this.

I don't want to waste my time here with whitehat guys who only knows the "good things" and not the "bad things" you can do with simple Crypter or malware to bypass the WD Flop.

 

[Local Host]

Local Host,​

If the official Microsoft patch does not work on your computer but works well on other computers then it is your personal problem. I did not find any information that your issue is present on the computers with fully updated Windows with Defender as a primary AV. Please let me know if you know any source (except your experience).
You can also report your issue here:
https://docs.microsoft.com/en-us/answers/index.html

I also understand why you think that Defender "is only going to protect you against basic and old malware." That is probably true on your computer or on computers configured by you. For any AV, there are some people who had some bad experiences with that particular AV. But, this does not mean that the AV is "bad". If you would look at some Polls on MT about favorite AVs, you could see that your opinion about Defender is not shared by many MT members. Why? Are they stupid? Did you discover a well-hidden Defender conspiracy? Why did most people and AV testing labs have a bad opinion about Defender a few years ago, but not today?
Maybe you missed something.

Battle - Free Antivirus of the Year 2021 (Poll Phase)

From your nominations at Free Antivirus of the Year 2021 - Nominate, 5 products have been selected for the final poll phase starting today. Compared to the Poll conducted last time, we have a new contender, Avast/AVG Free Antivirus. The poll will be closed on 17th Dec 2021 and the winner...

malwaretips.com

There are probably some videos or tests that can show occasionally a poor result for Defender. You can post here the links, and I will post twice more examples that can show otherwise. The problem is that you will reject these examples and will continue to constantly repeat that Defender "is only going to protect you against basic and old malware."

Edit.
Please do not repeat that people who do not share your opinion about Defender free are fanboys and they consider Defender as a top AV (whatever it means). Defender free (on default settings) is intended for home users so people know that it can not be a top AV against hackers, targeted attacks, lateral movement, and sophisticated malware. The same is true for any free AV.

I pitty you a lot, when you manage to understand english and read the entire post, you can come back. You free to use whatever you want on your PC, and popularity contests are not a sign of effectiveness either (that argument so poor I also spilled my tea).

As stated I can bypass your so called secure setup in 5 min. using only Microsoft APIs, and no, I'm not going to report anything, this are issues Microsoft is fully aware that can't be easily fixed without breaking functionality on other parts of Windows (and they are used on home malware, not exclusive to enterprise like you state).

You stuck in 2000, thinking malware hasn't envolved whasoever, worst still, thinking that evolution only happens on the enterprise market.

If anything you said had a hint of true, we wouldn't have users getting infected by malware on daily basis, cause WD would be the holy grail that detects everything and has no exploits (according to you).

You all at MT are not protected by WD, but by your safe habits and common sense, no one here is relying on WD for real protection.

 

[PD20]

Local Host,​

If the official Microsoft patch does not work on your computer but works well on other computers then it is your personal problem. I did not find any information that your issue is present on the computers with fully updated Windows with Defender as a primary AV. Please let me know if you know any source (except your experience).
You can also report your issue here:
https://docs.microsoft.com/en-us/answers/index.html

I also understand why you think that Defender "is only going to protect you against basic and old malware." That is probably true on your computer or on computers configured by you. For any AV, there are some people who had some bad experiences with that particular AV. But, this does not mean that the AV is "bad". If you would look at some Polls on MT about favorite AVs, you could see that your opinion about Defender is not shared by many MT members. Why? Are they stupid? Did you discover a well-hidden Defender conspiracy? Why did most people and AV testing labs have a bad opinion about Defender a few years ago, but not today?
Maybe you missed something.

Battle - Free Antivirus of the Year 2021 (Poll Phase)

From your nominations at Free Antivirus of the Year 2021 - Nominate, 5 products have been selected for the final poll phase starting today. Compared to the Poll conducted last time, we have a new contender, Avast/AVG Free Antivirus. The poll will be closed on 17th Dec 2021 and the winner...

malwaretips.com

There are probably some videos or tests that can show occasionally a poor result for Defender. You can post here the links, and I will post twice more examples that can show otherwise. The problem is that you will reject these examples and will continue to constantly repeat that Defender "is only going to protect you against basic and old malware."

Edit.
Please do not repeat that people who do not share your opinion about Defender free are fanboys and they consider Defender as a top AV (whatever it means). Defender free (on default settings) is intended for home users so people know that it can not be a top AV against hackers, targeted attacks, lateral movement, and sophisticated malware. The same is true for any free AV.

How would the use of Defender Configure and Simple Windows Hardening influence Microsoft Defender's performance /protection as discussed here?

 

[upnorth]

100% sure some people will not care anyway, but this information is also 100% for sure not for them as they can't grasp and recall something so simple and basic as a official Microsoft name change that wasn't done yesterday ( 2019 ). It's 2022 today!

Personal I'm again not surprised that the specific Youtuber in this thread can't even get a software name right as it ain't the first time. Maybe start there for a change and work his way up would help avoid another, " Fatal Flaw! ".

Btw, it's : Microsoft Defender

 

[silversurfer]

Edit.
Please do not repeat that people who do not share your opinion about Defender free are fanboys and they consider Defender as a top AV (whatever it means). Defender free (on default settings) is intended for home users so people know that it can not be a top AV against hackers, targeted attacks, lateral movement, and sophisticated malware. The same is true for any free AV.

Even it's off-topic. I want just mention one point, this last part of your comment is not fully true for all free AVs:
Kaspersky Free includes stronger protection like System Watcher (same version like on K. paid versions) compared to MD on default settings.
Avast/AVG Free also includes stronger protection features (Behavior Shield, Cyber Capture, Hardened Mode) compared to MD on default settings.
Bitdefender Free includes same BB (Advanced Threat Defense like paid versions) what is stronger in terms of protection compared to MD on default settings.

That's something important what must said here as well when we are talking about true things like proven facts instead of talking about personal experience only...

I fully agree that MD with GP tweaks or tools like ConfigureDefender or DefenderUI, that helps to increase protection on same level like from me above mentioned free AVs.

 

[cruelsister]

Just a fun fact that may or may not be pertinent here, but recently the Magniber ransomware has become popular and just yesterday a newer build hit the streets. As Magniber use the direct system call execution technique in order to screw your system (and avoid AV detection), any new version for which no definition exists can be problematic.

Indeed at the time I came across the file only Kaspersky was aware of it, and others I tested (Avast, ESET) succumbed (an exception being WVSX which detected this essentially zero-day file by the mechanism alone as Real time and network access were disabled). As to Defender, with all settings maxxed out files were encrypted UNLESS Controlled Folder Access was enabled (and then the protection was extended to only those folders so protected by default).

 

[blackice]

Just a fun fact that may or may not be pertinent here, but recently the Magniber ransomware has become popular and just yesterday a newer build hit the streets. As Magniber use the direct system call execution technique in order to screw your system (and avoid AV detection), any new version for which no definition exists can be problematic.

Indeed at the time I came across the file only Kaspersky was aware of it, and others I tested (Avast, ESET) succumbed (an exception being WVSX which detected this essentially zero-day file by the mechanism alone as Real time and network access were disabled). As to Defender, with all settings maxxed out files were encrypted UNLESS Controlled Folder Access was enabled (and then the protection was extended to only those folders so protected by default).

This is a reason why, regardless of security used, I wait a couple days to execute any download I’m not 100% sure of. It’s not foolproof, but generally cloud detections are added within that time frame (though not always). The best security is good internet hygiene.

 

[Anthony Qian]

Just a fun fact that may or may not be pertinent here, but recently the Magniber ransomware has become popular and just yesterday a newer build hit the streets. As Magniber use the direct system call execution technique in order to screw your system (and avoid AV detection), any new version for which no definition exists can be problematic.

Indeed at the time I came across the file only Kaspersky was aware of it, and others I tested (Avast, ESET) succumbed (an exception being WVSX which detected this essentially zero-day file by the mechanism alone as Real time and network access were disabled). As to Defender, with all settings maxxed out files were encrypted UNLESS Controlled Folder Access was enabled (and then the protection was extended to only those folders so protected by default).

Yes. Magniber ransomware seems to be back again, after several days.

The new variant bypassed Kaspersky's HEUR detection, but fortunately, Kaspersky updated its SW rules and managed to block it from encrypting files. ESET uses "A Variant Of Win64/Injector.IA" detection to detect this variant. Norton, Avira, Avast, and Bitdefender failed, sadly. WV uses "WIBD:HEUR.DirectSyscall.A5" to deal with this ransomware, which proves very effective. Microsoft Defender also failed, and all files were encrypted.

Some IOCs:
23d3ab67beb4cdb6900f45cbfc42337a; 48833c7e7da1a58cac0a02a4f2b9f339

 

[ErzCrz]

Just a fun fact that may or may not be pertinent here, but recently the Magniber ransomware has become popular and just yesterday a newer build hit the streets. As Magniber use the direct system call execution technique in order to screw your system (and avoid AV detection), any new version for which no definition exists can be problematic.

Indeed at the time I came across the file only Kaspersky was aware of it, and others I tested (Avast, ESET) succumbed (an exception being WVSX which detected this essentially zero-day file by the mechanism alone as Real time and network access were disabled). As to Defender, with all settings maxxed out files were encrypted UNLESS Controlled Folder Access was enabled (and then the protection was extended to only those folders so protected by default).

Out of curiosity, did Comodo successfully contain it?

 

[Andy Ful]

Even it's off-topic. I want just mention one point, this last part of your comment is not fully true for all free AVs:
Kaspersky Free includes stronger protection like System Watcher (same version like on K. paid versions) compared to MD on default settings.
Avast/AVG Free also includes stronger protection features (Behavior Shield, Cyber Capture, Hardened Mode) compared to MD on default settings.
Bitdefender Free includes same BB (Advanced Threat Defense like paid versions) what is stronger in terms of protection compared to MD on default settings.

That's something important what must said here as well when we are talking about true things like proven facts instead of talking about personal experience only...

I fully agree that MD with GP tweaks or tools like ConfigureDefender or DefenderUI, that helps to increase protection on same level like from me above mentioned free AVs.

I should be more precise and write "The same is true for any free AV" on default settings.
The additional features seem do not make a practical difference in the Real-World tests. The test results are very clear. For home users, other scenarios are mostly unimportant, except for people who use pirated software, game mods, etc.
In fact, Defender includes some of these features at the cloud backend. Many malware can be detected at the post-execution stage which is often done in other AVs by behavior or advanced threat protection modules.

If you would test Microsoft Defender in Malware Hub, then probably there could be some advantage. Maybe it is time to test free AVs in Malware Hub. The MH testing scenario is closer to a business environment or using the computer for hybrid work.
It is possible that free versions of Avast, Bitdefender, and Kaspersky are better designed for hybrid work. Also, Microsoft seems to notice, that for hybrid work the Defender protection should be extended (Smart App Control).

 

[Andy Ful]

How would the use of Defender Configure and Simple Windows Hardening influence Microsoft Defender's performance /protection as discussed here?

This is not the right thread for such discussion.

 

[cruelsister]

Out of curiosity, did Comodo successfully contain it?

Yes, no issue at all. Included with these new Magnibers (some of which came with a so-far legit certificate-but not counter signed). For giggles I also tested a few others that have been very popular this week (Snake keyloggers and a fast acting MBR lockers). All were stopped without issue, barely an inconvenience.

 

[ErzCrz]

Yes, no issue at all. Included with these new Magnibers (some of which came with a so-far legit certificate-but not counter signed). For giggles I also tested a few others that have been very popular this week (Snake keyloggers and a fast acting MBR lockers). All were stopped without issue, barely an inconvenience.

Brilliant, thanks for the info!

 

[Andy Ful]

Unfortunately, such malware like Magniber has a high chance to compromise any protection. It is delivered to users who are already convinced that they are going to install a benign update. So even if it will be blocked by something like default-deny or restricted sandbox, the user will turn off the protection and will be infected. More chances can have AVs that can detect the threat as the ransomware, but even then some users can ignore the detection.

In the case of Defender, such a massive campaign can be significantly damped by post-execution detection. After successfully infecting a few computers, the unknown threat is quickly recognized as ransomware due to the telemetry sent to the cloud or via detonation in the cloud sandbox. Such behavior was explained in the Microsoft articles, and some MT members reported that it really works. In this way, the users are protected against the concrete threat several minutes after the first attack. The post-execution detections are especially effective for ransomware attacks because ransomware actions are easy to detect.
The post-execution detection is less effective in the targeted attacks, because the first victim can be also the last one.

Edit.
If I correctly remember also Kaspersky and Bitdefender can use post-execution detection against ransomware, but I am not sure if the free versions can do it (probably yes).