Windows Defender Disappointment

[Mercenary]

Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.

 

[BoraMurdar]

You feel it that way because you had an unreal expectation, that AV will have 100% detection ratio 100% of the time.
It can happen to all these 8 AVs that detected this malicious sample.

But you fired a VM because your brain told you that something's not right.
That's the whole point of MalwareTips.
Not lockdown, not AV X vs AV Y, not layered vs unlayered...the purpose is to educate.

 

[ForgottenSeer 823865]

Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014

WD wasn't alone to not detect it anyway. Each AV has his own response time, usually ESET is one the fastest.
I have to remind you that WD (without ATP) is focused primarily on prevalent malware, not the brand new ones.

people expect 100% protection
once again, failure is the user

As usual

 

[Mercenary]

even with configure defender, windows defender is not the answer
it's good, but failure-prone
SRP will solve your fear

Let's hope that they will finish it to an acceptable level, otherwise he instilled such hopes in me that I started to put it to clients and acquaintances, but apparently still too early)

WD wasn't alone to not detect it anyway. Each AV has his own response time, usually ESET is one the fastest.
I have to remind you that WD (without ATP) is focused primarily on prevalent malware, not the brand new ones.

I agree with you. I have ESET Endpoint Security on all working computers and during these 4 years no problems have arisen. And in terms of detection speed, it amazes me. There was a case when a secretary opened an archive with a new virus and ESET identified it by name and when I checked it on Virustotal, only 4 antiviruses and ESET including it detected.

 

[ForgottenSeer 823865]

@Mercenary If your security strategy rely mainly on Detection (aka AVs), ESET is the best in the field with Kaspersky followed Bit Defender Engine based AVs.
However if it rely on Prevention, then the efficiency of AVs aren't a major concern then WD or any other simple AV is good enough.

it don't matter what signature-cloud solution you use
if you want to protect people against zero-day malware then you got to use SRP and prevent them from running executable files on their systems

Totally agree.

i made edit
check it

Agree even more, i promote SUA/Guest as much as i can lol.

 

[shmu26]

Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014

Thanks for sharing. That's a perfect example of how businesses get infected. Business environments need extra protection, and the IT admin should be notified about your findings.
But for home users, a good webmail service such as Gmail won't let an exe attachment get to your inbox in the first place.

 

[Terry Ganzi]

I heard no 1 person here ask him if this was activated in WD not 1 geek or beginner.
So if WD isn't configured to check email why complain?
What miracle was suppose to happen here.
what am i missing.

Configure scanning options for Microsoft Defender Antivirus - Microsoft Defender for Endpoint

You can configure Microsoft Defender Antivirus to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).

docs.microsoft.com

 

[oldschool]

Static signatures are one of WD's weaknesses. Cloud and BAFS are its strengths. And isn't its email scanning only for Outlook and not webmail?

 

[Lenny_Fox]

Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014

Thanks for sharing. COuld you give it another try with ConfigureDefender set to MAX?

 

[Mercenary]

I heard no 1 person here ask him if this was activated in WD not 1 geek or beginner.
So if WD isn't configured to check email why complain?
What miracle was suppose to happen here.
what am i missing.

Configure scanning options for Microsoft Defender Antivirus - Microsoft Defender for Endpoint

You can configure Microsoft Defender Antivirus to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).

docs.microsoft.com

The first thing I did, I scanned statically and the defender did not react in any way and only then I launched the virus and defender in the same way, no alerts.

 

[RoboMan]

I'm repeating what I tell everytime: default-allow software IS NOT RELIABLE. It's a good companion for a default-deny solution. The moment you choose to rely on a defaut-allow software, however good it is, you're doomed.

For example, in my main PC I use Kaspersky Internet Security, configured to default-block all files that are not digitally signed by a Kaspersky Trusted Vendor. In my secondary laptop, I use Windows Defender, configured by ConfigureDefender, and Hard_Configurator set in "Disallowed" settings which will block everything by default, except specified files (of course it automatically whitelists critic files).

I wouldn't dare, EVER, to trust 100% on a default-allow "security software". That's playing a bet. Maybe it protects, maybe it fails. Not worth the risk.

 

[shmu26]

I'm repeating what I tell everytime: default-allow software IS NOT RELIABLE.

True. But if the user is educated and aware, he will probably live happily ever after, even if all he has is a standard AV.

 

[RoboMan]

True. But if the user is educated and aware, he will probably live happily ever after, even if all he has is a standard AV.

Sure. Most of us in this forum can probably wonder the vast lands of the internet without any protection and come out clean. Still, like the famous phrase says... "sh1t happens". One can never now. Malvertising. An exploit on an outdated plugin. An outdated browser. Zero day malware. Zero day vulnerabilities. Things regular antivirus will probably never catch, unless of course they possess some kind of Application Control. Cybersecurity is not static. It keeps moving and evoling, just as malware does. If you do not default-deny, you will probably sometime face a problem. And if the universe conspires against you, and the scenarios are correct, you may end up compromised. And if you're an average Joe you're definitely ending up infected.

 

[RejZoR]

You feel it that way because you had an unreal expectation, that AV will have 100% detection ratio 100% of the time.
It can haplen to all these 8 AVs that detected this malicious sample.

But you fired a VM because your brain told you that something's not right.
That's the whole point of MalwareTips.
Not lockdown, not AV X vs AV Y, not layered vs unlayered...the purpose is to educate.

Maybe so, but with antiviruses like Kaspersky, it's not really unrealistic expectation. Myself and in tests, basically whatever you throw at it, it'll detect it. Though be aware that a lot of detections happen on execution. So VT isn't entirely realistic display of detection capabilities.

 

[Dex4Sure]

Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014

Not very surprised to see ESET and Kaspersky among the ones who detected it... Their signatures tend to be the best in general.

 

[Dex4Sure]

@Mercenary If your security strategy rely mainly on Detection (aka AVs), ESET is the best in the field with Kaspersky followed Bit Defender Engine based AVs.
However if it rely on Prevention, then the efficiency of AVs aren't a major concern then WD or any other simple AV is good enough.


Totally agree.


Agree even more, i promote SUA/Guest as much as i can lol.

Yeah I agree on that. With 3rd party AV's I prefer ESET cause its super light and has probably the best signatures in the industry. I don't quite trust any AV's behavior blocker that much + it just adds more system resource usage. Besides, I'm the type who never runs anything I don't know and even if I did I would at least upload the executable to VirusTotal before running.

 

[BoraMurdar]

Maybe so, but with antiviruses like Kaspersky, it's not really unrealistic expectation

Then you are delusional. Nothing is invincible.

 

[Andy Ful]

Let's hope that they will finish it to an acceptable level, otherwise he instilled such hopes in me that I started to put it to clients and acquaintances, but apparently still too early)
...

If your EXE file was in the archive, then you probably uncompressed it without MOTW. If so, then the file was executed without SmartScreen and "Block At First Sight" protection. If you propose WD to your clients, then install the Bandizip archiver that preserves MOTW while uncompressing executables from archives.

Anyway, after some hours this sample was detected by most AVs (including WD), so it is not a good example for disappointment about AV detection. It should be also blocked as 0-day malware by the WD ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", which is included only in ConfigureDefender MAX Protection Level (too many false positives).

The malware is classified as a kind of hack tool, so it is a prelude to further infection via payloads. That is why most AVs did not detect it as 0-hour malware (low level of suspicious actions). That is normal.

Almost all such infections can be avoided by simply waiting one day before opening attachments from not trusted emails. Of course, it is even better to not opening them at all.

 

[ForgottenSeer 823865]

what am i missing.

Configure scanning options for Microsoft Defender Antivirus - Microsoft Defender for Endpoint

You can configure Microsoft Defender Antivirus to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).

docs.microsoft.com

This seems to be only in Windows Defender ATP... (not WD for home users).

 

[Lenny_Fox]

Bandizip archiver that preserves MOTW while uncompressing executables from archives.

Thanks for the info

I thought that the default Windows Explorer uncompression of ZIP files, skipped EXE files when the ZIP-file had MOTW?