Mercenary

Level 1
Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
Screenshot_20.jpgScreenshot_22.jpg
 

BoraMurdar

Community Manager
Verified
Staff member
You feel it that way because you had an unreal expectation, that AV will have 100% detection ratio 100% of the time.
It can happen to all these 8 AVs that detected this malicious sample.

But you fired a VM because your brain told you that something's not right.
That's the whole point of MalwareTips.
Not lockdown, not AV X vs AV Y, not layered vs unlayered...the purpose is to educate.
 
F

ForgottenSeer 823865

Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014
WD wasn't alone to not detect it anyway. Each AV has his own response time, usually ESET is one the fastest.
I have to remind you that WD (without ATP) is focused primarily on prevalent malware, not the brand new ones.

people expect 100% protection
once again, failure is the user
As usual
 

Mercenary

Level 1
even with configure defender, windows defender is not the answer
it's good, but failure-prone
SRP will solve your fear
Let's hope that they will finish it to an acceptable level, otherwise he instilled such hopes in me that I started to put it to clients and acquaintances, but apparently still too early)

WD wasn't alone to not detect it anyway. Each AV has his own response time, usually ESET is one the fastest.
I have to remind you that WD (without ATP) is focused primarily on prevalent malware, not the brand new ones.
I agree with you. I have ESET Endpoint Security on all working computers and during these 4 years no problems have arisen. And in terms of detection speed, it amazes me. There was a case when a secretary opened an archive with a new virus and ESET identified it by name and when I checked it on Virustotal, only 4 antiviruses and ESET including it detected.
 
F

ForgottenSeer 823865

@Mercenary If your security strategy rely mainly on Detection (aka AVs), ESET is the best in the field with Kaspersky followed Bit Defender Engine based AVs.
However if it rely on Prevention, then the efficiency of AVs aren't a major concern then WD or any other simple AV is good enough.

it don't matter what signature-cloud solution you use
if you want to protect people against zero-day malware then you got to use SRP and prevent them from running executable files on their systems
Totally agree.

i made edit
check it
Agree even more, i promote SUA/Guest as much as i can lol.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014
Thanks for sharing. That's a perfect example of how businesses get infected. Business environments need extra protection, and the IT admin should be notified about your findings.
But for home users, a good webmail service such as Gmail won't let an exe attachment get to your inbox in the first place.
 

Terry Ganzi

Level 25
Verified
I heard no 1 person here ask him if this was activated in WD not 1 geek or beginner.
So if WD isn't configured to check email why complain?
What miracle was suppose to happen here.
what am i missing.

 

Attachments

Last edited:

Lenny_Fox

Level 13
Verified
Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014
Thanks for sharing. COuld you give it another try with ConfigureDefender set to MAX?
 

Mercenary

Level 1
I heard no 1 person here ask him if this was activated in WD not 1 geek or beginner.
So if WD isn't configured to check email why complain?
What miracle was suppose to happen here.
what am i missing.

The first thing I did, I scanned statically and the defender did not react in any way and only then I launched the virus and defender in the same way, no alerts.
 

RoboMan

Level 30
Verified
Content Creator
Malware Tester
I'm repeating what I tell everytime: default-allow software IS NOT RELIABLE. It's a good companion for a default-deny solution. The moment you choose to rely on a defaut-allow software, however good it is, you're doomed.

For example, in my main PC I use Kaspersky Internet Security, configured to default-block all files that are not digitally signed by a Kaspersky Trusted Vendor. In my secondary laptop, I use Windows Defender, configured by ConfigureDefender, and Hard_Configurator set in "Disallowed" settings which will block everything by default, except specified files (of course it automatically whitelists critic files).

I wouldn't dare, EVER, to trust 100% on a default-allow "security software". That's playing a bet. Maybe it protects, maybe it fails. Not worth the risk.
 

RoboMan

Level 30
Verified
Content Creator
Malware Tester
True. But if the user is educated and aware, he will probably live happily ever after, even if all he has is a standard AV.
Sure. Most of us in this forum can probably wonder the vast lands of the internet without any protection and come out clean. Still, like the famous phrase says... "sh1t happens". One can never now. Malvertising. An exploit on an outdated plugin. An outdated browser. Zero day malware. Zero day vulnerabilities. Things regular antivirus will probably never catch, unless of course they possess some kind of Application Control. Cybersecurity is not static. It keeps moving and evoling, just as malware does. If you do not default-deny, you will probably sometime face a problem. And if the universe conspires against you, and the scenarios are correct, you may end up compromised. And if you're an average Joe you're definitely ending up infected.
 

RejZoR

Level 14
Verified
You feel it that way because you had an unreal expectation, that AV will have 100% detection ratio 100% of the time.
It can haplen to all these 8 AVs that detected this malicious sample.

But you fired a VM because your brain told you that something's not right.
That's the whole point of MalwareTips.
Not lockdown, not AV X vs AV Y, not layered vs unlayered...the purpose is to educate.
Maybe so, but with antiviruses like Kaspersky, it's not really unrealistic expectation. Myself and in tests, basically whatever you throw at it, it'll detect it. Though be aware that a lot of detections happen on execution. So VT isn't entirely realistic display of detection capabilities.
 

Dex4Sure

Level 2
Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014
Not very surprised to see ESET and Kaspersky among the ones who detected it... Their signatures tend to be the best in general.
 

Dex4Sure

Level 2
@Mercenary If your security strategy rely mainly on Detection (aka AVs), ESET is the best in the field with Kaspersky followed Bit Defender Engine based AVs.
However if it rely on Prevention, then the efficiency of AVs aren't a major concern then WD or any other simple AV is good enough.


Totally agree.


Agree even more, i promote SUA/Guest as much as i can lol.
Yeah I agree on that. With 3rd party AV's I prefer ESET cause its super light and has probably the best signatures in the industry. I don't quite trust any AV's behavior blocker that much + it just adds more system resource usage. Besides, I'm the type who never runs anything I don't know and even if I did I would at least upload the executable to VirusTotal before running.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
Let's hope that they will finish it to an acceptable level, otherwise he instilled such hopes in me that I started to put it to clients and acquaintances, but apparently still too early)
...
If your EXE file was in the archive, then you probably uncompressed it without MOTW. If so, then the file was executed without SmartScreen and "Block At First Sight" protection. If you propose WD to your clients, then install the Bandizip archiver that preserves MOTW while uncompressing executables from archives.

Anyway, after some hours this sample was detected by most AVs (including WD), so it is not a good example for disappointment about AV detection. It should be also blocked as 0-day malware by the WD ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", which is included only in ConfigureDefender MAX Protection Level (too many false positives).

The malware is classified as a kind of hack tool, so it is a prelude to further infection via payloads. That is why most AVs did not detect it as 0-hour malware (low level of suspicious actions). That is normal.

Almost all such infections can be avoided by simply waiting one day before opening attachments from not trusted emails. Of course, it is even better to not opening them at all.
 
Last edited:
Top