Windows Defender Disappointment

Lenny_Fox

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Mark Of The Web, right mouse click any downloaded file and select properties

1580368559754.png
 
  • Like
  • Thanks
Reactions: Handsome Recluse, [correlate], Dave Russo and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Lenny_Linux said:
Thanks for the info

I thought that the default Windows Explorer uncompression of ZIP files, skipped EXE files when the ZIP-file had MOTW?
Click to expand...
The Windows built-in compression feature is OK (preserves MOTW), but it works only for ZIP files. So, many users install 3rd party archivers - most of them do not preserve MOTW.
 
Last edited:
  • Like
  • Thanks
Reactions: Handsome Recluse, [correlate], Dave Russo and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
RKRN3 said:
What's MOTW?
Click to expand...

textslashplain.com

Downloads and the Mark-of-the-Web

Last update: October 4, 2024 Background To help protect the user and their device, Windows and its applications will often treat files originating from the Internet more cautiously than files gener…
textslashplain.com textslashplain.com

Simply it is information added to the file downloaded from the Internet when using popular web browsers, OneDrive, and some other online services. MOTW can be added to the file only on the NTFS drive (so it is lost on most flash drives, and also on CD/DVD drives, CD/DVD images, Memory Cards). File downloaders, application auto-updates, malware, etc. usually download files without MOTW. Most archivers (but not Windows built-in and Bandizip) do not preserve MOTW.(y)
Some security solutions like SmartScreen integrated with Explorer and CyberCapture feature in Avast, require MOTW to work properly. The documents with MOTW trigger the Protected View feature in MS Office and Adobe Acrobat Reader.
Adding the MOTW before file execution (like in Hard_Configurator and RunBySmartScreen) can force the SmartScreen check also for files stored on flash drives, CD/DVD drives, CD/DVD images, Memory Cards, etc.
 
Last edited:
  • Like
  • Thanks
Reactions: DDE_Server, Nevi, [correlate] and 10 others
Mercenary

Mercenary

Level 1
Thread author
Aug 9, 2019
21
Andy Ful said:
If your EXE file was in the archive, then you probably uncompressed it without MOTW. If so, then the file was executed without SmartScreen and "Block At First Sight" protection. If you propose WD to your clients, then install the Bandizip archiver that preserves MOTW while uncompressing executables from archives.

Anyway, after some hours this sample was detected by most AVs (including WD), so it is not a good example for disappointment about AV detection. It should be also blocked as 0-day malware by the WD ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", which is included only in ConfigureDefender MAX Protection Level (too many false positives).

The malware is classified as a kind of hack tool, so it is a prelude to further infection via payloads. That is why most AVs did not detect it as 0-hour malware (low level of suspicious actions). That is normal.

Almost all such infections can be avoided by simply waiting one day before opening attachments from not trusted emails. Of course, it is even better to not opening them at all.
Click to expand...
Today I received exactly the same letter as yesterday, only the sender is different, the name of the files is the same, but the hash the sum of the files is different)
The virus that arrived yesterday is already identified by 36 antivirus engines, a new file of 15 antiviruses. Although antiviruses detect it with the same name.
Screenshot_25.jpgScreenshot_26.jpg
 
  • Like
Reactions: DDE_Server, Nevi, [correlate] and 4 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Mercenary said:
Today I received exactly the same letter as yesterday, only the sender is different, the name of the files is the same, but the hash the sum of the files is different)
The virus that arrived yesterday is already identified by 36 antivirus engines, a new file of 15 antiviruses. Although antiviruses detect it with the same name.
View attachment 233038View attachment 233039
Click to expand...
Your IT admin should not allow exe attachments to be received by email. That is leaving the door wide open to attacks. If it is a small business, and you are the admin, either switch to a more secure email provider, such as Outlook.com or Gmail, or figure out how to block suspicious file attachments with the service you have.
 
  • Like
  • +Reputation
Reactions: DDE_Server, Nevi, [correlate] and 11 others
Mercenary

Mercenary

Level 1
Thread author
Aug 9, 2019
21
shmu26 said:
Your IT admin should not allow exe attachments to be received by email. That is leaving the door wide open to attacks. If it is a small business, and you are the admin, either switch to a more secure email provider, such as Outlook.com or Gmail, or figure out how to block suspicious file attachments with the service you have.
Click to expand...
Our mail is located on Gmail, we use G Suite and Gmail did not send them to spam. The virus was archived in .lzh format and it was not attached to the letter, there was a link to google drive.
 
  • Like
Reactions: Parsh, DDE_Server, Nevi and 4 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Mercenary said:
Our mail is located on Gmail, we use G Suite and Gmail did not send them to spam. The virus was archived in .lzh format and it was not attached to the letter, there was a link to google drive.
Click to expand...
Ah, thanks for the update. That makes sense. Links will always be a problem. @Andy Ful's suggestion to use BandiZip is a good one. The more recent versions of Windows will be able to apply SmartScreen filtering to it, since the MarkOfTheWeb will still be present.
AV detection on email-delivered malware will always be hit-and-miss, because email tends to deliver zero-days. But SmartScreen is not easily fooled by zero-days. On the contrary, it is very suspicious of new samples, unless they bear a high-quality digital signature. That latter case is pretty rare, barring cases of high-level targeted attacks.
 
  • Like
Reactions: Mercenary, oldschool, DDE_Server and 7 others
P

plat

Level 29
Top Poster
Sep 13, 2018
1,793
How about configuring the specific ASR rule "block executable content from email client and webmail?" According to MS Docs, exclusions can be made. Not sure if gmail would be included, though, as I don't have a virtual machine at the moment. Someone else know for sure? Regardless, I would not place 100% faith in just one mitigation, for anything.

docs.microsoft.com

Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint

Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
docs.microsoft.com
 
  • Like
Reactions: Mercenary, DDE_Server, Nevi and 7 others
RejZoR

RejZoR

Level 15
Verified
Top Poster
Well-known
Nov 26, 2016
699
BoraMurdar said:
Then you are delusional. Nothing is invincible.
Click to expand...

You may call it delusional, I call it "have thrown enough ##### at it for years" to know it's not a delusion but real world experience with it. Basically ever since they introduced behavior PDM module and cloud system it's been basically bullet proof. Something I can't really say for any other antivirus. Maybe Comodo Internet Security, but it's plagued by so many problems, usability issues and stagnating development that I can't really recommend it to anyone coz of that. But these two are actually the only ones I'd trust them to such extent.
 
  • Like
Reactions: Mercenary, DDE_Server, [correlate] and 3 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
RejZoR said:
You may call it delusional, I call it "have thrown enough **** at it for years" to know it's not a delusion but real world experience with it. Basically ever since they introduced behavior PDM module and cloud system it's been basically bullet proof. Something I can't really say for any other antivirus. Maybe Comodo Internet Security, but it's plagued by so many problems, usability issues and stagnating development that I can't really recommend it to anyone coz of that. But these two are actually the only ones I'd trust them to such extent.
Click to expand...
Over the last few months, Kaspersky has not always been getting 100% in the commercial testing.
 
  • Like
Reactions: Mercenary, DDE_Server, Nevi and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
plat1098 said:
How about configuring the specific ASR rule "block executable content from email client and webmail?" According to MS Docs, exclusions can be made. Not sure if gmail would be included, though, as I don't have a virtual machine at the moment. Someone else know for sure? Regardless, I would not place 100% faith in just one mitigation, for anything.

docs.microsoft.com

Use attack surface reduction rules to prevent malware infection - Microsoft Defender for Endpoint

Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
docs.microsoft.com
Click to expand...
This will work only for Outlook.
 
  • Like
  • Thanks
Reactions: Mercenary, DDE_Server, harlan4096 and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Azure said:
90% is still way better 20%
Click to expand...
If you meant WD (20%), then If I correctly recall most of the exploit methods were tested on Windows 7. Anyway, the WD free features protection (no ATP) in businesses, cannot be good because many computers in local networks are not connected to the Internet. So, the main WD free protection is useless because it highly depends on the cloud backend (Cloud delivered protection, BAFS, SmartScreen). The computers can be infected remotely from a single compromised machine connected to the local network.
 
  • Like
Reactions: Parsh, Nevi, Mercenary and 7 others
A

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Andy Ful said:
If you meant WD (20%), then If correctly recall most of the exploit methods were tested on Windows 7. Anyway, the WD free features protection (no ATP) in businesses, cannot be good because many computers in local networks are not connected to the Internet. So, the main WD free protection is useless because it highly depends on the cloud backend (Cloud delivered protection, BAFS, SmartScreen).(y)
Click to expand...
"Kaspersky has not always been getting 100%"

Which is fine as long as the percentage is high enough and there's some consistency among various testing organizations
 
  • Like
Reactions: Mercenary, DDE_Server, harlan4096 and 5 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Azure said:
"Kaspersky has not always been getting 100%"

Which is fine as long as the percentage is high enough and there's some consistency among various testing organizations
Click to expand...
I agree, I was just responding to @RejZoR's comment that Kaspersky gets it right every time. This may well be true in his personal testing, but the commercial testers didn't have exactly the same findings.
 
  • Like
Reactions: Nevi, Mercenary, DDE_Server and 5 others

Similar threads

Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus (Default Settings + DefenderUI Recommanded Settings)
Replies
34
Views
3,257
Video Reviews - Security and Privacy
lokamoka820
lokamoka820
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,309
Video Reviews - Security and Privacy
tofargone
tofargone
Lymphocyte
    • Like
    • Wow
Security News Microsoft Defender adds detection of unsecure Wi-Fi networks
Replies
0
Views
1,518
Security News
Lymphocyte
Lymphocyte

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top