Windows Defender Disappointment

Mercenary

Mercenary

Level 1
Thread author
Aug 9, 2019
21
Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
Screenshot_20.jpgScreenshot_22.jpg
 
  • Like
  • Wow
Reactions: ebocious, Antus67, DDE_Server and 14 others
BoraMurdar

BoraMurdar

Community Manager
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
You feel it that way because you had an unreal expectation, that AV will have 100% detection ratio 100% of the time.
It can happen to all these 8 AVs that detected this malicious sample.

But you fired a VM because your brain told you that something's not right.
That's the whole point of MalwareTips.
Not lockdown, not AV X vs AV Y, not layered vs unlayered...the purpose is to educate.
 
  • Like
  • Applause
  • +Reputation
Reactions: ForgottenSeer 77207, simmerskool, Parsh and 37 others
F

ForgottenSeer 823865

Mercenary said:
Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014
Click to expand...
WD wasn't alone to not detect it anyway. Each AV has his own response time, usually ESET is one the fastest.
I have to remind you that WD (without ATP) is focused primarily on prevalent malware, not the brand new ones.

DCK247 said:
people expect 100% protection
once again, failure is the user
Click to expand...
As usual
 
  • Like
Reactions: simmerskool, Parsh, Antus67 and 19 others
Mercenary

Mercenary

Level 1
Thread author
Aug 9, 2019
21
DCK247 said:
even with configure defender, windows defender is not the answer
it's good, but failure-prone
SRP will solve your fear
Click to expand...
Let's hope that they will finish it to an acceptable level, otherwise he instilled such hopes in me that I started to put it to clients and acquaintances, but apparently still too early)

Umbra said:
WD wasn't alone to not detect it anyway. Each AV has his own response time, usually ESET is one the fastest.
I have to remind you that WD (without ATP) is focused primarily on prevalent malware, not the brand new ones.
Click to expand...
I agree with you. I have ESET Endpoint Security on all working computers and during these 4 years no problems have arisen. And in terms of detection speed, it amazes me. There was a case when a secretary opened an archive with a new virus and ESET identified it by name and when I checked it on Virustotal, only 4 antiviruses and ESET including it detected.
 
  • Like
Reactions: simmerskool, DDE_Server, Dave Russo and 7 others
F

ForgottenSeer 823865

@Mercenary If your security strategy rely mainly on Detection (aka AVs), ESET is the best in the field with Kaspersky followed Bit Defender Engine based AVs.
However if it rely on Prevention, then the efficiency of AVs aren't a major concern then WD or any other simple AV is good enough.

DCK247 said:
it don't matter what signature-cloud solution you use
if you want to protect people against zero-day malware then you got to use SRP and prevent them from running executable files on their systems
Click to expand...
Totally agree.

DCK247 said:
i made edit
check it
Click to expand...
Agree even more, i promote SUA/Guest as much as i can lol.
 
  • Like
Reactions: ebocious, DDE_Server, Dave Russo and 10 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Mercenary said:
Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014
Click to expand...
Thanks for sharing. That's a perfect example of how businesses get infected. Business environments need extra protection, and the IT admin should be notified about your findings.
But for home users, a good webmail service such as Gmail won't let an exe attachment get to your inbox in the first place.
 
  • Like
  • +Reputation
Reactions: DDE_Server, Dave Russo, Nevi and 14 others
Terry Ganzi

Terry Ganzi

Level 26
Verified
Top Poster
Well-known
Feb 7, 2014
1,540
I heard no 1 person here ask him if this was activated in WD not 1 geek or beginner.
So if WD isn't configured to check email why complain?
What miracle was suppose to happen here.
what am i missing.

docs.microsoft.com

Configure scanning options for Microsoft Defender Antivirus

You can configure Microsoft Defender Antivirus to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
docs.microsoft.com
 

Attachments

  • Not 1 Person.PNG
    Not 1 Person.PNG
    1.6 KB · Views: 293
Last edited:
  • Like
Reactions: DDE_Server, Dave Russo, Nevi and 5 others
Lenny_Fox

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Mercenary said:
Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014
Click to expand...
Thanks for sharing. COuld you give it another try with ConfigureDefender set to MAX?
 
  • Like
Reactions: Dave Russo, Nevi, [correlate] and 7 others
Mercenary

Mercenary

Level 1
Thread author
Aug 9, 2019
21
Terry Ganzi said:
I heard no 1 person here ask him if this was activated in WD not 1 geek or beginner.
So if WD isn't configured to check email why complain?
What miracle was suppose to happen here.
what am i missing.

docs.microsoft.com

Configure scanning options for Microsoft Defender Antivirus

You can configure Microsoft Defender Antivirus to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
docs.microsoft.com
Click to expand...
The first thing I did, I scanned statically and the defender did not react in any way and only then I launched the virus and defender in the same way, no alerts.
 
  • Like
Reactions: DDE_Server, Dave Russo, Nevi and 5 others
RoboMan

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
I'm repeating what I tell everytime: default-allow software IS NOT RELIABLE. It's a good companion for a default-deny solution. The moment you choose to rely on a defaut-allow software, however good it is, you're doomed.

For example, in my main PC I use Kaspersky Internet Security, configured to default-block all files that are not digitally signed by a Kaspersky Trusted Vendor. In my secondary laptop, I use Windows Defender, configured by ConfigureDefender, and Hard_Configurator set in "Disallowed" settings which will block everything by default, except specified files (of course it automatically whitelists critic files).

I wouldn't dare, EVER, to trust 100% on a default-allow "security software". That's playing a bet. Maybe it protects, maybe it fails. Not worth the risk.
 
  • Like
Reactions: ForgottenSeer 77207, Parsh, DDE_Server and 11 others
RoboMan

RoboMan

Level 35
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,400
shmu26 said:
True. But if the user is educated and aware, he will probably live happily ever after, even if all he has is a standard AV.
Click to expand...
Sure. Most of us in this forum can probably wonder the vast lands of the internet without any protection and come out clean. Still, like the famous phrase says... "sh1t happens". One can never now. Malvertising. An exploit on an outdated plugin. An outdated browser. Zero day malware. Zero day vulnerabilities. Things regular antivirus will probably never catch, unless of course they possess some kind of Application Control. Cybersecurity is not static. It keeps moving and evoling, just as malware does. If you do not default-deny, you will probably sometime face a problem. And if the universe conspires against you, and the scenarios are correct, you may end up compromised. And if you're an average Joe you're definitely ending up infected.
 
  • Like
Reactions: Parsh, simmerskool, DDE_Server and 5 others
RejZoR

RejZoR

Level 15
Verified
Top Poster
Well-known
Nov 26, 2016
699
BoraMurdar said:
You feel it that way because you had an unreal expectation, that AV will have 100% detection ratio 100% of the time.
It can haplen to all these 8 AVs that detected this malicious sample.

But you fired a VM because your brain told you that something's not right.
That's the whole point of MalwareTips.
Not lockdown, not AV X vs AV Y, not layered vs unlayered...the purpose is to educate.
Click to expand...

Maybe so, but with antiviruses like Kaspersky, it's not really unrealistic expectation. Myself and in tests, basically whatever you throw at it, it'll detect it. Though be aware that a lot of detections happen on execution. So VT isn't entirely realistic display of detection capabilities.
 
  • Like
  • +Reputation
Reactions: fabiobr, DDE_Server, Dave Russo and 10 others
Dex4Sure

Dex4Sure

Level 3
Verified
Well-known
May 14, 2019
116
Mercenary said:
Today I received a suspicious letter with an attachment came to the work mailbox. I decided to check it in a virtual machine on the defender. What was my disappointment, the Windows defender did not react at all to the new virus. Although updated and defender settings are set to high using ConfigureDefende.
View attachment 233013View attachment 233014
Click to expand...

Not very surprised to see ESET and Kaspersky among the ones who detected it... Their signatures tend to be the best in general.
 
  • Like
Reactions: DDE_Server, Dave Russo, Mercenary and 8 others
Dex4Sure

Dex4Sure

Level 3
Verified
Well-known
May 14, 2019
116
Umbra said:
@Mercenary If your security strategy rely mainly on Detection (aka AVs), ESET is the best in the field with Kaspersky followed Bit Defender Engine based AVs.
However if it rely on Prevention, then the efficiency of AVs aren't a major concern then WD or any other simple AV is good enough.


Totally agree.


Agree even more, i promote SUA/Guest as much as i can lol.
Click to expand...

Yeah I agree on that. With 3rd party AV's I prefer ESET cause its super light and has probably the best signatures in the industry. I don't quite trust any AV's behavior blocker that much + it just adds more system resource usage. Besides, I'm the type who never runs anything I don't know and even if I did I would at least upload the executable to VirusTotal before running.
 
  • Like
Reactions: fabiobr, DDE_Server, Dave Russo and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,118
Mercenary said:
Let's hope that they will finish it to an acceptable level, otherwise he instilled such hopes in me that I started to put it to clients and acquaintances, but apparently still too early)
...
Click to expand...
If your EXE file was in the archive, then you probably uncompressed it without MOTW. If so, then the file was executed without SmartScreen and "Block At First Sight" protection. If you propose WD to your clients, then install the Bandizip archiver that preserves MOTW while uncompressing executables from archives.

Anyway, after some hours this sample was detected by most AVs (including WD), so it is not a good example for disappointment about AV detection. It should be also blocked as 0-day malware by the WD ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", which is included only in ConfigureDefender MAX Protection Level (too many false positives).

The malware is classified as a kind of hack tool, so it is a prelude to further infection via payloads. That is why most AVs did not detect it as 0-hour malware (low level of suspicious actions). That is normal.

Almost all such infections can be avoided by simply waiting one day before opening attachments from not trusted emails. Of course, it is even better to not opening them at all.
 
Last edited:
  • Like
  • +Reputation
Reactions: Parsh, simmerskool, DDE_Server and 14 others

Similar threads

O
    • Like
Serious Discussion Windows Defender scan when offline
Replies
13
Views
755
Microsoft Defender
ForgottenSeer 103564
F
simmerskool
AI Assist Windows Sandbox vs VMware security
Replies
3
Views
197
AI-Powered Dedicated Forum
Bot
Bot
C
    • Like
Question What does MPSUPPORT.CAB contains? For Microsoft Defender log
Replies
9
Views
601
Microsoft Defender
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top