- Dec 23, 2014
- 8,129
Evjl's Rain,
Did the sample BitmapCase.exe from Malware Samples #15 (4/07/2019) trigger SmartScreen?
Did the sample BitmapCase.exe from Malware Samples #15 (4/07/2019) trigger SmartScreen?
Windows Defender - June 2019 Report
- Thread starter Evjl's Rain
- Start date
I don't know. I didn't test smartscreen
but if you want, I can check it out now
edit: it does trigger smartscreen (signed exe)
- Dec 23, 2014
- 8,129
Thanks.
I have asked, because you use Defender max settings and I assumed that they were configured by ConfigureDefender. But, then the file with MOTW would be blocked (SmartScreen set to Block).
If the file was not blocked in ConfigureDefender MAX settings, then it did not have MOTW (with some rare exceptions). So, also BAFS was not tested.
If so, then this is a special kind of test (but common on Malware Hub), like in the situation of downloading the files from the FAT32 pen drive to the hard disk and running them from the hard disk. Such a test is different from real-world tests performed by AV Labs, so the user should not compare the results.
Anyway, it is a very interesting test for detecting the strength of other WD features (Cloud Protection Level, ASR rules, Network Protection, etc.).:emoji_ok_hand:
I prefer testing products in extreme condition so they can show their strengths because one day we might be in the same situation, not as ideal as downloading a file from the internetThanks.
I have asked, because you use Defender max settings and I assumed that they were configured by ConfigureDefender. But, then the file with MOTW would be blocked (SmartScreen set to Block).
If the file was not blocked in ConfigureDefender MAX settings, then it did not have MOTW (with some rare exceptions). So, also BAFS was not tested.
If so, then this is a special kind of test (but common on Malware Hub), like in the situation of downloading the files from the FAT32 pen drive to the hard disk and running them from the hard disk. Such a test is different from real-world tests performed by AV Labs, so the user should not compare the results.
Anyway, it is a very interesting test for detecting the strength of other WD features (Cloud Protection Level, ASR rules, Network Protection, etc.).:emoji_ok_hand:
This is also a real-world test because I see it everyday in my country (download a password-protected archive, extract with winrar)
every kind of test is real-world at some point
I do prefer malware protection test from AV-C or from MRG than real-world tests because they are more extreme and correctly reflect the true power of an AV in any condition
real-world test is kind of boring because most of the links they test are not zero-day anymore, I assume
- Dec 23, 2014
- 8,129
Evjl's Rain,
I have an idea. Would be a problem for you to attach the "Defender Security Log" from ConfigureDefender, as an addition to the performed tests?
It has the advantage to show what feature was used to block/mitigate the malware.
I have an idea. Would be a problem for you to attach the "Defender Security Log" from ConfigureDefender, as an addition to the performed tests?
It has the advantage to show what feature was used to block/mitigate the malware.
- Aug 17, 2014
- 10,165
- Dec 23, 2014
- 8,129
It is, as can be seen from the test if the file would have the MOTW (SmartScreen was triggered).
Only EV signed files can automatically bypass SmartScreen check.
yes I will do it in the next tests. I will find out how to use it
- Dec 23, 2014
- 8,129
This is the most comprehensive test about WD detection I have ever seen, made by one person.:emoji_ok_hand:
:emoji_ok_hand:
- Mar 29, 2018
- 7,106
Signed malware: Excellent work @Evjl's Rain!
I'm starting to get tired of testing WD because the context scan (local offline signatures and heuristics) has been extremely poor, which forces testers to test more dynamic samples. almost every pack results in infection
it's clearly that the context scan has no cloud implementation, only in on-access and on-execution
on-access has cloud support only if it has mark-of-the-web
next test I will try out if WD has has any offline protection or it's fully dependent on cloud => sometimes, the cloud connection can be unstable => you're finished
it's clearly that the context scan has no cloud implementation, only in on-access and on-execution
on-access has cloud support only if it has mark-of-the-web
next test I will try out if WD has has any offline protection or it's fully dependent on cloud => sometimes, the cloud connection can be unstable => you're finished
- Dec 23, 2014
- 8,129
That is also my observation. Windows Defender detection of never seen samples strongly depends on the cloud (except ASR rules and Controlled Folder Access). Furthermore, the best protection (BAFS) is available only when files are recognized as downloaded from the Internet.
People who use FAT32 sources (flash drives, USB disks) for sharing files with other people are not so well protected, except when they will upload the files to OneDrive or execute the files directly from the USB source (protected by very aggressive ASR rule). If so, then the file downloaded to the hard disk from OneDrive will be automatically checked by BAFS.
It is also crucial to use the Windows built-in ZIP archiver or Bandzip archiver, which can preserve MOTW after decompressing files from archives (downloaded from the Internet).
With the above precautions, WD + ConfigureDefender can achieve similar protection for fresh samples, as any commercial AV on default settings. This protection can be even stronger when applying SysHardener restrictions or maximize the protection with Hard_Configurator.
People who use FAT32 sources (flash drives, USB disks) for sharing files with other people are not so well protected, except when they will upload the files to OneDrive or execute the files directly from the USB source (protected by very aggressive ASR rule). If so, then the file downloaded to the hard disk from OneDrive will be automatically checked by BAFS.
It is also crucial to use the Windows built-in ZIP archiver or Bandzip archiver, which can preserve MOTW after decompressing files from archives (downloaded from the Internet).
With the above precautions, WD + ConfigureDefender can achieve similar protection for fresh samples, as any commercial AV on default settings. This protection can be even stronger when applying SysHardener restrictions or maximize the protection with Hard_Configurator.
I guess that's the downfall of how WD is designed and implemented. The HUB testing methodology doesn't allow it to be tested necessarily how MS designed and implemented it. Not making excuses at all, nor am I saying your doing it wrong @Evjl's Rain, I just mean that the hub doesn't necessarily test how one uses a computer, ie downloading malware through a browser. This is just a minor flaw in the testing methodology that applies to all products, not just WD. Whether this makes a difference remains to be seen, but it's still a part that is missed. Don't get me wrong, I know it's not done due to complexity and being dangerous, but it's still a flaw.
Again due to the way WD is designed and implemented there will be some gaps. Aside from USB malware, I would hazard to guess that in real world use there may be a different outcome, as it seems like MS designed it to work a certain way. Again not making excuses, just something to think about
@Evjl's Rain I know you want to stop testing WD, but I am wondering if you wanted to test it maxed out with configure defender running along side OSA, or syshardener? I know this isn't testing WD specifically, but rather how a setup may do over all.
Last edited by a moderator:
- Apr 1, 2019
- 2,776
I would also like to see WD tested with OSA as I run that on some machines. But, I can see how it is exhausting. Whatever you decide to test next I appreciate the effort!I guess that's the downfall of how WD is designed and implemented. The HUB testing methodology doesn't allow it to be tested necessarily how MS designed and implemented it. Not making excuses at all, nor am I saying your doing it wrong @Evjl's Rain, I just mean that the hub doesn't necessarily test how one uses a computer, ie downloading malware through a browser. This is just a minor flaw in the testing methodology that applies to all products, not just WD. Whether this makes a different remains to be seen, but it's still a part that is missed. Don't get me wrong, I know it's not done due to complexity and being dangerous, but it's still a flaw.
Again due to the way WD is designed and implemented there will be some gaps. Aside from USB malware, I would hazard to guess that in real world use there may be a different outcome, as it seems like MS designed it to work a certain way. Again not making excuses, just something to think about
@Evjl's Rain I know you want to stop testing WD, but I am wondering if you wanted to test it maxed out with configure defender running along side OSA, or syshardener? I know this isn't testing WD specifically, but rather how a setup may do over all.
@Andy Ful just out of curiosity, I know WD has archive scanning, so doesn't WD scan inside the archive before its extracted? If so should it be irrelevant if you use 7zip which removes MOTW, or is it because the cloud/BAFS does not work on scanning with archives, only after the file has been extracted?
- Dec 23, 2014
- 8,129
I noticed in the WD log, that in most cases of infections, WD initially allows running the malware, but the suspicious actions and payloads are blocked anyway. After several seconds the cloud is alarmed about malicious actions, so the malware is blocked and often removed from disk, but sometimes is not killed (still active in memory). After reboot, the system is protected, although WD often leaves leftovers in the registry startup locations. These startup entries produce alerts because they cannot find the malware which was already removed from disk.
most archives are password-protected => untouchable for all AVs
when they are extracted, MOTW is already removed
Bandizip rocks :emoji_pray: and will save us from a lot of infections thanks to smartscreen with all AVs including panda or webroot
Thanks and that makes sense.
I have to admit I like 7-zip, its a great program, but I am going to give Bandizip and try, especially since it's based of 7-zip if I'm not mistaken.
I will try to test WD with syshardener maxed outI guess that's the downfall of how WD is designed and implemented. The HUB testing methodology doesn't allow it to be tested necessarily how MS designed and implemented it. Not making excuses at all, nor am I saying your doing it wrong @Evjl's Rain, I just mean that the hub doesn't necessarily test how one uses a computer, ie downloading malware through a browser. This is just a minor flaw in the testing methodology that applies to all products, not just WD. Whether this makes a difference remains to be seen, but it's still a part that is missed. Don't get me wrong, I know it's not done due to complexity and being dangerous, but it's still a flaw.
Again due to the way WD is designed and implemented there will be some gaps. Aside from USB malware, I would hazard to guess that in real world use there may be a different outcome, as it seems like MS designed it to work a certain way. Again not making excuses, just something to think about
@Evjl's Rain I know you want to stop testing WD, but I am wondering if you wanted to test it maxed out with configure defender running along side OSA, or syshardener? I know this isn't testing WD specifically, but rather how a setup may do over all.
I don't like OSA to be honest because it produced some FPs and used a noticeable amount of CPU on my PC
- Dec 23, 2014
- 8,129
BAFS can recognize malware in ZIP archives (from Internet Zone) and probably in most known archive types too. But, as @Evjl's Rain already mentioned, this does not apply for password-protected archives.
