Windows Defender - June 2019 Report

[Andy Ful]

What I have seen from the WD log is like salmonella disease when the immune system (local AV protection) tries to protect the body but in the end, the patient has to get help from health service (AV Cloud). After the treatment, the patient is still not perfectly healthy and can have some side effects (malware leftovers).
But, this model is probably the best available so far, because it was made either by God or (biological and social) Evolution.:emoji_ok_hand:
It can be also hardened by applying a kind of healthy prophylactic (OSA, SysHardener) or prophylactic + healthy diet (H_C).

Edit.
It is also probable that WD default health service is similar to that in a small village, far into the country. (joke, it is not as bad)

 

[Gandalf_The_Grey]

A bit off topic but post like these made by @Andy Ful and the tests of @Evjl's Rain make me wonder about WD in my config again... Thanks guys
That is the trouble with forums like this one

 

[Andy Ful]

A bit off topic but post like these made by @Andy Ful and the tests of @Evjl's Rain make me wonder about WD in my config again... Thanks guys
That is the trouble with forums like this one

We are talking here about malware you will never see running on your computer. Most of the samples have a very very low prevalence. If you have doubts, then simply apply H_C Recommended settings.

 

[Andy Ful]

I analyzed all missed samples with WD MAX settings and all of them (except one) were scripts, so they could be easily blocked by adding SysHardener (tweaked), OSArmor or H_C ('Allow EXE" or Recommended setup). The one missed EXE file was mitigated by WD and disappeared after reboot. Furthermore, in the real world scenario, it would be blocked by SmartScreen or prevented by blocked scripts and MS Office hardening.

When using WD HIGH or MAX settings with SysHardener, OSA or H_C ("Allow EXE" setup) the user who wants to apply extraordinary protection should only remember:

1. Run executables directly from the USB drive or upload files from USB drive to OneDrive. Copying files directly from USB drive to hard drive and running them is not safe.
2. Use BandZip to access files in archives.

 

[Gandalf_The_Grey]

I analyzed all missed samples with WD MAX settings and all of them (except one) were scripts, so they could be easily blocked by adding SysHardener (tweaked), OSArmor or H_C ('Allow EXE" or Recommended setup). The one missed EXE file was mitigated by WD and disappeared after reboot. Furthermore, in the real world scenario, it would be blocked by SmartScreen or prevented by blocked scripts and MS Office hardening.

When using WD HIGH or MAX settings with SysHardener, OSA or H_C ("Allow EXE" setup) the user who wants to apply extraordinary protection should only remember:

1. Run executables directly from the USB drive or upload files from USB drive to OneDrive. Copying files directly from USB drive to hard drive and running them is not safe.
2. Use BandZip to access files in archives.

In real life people/relatives will not follow rule 1. Any other solutions or ideas for this "problem" ?
Rule 2 is great advice and easy to do on pc's of family, relatives and friends.

 

[Andy Ful]

In real life people/relatives will not follow rule 1. Any other solutions or ideas for this "problem" ?
Rule 2 is great advice and easy to do on pc's of family, relatives and friends.

Yes. You know already one solution.
Anyway, do they need such extraordinary protection? Who shares the never seen malware via USB drive? Is it you (joke)?

Edit.
If one wants to keep WD and Windows native security, then the only solution I know is H_C.
Other good solutions without WD (less compatible with Windows) are well known on MT.

 

[blackice]

I analyzed all missed samples with WD MAX settings and all of them (except one) were scripts, so they could be easily blocked by adding SysHardener (tweaked), OSArmor or H_C ('Allow EXE" or Recommended setup). The one missed EXE file was mitigated by WD and disappeared after reboot. Furthermore, in the real world scenario, it would be blocked by SmartScreen or prevented by blocked scripts and MS Office hardening.

When using WD HIGH or MAX settings with SysHardener, OSA or H_C ("Allow EXE" setup) the user who wants to apply extraordinary protection should only remember:

1. Run executables directly from the USB drive or upload files from USB drive to OneDrive. Copying files directly from USB drive to hard drive and running them is not safe.
2. Use BandZip to access files in archives.

Just to clarify, are BandZip and BandiZip different programs? I’ve seen different spellings and am not sure if they are different software, or just variations in spelling.

 

[Andy Ful]

It is BandiZip (I skipped "i").
It has an option for MOTW.

Bandizip - How to copy Zone.Identifier information for malware protection

Home of Bandisoft

www.bandisoft.com

 

[blackice]

It is BandiZip (I skipped "i").

Thanks, with the way so many programs are spelled similarly I wouldn't want to go trying out some random soft that's the wrong one.

 

[Gandalf_The_Grey]

Yes. You know already one solution.
Anyway, do they need such extraordinary protection? Who shares the never seen malware via USB drive? Is it you (joke)?

No, I don't share anything with anybody
I was just thinking of my kids working on school projects with classmates and sharing USB drives.
In your most valued opinion HC at recommended settings and WD at high settings is enough protection for that?

 

[Andy Ful]

No, I don't share anything with anybody
I was just thinking of my kids working on school projects with classmates and sharing USB drives.
In your most valued opinion HC at recommended settings and WD at high settings is enough protection for that?

Yes, If they do not disable the protection.:emoji_pray:
If the child uses SUA and do not know the Admin password, then disabling the protection is not possible. To avoid bypassing SmartScreen, you can set SmartScreen to Block in ConfigureDefender.

 

[MalwareTypes]

BAFS can recognize malware in ZIP archives (from Internet Zone) and probably in most known archive types too. But, as @Evjl's Rain already mentioned, this does not apply for password-protected archives.

Windows natively only recognizes ZIP archives from the bunch of archive types that exist. So I would venture to guess that BAFS can see only what Windows can see, ie ZIP archives.
ISO files are a special case: Windows mounts them, not really opens them, so not really sure how the "Mark of the web" inheritance is managed in that case.
Either way, BandiZip is a great choice.

 

[Evjl's Rain]

No, I don't share anything with anybody
I was just thinking of my kids working on school projects with classmates and sharing USB drives.
In your most valued opinion HC at recommended settings and WD at high settings is enough protection for that?

according to what I saw, I believe WD on high settings is not really better than itself in default settings against exe malwares
high setting is definitely better against exploits or scripts, which some exe malwares can utilize
however for pure exe malwares, they are quite similar in both (ignore BAFS)
I also tried to test WD high in offline condition. It did trigger behavior blocker (few times) but still super weak compared to third-party AVs

most WD users are infected by password-protected archives !!! (in my country)
USB-delivered malwares are virtually never zero-day -> not really a problem
when malwares are from USB we should consider that the users also use their AVs in offline mode (otherwise they may download it from browsers)

 

[Andy Ful]

according to what I saw, I believe WD on high settings is not really better than itself in default settings against exe malwares
...

I am afraid that this statement cannot be concluded from your tests. This would require a different kind of test.
It can be done by using the WD Demo webpage:

1. Set WD to DEFAULT Protection Level by using ConfigureDefender and reboot the computer.
2. Use Edge (native not Chromium) to prepare 20 samples from WD Demo webpage which bypassed BAFS. Do not run the samples from the hard disk. On my computer, I had to create about 40 demo samples, because about half of them were detected and removed from disk by BAFS.
3. Set WD Cloud Protection Level to High by using ConfigureDefender and reboot the computer. Check that the Internet connection has been established.
4. Open the folder with samples (do not run them), many samples should be quarantined.

That was a result on my computer, which strongly suggests that HIGH settings are also much stronger for EXE files than DEFAULT settings.
This test cannot be done with ShadowDefender in Shadow mode on boot, because WD settings would be restored to DEFAULT settings after reboot.

Unfortunately, it may be not easy to repeat the similar test on the real samples, because it is not easy to separate the samples blocked by BAFS from the samples blocked by other Cloud AI features or signatures. Furthermore, Cloud detection can be different when the same samples are run at different moments of time (Cloud AI can learn).

 

[Evjl's Rain]

I am afraid that this statement cannot be concluded from your tests. This would require a different kind of test.
It can be done by using the WD Demo webpage:

1. Set WD to DEFAULT Protection Level by using ConfigureDefender and reboot the computer.
2. Use Edge (native not Chromium) to prepare 20 samples from WD Demo webpage which bypassed BAFS. Do not run the samples from the hard disk. On my computer, I had to create about 40 demo samples, because about half of them were detected and removed from disk by BAFS.
3. Set WD Cloud Protection Level to High by using ConfigureDefender and reboot the computer. Check that the Internet connection has been established.
4. Open the folder with samples (do not run them), many samples should be quarantined.

That was a result on my computer, which strongly suggests that HIGH settings are also much stronger for EXE files than DEFAULT settings.
This test cannot be done with ShadowDefender in Shadow mode on boot, because WD settings would be restored to DEFAULT settings after reboot.

Unfortunately, it may be not easy to repeat the similar test on the real samples, because it is not easy to separate the samples blocked by BAFS from the samples blocked by other Cloud AI features or signatures. Furthermore, Cloud detection can be different when the same samples are run at different moments of time (Cloud AI can learn).

testing with WD demo samples don't tell anything because they are not malwares, same for eicar/amtso
they are just a test to see if something is working properly or not but don't differ which is more effective
high setting is better than default setting, that's obvious but how much better is the question to find out

the problem is when comparing High or Default settings to BAFS, that's a very very far distance because BAFS is very aggressive and much more prone to FPs than the others. If all malwares can be checked with BAFS, it's ideal

 

[Andy Ful]

testing with WD demo samples don't tell anything because they are not malwares, same for eicar/amtso
they are just a test to see if something is working properly or not but don't differ which is more effective
high setting is better than default setting, that's obvious but how much better is the question to find out

the problem is when comparing High or Default settings to BAFS, that's a very very far distance because BAFS is very aggressive and much more prone to FPs than the others. If all malwares can be checked with BAFS, it's ideal

That is true. Demo samples can show one thing, and the real samples can show a different picture. It is much harder (and time-consuming) to test this on the real samples. But anyway, another type of test would be required. First, the samples should be tested on DEFAULT setup. Next, the test should be repeated on the same system as before testing the DEFAULT setup, but with changed Cloud Protection Level from Default to High (this is not HIGH or MAX setup). Probably, more than one tests should be done to get the right picture.

 

[ForgottenSeer 72227]

according to what I saw, I believe WD on high settings is not really better than itself in default settings against exe malwares

I know this is in relation to WD specifically, but would you say that Smartscreen improves on this, especially if it's set to block? Assuming that the file keeps the MOTW, smartscreen seems to be pretty aggressive from what I've seen. I guess this is where run by smartscreen may help?

 

[Evjl's Rain]

I know this is in relation to WD specifically, but would you say that Smartscreen improves on this, especially if it's set to block? Assuming that the file keeps the MOTW, smartscreen seems to be pretty aggressive from what I've seen. I guess this is where run by smartscreen may help?

smartscreen + syshardener/H_C blocks everything, almost. No need any AV in theory
smartscreen, a reputation checker, is works like everything is guilty until something is proven innocent

SmartScreen filtering at the desktop level, performing reputation checks by default on any file or application downloaded from the Internet, was introduced in Windows 8.[9][10] Similar to the way SmartScreen works in Internet Explorer 9, if the program does not have an established good reputation, the user is alerted that running the program may harm their computer.

Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution.

 

[ForgottenSeer 72227]

smartscreen + syshardener/H_C blocks everything, almost. No need any AV
smartscreen, a reputation checker, is works like everything is guilty until something is proven innocent

Hehe fair enough!

I guess maybe it would be fair to say that if one is using WD on W10, it's better to consider all the security options/features within the OS to compliment one another, kinda of how a 3rd part suite works. Even though something like Smartscreen will work with 3rd party products as well, it's just more important with WD, as the OS as a whole is designed like a suite in a way, as all the features work together. Like you said supplement that with Syshardener, H_C, etc... and you'll probably be covered quite well!

 

[Andy Ful]

smartscreen + syshardener/H_C blocks everything, almost. No need any AV in theory
smartscreen, a reputation checker, is works like everything is guilty until something is proven innocent

I would say (I know that you know it):
"RunBySmartScreen + SysHardener" / H_C blocks everything, almost.
SmartScreen + SysHardener (without RunBySmartScreen) does not use forced SmartScreen so it will fail for some EXE samples delivered without MOTW, which will be blocked by H_C.