AV-Comparatives: Real-World Protection Test February-June 2018

Discussion in 'other anti-virus software' started by anon, Jul 13, 2018.

  1. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
Mid-range heavy: not Norton/BD heavy, but definitely not ESET light.
It provides decent overall protection.
     
    Last edited: Jul 15, 2018
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Neither do most other security products. Rep scanning is performed against executables. AppContainer on the other hand gives the ability to restrict their use; for example, only signed scripts are allowed to be executed by their respective script engine.

    Win 10 AMSI gives AV products including WD the ability to examine script code after they unpack and decrypt in memory. Where WD and some other AV products had an issue on the MRG ad hoc test was when scripts are obfuscated. This allows malware to insert select characters within the script code. PowerShell ignores these characters when parsing a script. Obfuscation is a way to defeat code signature analysis. Only a few AV products on the MRG test last year were able to detect highly obfuscated malware PowerShell scripts.

    Also don't assume your AV product supports Win 10 AMSI; verify that it does so.
     
    Last edited: Jul 15, 2018
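The last line of the post above asks you to verify, not assume, that your AV hooks AMSI. The check below is an added example (not from the thread or any vendor): it enumerates the providers registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers, resolves each CLSID to the DLL that implements it, and reports the DLL's Authenticode status so you can see which vendor's module AMSI will actually call. Microsoft Defender's own provider shows up as MpOav.dll; a third-party AV that "supports AMSI" must appear here as well. The key paths are the documented registration points; nothing else is assumed.

```powershell
# Added example, not from the thread: list registered AMSI providers on this host.
# Providers register a CLSID under HKLM\SOFTWARE\Microsoft\AMSI\Providers; the CLSID's
# InprocServer32 value names the DLL that implements IAntimalwareProvider.
function Get-AmsiProvider {
    [CmdletBinding()]
    param()

    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $root)) {
        Write-Warning 'No AMSI provider key found; AMSI exists on Windows 10 / Server 2016 and later.'
        return
    }

    Get-ChildItem $root | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

        # InprocServer32 may contain %ProgramFiles%-style references; expand before testing the path
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        $sig = if ($dllPath -and (Test-Path $dllPath)) {
            (Get-AuthenticodeSignature -FilePath $dllPath).Status
        } else {
            'FileMissing'
        }

        [pscustomobject]@{
            CLSID     = $clsid
            Name      = $name
            Dll       = $dllPath
            Signature = $sig
        }
    }
}

Get-AmsiProvider | Format-Table -AutoSize
```

An empty table means no provider is registered and AMSI calls from PowerShell, VBScript/JScript and Office macros go unanswered regardless of what the AV's marketing says. A provider entry whose DLL is missing or unsigned is also worth a closer look, since the registration is just a registry key and can be tampered with by anything running as administrator.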
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Kaspersky 2019 supports it.
    https://forum.kaspersky.com/index.php?/profile/553694-xzz123/
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
One more point about Win 10 AMSI. It is not bulletproof, as holds true for all Microsoft security mitigations. For starters, it will only scan scripts run by PowerShell v5+:
    https://www.scip.ch/en/?labs.20180111

    -EDIT- A more recent bypass is here: https://www.bleepingcomputer.com/ne...ypass-windows-10-anti-malware-scan-interface/

    My favorite is deploying this to bypass any PowerShell Constrained language mode restrictions or attempts to block System.Management.Automation use: https://h4wkst3r.blogspot.com/2018/07/dissecting-net-download-cradle.html and then using this: https://github.com/cobbr/PSAmsi
     
    Last edited: Jul 15, 2018
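Since the post above notes that AMSI only sees scripts run by the v5+ engine (and a later post in this thread describes malware falling back to PowerShell v2), the obvious hardening step is to find out whether the legacy 2.0 engine is still present and remove it. The script below is an added example, not something from the thread: it reads the state of the MicrosoftWindowsPowerShellV2Root optional feature, checks for the CLR 2.0 runtime the v2 engine depends on, probes whether `powershell.exe -Version 2` actually starts, and offers a function to disable the feature. Run it from an elevated prompt; the feature and folder names are the real ones on Windows 10, the function names are mine.

```powershell
# Added example, not from the thread: audit and remove the PowerShell 2.0 engine,
# which predates AMSI and script block logging. Run elevated.
function Get-PowerShellV2State {
    # The v2 engine ships as an optional feature and runs on CLR 2.0 (.NET 3.5),
    # so both pieces must be present for a downgrade to work.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
    $clr2    = Test-Path "$env:windir\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
    [pscustomobject]@{
        V2FeatureState = $feature.State    # 'Enabled' or 'Disabled'
        Clr2Present    = $clr2
    }
}

function Test-PowerShellV2Launch {
    # Runtime probe: if the engine is available this prints "2"; if not, PowerShell
    # prints an error saying the required .NET Framework version is not installed.
    $out = & powershell.exe -NoProfile -Version 2 -Command '$PSVersionTable.PSVersion.Major' 2>&1
    return (($out | ForEach-Object { "$_" }) -join '').Trim() -eq '2'
}

function Disable-PowerShellV2 {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    Write-Host 'PowerShell 2.0 engine feature disabled; re-run Test-PowerShellV2Launch to confirm.'
}

Get-PowerShellV2State
"v2 engine can launch: $(Test-PowerShellV2Launch)"
```

Disabling the feature removes the engine that `-Version 2` loads; it does nothing about a copy of PowerShell carried in by the attacker, which is why the thread's later suggestion to watch which binaries are allowed to host System.Management.Automation is the complementary control.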
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    One final comment on PowerShell obfuscated scripts.

Microsoft currently has a WDEG ASR mitigation on Win 10 1709+ that will block the execution of any PowerShell obfuscated script. Great if you're using WD and malware hasn't disabled it or AMSI, since it uses it to determine if the script is obfuscated. This also, for me, is a "de facto" admission by Microsoft that they have "thrown in the towel" in regard to being able to detect obfuscated malware scripts via AMSI.
     
    Last edited: Jul 15, 2018
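For anyone who wants to try the ASR rule the post above describes, here is an added example (mine, not from the thread or Microsoft's docs) that enables the Exploit Guard rule "Block execution of potentially obfuscated scripts" (rule ID 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC) in audit mode first, lists which ASR rules are configured and how, and pulls the hits out of the Defender operational log. A later post in this thread points out that ASR has no desktop UI and only writes Event log entries, which is why the log query is included; event 1121 is a block and 1122 an audit-mode detection. Requires Windows 10 1709 or later, Defender as the active AV, and an elevated prompt; the function names are assumptions.

```powershell
# Added example, not from the thread: manage the "potentially obfuscated scripts"
# ASR rule and read its detections. ASR rules only apply while Defender AV is the
# active real-time engine, and this particular rule relies on AMSI to judge the script.
$ObfuscatedScriptsRule = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'

function Set-ObfuscatedScriptRule {
    param(
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$Mode = 'AuditMode'   # start in audit so you see what it would hit
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ObfuscatedScriptsRule `
                     -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrRuleState {
    # Ids and Actions are parallel arrays in Get-MpPreference output
    $pref = Get-MpPreference
    if (-not $pref.AttackSurfaceReductionRules_Ids) { return @() }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]
            Action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } default { $_ }
            }
        }
    }
}

function Get-AsrEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122          # 1121 = blocked, 1122 = audited
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

Set-ObfuscatedScriptRule -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrEvents | Format-List
```

Leave the rule in audit mode for a while before switching to Enabled: some legitimate installers and admin tooling ship minified or packed scripts that this rule flags, and the 1122 events tell you what would break.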
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    I think we should stop expecting AVs to do what they can't, which is give great protection from scriptors. Even Kaspersky won't save you all the time.
    Better to employ an alternative method for blocking/monitoring script interpreters, and let your AV + a reputation service handle the .exe files.
     
  7. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    At the very least they should use what's available for them. Some use AMSI, others don't.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
:thumb: With the caveat that sometimes it might be impossible to do so. Case in point: malware drops PowerShell v2 on your PC, renames it or downloads the file under a different name, then moves it to a folder you're not monitoring .exe startup from, e.g. C:\Program Files, etc.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    As far as Windows Defender goes, its "Achilles heel" is targeted attacks where it scored a dismal 28% detection rate in the last SE Labs quarterly comparative:

[image: SE_Labs_Q1-2018.png]
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    That, and the fact that malware can shut it down without a peep.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
Actually, you don't have to go to such lengths. Malware can just add itself as an exception to WD scanning. :D
    https://www.hybrid-analysis.com/sam...48e2d081095e954833fdf06f1e4?environmentId=100
     
  12. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Yup, Yup, Yup! Windows Defender and Windows Firewall are certainly enough...
     
  13. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Not many forum members believe that WD at default settings can beat zero days. If you want to provoke a revolt, you need to show that ASR is worthless.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Just to clarify what I am really getting at: the folks who speak highly of WD are, in truth, fans of the whole package of native Windows security mechanisms.
    I would love to see how such a setup performs against a couple good packs of nasty zero days.
    Any testers out there?
    Set up your VM like this:
    Windows 10 x64 1803
    Standard (limited) user account
    UAC at max
    Windows Defender configured with Andy Ful's ConfigureDefender at max settings.
    Powershell in constrained language.
    Harden the OS just a little bit, for instance by running NVT SysHardener at default settings.

    A test like this should show whether native Windows security stands or falls, no?
    (I am not saying to enable SRP, because then it wouldn't be a fair test.)
     
  16. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
Someone already did that on MT; it turned out to be just SmartScreen popping up with "I don't know what this is, probably malicious".
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Could you please link me, or tell me how to search for it? Maybe it will help rid me of false beliefs.
     
  18. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    This is an interesting test, but not exactly what I had in mind. The tester disabled WD completely, and was testing SmartScreen's strength as an anti-exe. Since SmartScreen is not smart enough to screen scripts, it is doomed to fail.
     
  20. guest

    guest Guest

So they are wrong. If you talk about a real-time engine's efficiency, you don't put auxiliary native security features in the mix.

That doesn't make WD better, that makes the OS's overall security better; and I bet if you replace WD in this setup with any other AV, they will still perform better than WD.
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Depends what risks you face. If you use MS Office a lot, then ASR rules are just right.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Some comments about ASR.

    For starters, its protection features are not part of Windows Defender. They are enhanced Windows Defender Exploit Guard mitigations. Windows Defender in this regard is a backend interface with mitigation detections allowing for limited user interaction when a mitigation is triggered. Note that WDEG does not have desktop interaction like its predecessor, EMET, did and only records detection via Event log entries. As such, their effectiveness will never be tested by an AV Lab since ASR is not part of the default WD configuration.

Officially, WDEG ASR is only supported by Microsoft in the Enterprise version. This is a clear indicator that Microsoft believes this is an enterprise level mitigation. Yes, Wilders folks have experimented and found out that ASR mitigations appear to work on non-Enterprise OS versions. However, there is no guarantee this will be so in the future.

    Finally as noted below, ASR was designed to work at maximum protection with Windows Defender Advanced Threat Protection feature:
    https://docs.microsoft.com/en-us/wi...-guard/attack-surface-reduction-exploit-guard
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
I don't think ASR is going away; on the contrary, with RS5/1809 it is supposed to become integrated into the Windows Security app, making it easily available to regular users on consumer versions of Windows 10.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
In that regard, Microsoft will be incorporating all relevant ASR "tweaks" into the WD GUI interface via one setting:
    https://pureinfotech.com/windows-10-redstone-5-version-1809-new-features/

    Just what ASR mitigations will be included remains to be determined. I strongly suspect, they will not include all the ASR mitigations available on the Win 10 Enterprise version.

The big question is if Microsoft "is opening up" the WDEG ASR interface to third party AV vendors due to this RS5 restriction:
    https://docs.microsoft.com/en-us/windows-insider/at-home/whats-new-wip-at-home

    The above is "translated" as, the vendors must now use the Win 10 ELAM driver.
     
    Last edited: Jul 16, 2018
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Probably not all of them, because at least one -- the protection for lsass.exe -- is incompatible with a lot of software.
     