Malware Research Group 360 Assessment & Certification – Q1

Discussion in 'other anti-virus software' started by itman, May 25, 2019.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Win 10 Exploit protection is AV independent; i.e. whatever AV used has no effect on it. Therefore it is not an AV lab test consideration per se. If anything, the lab might try to disable the protections to test just the third party AV protection. I believe the labs just keep the default exploit protections as is.

    As far as ASR goes, appears MS wanted to leave open the option of using the mitigations with third party AVs. Hence them being configured via OS mechanisms and not within WD itself.

    As I have stated repeatedly, MS's solution to security protection is the "Band Aid" approach with nothing really fully integrated as exists in third party AV solutions. At least with this approach, MS can publish endless "security-babble" articles that lead the uninformed to the conclusion that MS security solutions are "the greatest thing since sliced bread."
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I will also add for Enterprise level installations, Eset does offer a pro-active malware detection product titled Eset Dynamic Threat Defense. This product can be configured to block execution of unknown processes and auto submit them to Eset cloud servers for a full detailed analysis that usually takes 5 mins. or less. Likewise, the same processing with auto blocking is performed automatically when suspicious activities are detected during known process pre-execution AV scanning. In contrast, the max. time WD's block-at-first-sight w/cloud scanning for unknown processes can be configured for is 50 secs.
     
  3. guest

    guest Guest

    To me, testing AVs is all about detection, whatever form it takes, so ATP should have been used.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Microsoft has a blog article on Windows Defender ATP that should "demystify" what protections it provides:

    Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV
    https://www.microsoft.com/security/...ith-behavior-monitoring-amsi-and-next-gen-av/
    For those too lazy to read the full article, I will summarize the protections noted: AMSI, memory scanning, and boot sector protection. Note that AMSI is repeatedly referenced in the article.

    As is typical "double speak" so common of Microsoft these days, AMSI scanning is actually performed by Windows Defender. All WD ATP is doing is interfacing with WD after a malware or suspicious script detection is made for the purpose of providing analysis of the activity. Ditto for the other noted "protections;" they are actually being performed by WD.

    Additionally, all these supposed ATP protections are offered by the major AV vendors products.

    Which gets us again to what does WD ATP really offer? That again is answered in a prior posting in this thread. That is, it provides a mechanism to allow for detailed analysis of post-execution breach activities. This will enable installations so employing WD ATP the ability to apply the appropriate security mechanisms to prevent like activity from reoccurring. Is this a valuable feature? Yes it is. AV malware detection will block the activity and remove the immediate instance of it. However, you really have no idea of the sequence of events that led to the execution of the malware. This is what WD ATP provides.

    Finally, should AV labs be testing WD ATP? The answer is no since again, as noted in a prior posting, it does not prevent malware execution. It only monitors its activities.
     
  5. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    [Attached image: Capturar.JPG (two charts of Windows Defender ATP capabilities)]

    Source:
    https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2O8jv


    So could you explain those differences there? Is it really all about monitoring?
     
    Last edited: May 26, 2019
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yes. The first chart shows WD ATP cloud analysis capability after post-breach detection is triggered.

    As far as the second chart, it appears WD ATP auto enables the WD network protection option. As far as IDS protection, I do believe that is HIPS based and manually configured. That would, however, count as a pre-execution mitigation if enabled and properly configured. Eset IDS protection, for example, is enabled and preconfigured requiring no user intervention, although the option for "tweaking" does exist.
     
  7. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Advanced machine learning and advanced cloud protection are pre-execution too, the file is allowed to be executed only after detonation results.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    All the major AVs employ the same: block-at-first-sight pre-execution and post-execution via WD's AMSI detection, etc.

    Again without WD ATP, all a user is going to get from WD when post-execution suspect activity is detected is a suspicious activity alert. It's up to the user then to block or allow. With ATP installed, the process will be submitted to the cloud for detailed analysis with a confidence verdict on the activity rendered in short order.
     
  9. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    1- What other major AVs do isn't relevant for this discussion (Windows Defender home x Defender ATP with E5 license).

    2- You are just running circles here, my argument is that Windows Defender has different mechanism protections when it is deployed in Windows Enterprise with E5 and ATP licenses (and that's for all means Windows Defender "business edition") and you didn't prove me wrong, albeit you are saying that the official Microsoft document is misleading or is just full of "lies".


    My point is that they tested a domestic free solution against more robust business editions and if they had deployed Windows Defender with ASR rules (Microsoft guidelines) it should have had a very different result in the exploit/fileless malware, just that.

    I am far from being a Windows Defender fanboy, anyone can see in my past posts in this forum that my antivirus choices are ESET, Emsisoft and Kaspersky; I just think that this test doesn't show the real protection offered by the enterprise solution from Microsoft.

    I really don't know why people have this double standard against Windows Defender, if it isn't perfect in all metrics it's simply mediocre and when it gets the perfect results the test itself is biased or wrong.
     
  10. guest

    guest Guest

    Test Lab sucks anyway; the more I see results, the more it confirms my opinion.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No it shouldn't have been used, this is what I'm trying to explain. Win Def ATP will always use the same Win Def AV that comes with Win 10 consumer versions for malware protection. So that isn't the issue. The issue is that Exploit Guard and Attack Surface Reduction should also be enabled when testing, it's not clear whether MRG did this or not. I'm guessing they didn't, so then it's unfair.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is also done by Win Def AV. I think the best way to explain is by looking at this chart from CrowdStrike. It's all about the modules that are available. Normally, only the largest corporations will choose to use all of the EDR modules. But I think this test was more geared to small and mid-sized businesses that like to rely on business editions of AVs, because it's cheaper. Of course, some of the AVs that were tested may include "EDR-lite" features.

    https://www.crowdstrike.com/endpoint-security-products/
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    They have made it too confusing. If Exploit Guard and ASR are features related to Win Def, why not make them manageable via the Win Def main GUI? But you already explained that they are both available even with third party AV, so this perhaps explains it a bit.
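    Since ASR and Exploit Guard are configured through OS mechanisms rather than the Defender GUI, the only way for a lab (or anyone reproducing this test) to know whether they were actually on is to query them. The following is an added example, not from this thread or from Microsoft; it assumes the Defender and ProcessMitigations PowerShell modules present on Windows 10 1709+, and the rule GUIDs listed are a subset of Microsoft's published ASR rule IDs.

```powershell
# Added example (not from the thread): report which ASR rules are configured and
# in what mode, using the Defender PowerShell module. ASR is set via
# Set-/Add-MpPreference, Group Policy or Intune, not the Defender GUI, so a test
# bench has to be checked this way before a "with ASR" run.

# Subset of Microsoft's published ASR rule GUIDs (assumption: names per Microsoft docs).
$KnownRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
# AttackSurfaceReductionRules_Actions values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleReport {
    $pref = Get-MpPreference
    $configured = @{}
    # Ids and Actions are parallel arrays: index i of one matches index i of the other.
    $ids = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id = ([string]$ids[$i]).ToUpper()
        $configured[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($id in $KnownRules.Keys) {
        $state = if ($configured.ContainsKey($id)) { $ActionName[$configured[$id]] } else { 'Not configured' }
        [pscustomobject]@{ Rule = $KnownRules[$id]; Id = $id; State = $state }
    }
}

# Anything reported as "Not configured", "Disabled" or "Audit" is not blocking,
# i.e. a test run in that state does not exercise the ASR mitigation.
Get-AsrRuleReport | Sort-Object State | Format-Table -AutoSize

# Exploit protection (the Exploit Guard mitigations) is likewise system-level and
# AV-independent; the system-wide settings can be dumped for the record with:
Get-ProcessMitigation -System
```

Run it elevated on the test image before and after applying the vendor's recommended ASR policy, and keep both outputs with the test report so the configuration under test is unambiguous.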
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    In the context of this thread if we're going to discuss WD and WD ATP, then it's also appropriate to include other endpoint solutions; especially those specifically tested by MRG.

    Here's a specific example.

    Early last year Microsoft got a lot of free Internet press coverage on their "supposed" discovery of a previously unknown 0-day malware via WD ATP. Not disclosed in their press release but so noted in their subsequent detailed technical analysis is the following. At least a handful of WD ATP installations were actually infected by the malware prior to Azure cloud positively identifying the sample as malware and pushing appropriate mitigation to WD ATP installations. "Smelling a rat" here, I performed my own investigation in regards to the malware sample. It turns out that Eset and possibly other AV vendors had signature detection dates for this malware that preceded the date Microsoft publicly stated they had initially "discovered" it. Simply put, this certainly wasn't a 0-day malware detection by WD ATP.
     