Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.
Delete files? I have never seen that on any of my eight computers.
Nothing beats Norton for that but it comes closer than anything else I have used over the years. Software development and AV that deletes unknown files is a bad combination.
Never happened to me either so far.
I agree. I just never had WD do that. But granted I never ran it for long periods of time.
Windows 10: HOSTS file blocking telemetry is now flagged as a risk
August 3, 2020
Wow. Now that is crazy.
Microsoft Defender (nee Windows Defender) throwing error Events 7000, 7001
Thank you, Minimalist. I was getting a few of these errors mentioned in the above Ask Woody article per day. Just got a platform update via Windows Update so that the newest versions are here:
Should be good now. Should be....
Edit: Sorry, I thought this was about a different error. The new platform version does not fix the "network inspection service failed to start" error if Memory Integrity is turned on. I still got the errors in Event Viewer/Application but all is serene again if I shut it off. Would rather have Nis.service running so I shut Memory Integrity off again in Device Health.
You can say that again. This makes Win Defender questionable.
LOL good one. But it's very unclear to me how Win Def's behavior blocker exactly works, probably because they keep mentioning Win Def ATP. I would put more trust in third party tools like AppCheck and HitmanProAlert when it comes to behavior blocking. This cloud based stuff is way too vague.
A little reading and research would help with that.
MS's documentation is not the best but cloud protection is not really vague since most of WD's protection comes via the cloud. Check out the threads at Malwaretips where you may also check test results too.
I agree. HitmanPro.Alert is a great example of seeing such things in action. As we use Windows Defender at work (you get the budget you get) I am exposed to it on a daily basis. I've never seen it detect anything based on behavior.
This would make it even slooowwweer than it is
Don't give them ideas, you never know what "behavior" is in the brains of the OS Defender AI (the telemetry thingy seems to be under protection too). It defends the OS and its purpose, no doubt about it. Users' files and privacy protection is another story though.
I have done some reading, and apparently, the behavior blocker from Win Def AV is quite advanced, would love to see it being tested. I actually forgot to save the link, will post it later. But from what I understood, it should be able to block malicious behavior post-execution, for example stuff like process hollowing. However, it relies on the cloud, probably to avoid false positives, but I rather see pure "local based" behavior blocking without any need for the cloud. So weird that I can't find the link anymore.
As far as I am aware of, real behavior detection capability only exists in WD ATP Enterprise version: https://docs.microsoft.com/en-us/wi...microsoft-defender-advanced-threat-protection
More detail here: https://www.microsoft.com/security/...ion-of-behavior-signals-for-threat-detection/
As far as plain WD, ASR mitigations are pretty much it when it comes to behavior detection.
Makes sense. This is more in line with what I expected.
Guess I should add the plain WD does have some baked in behavior rules in regards to Accessibility Tool Backdoors as noted here: https://www.bleepingcomputer.com/ne...nder-can-detect-accessibility-tool-backdoors/ . I on the other hand have a HIPS rule to detect any debugger use.
Behavior blocker, behavior detection, behavior blocking, etc. are terms that are evolving.
For example, see some of these:
As for Windows Defender, some elements of WD ATP have been integrated into consumer versions of WD but it is difficult to tell from the documentation. It describes ATP but MS never clearly discusses the relationship to WD.
"From the below infection chain it follows that it should be detected by behavior-based and AMSI ML models. These models are trained and optimized on the very large sample of malware before they are included in WD. Many malware samples use similar infection chains.
Please note, that the above picture is related to preventing the infection - not to detecting the final Astaroth payload, which is reflectively injected as DLL."
The WD offline/online detection (without BAFS and without proactive features, default settings applied) was tested in AV-Comparatives Malware Protection tests. The test-set used contained 10970 recent/prevalent samples from the last few weeks. So, this test was very different from Zero-Day Protection tests on Malware Hub (not comparable). The results here, are from the latest test:
Malware Protection Test March 2019 - AV-Comparatives
The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution.
WD Offline detection rate: 68.5%
WD Online detection rate: 88.3%
The results of detection based on signatures are significantly lower as compared to other AVs. The above results are related to on-access (on-demand) scans without executing the samples. Samples were scanned from USB and network drives (no BAFS).
The comparison with other AVs:
When the samples were executed while online (no BAFS but triggered proactive features), then the result was:
WD Online Protection rate: 99.98% which was similar to other AVs.
I would not take seriously the small differences among AVs in Online Protection Rate column. One could probably get the opposite scoring when choosing another pool containing 10970 samples from millions of in-the-wild samples."
"SUMMARY of WD offline non-signature detection/blocking on Windows Home and Pro.
WD offline non-signature detection uses Machine Learning models, behavior-based algorithms, generics (based on similarities to known malware), and heuristics.
AMSI is used to log/detect unobfuscated script actions.
Most of these features apply to images in memory and are optimized to detect suspicious behavior and trigger the cloud backend.
WD can be configured to use also ASR rules and Controlled Folder Access to block locally, malicious behaviors.
It seems that WD main offline protection is based on malware signatures, and can be extended by using ASR rules and Controlled Folder Access. Other features are mostly the interlude to the cloud backend.
Of course, in the home environment, offline protection is supported by cloud protection even when the user is offline! The main malware delivery is due to the Internet, so if the user is well protected online (web protection, BAFS, etc.), then there is usually no malware on disk when being offline. This may work well for many users, but there are some exceptions, for example when downloading/unpacking files without MOTW (like from USB drives, via 7-ZIP unpacker, etc.)"
People will believe what they want to believe, but one cannot say that WD's only behavior detection is a result of ASR rules.
Of course, this leaves aside entirely the question of WD's ability to protect, especially against unknown or zer0-day malware.
Malware Protection Test March 2020 - AV-Comparatives
WD Offline detection rate: 70.5%
WD Online detection rate: 85.3%
The thing to note is WD was the 4th lowest scoring in offline detection and lowest scoring in online detection.
So what does this test really show?
First, WD scored 99.88% in online protection. This illustrates WD is very much dependent upon its cloud block-at-first-sight sandbox scanning.
The problem is any decent malware will try to disable the target's network connection prior to executing its dropped payload. This can easily be done for example but not exclusively via:
or via PowerShell;
It should be noted that the major AV vendors also employ cloud scanning for malware detection in some fashion. However, they don't rely on it for their primary malware detection method for this reason.
-EDIT- What this test illustrates is an issue that has plagued Microsoft since the Security Essentials days. That is, its local real-time signature, heuristics, and behavior detection for that matter are deficient compared to those provided by the major AV solutions.
Microsoft in its famous "public disclosure" postings points out that its emphasis is on detection of recently discovered malware. Hence WD's very decent scoring on the AV labs real-time protection tests. The problem here is "old malware never dies, it will just resurface in its original or a variant version."
As you said, not exclusively. I am unsure if WD reaches its cloud by hostname or IP. If by hostname it would probably be just as easy to set an invalid IP for the connection to Microsoft while leaving the rest of the internet working, making it more difficult to determine that something is wrong until it is way too late.
Almost all antivirus solutions nowadays depend on the cloud for better coverage, this isn't a Microsoft Defender exclusive issue/fault (imo it isn't a problem at all).
This doesn't make sense; while there are many malwares that try to disable the network connection, there are many more that depend on it to do their damage (trojans/spyware/adware/banking trojans/many ransomware families).
Block at first sight is totally adequate, not only that, it is pretty powerful, especially considering the volume of malware created each day, after all it can prevent the malware that tries to disable the target network and bla bla bla in the first place; anyway those scenarios are totally irrelevant for home users, if you think otherwise you are just being paranoid and frankly I am tired of this after so many years visiting security forums. (true zero-day fileless malware with exploits against home users? ha-ha-ha ! )
There is too much misinformation about Microsoft Defender capabilities and for this I have to thank @Bertazzone for that informative post above, it was very clarifying.
In the real world, Windows 10 up-to-date users are pretty safe by default and this is something amazing, nowadays it is hard to find an infected machine, when in the past it was the norm.
Or just disable Internet connectivity but leave the rest of the LAN alone: https://www.youtube.com/watch?v=OMQ49_PlLD0
That would be good for running an encryptor on the local network drives.
Here's something to check out.
Since WD is so dependent upon block-at-first-sight detection cloud scanning, does WD actually issue an alert if it can't connect to MS cloud servers as major AV solutions do?
Now I did come across this:
The first sentence implies that Mark-of-the-Web is the major trigger mechanism in the cloud scanning process. Since MOTW is actually an NTFS ADS on the file, we can strip that off the file prior to execution.
The above quoted reference is for WD ATP ..... of course. But it very much appears WD cloud scanning is a two step process. The first cloud look up is to determine if the file has been previously scanned. I assume that some type of yes/no status value is being returned to the originating device. So all we have to do is intercept that transmission and always return a yes value.
If not previously scanned, a second cloud look up occurs that uploads the file to MS servers for detailed analysis. Now for that file locking bit. Unless things have changed, the file is only locked for a set period of time on non-WD ATP versions; believe that is for a default of 10 seconds. Appears WD ATP provides for up to an additional 50 secs of cloud scan time. So I design my malware to perform a NOP loop to wait out the cloud scan time. Or just build in a required user input response in the process.
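Since the posts above go back and forth about which parts of WD's protection are local, which are cloud, and how long the block-at-first-sight lock lasts, here is a read-only PowerShell audit I put together (added example, not code from anyone in this thread). It uses the Defender cmdlets that ship with Windows 10 (Get-MpPreference / Get-MpComputerStatus); the property value meanings in the comments are from Microsoft's cmdlet documentation. Run it from an elevated prompt.

```powershell
# Added example: audit the Defender settings the thread argues about (cloud lookup,
# block-at-first-sight, cloud scan timeout, NIS, ASR rules, Controlled Folder Access).
# Read-only. Run as Administrator on Windows 10 so the cmdlets return full data.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# MAPSReporting: 0 = off, 1 = basic, 2 = advanced. With 0 there is no cloud lookup at all,
# so block-at-first-sight cannot work whatever the other switches say.
$cloudOn = ($pref.MAPSReporting -ne 0)

# SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all.
# The upload step of block-at-first-sight needs 1 or 3; 0 or 2 leaves only the hash lookup.
$bafsOn = $cloudOn -and (-not $pref.DisableBlockAtFirstSeen) -and
          ($pref.SubmitSamplesConsent -in @(1, 3))

$report = [ordered]@{
    'Real-time protection'         = $status.RealTimeProtectionEnabled
    'Behavior monitoring'          = $status.BehaviorMonitorEnabled
    'Network Inspection (NisSrv)'  = $status.NISEnabled        # the service mentioned earlier in the thread
    'Cloud (MAPS) reporting level' = $pref.MAPSReporting
    'Sample submission consent'    = $pref.SubmitSamplesConsent
    'Block at first sight active'  = $bafsOn
    'Cloud block level'            = $pref.CloudBlockLevel
    'Cloud extended timeout (s)'   = $pref.CloudExtendedTimeout   # 0-50 s added on top of the default wait
    'Controlled Folder Access'     = $pref.EnableControlledFolderAccess   # 0 = off, 1 = block, 2 = audit
    'ASR rules configured'         = @($pref.AttackSurfaceReductionRules_Ids).Count
    'Signatures last updated'      = $status.AntivirusSignatureLastUpdated
}
$report.GetEnumerator() | Format-Table Name, Value -AutoSize

# List each ASR rule GUID with its mode (0 = off, 1 = block, 2 = audit, 6 = warn), so the
# "ASR is the only local behavior blocking" claim can be checked against what is enforced.
$ids  = @($pref.AttackSurfaceReductionRules_Ids)
$acts = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{ RuleId = $ids[$i]; Action = $acts[$i] }
} | Format-Table -AutoSize
```

The point of the combined `$bafsOn` flag is that block-at-first-sight is not a single switch: MAPS reporting, sample submission consent and DisableBlockAtFirstSeen all have to line up, and a Group Policy or a registry tweak that changes any one of them silently degrades WD to the offline detection figures quoted above.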
You can also set a Group Policy to stop it from ever being written in the first place. If you were able to set that with a malicious script the end user would never notice the difference.
Much easier is using PowerShell: https://winaero.com/blog/how-to-unblock-files-downloaded-from-internet-in-windows-10/
Or, just use a trusted alternate data stream utility if PowerShell use is blocked:
AlternateStreamView v1.56 - View/Copy/Delete NTFS Alternate Data Streams
Alternate Data Stream Manager (ADS Manager)
-EDIT- Based on this: https://www.winitor.com/pdf/NtfsAlternateDataStreams.pdf, SmartScreen is ADS aware which is really somewhat obvious. It appears it can be configured (assume GP here) to generate a Win Event Audit log entry when ADS is accessed but that appears to be the extent of it.
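For anyone who wants to see the Zone.Identifier stream the last few posts are talking about rather than take the third-party utilities on faith, here is a PowerShell script (added example, not from the thread or from any of the linked tools). It walks a folder, reads the Mark-of-the-Web stream of every file with the built-in `-Stream` parameter, and reports which files carry no MOTW at all, which is exactly the USB / 7-Zip exception Bertazzone's summary earlier in the thread mentions. Stripping is optional and prompts per file; it does the same thing as Unblock-File. The default folder and the `-Strip` switch name are my own choices.

```powershell
# Added example: audit a folder for Mark-of-the-Web (the Zone.Identifier NTFS ADS).
# ZoneId=3 means "Internet"; files with no stream were never marked or were unblocked.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",   # assumed default; pass any NTFS folder
    [switch]$Strip                                   # optional: remove the stream (prompts per file)
)

function Get-MotwInfo {
    param([string]$File)
    # Get-Content -Stream reads the ADS directly; no third-party ADS viewer needed.
    $zone = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $info = [ordered]@{ File = $File; HasMotw = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    if ($zone) {
        $info.HasMotw = $true
        # Stream body is INI-style: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
        foreach ($line in $zone) {
            if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') { $info[$matches[1]] = $matches[2] }
        }
    }
    [pscustomobject]$info
}

$results = Get-ChildItem -LiteralPath $Path -File -Recurse |
           ForEach-Object { Get-MotwInfo -File $_.FullName }

$results | Format-Table File, HasMotw, ZoneId, HostUrl -AutoSize

# Files without MOTW in a download folder are the interesting ones: copied from USB,
# extracted by an unpacker that does not propagate the stream, or already unblocked.
$unmarked = @($results | Where-Object { -not $_.HasMotw })
Write-Host ("{0} of {1} files carry no Zone.Identifier stream" -f $unmarked.Count, @($results).Count)

if ($Strip) {
    # Same effect as Unblock-File: removing the stream means SmartScreen and
    # block-at-first-sight no longer see the file as an Internet download.
    $results | Where-Object { $_.HasMotw } | ForEach-Object {
        Remove-Item -LiteralPath $_.File -Stream Zone.Identifier -Confirm
    }
}
```

Run it as `.\Check-Motw.ps1` to just look, or `.\Check-Motw.ps1 -Path D:\staging -Strip` to unblock interactively. If you are on the defensive side of the argument, the useful output is the count of unmarked files: anything that arrives without the stream gets neither the SmartScreen reputation check nor the MOTW-triggered cloud lookup discussed above, no matter how WD itself is configured.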