Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    The payload was just a generic miner, nothing special really. The important thing is the mechanism, which, while not new, is dangerously getting popular (and THAT is new). That mechanism was seen step-wise in the last video (that exclusion command was written in Python).
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm not following you, did this miner perhaps have both capabilities? I did read about the XRM Miner and RedLine Stealer that were delivered with the booby-trapped MSI Afterburner app. Wait a minute, I just read about Black-T which is an "all in one" miner and stealer, see first link.

    But I can't remember reading about this WD bypass last year, I mean it has been around for years but perhaps I ignored it? Very weird and M$ should be ashamed that they didn't fix this in Win 10. And back in 2019 the GootKit malware also made use of another WD exclusion trick, see second link.

    https://decrypt.co/44005/a-monero-malware-has-been-upgraded-and-can-now-steal-passwords
    https://www.bleepingcomputer.com/ne...-windows-defender-by-setting-path-exclusions/
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, how can you explain why this "exclusion bypass" method still worked in your test, because it's supposed to be fixed in both Win 10 and 11? Is it perhaps some variant of this technique that's being used by this miner + stealer?

    https://www.bleepingcomputer.com/ne...-flaw-letting-hackers-bypass-antivirus-scans/
     
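    The "exclusion trick" discussed in the two posts above boils down to a process that already has admin rights adding its own drop folder or executable to Defender's exclusion list (Add-MpPreference -ExclusionPath / -ExclusionProcess, the Defender UI, or a direct write under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions all end up in the same place). Defender records every such change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, so the practical check is not "does the AV stop it" but "would I notice". The script below is an added example written for this page, not code from the thread or from any of the linked write-ups: it classifies constructed 5007 records, flagging exclusions in user-writable folders, process exclusions, whole-drive exclusions and tamper-style settings. The message layout ("Old value:" / "New value:" lines), the registry value names listed in PROTECTION_KILLERS and all sample paths are assumptions for the example; check them against a real event on your build before relying on them.

```python
"""Flag Defender configuration changes (Event ID 5007) that look like an exclusion bypass.

Added example. Input records are constructed dicts shaped like entries from the
Microsoft-Windows-Windows Defender/Operational log; the message text layout and the
registry value names below are assumptions, as are all paths and file names.
"""
import re
from dataclasses import dataclass

DEFENDER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender" + "\\"

# Folders a standard user can write to: an exclusion here shields a dropper, not a product.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

# Settings that switch protection off outright when set to 1 (assumed value names).
PROTECTION_KILLERS = {
    "real-time protection\\disablerealtimemonitoring",
    "real-time protection\\disablebehaviormonitoring",
    "real-time protection\\disableioavprotection",
    "real-time protection\\disableonaccessprotection",
}


@dataclass
class Finding:
    severity: str  # "high" | "medium" | "info"
    change: str    # e.g. "exclusion added (Paths)"
    target: str    # excluded path / process / extension, or setting name
    reason: str


_VALUES = re.compile(r"Old value:[ \t]*(.*?)\s*New value:[ \t]*(.*?)\s*$", re.S)


def parse_5007(message: str):
    """Return (old, new) from a 5007 message text; either side may be '' (add/remove)."""
    m = _VALUES.search(message)
    if not m:
        return None
    return m.group(1).strip(), m.group(2).strip()


def split_value(value: str):
    """'HKLM\\...\\Exclusions\\Paths\\C:\\x = 0x0' -> ('Exclusions\\Paths', 'C:\\x', '0x0')."""
    if not value.startswith(DEFENDER_KEY):
        return None
    rest = value[len(DEFENDER_KEY):]
    data = ""
    if " = " in rest:
        rest, data = rest.rsplit(" = ", 1)
    # Exclusion targets contain backslashes themselves, so match the known subkeys first.
    for prefix in ("Exclusions\\Paths\\", "Exclusions\\Processes\\", "Exclusions\\Extensions\\"):
        if rest.startswith(prefix):
            return prefix[:-1], rest[len(prefix):], data
    subkey, _, name = rest.rpartition("\\")
    return subkey, name, data


def exclusion_risk(kind: str, target: str):
    """Rate a new exclusion: whole drives, user-writable folders and processes rank highest."""
    t = target.lower().rstrip("\\")
    if kind == "Exclusions\\Paths":
        if re.fullmatch(r"[a-z]:", t) or t in ("*", ""):
            return "high", "entire drive excluded"
        if any(w in t + "\\" for w in USER_WRITABLE):
            return "high", "exclusion in a user-writable folder"
        if "*" in t:
            return "medium", "wildcard exclusion"
        return "medium", "new path exclusion"
    if kind == "Exclusions\\Processes":
        return "high", "process exclusion: files that process opens are not scanned"
    return "medium", "new extension exclusion"


def classify(event: dict):
    """Turn one log record into a Finding, or None if it is not an interesting 5007."""
    if event.get("id") != 5007:
        return None
    parsed = parse_5007(event.get("message", ""))
    if not parsed:
        return None
    old, new = parsed
    if new:
        parts = split_value(new)
        if not parts:
            return None
        kind, name, data = parts
        if kind.startswith("Exclusions\\"):
            sub = kind.split("\\")[1]
            sev, why = exclusion_risk(kind, name)
            return Finding(sev, f"exclusion added ({sub})", name, why)
        setting = f"{kind}\\{name}".lower()
        if setting in PROTECTION_KILLERS and data.lower() == "0x1":
            return Finding("high", "protection disabled", name, "tamper-style setting set to 1")
        return Finding("info", "setting changed", name, f"{setting} = {data}")
    if old:  # new side blank: something was removed
        parts = split_value(old)
        if parts and parts[0].startswith("Exclusions\\"):
            return Finding("info", "exclusion removed", parts[1], "exclusion deleted")
    return None


def scan(events):
    return [f for f in map(classify, events) if f is not None]


def _msg(old: str, new: str) -> str:
    return ("Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
            "event you should review the settings as this may be the result of malware.\r\n"
            f"\tOld value: {old}\r\n\tNew value: {new}")


# Constructed sample records; every path and name here is invented for the example.
SAMPLE_EVENTS = [
    {"id": 5007, "message": _msg("", DEFENDER_KEY + r"Exclusions\Paths\C:\Users\alice\AppData\Roaming\upd = 0x0")},
    {"id": 5007, "message": _msg("", DEFENDER_KEY + r"Exclusions\Processes\miner.exe = 0x0")},
    {"id": 5007, "message": _msg("", DEFENDER_KEY + r"Real-Time Protection\DisableRealtimeMonitoring = 0x1")},
    {"id": 5007, "message": _msg(DEFENDER_KEY + r"Exclusions\Paths\D:\Backups = 0x0", "")},
    {"id": 5007, "message": _msg("", DEFENDER_KEY + r"Real-Time Protection\DisableBehaviorMonitoring = 0x0")},
    {"id": 1116, "message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software."},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.change}: {f.target} ({f.reason})")
```

    On a live machine the same classifier can be fed from Get-WinEvent over the Operational log (or from whatever SIEM collects it); the point is that an exclusion under AppData, a process exclusion, or DisableRealtimeMonitoring flipping to 1 should page someone, while a removed exclusion or a scheduling change is just informational.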
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, there are of course more exotic WD and AV bypasses in general, I can somewhat live with that. But the recent WD bypasses were quite embarrassing.

    And about your link, it involves powershell.exe but a firewall should normally speaking block even system processes from connecting out. To me it's scarier if malware doesn't need to be downloaded in the background, but gets installed right away together with a legitimate file. Like what happened with the booby-trapped MSI Afterburner for example.
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Not by default. Not the Windows one anyway.
     
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,925
    You missed the point that such software needs to get onto the victim's computer. If it has reached it, everything before that failed a lot.
     
  8. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    Unlike in the real world, testers have the malware sitting on their Desktop.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Actually you bring up a really good and important point. @Rmus used to ask this question often, but most people don't seem interested. The first line of defense should be a person's awareness and common sense when handling email links, attachments and downloads from questionable sources such as YouTube links and torrents.
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Although you guys are absolutely correct in hoping people would be more security aware, blaming the lack of efficacy of a security application on the user reminds me of the old joke:

    Patient: "Doctor, my arm hurts when I do this"
    Doctor: "Well, don't do that"
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Agreed. If all users were capable then we wouldn't need these products at all. I am confident in my own skills but have to maintain PCs at work for folks that are less than savvy, so I need this stuff to work. I can also tell them "Well, don't do that" but it doesn't work.
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    If the end user is a reasonably effective first line of defense, then the security application doesn't have to be counted on to be infallible and peerless. I am not yet aware of an infallible and peerless security application, even the paid products. Windows Defender for the home user base is free, so you get what you pay for. I use free Defender augmented with free H_C and paid OSArmor, free ad blocker in the browser, yet I don't faithfully rely on this combination to always bail me out if I screw up handling an unknown email link or attachment, or download from a sketchy source.
     
  13. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well, I'm one of those people who doesn't respond well to lecturing and preaching to the choir. At times I need a little "brush with death" (OK, mild exaggeration) to galvanize into a better online posture.

    Somewhat recently, I downloaded a software that years ago was trusted and respected. I didn't read the dialog, just clicked thru. Next thing I know, I had a PUP in the form of Google Chrome. Not exactly "malicious" but def. unwanted. Lesson learned.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, correct, I'm using TinyWall. It blocks all apps without showing annoying alerts, except for the ones that you allow. And it also allows certain system processes like svchost.exe and stuff related to Win Update and Win Defender. Of course this approach won't work if you like to use the auto-update feature of your apps, but I think this is a bad idea anyway.

    LOL, good one.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes everyone knows this, but this hasn't got anything to do with WD being easy to bypass! That's why I also don't understand it when people say they have been using WD for years and never got infected, without giving any extra information.

    But my question to these people is, how many times has WD saved you? Most likely zero times, because of the simple fact that they have never encountered any malware. But IF you ever do encounter malware, you want to make sure that your AV isn't easy to bypass. This "exclusion bypass" trick has been around for at least 8 years, I feel so silly.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't get it, why does this matter? I have also seen someone say in this thread that malware first needs admin access. Well, that's the whole thing, if you have downloaded some app and your AV stays silent, you are going to give it admin access, otherwise it won't install.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I think I'm going to install another AV, because today WD annoyed the hell out of me. I was making a backup of my most used apps and I also removed less used apps, and WD started to scan both the recycle bin and my external SSD. Of course it slowed down the system quite a lot. These were apps that it had already seen, so it keeps scanning the same files, very annoying. :thumbd:
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Apparently WD isn't the only one easy to bypass :rolleyes:

    From a very recent post, New attacks use Mark of the Web (MoTW) Windows security feature bypass zero-day to drop malware, a quote taken from the Kaspersky link regarding the BlueNorff group:

    Underlining added by me.
     
  19. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well here: yup, zero times. To date.

    It's OK. My front-line workers of hardened Sandboxie et al. do the heavy lifting. Defender can sit back and relax: nothing is required or expected of it.

    BUT, I'd rather have an overall halfway decent antivirus at the core (which I think Defender is most of the time, just not the object of perfection it's hyped to be) than say: Panda free which was just tested on the "other forum" and did really, really badly. :eek:
     
  20. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    So the malware detects these names. But the article isn’t very clear regarding Kaspersky and Sophos bypass

    I assume it’s the point stated as “other cases” but I’m not completely sure.
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Zero for me as well. And I agree that it's halfway decent, and even has some deficiencies handling some malware as cruelsister has proven, but it's, as I've said before: "good enough for me". It's free, so I don't expect perfection. I counter that with OSA, browser ad blocker, and a dose of cyber security savvy and common sense, and of course a recent system backup image just in case.

    True, but it seems clear on the other products, and I said "apparently", so...

    Years ago I used to pay for AV solutions, but I never unexpectedly came across malware infections, so I deemed it a waste of money after WD became available for free and built in to the OS. I do pay for OSArmor, but it's only $17/year and their development and support of an excellent security solution is top shelf, so I'm more than happy to support them.
     
    Last edited: Jan 5, 2023
  22. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    I have exactly the same approach and with Macrium Reflect as backup, I feel relatively safe.:)
     
  23. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Exactly. Every product has saved me zero times. Also every product I have used has broken my PC with a bug or false positive.
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    So why bother paying top $$$ for something that protects you zero times? You might as well stick with free security solutions. Your brain is undoubtedly part of that free security solution, because you have the savvy and common sense to avoid malicious content.
     
    Last edited: Jan 7, 2023
  25. GrDukeMalden

    GrDukeMalden Registered Member

    Joined:
    Jun 16, 2016
    Posts:
    491
    Location:
    VPN city
    Hey, I see that CruelSister's video is making the rounds here.

    Nothing is infallible. I would highly recommend running at least one whitelisting application alongside MSD.

    SecureAge Catchpulse and Voodooshield play nice with MSD now. I use MBAM for a little bit of web-blocking and PUP-detection.
     