Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.
A small test:
You need to check this out. Eset detected a PUA. Upon blocking, I then get redirected to a porn web site. At least that woke me up this morning...
Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’
I wouldn't put a lot of weight on AMSI protection combined with WD. MRG did an ad hoc test a while back and WD failed miserably: https://www.mrg-effitas.com/current-state-of-malicious-powershell-script-blocking/ . The problem is WD and most of the AVs tested have issues with obfuscated scripts. It appears AMSI is effective at unpacking scripts, but if they are also obfuscated, that detection is left to the AV engine to de-obfuscate.
UBO blocks the redirect.
The problem only occurs when the browser is first opened.
The scan at VT is clean.
Absolutely none of that is correct.
The OS, interpreters, AMSI, Windows Defender and Windows Defender ATP do not work the way you claim.
Reading the blogs that the various teams write, following for example the flow of information from key PowerShell developers and keeping an eye on builds would have been great if wanting to comment on AMSI.
Allow me to quote from the article:
The above is from the blog post linked to here.
About the test you reference. Yes, MRG did a test of AMSI on Windows 10 - 1511.
Windows 10 - 1511
Windows 10 - 1607 Anniversary Update.
Windows 10 - 1703 Creators Update.
Windows 10 - 1709 Fall Creators Update.
MRG's test is of a two-year-old and four-branches-old Windows edition.
The test has ZERO value in December 2017.
Even when MRG tested a two-year-old and four-branches-old Windows edition, Windows Defender and AMSI did very well and were one of the few vendors capable of blocking tests 1 and 2.
But now fast forward to December 2017. Two years later and four Windows 10 branches later.
So much has happened with AMSI across the four branches.
So much has happened to Windows Defender and Windows Defender ATP across the four branches.
Doing your Bing or Google trip and digging up tests of antique builds, or even months-old reports of this or that finding, is worthless in today's development cycle.
With Windows-as-a-Service we have two new branches every year and 1-2 new stable public builds every month on each branch.
Forget the history books. They can't keep up with today's development pace. Always stay informed on the latest builds instead.
Show some proof to this statement. I have seen no evidence that AMSI has changed since its initial Win 10 release. I believe you are confusing this with the fact that the MS products that interface with AMSI have changed.
Microsoft states that AMSI de-obfuscates scripts. If it actually did, every AV vendor that uses the AMSI interface including WD would have been able to pass the Mimikatz tests.
So much documentation on this over the years. Much of it already in this very thread.
Furthermore a good starting point is reading the latest blog post linked to a little higher up on this page. That will highlight some of the important changes in FCU.
Here's a recently posted (i.e. last month) pen test tool to defeat AMSI, including that used in FCU: https://cobbr.io/PSAmsi-Minimizing-Obfuscation-To-Maximize-Stealth.html . As the author notes at the end of the article, AMSI itself is not sufficient and additional mitigations need to be employed.
Does the PUA / PUP Registry key work in Win8.1?
You misunderstood what Ryan Cobb writes and who he is.
Research like this from Ryan Cobb, Daniel Bohannon, Matt Graeber, Jared Haight, Lee Holmes and many more extremely talented researchers is exactly what the Microsoft blog post is about.
All of them pro-AMSI people.
Yes, it does.
(And I will not ask what you are doing back on Win 8.1, since I have seen your posts about your update nightmare elsewhere on the forum. Hope everything works out for you.)
Well, the upgrade problem isn't really it - different machine.
My little second hand laptop came with Win8.1 installed and I upgraded it immediately to Win10 for the activation, then replaced the HDD with a SSD and upped the RAM to 8GB. I just thought I'd give Win8.1 a try to see what I've been missing. After a bit of a learning curve and uninstalling most of the OEM bloat I am surprised that this machine seems to run quicker than with Win10 on the SSD. Weird!
Yes it does,
and my impression is that WD is more aggressive against PUPs than it was a few months ago.
It looks like you're not alone.
What he states is, first and foremost, that AMSI un-obfuscation methods are inadequate and can be bypassed. He states:
This is a great idea but I believe this only applies to Office apps as far as WD goes?
Does anyone ever test the Network protection feature? I activated it, but it failed when I tried to test it via the MS website.
It worked fine here last time I tested using Firefox.
When I tried, it was never blocked by WD.
Here's a few to try. Start at this post and read on.
I'm in the same boat as cupez80. The remaining functional link opens without a warning from WD (ignoring the FF warning). I've even tried in a clean VM 1709 with only this setting changed and still nothing:
Prevent users and apps from accessing dangerous websites; Enabled; Block
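When a policy change like the one above appears to do nothing, the first thing to establish is whether Defender itself reports the setting as active and whether it is writing any network-protection events at all; a clean 1709 VM with no cloud connectivity, for example, will show the setting enabled and still never block. The PowerShell below is an added example for this thread, not code from the thread, from Microsoft or from any poster; it assumes the Defender cmdlets Get-MpPreference / Set-MpPreference, that PUAProtection and EnableNetworkProtection are exposed as 0 = Disabled, 1 = Enabled, 2 = Audit, and that event IDs 1125 (audit) and 1126 (block) in the Defender operational log are the network-protection events. It also covers the PUA question a little higher up, since the same preference object reports that setting.

```powershell
# Added example (not from the thread): read Defender's effective state for the
# settings discussed here and pull recent network-protection events, so that
# "setting changed but nothing blocked" can be separated from "setting never
# took effect" or "no cloud connectivity".
# Assumptions: Windows 10 1709+ with Defender active; Get-MpPreference /
# Set-MpPreference cmdlets; event IDs 1125/1126 = network-protection audit/block.

function Get-DefenderHardeningState {
    $pref = Get-MpPreference
    [pscustomobject]@{
        # 0 = Disabled, 1 = Enabled, 2 = Audit mode (assumed encoding)
        NetworkProtection = $pref.EnableNetworkProtection
        PUAProtection     = $pref.PUAProtection
        # Network protection depends on real-time and cloud-delivered protection;
        # if either is off the rule above can be "Enabled" and still do nothing.
        RealtimeDisabled  = $pref.DisableRealtimeMonitoring
        CloudReporting    = $pref.MAPSReporting
    }
}

function Enable-DefenderHardening {
    # Use 'AuditMode' first on a fleet to see what would be blocked before
    # switching to 'Enabled' (block). Requires an elevated session.
    Set-MpPreference -EnableNetworkProtection Enabled
    Set-MpPreference -PUAProtection Enabled
}

function Get-NetworkProtectionEvents {
    param([int]$Hours = 24)
    # No events at all after a test visit means the engine never evaluated the
    # URL (feature inactive, cloud lookup unavailable or another layer such as
    # DNS filtering or SmartScreen got there first), not merely "not blocked".
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

# Usage (run as administrator):
Get-DefenderHardeningState
Get-NetworkProtectionEvents -Hours 48
```

Run the state check before and after the policy change: if NetworkProtection still reads 0 the GPO never applied (gpupdate /force and a reboot are the usual fixes), and if it reads 1 but no 1125/1126 events appear after visiting a test page, look at CloudReporting and the browser or DNS layer before concluding the feature is broken.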
As far as this link goes: http://cxoficialnet.com/home/pages/inter/ , SmartScreen will block it if you are using IE or Edge. None of those other links were functional for me. Appears my DNS provider is blocking them.
Look at this similar one: https://arstechnica.com/information...indows-defender-nscript-remote-vulnerability/