Windows Defender Is Becoming the Powerful Antivirus That Windows 10 Needs

Discussion in 'other anti-virus software' started by Secondmineboy, Jan 30, 2016.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
    As far as WD's ASR blocking execution of potentially obfuscated script execution testing goes, I believe I have found out what the issue is. For this test, I am referring back to a link I posted in reply #1492: https://www.darkoperator.com/blog/2...nder-exploit-guard-asr-obfuscated-script-rule .

    One of the tests performed by the author of the article was to use a VBS script code snippet used by the Kryptik Trojan shown in the following screen shot:

    VBS_ObF_1.png

    He then proceeded to obfuscate this code as shown in the following screen shot:

    VBS_ObF_2.png

    When I tried to create a .vbs file containing the above obfuscated code, Eset immediately detected the .vbs code snippet as malicious via its DNA signature capability and prevented the file from being created as shown in the following screen shot:

    Eset_VBS_ObF_Kryptik.png

    My test has led to the following conclusions:

    1. It is possible the obfuscated script was capable of being fully un-obfuscated by WD's use of AMSI at file creation time. If this was the case, the ASR rule to block execution of potentially obfuscated scripts would be non-applicable. The detection failure in this case was due to WD's AMSI signature detection. I believe this likelihood is high since WD's signatures are not to the standard used by other major AV vendors. If the script remained fully/partially obfuscated after file creation, you can count that as failure no. 2 of WD's real-time scanner. It should have never allowed that file to be created.

    2. At file creation time, the script after Eset's AMSI un-obfuscation processing, and regardless of obfuscation state afterwards, was detectable by Eset's DNA signatures which flagged the code snippet as malicious.

    3. The only way to fully know for sure if WD's ASR rule to block execution of potentially obfuscated scripts failed in this test is for someone using WD with the ASR rule enabled to verify the status of the .vbs file after it was created but prior to executing it. If the script is fully/partially obfuscated after file creation and executes w/o ASR rule detection, then it is a true failure of this detection capability.

    -EDIT- A question to ponder:

    Just what is a potentially obfuscated script?
    Based on my review of a Microsoft researcher's work on script un-obfuscation techniques a few years back, it appears to be some statistical probability analysis of the script based on characters used and positioning of same within the script: http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/
     
    Last edited: Dec 10, 2017
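The "statistical probability analysis" idea raised in the post above, as an added illustration that is not from the forum, the linked article or Microsoft: a small Python scorer that rates a VBScript as potentially obfuscated from character statistics plus two VBScript-specific indicators. Both sample scripts are constructed here (a harmless echo in plain and Chr()-built form), and the thresholds are illustrative assumptions, not the ASR rule's actual heuristics.

```python
import re

# Constructed sample scripts (not taken from the article or the forum post).
PLAIN_VBS = '''Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists("C:\\temp\\report.txt") Then
    WScript.Echo "report present"
End If
'''

# A harmless WScript.Echo built from character codes and run through Execute,
# the shape obfuscators commonly produce; constructed here for scoring only.
OBFUSCATED_VBS = '''Dim a:a=Chr(87)&Chr(83)&Chr(99)&Chr(114)&Chr(105)&Chr(112)&Chr(116)
a=a&Chr(46)&Chr(69)&Chr(99)&Chr(104)&Chr(111)&Chr(32)&Chr(34)&Chr(104)&Chr(105)
a=a&Chr(34):Execute(a)
'''


def script_features(text: str) -> dict:
    """Character statistics plus two VBScript-specific indicators."""
    n = max(len(text), 1)
    words = re.findall(r"[A-Za-z_]{2,}", text)
    vowelled = sum(bool(re.search(r"[aeiouAEIOU]", w)) for w in words)
    return {
        "digit_ratio": sum(ch.isdigit() for ch in text) / n,
        "symbol_ratio": sum(not ch.isalnum() and not ch.isspace() for ch in text) / n,
        # Real keywords and identifiers almost always contain vowels; Chr-soup does not.
        "vowel_word_ratio": vowelled / max(len(words), 1),
        "chr_calls": len(re.findall(r"\bChr\s*\(", text, re.I)),
        "dynamic_exec": bool(re.search(r"\b(ExecuteGlobal|Execute|Eval)\s*\(", text, re.I)),
    }


# Illustrative thresholds (assumptions), not Microsoft's ASR logic.
def obfuscation_indicators(text: str) -> list:
    """Names of the indicators that fire for this script text."""
    f = script_features(text)
    checks = [
        ("high digit density", f["digit_ratio"] > 0.15),
        ("high symbol density", f["symbol_ratio"] > 0.25),
        ("few vowelled words", f["vowel_word_ratio"] < 0.6),
        ("many Chr() calls", f["chr_calls"] >= 5),
        ("dynamic code execution", f["dynamic_exec"]),
    ]
    return [name for name, hit in checks if hit]


def is_potentially_obfuscated(text: str, min_indicators: int = 3) -> bool:
    """Flag the script when at least min_indicators of the checks fire."""
    return len(obfuscation_indicators(text)) >= min_indicators


if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_VBS), ("obfuscated", OBFUSCATED_VBS)):
        print(label, is_potentially_obfuscated(sample), obfuscation_indicators(sample))
```

A scorer like this only says a script looks obfuscated, which is exactly why the post's point stands: whether the file was still obfuscated when written to disk decides whether the ASR rule ever had anything to judge.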
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
    All blocked.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
    Here are some additional WD ASR mitigations tests. Basically a "mixed bag" as far as results go.
    https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule

    https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
     
    Last edited: Dec 11, 2017
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
    IObit Uninstaller is detected as a trojan.
     
  7. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    520
    Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses.
    Link : https://blogs.technet.microsoft.com...ivirus-and-layered-machine-learning-defenses/
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
    Hi itman.

    Whoever wants to do a test can create a simple batch file:

    echo off
    calc.exe

    upload this file on:

    http://www.filedropper.com/

    download this batch file to your HD.

    Run it.
     
    Last edited: Dec 11, 2017
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
    OK ....... First, you will get a warning from SmartScreen (I use IE11) that the file is unknown on download. You will likewise get an alert from SmartScreen when you try to run it since it has the MOTW and the publisher is unknown. All this was previously known to me and not a point of contention.

    BTW - care to elaborate a bit on this one?
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
    As far as relying on the Mark of the Web, there are a number of ways around it. I assume everyone is aware of 7-Zip archives and the like. However, there are more innovative ways around it as in this actual malware delivery example:
    https://blog.didierstevens.com/2017/04/20/malicious-documents-the-matryoshka-edition/
     
  11. Dave Russo

    Dave Russo Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    5
    Location:
    Norwalk CT. USA
    The improved Windows Defender has AV vendors really lowering their prices, at least Kaspersky. I can't believe how cheap you can buy it on eBay. I have also seen low prices for Emsisoft. Is there a panic? I think so.
     
  12. jima

    jima Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    102
    It may go like Avast free

    I have been a long time user, and in the early days people were leery about using it - but eventually it gained a reputation, and once the masses got wind of it - it became one of the most used out there.

    Likewise I believe once the masses realize that Windows Defender now offers at least as good protection as many of the others (and better than some), doesn't cost anything, and doesn't have advertisements or break the operating system, they will inevitably come to WD.

    (after all, it runs silently in the background, doesn't really need any complicated settings, and takes care of itself - just what they like)
     
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
    No problem today.
     
  14. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,044
    Are you sure it isn't some sort of Christmas discount?
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    22,685
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,355
    Location:
    USA
    That would be my assumption. This is why all of my subscriptions end this time of year.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
    I did some additional testing with ver. 1709 SmartScreen. Overall, it is a pretty good reputational scanner; better in fact than that employed in a number of third party AV scanners including Eset's. It can be bypassed but more on that later.

    First up is a clarification/confirmation on a couple of points:

    1. It does do a cloud lookup for any unknown process not included in the local black/white list.
    2. The lookup is not dependent on the file being marked with the mark of the web.

    So far, so good. Now for the bypasses. SmartScreen's mechanism for validating a 0-day unknown process is the publisher's code signing certificate. This is also its "Achilles heel." It's a known fact that malware can be validly signed; usually by hijacking/stealing a legit code signing cert.

    But there is another issue with SmartScreen in regards to its code signing signature validation processing. That is the lack of verification of the certificate itself. Recently published research found the following:
    https://acmccs.github.io/papers/p1435-kimA.pdf

    In the above scenario, it appears SmartScreen will perform validation of the cert. itself for executables but for other files, it does not.

    Next up is Matt Graeber's recent research along the same vein as the above bypass that was recently presented at DerbyCon 2017:
    https://pentestlab.blog/2017/11/06/hijacking-digital-signatures/

    Although the presentation is directed at Powershell scripts, it can also be used for executables. A bit more work is needed to make the cert. signature 100% legit and you will have to read the full article on how that is done. Also, full admin privileges are needed but as shown in recent attacks, getting those is no big deal.

    Overall though, ver. 1709 SmartScreen as a reputational scanner offers pretty good security. Just remember that nothing security-wise is or will ever be 100% malware bullet-proof. But most importantly, realize that reputational scanning is only the first line of defense in a comprehensive security solution.

    -EDIT- I will make this recommendation to Microsoft. Provide an option in SmartScreen to disable the publisher's certificate validation for unknown processes. In other words if SmartScreen classifies the process as "unknown" via reputation, generate an alert.
     
    Last edited: Dec 13, 2017
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
    In regards to the link ref. posted in reply #1515, Microsoft clarified ASR network protection. So let's examine that:
    First and foremost, note that HTTPS traffic is not being monitored. Given the huge spike in phishing and malware being delivered via HTTPS, it appears what you have here is a 50% mitigation. Also clarified is that this feature is strictly based on URL and IP address reputation. For me given this feature has a TCP/IP stack kernel level filter, it really is of marginal use. This filter does however have the potential to allow WD to monitor all inbound communication including HTTPS, if Microsoft provided a root CA store certificate to do so. With this capability, malware downloads could be signature scanned prior to ever hitting your disk storage.

    -EDIT- I just tested this and as best as I can determine, it only works if WD real-time scanning is enabled. So it can protect third party browsers but is N/A if using a third party AV solution.
     
    Last edited: Dec 14, 2017
  19. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    520
    AV-Comparatives Real-World Protection Test chart with November 2017 test and also the summary report and chart for July-November 2017 are published.

    All tests on fully patched Windows 10. 1703 Creators Update for July-October tests. 1709 Fall Creators Update for November test.

    Microsoft in November 2017 test with zero undetected samples, 4 user-dependent samples and everything else auto-blocked.
    Very, very nice. :thumb:

    Chart for November 2017 : http://chart.av-comparatives.org/chart1.php?chart=chart2&year=2017&month=11&sort=1&zoom=4

    Microsoft results for July-November 2017, where a total of 1769 malicious test cases were run, showed 1754 samples auto-blocked, 14 user dependent and only one sample undetected.
    Very, very nice. :thumb:

    Chart for July-November 2017 : http://chart.av-comparatives.org/chart1.php?chart=chart2&year=2017&month=Jul_Nov&sort=1&zoom=4

    Summary report for July-November 2017 : https://www.av-comparatives.org/wp-content/uploads/2017/12/avc_prot_2017b_en.pdf

    Also pay attention to the False Positive section of the Summary Report.

    All of Microsoft's FPs are in the "Very Low" category and only one FP in the "Low" category.
    "Very Low"-category affects fewer than a hundred users, "Low"-category affects several hundred users.
    This is very important to take notice of.

    There are products that had a fewer number of FPs in total - but some of their FPs are in "Medium" and "High" categories.
    Those products' FPs affect tens of thousands of users.

    AV-Comparatives currently only looks at the number of FPs and not the number of affected users.

    Microsoft had a total of 48 FPs during July-November 2017 testing, and even if using max values of each category - then only a few thousand users would be affected.

    I see vendors on that list that may only have had half as many FPs during July-November 2017 testing - but since they are represented in "Medium" and "High" categories, then many, many tens of thousands of users would be affected in total by vendors with such results.

    Something to keep in mind when reading the last section of the summary report, because the rating at the end of the report doesn't take this into consideration.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
    Since this has been commented upon, let's explore in further detail.

    AMTSO is a security policy and standards organization which most of the major AV vendors and AV testing labs are members of. Through mutual discussion and agreement, policies, procedures, and standards are developed which govern both what security protections should be incorporated into AV software and also by what methods AV labs should employ in testing the software. AMTSO has a detailed publication in regards to false positives here: https://www.amtso.org/download/amtso-false-positive-testing-guidelines/?wpdmdl=1136. The material is copyrighted so I can't post excerpts of it here. So I will summarize as follows.

    The standards criteria AMTSO has developed in regards to false positives covers the spectrum of "Importance versus Prevalence." Software importance covers the range of system critical processes (highest) through data file/non-executable, non-critical (lowest). Prevalence is pretty much self-explanatory; low to highly known by reputation. Overall, a false positive in a system critical low prevalent process is as bad as one for a data file/non-executable highly prevalent one. Therefore drawing any conclusion on false positive impact based solely on reputation status alone is erroneous.

    Pertaining to Windows Defender, I will say this. Personally, and I believe most Wilders forum members will agree, its current "aggressiveness" in alerting/blocking on unknown processes is a desired action. We are all "in the camp" that it is better to "err on the side of caution than to pay the price for not doing so." However, frame of reference is critical in this assumption. We have the I.T. and security technical knowledge to be able to further explore whether a false positive detection is indeed malicious or not.

    However, the average PC user does not have this background. The impact of a high false positive detection by the security product they are deploying is to lose faith in the product overall. Case in point was the previous and in many cases current instance where they have disabled SmartScreen due to the hindrance it gave them when blocking a low reputation but safe app they wanted to download. Ditto for other security features of the product they were using if it likewise impeded their browsing or other PC use experience. Finally, multiple research studies have shown that any user decision making on allow/deny execution status is undesirable since they will, in the majority of cases, make the wrong decision. Hence, AMTSO's policy in regards to false positives is that they must be avoided. In other words, zero detection is the goal and stated objective in regards to false positives.
     
    Last edited: Dec 15, 2017
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,317
    Location:
    The Netherlands
    You gotta be kidding me. I'm surprised that nobody commented on this. If WD's cloud service labeled "Bad Rabbit" as only 81.6% malicious, then there is something seriously wrong with it. Also, this finally answers my question about WD's behavior blocking abilities. Apparently it did identify Bad Rabbit as suspicious, which is cool. But after it was allowed to run, it didn't try to block any suspicious behavior, so you can definitely NOT count on Win Defender alone, you still need to combine it with a true HIPS/behavior blocker that can block stuff post-execution.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
    Appears you misread the report:
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,822
    Location:
    U.S.A.
    This needs further clarification.

    AV-C actually runs two tests in this Real World test series. The first test is a malware test and the second is a false positive test. Different samples are used in each test. In regards to the false positive test, the results are aggregated on page 11 for the test period; in this case July through November, 2017. WD wrongly blocked 10 samples with user interaction required for 38 samples. This yielded a wrongly blocked score of 29; the second highest score of all products tested. Actually, AV-C was quite generous in its wrongly blocked score by assuming only a 50% wrong response to user interaction alerts. Also as best as I can determine, AV-C did not factor into its malware detection rates a far worse user alert situation. That is when the user allows a malicious process to execute. I would have added 19 cases to the missed malware detection category overall and for the Nov. test 7 cases; half of 14 user dependent cases.

    Also no conclusions can be drawn as to app use frequency as a mitigating factor to a high false positive detection rate. It may very well be that the app is specialized and not widely used. Additionally all newly created software starts out in zero reputation state. You don't want your security software blocking it falsely until at least a few thousand like users have it occur to them. Windows Defender is not anti-exec software. Until such capability is added, it needs to lower its false positive and user interaction rates.
     
    Last edited: Dec 16, 2017
  24. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,150
    This score of 81,6 % malicious was made pre-execution, it was made in seconds.

    And you have this:

    With detonation chamber:
    14 minutes to have full default protection against zero day malware is amazing in my opinion, it shouldn't be underestimated.

    Ps: This number is even more impressive for home users.
     
    Last edited: Dec 16, 2017
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,317
    Location:
    The Netherlands
    No I didn't misread, only after a second cloud scan it labeled it as 90% malicious. For example, in some other thread I posted about Endgame being able to block it in only seconds. Even after it was allowed to run, Endgame could still block or at least interfere with most malicious actions.

    https://www.endgame.com/blog/technical-blog/falling-trap-how-endgame-platform-stops-badrabbit

    In 14 minutes a lot of bad stuff can happen, lots of files could have been stolen or encrypted. That's why I would never rely on an AV without a true behavior blocker that blocks stuff both pre and post execution. I'm not saying that it's all bad, but not good enough for me.
     