
Win 10's Windows Defender Machine Learning - Err What?


itman


It appears Microsoft is attempting to "piggyback" on the "Next Gen" security software craze by referring to the machine learning capability employed in Windows Defender when running on Win 10.

MS just published a report on this: https://blogs.technet.microsoft.com/mmpc/2017/04/20/combating-a-wave-of-java-malware-with-machine-learning-in-real-time/ on TechNet in reference to some Java based malware that arrives as a Word document .jar attachment. Throughout the article, the author makes multiple references to "machine learning" and advanced detection capability. Of note, he was careful not to mention anything in regards to "artificial intelligence" capability. So let's analyze this .jar malware.

For starters and clarification, you cannot run executable code directly from a .jar file as, for example, can be done from a .hta file. You have to create the executable code outside of the JAVA RTE and run it from the .jar file as done below:

• Get an InputStream for the file with ClassLoader.getResourceAsStream()
• Write this InputStream to the tmp dir:

   File tmp = File.createTempFile("prefix", "suffix");
   tmp.deleteOnExit();

• Execute it with Runtime.getRuntime().exec(..)

Ref.: http://stackoverflow.com/questions/11339979/how-to-execute-script-from-jar-file

The Microsoft article shows the execution of .vbs script malware. If you're on Win 10 and using an AV product such as Eset that uses the AMSI interface which Windows Defender also uses, the script would be intercepted and scanned for malware signature prior to execution.

As far as this "radical" new machine learning capability of Windows Defender, what we are talking about here is pattern matching machine learning; something AV vendors like Eset have been doing for years. I guess Microsoft is taking cues from a Next Gen vendor who makes a ruckus wherever it goes. That is, if you create enough noise, people will listen regardless of whether you are saying anything of substance.

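The AMSI interception the post mentions can be verified from the defender's side. The following PowerShell script is an added example (not part of the forum post, not Eset's or Microsoft's code): it enumerates the AMSI providers registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers, resolves each CLSID to its provider name and DLL, and reports Windows Defender's real-time and script scanning state via Get-MpComputerStatus / Get-MpPreference. It assumes Windows 10 with the Defender PowerShell module present and an elevated session.

```powershell
# Added example: list registered AMSI providers and confirm Defender script scanning.
# Assumes Windows 10, the Defender PowerShell module, and an elevated session.

function Get-AmsiProvider {
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providersKey)) {
        Write-Warning 'No AMSI provider key found; AMSI is not available on this build.'
        return
    }
    Get-ChildItem $providersKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        # The default value of the CLSID key holds the friendly provider name,
        # and InprocServer32 holds the DLL that AMSI loads for it.
        $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $dllExists = $false
        if ($dll) {
            $dllExists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll))
        }
        [pscustomobject]@{
            Clsid     = $clsid
            Name      = $name
            Dll       = $dll
            # A registered provider whose DLL is missing (or unexpected) deserves a closer look.
            DllExists = $dllExists
        }
    }
}

function Test-DefenderScriptScanning {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        # DisableScriptScanning=$true means AMSI-delivered script content is not scanned by Defender.
        ScriptScanningEnabled     = -not $pref.DisableScriptScanning
    }
}

Get-AmsiProvider | Format-Table -AutoSize
Test-DefenderScriptScanning
```

If a third-party AV (such as Eset) registers its own AMSI provider, it shows up alongside Defender's in the first table; ScriptScanningEnabled reports only Defender's own setting.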
