
Microsoft "Ups the Bar" - Windows Defender 0-day Realtime Detection


itman


Today Microsoft announced that for Win 10 CE, all unknown processes will be scanned in Windows Defender via behavior analysis on their cloud servers. An interesting option is that scan duration is configurable to allow for more thorough scanning.

Ref.: https://blogs.technet.microsoft.com/mmpc/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/?platform=hootsuite

"Time will tell" on its overall effectiveness. But this does "up the bar" for third party AV vendors including Eset to do the same in their reputational scanners.

One problem I do see is "sleeper" malware that for example delays its execution of malicious activities for a set interval of time. Case in point is recent ransomware strains that perform like activities.

Edited by itman
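The configurable cloud-check duration mentioned in the post above corresponds to Microsoft Defender's cloud-protection preferences, which can be read and set with the Defender PowerShell module. The snippet below is an added example for this page, not code from the original poster or from Microsoft's documentation; the parameter names are real Set-MpPreference parameters, while the chosen values (Advanced MAPS reporting, High block level, the maximum 50-second extended timeout) are this example's own choices, not something the thread recommends.

```powershell
# Added example: inspect and tighten Microsoft Defender's cloud-delivered protection.
# Assumes an elevated PowerShell session on Windows 10 with the Defender module loaded.
# Parameter names are real Set-MpPreference parameters; the values are this example's choices.

function Get-DefenderCloudState {
    # Read the current preferences and expose only the cloud-related settings.
    $p = Get-MpPreference
    [pscustomobject]@{
        MAPSReporting           = $p.MAPSReporting           # 0=Disabled, 1=Basic, 2=Advanced
        SubmitSamplesConsent    = $p.SubmitSamplesConsent    # 0=AlwaysPrompt, 1=SendSafeSamples, 2=NeverSend, 3=SendAllSamples
        BlockAtFirstSeen        = -not $p.DisableBlockAtFirstSeen
        CloudBlockLevel         = $p.CloudBlockLevel         # 0=Default, 1=Moderate, 2=High, 4=HighPlus, 6=ZeroTolerance
        CloudExtendedTimeoutSec = $p.CloudExtendedTimeout    # extra seconds (0-50) a new file is held while the cloud decides
    }
}

function Set-DefenderCloudHardening {
    param(
        # Additional hold time beyond Defender's default cloud-check window; capped at 50 by Defender.
        [ValidateRange(0, 50)][int]$ExtraTimeoutSeconds = 50
    )
    # Block-at-first-sight only works when cloud reporting and sample submission are enabled.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    Set-MpPreference -DisableBlockAtFirstSeen $false
    # Raise the threshold at which the cloud service blocks a suspicious, never-before-seen file.
    Set-MpPreference -CloudBlockLevel High
    # Give the cloud analysis more time before the file is released for execution.
    Set-MpPreference -CloudExtendedTimeout $ExtraTimeoutSeconds
}

Write-Host "Before:"
Get-DefenderCloudState | Format-List
Set-DefenderCloudHardening -ExtraTimeoutSeconds 50
Write-Host "After:"
Get-DefenderCloudState | Format-List
```

The extended timeout only delays the point at which a new executable is released to run; it says nothing about what the process does after the cloud verdict is in, which is the limitation the post raises for "sleeper" samples. Behavior monitoring on the endpoint, not the pre-execution cloud check, is what covers that window.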

  • Administrators

We've been doing that for quite a long time already :) Suspicious files are sent via LiveGrid and replicated. If malware is recognized, detection is provided to all users via LiveGrid within a couple of minutes.


1 minute ago, Marcos said:

We've been doing that for quite a long time already :)

Yes, I realize that. The difference is MS is using the latest AI/Next Gen probabilistic algorithms to arrive at a "safe" decision.

Again like I said, "time will tell" on its effectiveness.


  • Administrators

As for "next-gen" products and AI, read more about ESET's standpoint on this presented by J.D. at https://forum.eset.com/topic/12303-any-deep-learning-techniques-in-eset-products.

These terms are rather buzzwords nowadays and are marketed more like an ultimate solution to malware infections. Here are some examples of new malware that emerged today and how ESET's technologies both in the product and on the backend enable us to quickly react to them and also add DNA detections. Of course, the results don't tell if a particular AV would protect against the malware on execution but ESET's detections ensure that the malware is also detected on systems where malware is not executed (e.g. gateways, mail servers, etc.) or by the online scanner or SysRescue Live:

hxxp://www.tuttXXXXXXXXXpaese.com/q.exe

hxxp://finishXXXXXXXXXXXXXXXhard.com/filesok/666.exe

hxxp://workXXXXXXXXXorme.com/get/4/icq.exe


  • Most Valued Members

MS from what I can see are just playing catch up against other vendors and not really bringing anything new to the table. Looked at a few things after they announced they will be upping the stakes with protection in the fall update.

Let's be honest, there are about 12 security patches for Office per month and at least 2 for Windows itself.

If you can't code something secure to start with, then the cleaning-up operations are going to be a bit more messy. Who's going to entrust a whole system to the master at failing in the first place?

Just don't think that having all your eggs in one basket is a good idea.


  • Administrators

Monoculture is not good in either agriculture or IT security, and diversity is needed as a security measure. Otherwise pests could spoil the entire crop easily, and it's likewise with security; if there's one pre-dominant security vendor, it's enough for attackers to focus on bypassing just one AV in order to get big profit from attacks.

Adding some fresh samples seen at VirusTotal (mainly Nymaim downloader that has been released in at least 10 variants today), now with LiveGrid detection that will change to DNA detection after the next update:

Win32_Filecoder.HydraCrypt.N.temporary\81b6309679ce392748c6300b5733bc95 - a variant of Win32/GenKryptik.APJD trojan
Win32_GenKryptik.APJY.temporary\winx_maylo_19_07_17______indstro.exe - Suspicious Object
Win32_GenKryptik.APKA.temporary\framer-1.exe - Suspicious Object
Win32_GenKryptik.APKC.temporary\infrared-76.exe - Suspicious Object
Win32_GenKryptik.APKG.temporary\megabits-04.exe - Suspicious Object
Win32_GenKryptik.APKL.temporary\output.111806120.txt - Suspicious Object


  • Most Valued Members
5 minutes ago, Marcos said:

Monoculture is not good in either agriculture or IT security, and diversity is needed as a security measure. Otherwise pests could spoil the entire crop easily, and it's likewise with security; if there's one pre-dominant security vendor, it's enough for attackers to focus on bypassing just one AV in order to get big profit from attacks.

Exactly! And something that people should take into consideration. Multiple targets are always going to be harder to hit than a single one. Plus competition always drives innovation in every industry and keeps it healthy :)


2 hours ago, Marcos said:

Of course, the results don't tell if a particular AV would protect against the malware on execution

Unfortunately, "that's the rub."

No one has to convince me that Eset has the best generic signature detection in the business. However, there is malware that is coded from scratch, and the only way it can be monitored for suspicious activities is via execution; not just initially but continuously until sufficient reputational data can be gained to deem the process safe.

As far as next gen/AI monitoring as the sole anti-malware mechanism, it is not recommended today and will not be so until enough empirical data over time has proven its effectiveness. However, other AV vendors, Symantec, Bitdefender, and Kaspersky to name a few, are using it currently as supplemental detection against unknown processes in exactly the same way as Windows Defender is on Win 10 CE.


  • Administrators
1 minute ago, itman said:

However, there are malware that are coded from scratch and the only way those can be monitored for suspicious activities is via execution.

If somebody creates malware intended to be used in a targeted attack, I assume they most likely already know what security software the victim uses and what weaknesses it has so that they can focus on how to bypass even behavior blocker or sandbox upon execution.


28 minutes ago, Marcos said:

If somebody creates malware intended to be used in a targeted attack, I assume they most likely already know what security software the victim uses and what weaknesses it has so that they can focus on how to bypass even behavior blocker or sandbox upon execution.

More likely, they would instead try to bypass the AV protection, either by not running the malware itself or by disabling the AV protection. On the latter point, Eset has that well covered on Win 10.

We'll have to see how this recent Windows Defender feature plays out. There is already active discussion on the various security forums that based on recent AV lab tests alone, many are seriously considering or are "dumping" their paid third party AV solutions for WD. This "plays nicely" strategy-wise for them since many of those folks are presently using a paid anti-exec solution such as AppGuard.

Edited by itman