Windows Defender Detected Threat At Boot Time ????

Win 10 x(64) Home 1803, Eset IS 11.2.49

This one is both fascinating and disturbing at the same time.

I have long theorized that Microsoft is "messing" with third party AV solutions at boot time. Noticeable by the prolonged red "X" status of WD Security Center and delay of third party AV GUI on the taskbar. Most notable is if Windows Defender is set to periodic scanning, none of the preceding occurs. Could this imply something else?

Yesterday I was doing some diagnostic testing in regards to suspected malware. WD's periodic scanning was enabled during this testing. On one of the multiple system reboots I performed that day, upon initialization of the desktop I was greeted with a WD alert that it had detected and removed malware. Err …….. what? How can that be if WD's realtime scanning is disabled by virtue of Eset being installed? Could it be that in WD periodic scanning mode, WD is actually enabled in realtime mode until the WD Security Center is fully initialized? Also does this imply that Eset's realtime protection is likewise disabled during this period? Or does it indicate that for a short period of time until the WD Security Center is fully initialized, both WD and Eset's realtime protection are enabled?

Edited by itman
  • Administrators

Do you have WD periodic scanning disabled?

After activation ESET registers in the WSC and unregisters only during uninstallation or when real-time protection is turned off. Therefore my understanding is that WD's real-time protection shouldn't kick in even if there was malware undetected by ESET running.

2 hours ago, Marcos said:

Do you have WD periodic scanning disabled?

Hum... Thought I was clear in my posting that periodic scanning was enabled when the WD alert manifested. That was the whole point of the posting: specifically, that it appears WD might be running in realtime mode until WD Security Center is fully enabled. Appears to me both are running in realtime mode until this occurs. I consider this a "plus" not a "negative" unless there is some detrimental factor to Eset, which I don't believe is the case.

The only way to know for sure would be to see if WD is also loading its ELAM driver at boot time. I will enable boot logging on tomorrow's first cold boot and see if that is the case. 

Note that with this fall's release, Win 10 will be doing just that, running in parallel with any AV that is not using the Win 10 ELAM driver.

Edited by itman
2 hours ago, Marcos said:

and unregisters only during uninstallation or when real-time protection is turned off.

Unfortunately, my prior testing has shown that is not the case. In prior tests if I disable Eset's realtime protection, I get an alert from WD Security Center about the situation but WD doesn't auto switch to realtime mode as evidenced by the WD engine not loading.

However with the WD periodic scanning option enabled and since the WD engine is already loaded, WD switches almost instantly to realtime mode and creates a reg. run key to start itself as such upon the next boot. Therefore for this reason alone, I am keeping WD periodic scanning enabled. 

Edited by itman
14 hours ago, itman said:

I will enable boot logging on tomorrow's first cold boot and see if that is the case. 

Yes indeed. With WD periodic scanning enabled at boot time, its ELAM driver is loaded at boot time. However, Eset's ELAM driver is also loaded and most importantly is loaded prior to WD's.

So I really don't see any conflict here. Also I believe my assumption that WD is actually running in realtime mode concurrently with Eset until WD Security Center fully initializes is correct.

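A way to check the two points argued over above (which AV products are registered in Windows Security Center, and which ELAM drivers are present and in what order they were loaded) from an elevated PowerShell prompt on Windows 10. This is an added example, not code from the thread, ESET or Microsoft; it assumes boot logging was enabled before the last reboot so that ntbtlog.txt exists, and reads the "real-time on" flag from the productState bit that is commonly interpreted that way.

```powershell
function Get-ElamDriver {
    # ELAM drivers are kernel services whose load-order group is "Early-Launch".
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.Group -eq 'Early-Launch' } |
        Select-Object -Property PSChildName, ImagePath, Start
}

function Get-RegisteredAntivirus {
    # Products registered in WSC. Bit 0x1000 of productState is the commonly
    # used indicator that the product reports real-time protection as on.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object -Property displayName,
            @{ Name = 'RealTimeOn'; Expression = { ($_.productState -band 0x1000) -ne 0 } }
}

function Get-ElamBootOrder {
    param([string]$BootLog = "$env:SystemRoot\ntbtlog.txt")
    if (-not (Test-Path -Path $BootLog)) {
        Write-Warning "No boot log at $BootLog. Enable boot logging (msconfig > Boot > Boot log, or 'bcdedit /set {current} bootlog yes') and reboot first."
        return
    }
    # Match boot-log entries against the ELAM drivers' image file names.
    $elamNames = Get-ElamDriver |
        ForEach-Object { [System.IO.Path]::GetFileName($_.ImagePath) }
    # ntbtlog.txt is appended on every logged boot; keep only the last boot,
    # whose section begins with a "Microsoft (R) Windows (R) Version ..." header.
    $lines = @(Get-Content -Path $BootLog)
    $start = 0
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -like 'Microsoft (R) Windows*') { $start = $i }
    }
    $position = 0
    foreach ($line in $lines[$start..($lines.Count - 1)]) {
        if ($line -notmatch '^BOOTLOG_(LOADED|NOT_LOADED)\s+(.+)$') { continue }
        $position++   # position of this driver among all logged driver entries
        $file = [System.IO.Path]::GetFileName($Matches[2].Trim())
        if ($elamNames -contains $file) {
            [pscustomobject]@{ Order = $position; Driver = $file; Status = $Matches[1] }
        }
    }
}

Get-RegisteredAntivirus | Format-Table -AutoSize
Get-ElamBootOrder | Format-Table -AutoSize
```

A lower Order value means the driver appeared earlier in the last boot's log, which is the comparison made in the post above.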
16 hours ago, itman said:

 I consider this a "plus" not a "negative" unless there is some detrimental factor to Eset which I don't believe is the case.

So, not to be too critical but, despite you considering this a plus, which it probably is, aren't you worried that it was WD that detected malware and not Eset?

Did you check to see if it was real malware or just a False Positive? What was Eset doing in that time (considering Eset has Boot time scanning and UEFI protection)?

23 minutes ago, MasterTB said:

Did you check to see if it was real malware or just a False Positive?

Actually, I did.

There was nothing related to the activity in WD's quarantine. However, that doesn't mean it wasn't just auto deleted. It was just an eye opener that WD could throw an alert at boot time considering that WD Security Center is not fully functional for a while due to Eset.

As far as Eset's boot and UEFI scanning, Eset's default scheduled scans only run after logon. You have to either create new scans for prior to logon, i.e. boot time, or change the existing default scans.

Now this is interesting.

I changed my Win 10 1803 startup options in regards to "Time to display list of OSes" and "Time to display recovery options." Previously both had been disabled. Enabled both and set appropriate time value in each setting.

Upon the next subsequent boot, Eset detected suspicious files and they were auto submitted for analysis. Note that these detections occurred at boot time. Also, they appear to be Eset related? Eset can now check its own files for suspicious behavior? Anyway, would love to know what Eset's detailed analysis found. I searched for these files on my OS installation and they don't exist. Further proof they were hidden in the boot sector perhaps?

Edited by itman