
This topic is now archived and is closed to further replies.

MartinPe

Can ESET also take advantage of Microsoft AV sandboxing?


ESET has leveraged self-defense for ages, which is not the case with Defender, so MS obviously had to eventually address the Achilles heel.


Microsoft security propaganda grows exponentially with each passing day.

Only Microsoft would publish along the lines that its WD sandboxing feature is something "revolutionary" in the security industry. Whereas in fact, it is a patch to correct WD's abysmal lack of self-protection as @Marcos stated previously. Additionally, its current status environmental variable implementation "hack" can be easily disabled by malware.


Actually my answer was not accurate since self-defense protects the AV itself as well as crucial system processes. However, an isolated scanner prevents potential (i.e. not yet known) vulnerabilities in the AV itself from being exploited. This is crucial because AVs run with highest system privileges and exploiting vulnerabilities would give attackers highest privileges to do further malicious operations on a compromised system.

As I've read, the sandbox feature is disabled by default in Defender. This is understandable since it will likely have an adverse effect on performance.
I'm also glad to inform you that we should add support for isolated scanning relatively soon as well, hopefully with negligible impact on performance which, however, takes a lot of time.


I will also note that AppContainer sandboxing does not guarantee that the sandbox cannot be bypassed, as illustrated in this Edge example:

A Link to System Privilege

Quote

A successful Pwn of Microsoft Edge consists of two essential parts: Browser RCE (Remote Code Execution) and browser sandbox bypass. Browser RCE is typically achieved by exploiting a JavaScript vulnerability, while browser sandbox bypass can be achieved in different ways: logical sandbox escape or EoP (Escalation of Privilege) through kernel vulnerabilities.

Sandbox of Microsoft Edge is built upon the access check mechanism. In the Windows operating system, resources are shared system-wide; for example, a file or device can be shared across different processes. Some resources contain sensitive information, and some others are critical to the whole system's well-functioning, so corruption of those resources will crash the whole system. For those reasons, there should be strict checks when a process wants to access a specific resource; this is called access check. When a resource is opened, the token of the subject process will be checked against the security descriptor of the object resource. Access check consists of several elementary checks in different dimensions, such as ownership and group membership check, privileges check, integrity level and trust level check, capabilities check, etc. The previous generation sandbox is based on integrity level check, where the sandboxed application runs in low integrity level, thus it cannot access resources protected by medium or higher integrity level. Microsoft Edge adopts a new generation sandbox based on AppContainer, where an additional capabilities check will be conducted when accessing resources, besides the basic integrity level check. For more details about the access check mechanism, refer to my talk at ZeroNights 2015: Did You Get Your Token?

The most common approach of a sandbox bypass is EoP through kernel vulnerabilities, with DKOM (Direct Kernel Object Manipulation) on token objects.

https://keenlab.tencent.com/en/2016/11/18/A-Link-to-System-Privilege/

2 hours ago, Marcos said:

Actually my answer was not accurate since self-defense protects the AV itself as well as crucial system processes. However, an isolated scanner prevents potential (i.e. not yet known) vulnerabilities in the AV itself from being exploited. This is crucial because AVs run with highest system privileges and exploiting vulnerabilities would give attackers highest privileges to do further malicious operations on a compromised system.

As I've read, the sandbox feature is disabled by default in Defender. This is understandable since it will likely have an adverse effect on performance.
I'm also glad to inform you that we should add support for isolated scanning relatively soon as well, hopefully with negligible impact on performance which, however, takes a lot of time.

Cool. 

On 11/2/2018 at 9:55 AM, itman said:

Microsoft security propaganda grows exponentially with each passing day.

Propaganda or not, Windows Defender (from Microsoft) scored 100% on latest AV Comparatives, while ESET only 98.5%.

9 minutes ago, novice said:

Propaganda or not, Windows Defender (from Microsoft) scored 100% on latest AV Comparatives, while ESET only 98.5%.

I still don't get it, and you never answered me! Why do you pay for an antivirus while you think there's another better one and it's free?!

You keep believing/saying Defender is better, so why don't you use it?

BTW, the same tests say the number 1 product has 100% performance, so please try what 100% performance looks like; I don't need to say the product name.


@novice we kindly ask you to stop trolling. You were already warned before and we won't tolerate such behavior any more. If you don't like ESET and think that Windows Defender is better for you, you have the right to use it instead of ESET.

23 minutes ago, Marcos said:

@novice we kindly ask you to stop trolling. You were already warned before and we won't tolerate such behavior any more. If you don't like ESET and think that Windows Defender is better for you, you have the right to use it instead of ESET.

It is not about liking or disliking ESET, but comments from a senior contributor, like "Microsoft security propaganda grows exponentially with each passing day", when in fact Defender from Microsoft performed better than ESET in the last 12 months in various third party tests, should be sanctioned by you.

5 minutes ago, novice said:

It is not about liking or disliking ESET, but comments from a senior contributor,

The problem, my man, is you're fixated on AV lab tests as being the "ultimate authority" in security product capability. You seem to forget they are nothing more than just that …. tests. And many of those "tests" are currently being closely scrutinized by the security community for impartiality.

To add to my "propaganda" comment in regards to Microsoft: no other security vendor has close to the financial resources, and the resultant influence those resources can gain, that Microsoft has.

17 minutes ago, novice said:

It is not about liking or disliking ESET, but comments from a senior contributor, like "Microsoft security propaganda grows exponentially with each passing day", when in fact Defender from Microsoft performed better than ESET in the last 12 months in various third party tests, should be sanctioned by you.

itman, I am talking about decency here....

15 minutes ago, novice said:

I am talking about decency here....

That's a moral concept. Business ethics is for all practical purposes today some archaic concept delegated to the dung heap.

11 minutes ago, itman said:

That's a moral concept. Business ethics is for all practical purposes today some archaic concept

Then so be it: let's continue blabbering about how ESET is the best thing since sliced bread and how the rest are using "propaganda" to justify their existence...

On 11/2/2018 at 9:55 AM, itman said:

Microsoft security propaganda grows exponentially with each passing day.

Only Microsoft would publish along the lines that its WD sandboxing feature is something "revolutionary" in the security industry. Whereas in fact, it is a patch to correct WD's abysmal lack of self-protection as @Marcos stated previously. Additionally, its current status environmental variable implementation "hack" can be easily disabled by malware.

Well... no, even a guy from Google is praising this move publicly. WD is no longer the laughing stock like before. They get 100% detection, but at the cost of false positives. If I wanted to use the best month over month of best protection, I would be using Bitdefender. But I stick with Eset; even at 98% each month it's pretty incredible with no FP. It's blazing fast, very low footprint compared to Bitdefender and I don't get annoyed like Bitdefender or WD with Protected Folders active when I do Delphi (yes I still use Delphi) programming. All that at a very competitive price.

Small companies like Eset are working harder with fewer resources compared to Bitdefender with their 500 million customers.

10 hours ago, MartinPe said:

Well... no, even a guy from Google is praising this move publicly. WD is no longer the laughing stock like before. They get 100% detection, but at the cost of false positives. If I wanted to use the best month over month of best protection, I would be using Bitdefender. But I stick with Eset; even at 98% each month it's pretty incredible with no FP. It's blazing fast, very low footprint compared to Bitdefender and I don't get annoyed like Bitdefender or WD with Protected Folders active when I do Delphi (yes I still use Delphi) programming. All that at a very competitive price.

Small companies like Eset are working harder with fewer resources compared to Bitdefender with their 500 million customers.

But still WD can be disabled by adding a registry key to Windows, and then Windows Defender will stop working and give you a message that it's controlled by your System Administrator and that you need to contact the Sys Admin so you can run Defender again, while it's only disabled by a registry key.

I've been using ESET for a very long time. I used to use Norton back in 2005-6, so I know what a resource-hungry AV can do to your PC; that's when I switched to NOD32 and never left, because it never failed me with its lightness and detection. Even though it doesn't score 100% like the free AVs in comparisons, I still prefer ESET over anything else, and I do know that if an AV got 100% it doesn't mean that it will protect me against everything in the wild.

So I prefer to stick with ESET, even though all of the other AVs are now not that much dependent on resources and are also light, but I'm just used to ESET after years of usage.

And also I hate the amount of false positives that WD will throw at you, and I still don't believe that Windows Defender is able to defend itself.

Just google "Your Virus & threat protection is managed by your organization" and see how many results like this you get. This is the message Windows Defender shows when it's disabled by a registry key, whether it was malware or the user that disabled it, and generally it's disabled by typing this in an administrator CMD:

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware

But still, if the malware is smart enough, it will deny your removal, or it will re-install the key, unless you remove the malware first.

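A defender-side check for the behaviour described in the post above, as an added example that is not part of the original thread: it scans registry-change events for writes to the DisableAntiSpyware policy value and marks a write that follows a removal as a re-install. The record layout (modeled on Sysmon registry event IDs 12 and 13), the sample events and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Policy value named in the post above; the record layout below is an assumption
# modeled on Sysmon registry events (12 = create/delete, 13 = value set).
TARGET = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"
REASSERT_WINDOW = timedelta(minutes=10)  # hypothetical tuning value

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 13, "time": "2018-11-05 10:00:01", "type": "SetValue",
     "image": r"C:\Users\demo\AppData\Local\Temp\upd.exe",
     "target": TARGET, "details": "DWORD (0x00000001)"},
    {"id": 12, "time": "2018-11-05 10:05:00", "type": "DeleteValue",
     "image": r"C:\Windows\System32\reg.exe", "target": TARGET, "details": ""},
    {"id": 13, "time": "2018-11-05 10:05:02", "type": "SetValue",
     "image": r"C:\Users\demo\AppData\Local\Temp\upd.exe",
     "target": TARGET, "details": "DWORD (0x00000001)"},
    {"id": 13, "time": "2018-11-05 10:06:00", "type": "SetValue",
     "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\SOFTWARE\Demo\Setting", "details": "DWORD (0x00000001)"},
]


def dword(details):
    """Parse 'DWORD (0x00000001)' into an int; None for anything else."""
    if details.startswith("DWORD (") and details.endswith(")"):
        return int(details[7:-1], 16)
    return None


def find_tampering(events):
    """Return (time, image, finding) tuples for the Defender policy value."""
    findings, last_delete = [], None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["target"].lower() != TARGET.lower():
            continue
        when = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        if ev["id"] == 12 and ev["type"] == "DeleteValue":
            last_delete = when
        elif ev["id"] == 13 and dword(ev["details"]):
            # A non-zero write turns the policy on, which turns Defender off.
            kind = "policy-disable"
            if last_delete and when - last_delete <= REASSERT_WINDOW:
                kind = "reasserted-after-removal"  # the re-install case
            findings.append((ev["time"], ev["image"], kind))
    return findings


if __name__ == "__main__":
    for row in find_tampering(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

The process that rewrites the value right after a removal is the one to investigate first, since the post notes the key comes back until that process is gone.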

Another disturbing trend in AV lab testing in regards to WD is its not running with default settings. This is after the fact evidence of Microsoft's "influence" over the labs.

First, a bit of supplementary information about most AV realtime tests. The majority of AV labs do not penalize for false positives on these tests. The labs do penalize for them on their more advanced "full spectrum" tests that are performed less frequently.

I know of at least two AV labs that have modified WD's "block at first sight" option to run at the highest, or maximum protection level, on their realtime tests. With this setting, WD will block almost all unknown processes. This setting also significantly raises the number of false positives by WD.

Starting "to get the big picture" folks of what is going on?

Next is the most recent SE Labs realtime test where WD tied both Eset and Symantec for second place standings. You have to dig in to the Appendix section of the test report to find that WD was using the recently introduced WD plug-in for Chrome; the browser selected for the test. This plug-in is for all practical purposes the same as the SmartScreen option that is auto enabled in both IE11 and Edge. The problem here is this is not a default configuration for Chrome. The user must first know the option exists and then, configure Chrome to use the plug-in.  Again, we see evidence of Microsoft's "influence" against this lab.

Starting "to get the big picture" folks of what is going on?

7 hours ago, itman said:

Another disturbing trend in AV lab testing in regards to WD is its not running with default settings. This is after the fact evidence of Microsoft's "influence" over the labs.

First, a bit of supplementary information about most AV realtime tests. The majority of AV labs do not penalize for false positives on these tests. The labs do penalize for them on their more advanced "full spectrum" tests that are performed less frequently.

I know of at least two AV labs that have modified WD's "block at first sight" option to run at the highest, or maximum protection level, on their realtime tests. With this setting, WD will block almost all unknown processes. This setting also significantly raises the number of false positives by WD.

Starting "to get the big picture" folks of what is going on?

Next is the most recent SE Labs realtime test where WD tied both Eset and Symantec for second place standings. You have to dig in to the Appendix section of the test report to find that WD was using the recently introduced WD plug-in for Chrome; the browser selected for the test. This plug-in is for all practical purposes the same as the SmartScreen option that is auto enabled in both IE11 and Edge. The problem here is this is not a default configuration for Chrome. The user must first know the option exists and then, configure Chrome to use the plug-in.  Again, we see evidence of Microsoft's "influence" against this lab.

Starting "to get the big picture" folks of what is going on?

[Image: falsealarms.png]

Screenshot taken from Malware Tests September 2018 AV-Comparatives

https://www.av-comparatives.org/tests/malware-protection-test-september-2018/

It's funny when the AV relies more on the cloud than on the local virus database, so on a PC without internet some AVs fail to do their job because they rely on the cloud.

[Image: falsepoistive.png]

Screenshot is taken from False Alarm Test

https://www.av-comparatives.org/tests/false-alarm-test-september-2018/

44 minutes ago, Rami said:

It's funny when the AV relies more on the cloud than on the local virus database, so on a PC without internet some AVs fail to do their job because they rely on the cloud.

As evidenced by Panda and TrendMicro offline detection rates which are heavily cloud based solutions.

What might puzzle some is WD's 78.6% offline detection rate. No surprise here in that WD's signatures are not on par with the other major vendors. WD's block at first sight uses the cloud. Also SmartScreen which is WD's blacklist detection only updates periodically and also goes to the cloud for most recent updates. Add to this SmartScreen is most effective against phishing and substandard on everything else. I have used it on IE11 for years and can count on one hand the number of alerts I ever received from it. Non-browser based Win 10 native SmartScreen runs as an unprotected medium integrity process and as such, can be easily disabled by malware. At least now, the kernel will detect this and restart it but malware only needs microseconds to run itself. 

Bottom line is offline protection capability is extremely important since the first thing any decent malware will do is to try to tamper with your network settings.


Getting back on topic, one noted security researcher has strongly hinted that a bypass of WD's sandbox is possible. He also issued a call to penetration testers to do just that. Now it's just a matter of time, not long I suspect, that we will have a bypass POC to review:

Quote

Don't run the sandbox as the SYSTEM user would be a good start :-D In all seriousness this is good work on the sandbox but running under SYSTEM risks hitting bad coding patterns which only check the authentication ID, for example the exploit for https://bugs.chromium.org/p/project-zero/issues/detail?id=1439 https://twitter.com/epakskape/status/1055909122057457664 

James

https://twitter.com/tiraniddo/status/1059680151330525185
