Windows Defender Sandbox Test vs Malware

Video Statistics and Information

Reddit Comments

I'm sceptical only because their YouTube channel sells AV programs on their website

👍 5 | u/Trip_2 | Jan 13 2020 | replies

Every legitimate testing lab currently rates Defender on par with Bitdefender, Kaspersky, and Norton. I use Defender with Malwarebytes Premium and would not go back to a paid AV.

👍 1 | u/skywalker505 | Jan 13 2020 | replies
Captions
Hello and welcome to The PC Security Channel. It's finally time for one of the most anticipated videos of the year: revisiting Windows Defender, but there's an additional catch this time. We'll be testing it with the sandbox. This is a change that was first introduced in October 2018, primarily, I think, to protect Windows Defender against exploitation by malware, because there have been attacks in the past where malware has managed to get past the self-defence, and this is primarily a response to that. But what it also claims to be able to do is isolate applications that you run in the AppContainer, thereby limiting their effects on the rest of the system. Now, I've been waiting for this to be enabled by default in any Windows release, but I don't think that has happened yet, but we're gonna do it anyway. I already have it enabled on this system and you can do it on yours; you just have to run a simple command in PowerShell. This is what you want to be typing; to disable, you just use 0 instead of 1. Now, once you have it enabled, this is what it should look like, and I'll show you that on this system that is indeed the case. So we have the Antimalware Service Executable, which is the primary process, it's running at SYSTEM level, and then we have the AppContainer. Both of these combined seem to take between maybe 160 megabytes to, I'd like to say, maybe 250, which I think is perfectly reasonable, and today we'll finally get to see it in action against malware.

Other than that, Windows has been doing a lot of stuff with its malware signatures lately; they've outsourced it to a lot of companies. There's more on this later, but for now what you need to know is that they've been adding a lot more signatures than before, so we should see the detection ratio go up. I will show you that everything is up to date; as you can see, the last check was just a few minutes ago, and now we're ready for the test. But wait, Windows Defender hasn't exactly had a great track record at TPSC. I think it's never managed a clean sheet so far in this test. Obviously we're not testing it in the default configuration; we're testing it in the ultra-secure mode with the sandbox, but I still think that might not be enough. So you know what, in order to give it some encouragement, I'm actually giving Windows Defender an unfair advantage that I don't give any other product, which is to actually have its wallpaper on the system. Maybe it's nervous, maybe it doesn't feel at home at TPSC; I just wanted to make it feel comfortable. So there you have it, you have the nice Microsoft logo, it's shining, it's shining on our tools, it'll be shining on the malware soon. Hopefully that's gonna be enough to protect our system.

Now I'm going to follow standard procedure. For those of you who are not familiar with the TPSC test, the way I usually run these is I turn the product off for a second just so I can grab my malware. Don't worry, this is only temporary; I will actually enable it before we execute anything. It's just to give me a window of time to be able to grab my malware without it interfering. So in this folder I have, I think, 1,581 items. All of this is fresh malware; I collected it a few minutes ago. As you can see there's tons of stuff here, and I've actually renamed the files differently after some of the concerns that you guys raised in the last video, so we're no longer using malware1, 2, 3 and so on; we're actually using just the SHA-1 hash of each of these files as the file name, which is just good research practice anyway. Now of course I'm not going to be executing these one by one, so we have a script that's going to automate all of that. It's on the desktop, and all I have to do is run it with Python and that's going to launch it. As you can see, we have a check in place here just to make sure that real-time protection is turned on, so that is exactly what I'm going to do, and now I'm going to say yes and it should start executing the malware. I will open Task Manager just so you can see the resource usage in real time. We're just sorting by highest CPU activity; as you can see it is Windows Defender here, Antimalware Service Executable. Interestingly, there are two processes and they both seem to be at similar CPU activity.

So far the test seems to be progressing all right, but it's fairly slow in comparison to a lot of the other products that I test. Of course that's not significant; it just tells you how it deals with the malware. Maybe Windows Defender does more in-depth analysis before it quarantines stuff. But the proactive detection, interestingly, is sitting at 88%, which is quite low. We'll see if that goes up as the test progresses. We do have some processes that have already managed to successfully execute; this is where the sandbox is going to be tested. We'll see if that is able to contain the damage or if malware is able to run riot. windf.exe, interesting, malware is already masquerading as Windows Defender, and that was not intentional. Uh-oh, we have cascading I/O errors. This reminds me of Windows XP again; those were the good old days. There was no Windows Defender back then and I guess there isn't one now, at least not one that can stop this. Look at that, oh my goodness, this is actually so much fun, I'm not gonna lie. I don't get to see this kind of action on a daily basis anymore; usually it's just boring threats, financial malware, no good old wreck-the-system stuff. This one's good, we've got a nice waterfall over here. Again, we'll see if there's any permanent damage from this or if this is just gonna go away on restart. But it's also interesting to note that we're only at 6% and the system is completely slowed down. Hopefully it's not going to crash; that is my worst fear, that we will not be able to complete the test. Again, that's one of the issues I've had with Windows Defender in the past, which is part of why I don't have a solid proactive detection rate for it like I do for most of the other products. It's just because I haven't been able to complete a test from start to finish, because the system dies somewhere in between. I'm really hoping that today that's not going to happen and we'll be able to get to 100% and then do our analysis.

I'm not sure if you guys saw that, but there were actually a couple of interesting alerts popped up by the AV on my main system, which is connected to the virtual machine of course, and we do have a shared folder that this VM can access. So there were a couple of VBS scripts. It's just something interesting to note that this is how malware can spread: it isn't always because someone on the computer itself goes on the network and does something. Sometimes it's just that there's one infected computer, let's say in the entire enterprise or in your home network or in a school or whatever, and it creates infected copies in the network drives for the other computers, and that's how the infection spreads. Sometimes it can be tricked into some kind of an autorun situation, sometimes it's just accidental execution. There are a lot of ways in which malware can propagate between computers. Of course, these days attacks are much more targeted, but keep in mind the targeted attacks do attempt to infect other computers in specific organizations, so even though they might not be generalized to the entire public, if one of the machines in your enterprise gets infected you're in a very high-risk situation. So you want to have your policies in such a way that you can isolate systems when that happens; that's why it's really important to have good security practices across the board. [Music]

Okay, so it looks like for some reason the test stopped abruptly at 77%, but at the moment the proactive detection is sitting at 92.56%. I think this is what we'll have to go by for the final numbers, because the test was incredibly slow, and I know it's becoming a bit of a cliché, but this literally took forever. Luckily for you, future Leo will put you in fast-forward mode. But let's see what the state of the system is. I don't think we need a lot of second opinions to figure that out; honestly, it doesn't look very nice to me. If we take a look at our data, it's actually being encrypted. Let's try and open it, see if it's actually gone or if it's just renamed. No, it's actually gone. So before encryption this would say something like "your files are safe, if you can read this nothing has been encrypted", but as you can see that has been overwritten with a ransom message, so we have active ransomware on the system. What else have we got? Something happened to our cascading waterfall, that's a bit of a shame. Now I think I'm going to restart the system and get into full analysis mode: run CCleaner, delete the files on the desktop (not the new files, obviously, but the files I dragged in, in the Classified folder), and after that, once we've cleaned out the temp files, we'll start doing our second-opinion scans and let's see what they tell us. The last trick that Windows Defender might have up its sleeve is the sandbox, so maybe if I restart the system a lot of the malware is gonna go away. But here's the thing: my data has already been encrypted, so I don't think that worked out. We'll see if any of the other damage is mitigated or if this is a full-blown infected system with all sorts of startup items; we'll just have to wait and find out.

Okay, so the sandbox didn't prevent stuff from starting up by default, that's for sure. Okay, so we're still detecting malware. It's funny because I got this alert a long time ago as well: "Windows Defender is still removing threats". I'm gonna try and delete the Classified folder. Needless to say, this is a complete mess: "threats found, start actions". Okay, so I can't even delete the folder of malware. Again, if you're new to The PC Security Channel and you haven't seen a lot of my tests, this is not how it usually goes. I would strongly recommend that you watch some of the other videos I've done recently for some context, because I use the exact same procedure for all the products that I test, it's the same script, same number of files, and usually it's not this hard. You know things are bad when you have to type explorer.exe to open File Explorer just to be able to navigate somewhere in your system, and you know things are worse when even that doesn't work. Okay, the system just black-screened. Task Manager is still running and Windows Explorer is taking up all the resources. There's only one thing left to do and that is reset the system again. Okay, managing expectations now: I'll be happy if it starts up and if I can do my second-opinion scans. At this point, if I can just do the second-opinion scans, I'm really happy.

All right, let's go: second-opinion scanners, HitmanPro, Norton Power Eraser. I'm not gonna do Malwarebytes because it takes a lot longer, and I have a feeling we might not need a lot of second opinions to tell us what's going on on this system. Okay, interestingly, Norton Power Eraser can't even finish the scan because its definitions were corrupt; maybe the viruses are messing with it actively. But we did manage to get HitmanPro to complete, so we'll just take a look at that. It seems we have a lot of things running at startup; all of this is active malware. Active malware in ProgramData, we have a new drivers folder and a new services folder, a lot of DLLs, a lot of active stuff in Temp, an "update" in Roaming, Trojan malware. This looks like it's some kind of cryptocurrency miner. More active malware: bin.exe running from AppData\Roaming, an AppLaunch .exe, tons and tons of random-name services, tasks.exe, that's a good one, SystemPropertiesPerformance.exe, and a folder just created in my Users. We still have one file in Classified that we cannot delete because it is active: CloudExperienceHostBroker. Now there's another interesting thing I noticed: I think the malware infected OneDrive and a lot of the stuff associated with it, so I was getting some weird pop-ups from that, and then the pictures seemed to be overwritten with .exe. This is interesting; this is not very common behaviour. Even the icons weren't spared. If we keep going, more images that have been converted to .exe, inside Chrome, it's all over the place really. I mean, nothing got spared. I'm surprised the system's even running at this stage. And this one we saw pop up a few times, a Java Update .exe.

So overall, this is essentially the polar opposite of what I like to call a clean sheet. We didn't even get to finish the scans; I guess it just gave up because it was taking too long. But yeah, those are the final results. It's quite incredible considering we had cloud-delivered protection, tamper protection, all of this enabled and active. It's almost like real-time protection didn't even work. Well, it did; it did block a good 91% of the malware, but the other 9%, which is a pretty significant number given the number of samples we tried, just completely ran over the system like a bulldozer. So I'm curious to hear your thoughts on this. I'm well aware that Windows Defender has got some good results in other lab tests recently, but what you see is what you get with The PC Security Channel. I just do the tests live on video and I comment on what I see, and based on what I see, these are not very good results. I'm curious to find out why. As far as I can guess, and keep in mind I'm not in any way, shape or form involved with the building of Windows Defender, so I have no idea how this works, but I'm just guessing that the problems we're seeing have more to do with the way it's engineered rather than just the fact that it's missing files. I think there's something more important going on; maybe the protection is too reactive, I'm not sure. But if you work at Microsoft or you're part of the core development team and you think you might know why, I'm more than happy to assist in any way I can. And I know some of you at this point are probably questioning the test and the test method, but again, what you need to keep in mind about that is this is not an isolated test. I run dozens of tests just like this, and not all products seem to react the same way, and even if they did, that would be a problem.

Now for the extended segment, which I almost forgot. I'm gonna switch to the clean system from the previous snapshot and I'll show you a couple of things. Okay, so what I was supposed to show you was a few files that are detected by Windows Defender in isolation on VirusTotal, when they're not detected by any other AV engine; there are some examples of false positives. But it seems like they've removed those, so I'll just tell you about what I've been noticing. So one of the things you might be thinking when it comes to Windows Defender is that it's exclusively maintained by Microsoft, and that is actually not true. The malware analysis, reverse engineering, adding signatures, stuff like that, is actually outsourced to a lot of software consultancies, many of which are in India. How do I know this? Funnily enough, one of my friends actually works in one of those companies. Now, recently Windows has been adding a lot of machine learning to their process; I think they mentioned that there's a next-gen AV in that article I showed you earlier. They've been hitting a lot of false positives, similar to what you see a lot of the AI engines hit. Of course they're manually whitelisting at a pretty good pace; as you can see here, this is no longer detected, but at some point this was actually detected by Microsoft, I think it was detected by some kind of ransom signature. But the point is, on one hand it's great that Microsoft has a lot more people working on it than just people at Microsoft, but what that also means is that signature quality isn't particularly very good. And the worst thing is, I trusted you, I gave you your own wallpaper and you couldn't even keep it for the whole test; it was replaced by ransomware at some point, so that is definitely sad. Again, I'm more than open if you're someone on the Windows Defender team and you're watching this; feel free to reach out, I'm happy to help in any way possible. Thank you all so much for watching, it's been a pleasure. Don't forget to like and share the video if you enjoyed it, subscribe to The PC Security Channel to stay on top of cyber security. This is Leo, and as always, stay informed, stay secure. [Music]
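The transcript describes three pre-flight steps without showing them: the PowerShell toggle for the Defender sandbox (1 to enable, 0 to disable), the check that the sandboxed AppContainer process is actually running beside the Antimalware Service Executable, the script's check that real-time protection is on before any sample is detonated, and naming samples by their SHA-1 hash. The following is an added example in PowerShell, not code from the video or from Microsoft. It relies on the machine-level MP_FORCE_USE_SANDBOX environment variable Microsoft documented for this feature and on the process names MsMpEng.exe (the service) and MsMpEngCP.exe (the sandboxed content process); the function names and the sample-folder path are assumptions made for this example.

```powershell
# Added example, not from the video. Run from an elevated PowerShell prompt inside the test VM.
# MP_FORCE_USE_SANDBOX is the machine environment variable Microsoft documented for the
# Defender sandbox (1 = on, 0 = off); MsMpEng.exe is the service, MsMpEngCP.exe the sandboxed
# content process. Function names and the sample folder path below are assumptions.

function Set-DefenderSandbox {
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action)
    $value = if ($Action -eq 'Enable') { '1' } else { '0' }
    # Same effect as: setx /M MP_FORCE_USE_SANDBOX 1   (Defender picks it up after a restart)
    [Environment]::SetEnvironmentVariable('MP_FORCE_USE_SANDBOX', $value, 'Machine')
    "MP_FORCE_USE_SANDBOX=$value set at machine scope; restart for Defender to pick it up."
}

function Get-DefenderSandboxState {
    # The content process only exists while the sandbox is active, so its presence is the check.
    # Working-set totals let you compare against the ~160-250 MB the video reports.
    $engine  = @(Get-Process -Name 'MsMpEng'   -ErrorAction SilentlyContinue)
    $content = @(Get-Process -Name 'MsMpEngCP' -ErrorAction SilentlyContinue)
    $toMB = {
        param($procs)
        if ($procs.Count) { [math]::Round(($procs | Measure-Object WorkingSet64 -Sum).Sum / 1MB) } else { 0 }
    }
    [pscustomobject]@{
        EngineRunning  = $engine.Count -gt 0
        SandboxRunning = $content.Count -gt 0
        EngineMB       = & $toMB $engine
        SandboxMB      = & $toMB $content
    }
}

function Test-DefenderReady {
    # The pre-flight check before detonating anything: real-time protection on, signatures fresh.
    # With tamper protection on, Set-MpPreference cannot switch real-time protection off, so the
    # "turn it off to copy samples in" step has to be done through the Windows Security UI instead.
    $s      = Get-MpComputerStatus
    $sigAge = (Get-Date) - $s.AntivirusSignatureLastUpdated
    if (-not $s.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is OFF; not starting.' }
    if ($sigAge.TotalHours -gt 24)          { Write-Warning "Signatures are $([int]$sigAge.TotalHours)h old." }
    return [bool]($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled)
}

function Rename-SampleToSha1 {
    # Name every sample by its SHA-1 (upper-case hex, no extension) so a hit in the log or on
    # VirusTotal can be tied back to the file. Two copies of the same sample hash to the same name,
    # so the duplicate is removed instead of renamed. Returns the number of files left in the folder.
    param([Parameter(Mandatory)][string]$Folder)
    foreach ($f in Get-ChildItem -LiteralPath $Folder -File) {
        $hash   = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA1).Hash
        $target = Join-Path $Folder $hash
        if ($f.FullName -eq $target)        { continue }                                   # already named
        if (Test-Path -LiteralPath $target) { Remove-Item -LiteralPath $f.FullName; continue }  # duplicate
        Rename-Item -LiteralPath $f.FullName -NewName $hash
    }
    (Get-ChildItem -LiteralPath $Folder -File).Count
}

# Typical order: Set-DefenderSandbox -Action Enable, reboot, then verify and prepare the samples.
Get-DefenderSandboxState | Format-List
$samples = Join-Path $env:USERPROFILE 'Desktop\Classified'     # assumed location of the sample folder
$count   = Rename-SampleToSha1 -Folder $samples
if (Test-DefenderReady) { "Defender ready; $count samples named by SHA-1. OK to start the run." }
```

Get-DefenderSandboxState is the quick way to confirm the toggle took effect after the reboot: if SandboxRunning is false, the run is testing Defender without the sandbox regardless of what the variable says. Test-DefenderReady returns a boolean rather than just printing, so the detonation script can refuse to start on it; the signature-age warning reflects the "last check a few minutes ago" the video shows before starting.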
Info
Channel: The PC Security Channel
Views: 315,199
Rating: 4.8809128 out of 5
Keywords: TPSC, The PC Security Channel, security, cybersecurity, Internet Security, test, malware, detection, AntiMalware, tutorial, virus, trojan, PUP, Ransomware, finance, antivirus, review, free, 2019, backup, protection, Windows Defender, Windows Defender Sandbox, Microsoft Windows Defender, Windows Defender best antivirus, Windows Defender Test vs Malware, Windows Defender TPSC Test, Windows Defender Review, Windows 10, Does Windows 10 need Antivirus?, Windows 10 Security Test, Windows Defender Antivirus
Id: sE-xdb9hTqY
Length: 19min 54sec (1194 seconds)
Published: Fri Aug 23 2019