Is this real?

I stopped watching due to the tester's methodology. A normal user would not have a folder of pre-downloaded samples to run. That alone bypasses web protection and exploit protection right there.

All "testers" that do it this way are just wrong, and are just doing it to make Malwarebytes look bad for clicks and views.


2 hours ago, Porthos said:

I stopped watching due to the tester's methodology. A normal user would not have a folder of pre-downloaded samples to run. That alone bypasses web protection and exploit protection right there.

All "testers" that do it this way are just wrong, and are just doing it to make Malwarebytes look bad for clicks and views.

To be fair, independent labs like AV-TEST and AV-Comparatives use the same methodology for some of their tests.


  • Root Admin
33 minutes ago, EndangeredPootisBird said:

To be fair, independent labs like AV-TEST and AV-Comparatives use the same methodology for some of their tests.

Yes, they're still quite unrealistic, but since everyone wants to see these sorts of comparisons the AV companies try to comply and make their software do well on them if possible.

We have reached out to review the Ryuk sample used to check and see why it was missed.

Thanks


5 hours ago, AdvancedSetup said:

why it was missed.

Brilliant idea!

Also, can you tell me how an expert would do the test? Thank you very much!

8 hours ago, HexagonT said:


I am feeling a little embarrassed now. 


I remembered a quote from somebody:


"Asking a question is embarrassing for a moment, but not asking is embarrassing for a lifetime."

So it is good to ask this question!


14 minutes ago, HexagonT said:

Is this real too? This looks a lot more realistic since it uses a different method and the results are good.

https://inv.riverside.rocks/watch?v=lEiQVIP9gmg

Directly executing scripts and files from the disk is never a realistic scenario. A realistic scenario would require starting from the beginning of the attack chain, be it a drive-by-download attack, malicious macros, or exploitation of vulnerabilities; you also need to launch files from directories like network drives, file sharing folders, etc.


Why do they still use these unrealistic methods?
In an actual real scenario, my relative got Trojans and adware on her laptop but Microsoft Defender did nothing. Malwarebytes blasted them out once it got installed. :D


Antivirus software is woefully inadequate nowadays; it's exactly why the results from independent labs are so dangerous, because they cause people to think antiviruses somehow provide 100% protection, meaning they don't bother using common sense when they surf the internet or open emails.

Even the most advanced security products that the world's largest businesses use can be easily bypassed, as shown by a retired penetration tester:

https://vanmieghem.io/blueprint-for-evading-edr-in-2022/

The way forward in terms of protection is via a Default-Deny/Zero Trust approach, only allowing trusted code to run on a device while blocking anything unknown. It's exactly what I am running on my computer: Windows Defender, thanks to the tool Hard_Configurator

https://github.com/AndyFul/Hard_Configurator

I can lock down certain aspects of my system, such as blocking any script (JavaScript, Visual Basic Script, PowerShell, etc.) which can be used to bypass protection,

and with the tool ConfigureDefender

https://github.com/AndyFul/ConfigureDefender

I can configure Windows Defender to block anything unknown with the Attack Surface Reduction rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion

and the Cloud Protection Level set to "Block". I also have had no false positives as I have always stuck to trusted programs.


@AdvancedSetup

The learning curve isn't too difficult even for people with little knowledge of how the tools work, as the tools I mentioned don't require knowing everything. For Hard_Configurator you just have to allow EXE, TMP and MSI files in Whitelist By Path to allow execution of executables like .exe and .msi installers, while blocking scripts that legitimate applications very rarely require in order to work.

And for ConfigureDefender it's just setting the Cloud Protection Level to Block and setting "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" to On/Warn, the latter of which is more user friendly as it allows unblocking files via a notification from Defender.

You can also exclude files via either Windows Defender's Exclusions if it detects something legitimate as malicious, or ConfigureDefender's ASR Exclusions if the "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" rule or other ASR rules block something legitimate, which only takes like 15 seconds to do.

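The Defender part of that setup can also be applied directly from an elevated PowerShell prompt with the built-in Defender cmdlets. This is an added example, not ConfigureDefender's or Hard_Configurator's own code; it assumes ConfigureDefender's "Block" cloud level corresponds to Defender's High cloud block level, and the excluded path is a placeholder.

```powershell
# Added example: apply the Defender settings discussed above with the
# built-in Defender cmdlets (run from an elevated PowerShell prompt).
# Assumptions: ConfigureDefender's "Block" cloud level is mapped here to
# Defender's High CloudBlockLevel; the excluded path is a placeholder.

# GUID of the ASR rule "Block executable files from running unless they
# meet a prevalence, age, or trusted list criterion" (see the Microsoft
# reference linked above).
$PrevalenceRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Cloud-delivered protection has to be on for this rule to work, because
# the prevalence/age verdict comes from the cloud service.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudBlockLevel High

# Warn mode: the user can unblock a file from the Defender notification,
# the more user-friendly option mentioned above. Use 'Enabled' for a hard
# block, or 'AuditMode' to only log what the rule would have blocked.
Add-MpPreference -AttackSurfaceReductionRules_Ids $PrevalenceRule `
                 -AttackSurfaceReductionRules_Actions Warn

# ASR-only exclusion for a legitimate program the rule keeps blocking.
# Placeholder path; unlike a normal Defender exclusion this does not
# stop the antivirus engine from scanning the file.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Placeholder\LegitApp.exe'

# Verify the resulting state. Rule actions are reported numerically:
# 0 = Disabled, 1 = Enabled, 2 = AuditMode, 6 = Warn.
$pref   = Get-MpPreference
$ids    = @($pref.AttackSurfaceReductionRules_Ids)
$action = 'NotSet'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -eq $PrevalenceRule) {       # -eq is case-insensitive
        $action = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
}
[pscustomobject]@{
    CloudBlockLevel = $pref.CloudBlockLevel
    RuleAction      = $action
    AsrExclusions   = $pref.AttackSurfaceReductionOnlyExclusions
}
```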

  • Root Admin
7 minutes ago, EndangeredPootisBird said:

The learning curve isn't too difficult even for people with little knowledge of how the tools work,

Once you've supported millions of users you'll quickly change your mind on that thought. I've been doing computer support for over 30 years now and you see a lot of people that cannot even find or launch Notepad on their own. Using forum software is beyond the scope of the vast majority of users on a computer.

Anyways... no need to beat a dead horse over this

