Deceptive Bytes found detection issues in Microsoft’s Windows Defender

Symantec’s Endpoint Protection is not the only anti-malware engine with detection problems, as we stated before.

We have also found issues in Microsoft’s Windows Defender engine, which has shipped with Windows since Vista (as an anti-spyware tool at first, and as a full anti-malware engine since Windows 8).

Test-case: Microsoft Windows Defender

Let’s look at Windows Defender and the cases where it failed to detect potential threats.

Malicious macros

In the first example, Windows Defender blocked our attempt to download Pafish-Macro, the malicious-document demonstration by JoeSecurity.

As the video shows, if you create a new document containing the same macro code that was blocked at download time, the new document runs the macro without any restriction.

Had this been a real malicious document, it could have reached the machine by other means (email attachment, USB drive, network share, and so on) and done its damage without Defender interfering. Note that Defender’s macro-specific controls, the attack surface reduction rules that stop Office from spawning child processes or calling Win32 APIs from a macro, are not enabled by default; a document opened locally is governed by those settings, not by the download-time scan.

Pafish demo

In the second example, we used the original Pafish, another well-known demonstration program of malware behavior and evasion techniques (similar to Al-Khaser from our previous post on Symantec Endpoint Protection 14).

As the video shows, the behavior mirrored the Pafish-Macro case: Microsoft Edge blocked the download through its SmartScreen technology, but the executable itself was allowed to run uninterrupted. SmartScreen is a URL and file reputation check applied at download time, not the anti-malware engine inspecting the file’s contents, so a file that arrives by any other path never meets it.

This shows that even when Microsoft’s systems already know about a threat, they may still fail to block it, and the same threat can get in by other means.

Source code

In the third example, we used a C source file written for Linux. Windows Defender flags the file as malicious even though, in source form, it cannot do any damage on its own: it would first have to be compiled, even with the Windows Subsystem for Linux (which runs Linux binaries on Windows) installed.

As you can see, changing the file while keeping its functionality yields a file that is no longer detected.

This suggests the detection is a static signature over the file’s contents, so polymorphic code, which threat actors routinely use to avoid detection, can bypass the engine.
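What the macro and source-code cases have in common is that a detection keyed to one file’s exact bytes does not carry over to a functionally identical copy. The following added example (ours, not the post’s and not Defender’s logic) makes that concrete with a toy scanner over a constructed, benign C sample: a byte-string signature that matches the original misses a cosmetically rewritten variant, while a signature over a normalized token stream (comments dropped, identifiers canonicalized, adjacent string literals merged) matches both. The sample sources, both signatures and the API watch-list are made up for the illustration.

```python
import hashlib
import re

# Constructed, benign sample standing in for the Linux-only C source the post
# describes (it is not the file Deceptive Bytes tested). It only execs /bin/sh.
ORIGINAL_C = r'''
#include <unistd.h>

int main(void) {
    char *args[] = {"/bin/sh", "-c", "id", (char *)0};
    return execv("/bin/sh", args);
}
'''

# The same program after behaviour-preserving edits: renamed identifiers, an
# added comment, reflowed whitespace and a split string literal ("/bin" "/sh"
# is concatenated by the compiler). This is the kind of change a file-level
# rewrite, or polymorphic malware, makes between copies.
VARIANT_C = r'''
#include <unistd.h>
/* nothing to see here */
int main(void)
{
    char *v[] = { "/bin" "/sh", "-c", "id", (char *) 0 };  // argv
    return execv( "/bin" "/sh" , v );
}
'''

# Brittle signature: an exact byte string, as a hash- or string-based engine uses.
BYTE_SIGNATURE = b'execv("/bin/sh"'

# Robust signature: a sequence of normalized tokens (watched API, "(", string).
NORMALIZED_SIGNATURE = [("api", "execv"), ("punct", "("), ("string", "/bin/sh")]

C_KEYWORDS = {"int", "char", "void", "return", "if", "else", "for", "while"}
WATCHED_APIS = {"execv", "execve", "execl", "system", "popen", "fork"}  # assumed watch-list

TOKEN_RE = re.compile(r'''
    (?P<comment>//[^\n]*|/\*.*?\*/)   |   # line or block comment
    (?P<string>"(?:\\.|[^"\\])*")     |   # string literal
    (?P<ident>[A-Za-z_]\w*)           |   # identifier or keyword
    (?P<number>\d+)                   |   # integer literal
    (?P<punct>[^\s\w])                    # any other single character
''', re.VERBOSE | re.DOTALL)


def byte_signature_hit(source: str, signature: bytes = BYTE_SIGNATURE) -> bool:
    """Exact substring match on the raw bytes, which any cosmetic edit defeats."""
    return signature in source.encode()


def normalize(source: str) -> list:
    """Tokenize C source into a canonical form: comments dropped, adjacent
    string literals merged, non-keyword identifiers replaced by a placeholder
    (so renames do not matter) except for a watch-list of sensitive APIs."""
    tokens = []
    for m in TOKEN_RE.finditer(source):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue
        if kind == "string":
            text = text[1:-1]
            if tokens and tokens[-1][0] == "string":
                tokens[-1] = ("string", tokens[-1][1] + text)  # "/bin" "/sh" -> "/bin/sh"
            else:
                tokens.append(("string", text))
        elif kind == "ident":
            if text in C_KEYWORDS:
                tokens.append(("kw", text))
            elif text in WATCHED_APIS:
                tokens.append(("api", text))
            else:
                tokens.append(("ident", "ID"))
        else:
            tokens.append((kind, text))
    return tokens


def normalized_signature_hit(source: str, signature=NORMALIZED_SIGNATURE) -> bool:
    """Match the token-sequence signature anywhere in the normalized stream."""
    toks = normalize(source)
    n = len(signature)
    return any(toks[i:i + n] == signature for i in range(len(toks) - n + 1))


def compare(original: str = ORIGINAL_C, variant: str = VARIANT_C) -> dict:
    """Run both detection styles over both files and report what each sees."""
    return {
        "hash_changed": hashlib.sha256(original.encode()).digest()
                        != hashlib.sha256(variant.encode()).digest(),
        "byte_sig": {"original": byte_signature_hit(original),
                     "variant": byte_signature_hit(variant)},
        "normalized_sig": {"original": normalized_signature_hit(original),
                           "variant": normalized_signature_hit(variant)},
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result}")
```

The practical check this suggests for anyone writing or evaluating signatures: exercise a rule against a few behaviour-preserving mutations of the sample (renames, comments, whitespace, literal splitting) before trusting it, because a rule that only survives the exact bytes it was written from is a hash with extra steps.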

Microsoft’s response

Microsoft’s response was not what we anticipated. In our first attempt they appear to have addressed only the Pafish-related issues, stating that blocking the download with SmartScreen is the intended behavior, and ignored the rest of the reported issues.

In the second attempt (with Pafish left out of the report), they gave no new or relevant response, only a repeat of the first one.

Conclusion

Traditional anti-malware products, even when infused with machine learning and AI capabilities, are not enough to fight today’s and tomorrow’s threats.

In the next post we’ll reveal some of the tricks threat actors use when creating malware, and why endpoint deception is far better equipped to tackle the malware epidemic.