Differences

This shows you the differences between two versions of the page.

--- antimalware_software [2026/05/29 06:11] – ultracomfy
+++ antimalware_software [2026/05/29 17:22] (current) – ultracomfy
@@ Line 40: / Line 40: @@
 We can use this to our advantage. If we can't find anything in the program that is obviously malicious, we can just check if the program is generally similar to other programs we already know are malicious.
-The advantage to this approach is that it can get a pretty good insight into what a program may do without loading it into memory yet. This is critical because conventional malware can remain dormant on disk without causing harm; it is when it is loaded into memory (be it through the user executing it, or because of a scheduled task or through an autorun entry) that it starts doing malicious things. Analysing software without loading it into memory lets us look at the program without worrying too much.
+All of this is called //Static Analysis//. The advantage to this approach is that it can get a pretty good insight into what a program may do without loading it into memory yet. This is critical because conventional malware can remain dormant on disk without causing harm; it is when it is loaded into memory (be it through the user executing it, or because of a scheduled task or through an autorun entry) that it starts doing malicious things. Analysing software without loading it into memory lets us look at the program without risking getting infected.
 ===== 3. Sandboxing =====
-In cybersecurity terms, a sandbox refers to a protected virtual environment segmented off from the rest of the system, filled with all the sand imaginable but, ultimately, constrained to the sandbox. The box part here is the important part, as it means that nothing from inside that box can get out. Critically, this means a sandboxed program cannot access your data. This makes it perfect as a testing ground - throw a software sample in there and let it do its thing. Observe its behavior. Does it do anything scary?
+In cybersecurity terms, a sandbox refers to a protected virtual environment segmented off from the rest of the system, filled with all the sand imaginable but, ultimately, constrained to the sandbox. Basically, it's a simulated environment in which programs can freely run //as if// it was running on your machine, without actually running on your machine. Well, of course it is running "on your machine", but it's sequestered away in a protected environment. The goal of doing this is to just.. observe. If we //let// the program run, would it do anything objectionable? The sandbox offers the advantage of testing out a program without the risk of infection((Yes yes I know actually making sure your samples don't escape the sandbox is a whole different story.)).
-Static analysis is the analysis of a program as it sits on disk - statically. Static analysis is limited by programming restraints - reverse-engineering an entire program is extremely resource-intensive, if possible at all, so the insight you can gain from it is limited. But now we are working with a live sample and can observe its behavior as it unfolds. When you actually just run the program and let it do its thing, you can log virtually everything it does. The cool thing is: if it does do anything malicious, its damage remains constrained to the sandbox and all data outside of the sandbox is safe.
+Static analysis is the analysis of a program as it sits on disk - statically. Static analysis is limited by programming restraints - reverse-engineering an entire program is extremely resource-intensive, if possible at all, so the insight you can gain from it is limited. But in the sandbow we are now working with a live sample and can observe its behavior, as it unfolds. When you actually just run the program and let it do its thing, you can log virtually everything it does. The cool thing is: if it does do anything malicious, its damage remains constrained to the sandbox and all data outside of the sandbox is safe.
 Sandboxing is already a standard in smartphones. On operating systems like Android and iOS, pretty much everything on those phones runs sequestered in individual sandboxes which can barely, if at all, interact. Since all damage is always limited to the scope of an application's sandbox, there is very little damage malware can cause on those platforms. The real threats on those platforms lies in hijacking otherwise friendly apps whose sandbox contains valuable data (your browser, for example) or socially engineering the user into doing the malicious thing themselves.\\
@@ Line 52: / Line 52: @@
 Anyway, the point of sandboxing is to give a program room to do its things so we can see what it does. There is a problem though - if we sandbox every program the user wants to open, how much time do we want to sandbox before deciding that the program is OK? What if the malware is programmed to wait for a minute? This is not acceptable and makes it one of the major weaknesses of sandboxing. Additionally, lots of malware can recognize sandbox environtments, including [[Virtual Machines]], and will refuse to execute in them. This is a recognized sign in and of itself, but it still eats into the effectiveness of sandboxing as a detection tool. Of course, doing it like smartphones do - running everything in a sandbox by default instead of only using the sandbox for analysis - would still be really useful, but that is not where we are.
-The cool thing about sandboxing, though, is that it too is able to independently identify malware, even if sample wasn't previously known.
+The cool thing about sandboxing, though, is that it too is able to independently identify malware, even if sample wasn't previously known. It's yet another layer of defense.
 ===== 4. Behavioral Detection =====
-Behavioral detection is what truly distinguishes good products from terrible ones. However, it is also the hardest to get right, if you get it working at all. Of course we as humans don't care about cybersecurity in terms of software or code. As a company, what you care about is to prevent data exfiltration, not the semantics used to get there. The malware sample used to do nefarious things is just that - a sample used to do nefarious things. We don't care about the sample, we care about what it does. If you understand this, Behavioral Detection is just for you.
+Behavioral detection is what truly distinguishes good products from terrible ones. However, it is also the hardest to get right, if you get it working at all.\\
+As humans don't care about cybersecurity in terms of software or code. The ones and zeroes in play are just a means to an end. What we are really trying to stop is hackers getting ahold of your login credentials. Your company's top secret files, or perhaps encrypting all your files and demanding money for their decryption. In short, we care about what end malware is working towards, their //behavior//.
 When Signatures, Static Analysis and Sandboxing all return negative, it probably is time to let the program execute. But, behavioral detection keeps watching. If a program acts up and starts doing funny things - for example if it starts encrypting files - it will notice and shut that program down. If a program suddenly starts deleting a bunch of shit, or gives orders to another program to delete a bunch of shit - shut it down. If a program does funny things with your boot configuration, your autoruns, downloading files from the internet or uploading stuff from your PC - very suspicious. Behavioral detection is my favorite type of detection, because it addresses the exact thing that we, you and I, are ultimately talking about: the malicious action itself.
@@ Line 84: / Line 85: @@
 There is a pervasive myth that common sense plus Windows Defender are enough to keep you safe. Or that Windows Defender is as safe or safer than other products on the market. Safety, of course, is measured in risk, and the only truth here is that different combinations of precautions lead to different levels of //risk//. But still, the idea is that common sense plus Windows Defender is enough for the risk to be "low enough" for these people.
-Maybe. In fact, that’s the setup I personally rely on. But the problem is that common sense is empty advice and, for much of its history, Windows Defender was genuinely terrible. The people who say “Common Sense + Defender” today are the same people who once said “just common sense.” The only real shift is that now we’re debating Defender itself.
+Maybe. In fact, that’s the setup I personally rely on. But the problem is that common sense is empty advice and, for much of its history, Windows Defender was genuinely terrible. The people who say “Common Sense + Defender” today are the same people who once said “just common sense.”
 Defender has been a properly horrible antimalware product for the longest time. Keeping a signature list of known malware is the most basic form of antimalware and any respectable antivirus product should ace this //by default//. However, Defender consistently missed well-known, widely publicized malware, including samples that were years old. Back then, tests showed detection rates around ~70% (([[https://www.youtube.com/watch?v=iWL9cHgYfRw|The PC Security Channel - Windows Defender vs Malware in 2021]], retrieved on 29.05.2026)), while products like Kaspersky or Bitdefender hit 98%. Despite that, people insisted Defender was “good enough", indicative of a complete lack of understanding of risk management or cybersecurity.
-Now, Defender has improved. It finally catches the obvious malware, its detection rates have climbed to around 95%, and it’s become a passable baseline product. Ironically, this means that people who were wrong for years are now accidentally right, but for the wrong reasons. Their logic hasn’t improved - the facts just shifted closer to their narrative.
+Now, Defender has improved. It finally catches the obvious malware, its detection rates have climbed to around 95%, and it’s become a passable baseline product. Ironically, this means that people who were wrong for years are now accidentally right, but for the wrong reasons. Their logic hasn’t improved - the facts just shifted closer to their narrative. It's really annoying, because the people who think Defender is enough are often the same people who would never pass up an opportunity to talk about how terrible Microsoft products are. They genuinely despise Microsoft - and for good reason. But, all of the sudden, when it comes to the antivirus, they'll turn around and say that Defender is //great//, because it's an OS level antivirus. Somehow, the possibility that Defender is deeply broken and dysfunctional because, well, it's a Microsoft product, just doesn't enter their mind. And of course it doesn't, because they don't care that much about the actual protection Defender provides. In their mind, //you// are the antivirus and Defender is a nice to have. Obviously, under these conditions it really doesn't matter whether it has a 95% detection rate like it has these days, or a 60% detection rate like back in the olden days.
-Even so, Defender still has major shortcomings. Its scanning is largely signature-based, with minimal static analysis and weak behavioral detection. There’s some anti-ransomware with protected folders, but it has questionable reliability. It's actually worse - A single shell command can disable it completely, delete Defender's its signature definition files, or set the whole PC as an exception. Registry tweaks and group policy edits allow malware to bypass it. And these are //not// obscure attacks - they’re widely known in the cybersecurity community. Most of these exploits still exist and properly advanced malware //will// get through.
+And yeah, it doesn't perform well. Its detection is largely signature-based, with minimal static analysis and weak to non-existent behavioral detection. There’s some anti-ransomware with protected folders, but it is unreliable. Protected Folder Access can be bypassed by malware using a single shell command. Defender does also not provide any resistance to malware that deletes Defender's signature definition files. It is even possible for malware to just set the whole PC as an exception. Registry tweaks and group policy edits allow malware to bypass it and, worst of all, none of the attack vectors I just named require any kind of privilege escalation or user input (beyond running the malware sample of course). And finally, these are //not// obscure attacks - they’re widely known in the cybersecurity community. Most of these exploits still exist and properly advanced malware //will// get through.
+Lastly, I would like to address a point made about Defender that supposedly sets it apart from other security vendors. I am not going to explain what these terms mean and my response I meant for the kind of people who don't need these terms explained to them. Some supporters of Defender suggest that, because it is "OS level" or even "kernel level", that it makes it a more tamper resistant and potent antimalware product.
+Now, it is true that Defender is "OS level" and "kernel level", but you may be surprised to heart that this does not mean very much. Let's disregard the fact that Defender is just a poor product and is easy to tamper with, with or without OS protection. Even if it was properly programmed software that couldn't just be bypassed by well known bypasses that have been around for years... Windows offers an API that lets other antimalware register themselves as a security vendor inside of your machine. Using this integration, third party security software can get largely similar access to protections as Defender((Some keywords here are PPL and ELAM.)). However, as far as tamper protection is concerned, third party vendors have been able to protect their own resources for a long time now.
+That brings us to the "kernel level" argument for Defender. I suspect that people misunderstand what a "kernel" is and how they are treated in the real world. Any respectable antivirus product from the last two decades that offers "real-time protection" does so, in part, by scanning the memory and activities of active processes on the machine. The antivirus has kernel level access. That's part of behavioral protection, as detailed earlier. Kernel level access has been employed in endpoint protection ever since and Defender is not special by using it. This is why the whole "OS level" idea doesn't make a lot of sense anyway. When you have kernel level, you //have// OS level.