[+] Wayc0de's Blog[+]

02/10/11

Windows 8 anti-virus has a long way to go

[Image: Windows 8 logo]

When Microsoft unveiled the Developer Preview of Windows 8 two weeks ago, one of the items to get the most attention was its included unmanaged anti-virus solution.

I was interested in what capabilities it might have and how it would present itself to users who stumble across something malicious.

Naturally I installed it on a virtual machine and to a spare disk on a full workstation in my lab. What to test first?
If there is one thing guaranteed to be safe and still be an effective test it would be EICAR.

According to the EICAR website the EICAR test file allows someone to safely trigger a "virus incident in order to test their corporate procedures, or of showing others in the organisation what they would see if they were hit by a virus."
That's perfect. I need a detection, but I prefer not to handle live malware. Safely testing live malware samples is scary dangerous.

There are some very thorough testing organizations that can evaluate protection much more effectively than most home grown testing operations.
That is why we always use EICAR, as every (or so I thought!) anti-virus and security product will detect EICAR to allow for safe testing.

I first tried to download the EICAR test file from eicar.org using Internet Explorer 10. IE informed me that this was a malicious download and would not allow me to save it. Pass!
I then opened Notepad and pasted in the 68 magical bytes, chose Save As and named it EICAR.COM. It showed up in my Explorer window with no complaints.

I then tried to click the file and it vanished!? No warning, no messages logged in Event Viewer (that I could find). Fail! EICAR should always cause an alert...
So I tried another test and inserted a USB memory stick with EICAR.COM preloaded onto it. When I tried to copy the file from the USB stick to the Documents folder it did so without complaint.

If I tried to run EICAR.COM it gave an error, which is expected as EICAR is a DOS program and cannot execute on Windows 8, but I *should* get a virus warning, shouldn't I?

[Image: Windows 8 accessing EICAR without detection]

I was very confused and began to wonder whether Windows 8 really had anti-virus at this point.

I took one of my virtual machines into our lab to test it against a few samples to see what would happen.

All of the samples were between six and twelve months old, so nothing bleeding edge here. I tested Mac, Linux and Windows malware to see if it had cross-platform capabilities as well.

[Image: Windows 8 anti-virus detection]

The result? It captured about 50% of the malware samples I threw at it. Clearly there is a lot of work to be done with regard to detection.

It did successfully pick up quite a few fake anti-virus samples for Mac and Windows, as well as some copies of Linux/RST-B.

It also recorded some events under the Windows Defender category in Event Viewer for the detections it alerted me to.

[Image: Windows Defender event log on Windows 8]
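The manual check described above (copy EICAR.COM into Documents, see whether it survives, then look in Event Viewer for Windows Defender detection events) can be turned into a repeatable script. The PowerShell below is an added example, not code from the original post or from Microsoft. It assumes you already have a copy of the EICAR test file (downloaded from eicar.org, as in the post) at the path you pass as -SourcePath, and it assumes the Defender event log name and event IDs 1116 (malware detected) and 1117 (action taken) used by current Windows Defender builds; a preview build may log differently, which is exactly what the script helps you find out.

```powershell
# Added example (not from the original post): replay the EICAR copy test and
# the Event Viewer check as one repeatable script.
# Assumptions: -SourcePath points at an EICAR.COM you already obtained; the log
# name and event IDs below are those of current Windows Defender builds.
param(
    [Parameter(Mandatory = $true)]
    [string]$SourcePath,                                   # existing EICAR.COM
    [string]$TargetDir = [Environment]::GetFolderPath('MyDocuments'),
    [int]$WaitSeconds = 15                                 # time for real-time protection to act
)

$logName   = 'Microsoft-Windows-Windows Defender/Operational'
$detectIds = 1116, 1117   # 1116 = malware detected, 1117 = action taken (assumed IDs)
$start     = Get-Date
$target    = Join-Path $TargetDir 'EICAR.COM'

# Sanity check on the source file: the published EICAR test file is exactly 68 bytes.
$len = (Get-Item -LiteralPath $SourcePath).Length
if ($len -ne 68) {
    Write-Warning "Source is $len bytes, not the 68-byte EICAR test file; the result may be meaningless."
}

# Step 1: the copy-to-Documents test from the post. A blocked copy shows up as
# a non-terminating error, which leaves $? set to $false.
Copy-Item -LiteralPath $SourcePath -Destination $target -ErrorAction SilentlyContinue
$copySucceeded = $?

# Step 2: give real-time protection time to react, then see if the file survived.
Start-Sleep -Seconds $WaitSeconds
$stillPresent = Test-Path -LiteralPath $target

# Step 3: look for Defender detection events logged since the test started.
# Get-WinEvent throws when nothing matches the filter; treat that as zero events.
$events = @()
try {
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = $logName
        Id        = $detectIds
        StartTime = $start
    } -ErrorAction Stop)
} catch {
    $events = @()
}

# Step 4: classify. The post's "fail" case is: file vanished AND nothing logged.
if ($events.Count -gt 0) {
    $verdict = 'PASS: detection event logged'
} elseif (-not $copySucceeded -or -not $stillPresent) {
    $verdict = 'FAIL: file blocked or removed silently, nothing logged'
} else {
    $verdict = 'FAIL: file left in place, nothing logged'
}

[pscustomobject]@{
    CopyBlocked      = -not $copySucceeded
    FileStillPresent = $stillPresent
    DetectionEvents  = $events.Count
    Verdict          = $verdict
}

# Clean up the test file if the product left it in place.
if ($stillPresent) { Remove-Item -LiteralPath $target -ErrorAction SilentlyContinue }
```

Run it as `.\Test-EicarDetection.ps1 -SourcePath D:\EICAR.COM` (name and path are placeholders). A healthy product yields either a blocked copy or a removed file together with at least one detection event; the silent-vanish outcome the post describes is the combination the script flags as a failure, because a removal that leaves no log entry gives an administrator nothing to investigate.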

This is an early preview and I am sure many improvements are planned. It's good to see Microsoft is detecting malicious software for the three major platforms.
Microsoft does need to fix the detection of EICAR. The way things work currently will only encourage people to take unnecessary risks with real malware samples for testing.

If you are testing Windows 8 on a live network, I would recommend you install a third-party anti-virus program as well. While Windows Defender caught some samples, it isn't ready for prime time yet.

Have an opinion on Windows 8? Why not answer our poll to see where you fit in with other Naked Security readers?
