So far Defender has been the reigning champion for AV detection rates, up there with McAfee somehow. Well, today Defender comes toppling down, leaving McAfee at the top of the list. UPDATE: McAfee is actually worse than Defender. While they pick up these samples on VirusTotal, their home product does not detect these ransomware samples, and it does not prevent files in the Users folder from having their contents encrypted, which Defender does do. I can honestly say I did not see that coming when I set out to test the detection rates of AV programs.
Looking back to one of our first applications, we used a simple Python program to encrypt all the files in a folder:
As noted at the time though, this was and still is caught immediately by Defender and removed:
So what can we do to defeat this? There are a couple of methods freely available online: PyArmor, and something called development-tools.net, which spits out code that looks like this:
This cleverly uses eval() to execute a series of base64-encoded functions, but unfortunately this is still caught. PyArmor returns very obfuscated code, but it is also immediately detected and removed. So what can we do that these programs can't? Well, we actually only need to change very little. Below is my updated code, which is fully undetected by Defender. It was able to run and encrypt the contents of a folder in my test area, C:/Test:
Fortunately, the ransomware protection included with Defender does protect the Users folder, among others, from having data overwritten through this method, which is what we want to see. Next in line for testing will have to be McAfee, which, I cannot stress enough, I never thought would be the case. This is unnecessary. A quick review of McAfee's product shows their protection is far worse for home users than Defender's.