
Defeating Defender

So far Defender has been the reigning champion for AV detection rates, up there with McAfee somehow. Well, today Defender comes toppling down, leaving McAfee at the top of the list. UPDATE: McAfee is actually worse than Defender. While they pick up these samples on VirusTotal, their home product does not detect these ransomware samples, and it does not prevent files in the user's folder from having their contents encrypted, which Defender does do. I can honestly say I did not see that coming when I set out to test detection rates of AV programs.

Looking back to one of our first applications, we used a simple Python program to encrypt all the files in a folder.

As noted at the time, though, this was and still is caught immediately by Defender and removed.

So what can we do to defeat this? There are a couple of methods freely available online: PyArmor, and something called development-tools.net, which spits out heavily encoded code.

The development-tools.net output cleverly uses eval() to execute a series of base64-encoded functions, but unfortunately this is still caught. PyArmor returns very obfuscated code, but it is also immediately detected and removed. So what can we do that these programs can't? Well, we actually only need to change very little. My updated code is fully undetected by Defender; it was able to run and encrypt the contents of a folder in my test area, C:/Test.

So what did we actually change? We made almost all the variables some form of 'bleh' and encoded all the paths in base64. Due to the base64 encoding there was one additional change: we had to change the '\' in the file paths to a '/' because of some weird formatting that occurred after decoding, which would make file paths look like 'C:\\\\Test\n\r\'. Like I said, though, we didn't have to change much to make this work and be undetected. On VirusTotal, the only well-known brand that picks this up is again McAfee.
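From the defender's side, the two changes just described (renamed variables and base64-encoded paths) leave a static footprint that a file scanner can look for. The following added example, not code from this post, decodes every base64-shaped string literal in a Python source file and flags those that decode to a drive-letter path or a crypto-related name; the sample source it scans is constructed inline and is inert (it only builds strings).

```python
"""Static triage for base64-hidden paths and module names in Python source.
Added example (not from the post). The keyword list is an assumption."""
import ast
import base64
import binascii
import re

# Constructed sample in the style the post describes: renamed variables,
# paths and module names hidden behind base64. It does nothing when run.
SAMPLE_SOURCE = '''
import base64
bleh = base64.b64decode("{path}").decode()
bleh2 = base64.b64decode("{mod}").decode()
bleh3 = "hello world"
'''.format(
    path=base64.b64encode(b"C:/Test").decode(),
    mod=base64.b64encode(b"Crypto.Cipher").decode(),
)

WIN_PATH = re.compile(r"^[A-Za-z]:[\\/]")           # C:/ or C:\ prefix
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")  # plausible base64 literal
SUSPECT_WORDS = ("crypto", "cipher", "aes", "os.walk", ".encrypted")

def decode_b64_literal(text):
    """Return printable ASCII text if `text` is well-formed base64, else None."""
    if not B64_SHAPE.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

def classify(decoded):
    """Why a decoded literal is interesting, or None if it is not."""
    if WIN_PATH.match(decoded):
        return "windows-path"
    if any(w in decoded.lower() for w in SUSPECT_WORDS):
        return "suspect-keyword"
    return None

def scan_source(src):
    """Return (lineno, literal, decoded, reason) for each hidden string found."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            decoded = decode_b64_literal(node.value)
            reason = classify(decoded) if decoded is not None else None
            if reason:
                findings.append((node.lineno, node.value, decoded, reason))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, lit, dec, why in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {lit!r} -> {dec!r} [{why}]")
```

Variable renaming alone is invisible to this check, but the encoded paths and module names the post relies on are recovered directly, which is the kind of signal a static engine can add alongside its existing signatures.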
 

When I scanned this on the test VM, even after running it, Defender didn't flag it, nor did it offer ransomware protection rollback for the affected file.

Fortunately, the ransomware protection included with Defender does protect the Users folder, among others, from having data overwritten through this method, which is what we want to see. Next in line for testing will have to be McAfee, which, I cannot stress enough, I never thought would be the case. This is unnecessary. A quick review of McAfee's product shows their protection is far worse for home users than Defender's.

This post is licensed under CC BY 4.0 by the author.