Randy Treit (MSFT) on 10 seconds

Background

What is 10 seconds to you?

In a blog post, Microsoft's Randy Treit describes the time limits Microsoft places on itself to identify, classify and block malware it has never seen before: by default a suspicious file is held for 10 seconds while the cloud service reaches a verdict.

Windows Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware

Link

For cybercriminals, speed is the name of the game. It takes newly released malware an average of just four hours to achieve its goal—steal financial information, extort money, or cause widespread damage. In a recent report, the Federal Trade Commission (FTC) said that cybercriminals will use hacked or stolen information within nine minutes of posting in underground forums. Stopping new malware in real-time is more critical than ever.

Approximately 96% of all malware files detected and blocked by Windows Defender Antivirus (Windows Defender AV) are observed only once on a single computer, demonstrating the polymorphic and targeted nature of modern attacks, and the fragmented state of the threat landscape. Hence, blocking malware at first sight is a critical protection capability.

To fight the speed, scale, and complexity of threats, we work to continually enhance Windows Defender AV and other security features built into Windows 10. In our white paper “The evolution of malware prevention” we discussed our advanced, predictive approach to protecting customers from threats that they face today, as well as those that will emerge in the future.

This blog continues that discussion and provides the first detailed account of one way we improve our capability to stop never-before-seen malware with new enhancements to the Windows Defender Antivirus cloud protection service.

In Windows 10 Creators Update, the Windows Defender AV client uploads suspicious files to the cloud protection service for rapid analysis. Our ability to make a swift assessment of new and unknown files allows us to protect customers from malware the first time we see it.

We have built these enhancements on the next-gen security technologies enabling Windows Defender AV to automatically block most new, never-before-seen threats at first sight using the following methods:

  • Lightweight client-based machine learning models, blocking new and unknown malware
  • Local behavioral analysis, stopping file-based and file-less attacks
  • High-precision antivirus, detecting common malware through generic and heuristic techniques

In relatively rare cases, when Windows Defender AV needs additional intelligence to verify the intent of a suspicious file, it sends metadata to the cloud protection service, which can determine whether the file is safe or malicious within milliseconds using the following techniques:

  • Precise cloud-based machine learning models that can make an accurate assessment based on signals from the client
  • Microsoft Intelligent Security Graph that monitors threat data from a vast network of sensors

In rarer cases still, when Windows Defender AV cloud protection service is unable to reach a conclusive verdict based on metadata, it can request the potential malware sample for further inspection.

In Windows 10 Creators Update, the Windows Defender AV client uploads suspicious files to the cloud protection service for rapid analysis. While waiting for a verdict, the Windows Defender AV client maintains a lock on the dubious files, preventing possible malicious behavior. The Windows Defender AV client then takes action based on the verdict. For example, if the cloud protection service determines the file as malicious, it blocks the file from running, providing instant protection.

Windows Defender Antivirus instant protection from the cloud

Instant protection at work: A few seconds can make a lot of difference in protection

In a recent real-life example, a Windows 10 Home customer was tricked into downloading a new variant of the Ransom:Win32/Spora family of ransomware.

The malware was disguised as a font file with the name “Chrome font.exe”. It was hosted on an online learning website that had been compromised by an attacker, who attempted to trick people into downloading the malware using a social engineering tactic described by Proofpoint in this blog. In this scheme targeting Chrome users, legitimate websites were compromised to open a pop-up window indicating “The ‘HoeflerText’ font wasn’t found”, requiring a supposed update to fix. The customer clicked the “Update” button in the pop-up window, which downloaded the Spora ransomware variant.

The customer’s Windows Defender AV client routinely scanned the file using on-box rules and definitions. Since it had not encountered the file before, Windows Defender AV did not detect it as malicious; however, it recognized the file’s suspicious characteristics, so it temporarily prevented the file from running. The client sent a query to the Windows Defender AV cloud protection service, which used machine-learning-powered cloud rules to confirm that the file was likely malware needing further investigation.

Within 312 milliseconds, the cloud protection service returned an initial assessment. It then instructed the client to send a sample and to continue locking the file until a more definite verdict was given.

In about two seconds, the client finished uploading the sample. By default, it’s set to wait for up to 10 seconds to hear back from the cloud protection service before letting such suspicious files run.

As soon as the sample was uploaded, a backend file-processing system analyzed the sample. A multi-class machine learning classifier determined there was more than a 95% chance that the file was malicious. The cloud protection service created a signature, which it sent back to the client. All of this happened in just five seconds.

One second later, the Windows Defender AV client applied the cloud signature and quarantined the malware. It reported the results back to the cloud service; from that point on, this file was automatically blocked, protecting all Windows PC customers.

From the time Windows Defender AV uploaded the sample, the cloud protection service returned the malware signature in just five seconds, as shown by these actual timestamps:

2017-04-20 03:53:21 – Cloud protection service received query from Windows Defender AV client
2017-04-20 03:53:21 – Cloud protection service assessed it hadn't seen the file and that it was suspicious, so it requested a sample and to keep locking the file
2017-04-20 03:53:23 – Sample finished uploading
2017-04-20 03:53:28 – Cloud protection service determined file as malware, generated signature, and sent that back to client
2017-04-20 03:53:29 – Windows Defender AV client notified that it successfully detected and removed the malware

Stay protected with Windows 10 Creators Update

Our many years of in-depth research into malware, cyberattacks, and cybercriminal operations give us insight into how threats continue to evolve and attempt to slip past security solutions. Guided by expert threat researchers, we use data science, machine learning, automation, and behavioral analysis to improve our detection solutions continuously.

In Windows 10 Creators Update, we rolled out important updates to Windows Defender Antivirus, which uses cloud protection service that delivers real-time protection against threats. With these enhancements, we show our commitment to providing unparalleled real-time defense against modern attacks.

Our ability to make a swift assessment of new and unknown files allows us to protect even would-be patient zero against attacks. More importantly, we use this intelligence to protect the rest of our customers, who may encounter these malware in subsequent attacks or similar threats in other cybercriminal campaigns.

Cloud-based protection is enabled in Windows Defender AV by default. To check that it’s running, launch the Windows Defender Security Center. Go to Settings > Virus & threat protection settings, and make sure that Cloud-based protection and Automatic sample submission are both turned On.

In enterprise environments, cloud protection service can be managed using Group Policy or via the Windows Defender Security Center app.

When enabled, Windows Defender AV locks a suspicious file for 10 seconds by default, while it queries the Windows Defender AV cloud protection service. Administrators can configure Windows Defender AV to extend the timeout period up to one minute to give the cloud service time to perform even more analysis and apply additional techniques to detect new malware.

As the threat landscape continues to move towards more sophisticated attacks and malware campaigns that can achieve their goals in hours instead of days, it is critical to be able to respond to new attacks in real-time. With Windows 10 Creators Update and the investments we’ve made in cloud protection service, we’re able to detect brand new threat families within seconds, protect “patient zero”, and disrupt new malware campaigns before they start.

Randy Treit

Senior Program Manager, Windows Defender Engineering
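The settings the post describes (cloud-based protection, automatic sample submission, the 10-second lock and the administrator-configurable extension to one minute) can be audited and set from PowerShell. The block below is an added example, not code from Microsoft's post: it uses the Defender module's Get-MpPreference / Set-MpPreference cmdlets that ship with Windows 10; the function names are mine, and the Policies registry key is only tested for presence, since a Group Policy setting overrides anything Set-MpPreference writes. Run it from an elevated prompt.

```powershell
# Added example (not from the Microsoft post): audit the Windows Defender AV cloud
# protection settings and raise the cloud block timeout to the one-minute maximum.

function Get-CloudProtectionStatus {
    $p = Get-MpPreference
    [pscustomobject]@{
        CloudProtection  = $p.MAPSReporting          # 0 = off, 1 = basic, 2 = advanced (the Security Center toggle sets 2)
        SampleSubmission = $p.SubmitSamplesConsent   # 0 = always prompt, 1 = send safe samples, 2 = never send, 3 = send all
        CloudBlockLevel  = $p.CloudBlockLevel        # 0 = default, 2 = high, 4 = high+, 6 = zero tolerance
        ExtraLockSeconds = $p.CloudExtendedTimeout   # 0-50 s added to the default 10 s lock (absent on pre-Creators builds)
        TotalLockSeconds = 10 + [int]$p.CloudExtendedTimeout
        PolicyManaged    = Test-Path -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'  # GPO wins over Set-MpPreference
    }
}

function Test-BlockAtFirstSightReady {
    # The cloud path in the post needs cloud lookups on and samples allowed to leave
    # the machine without a prompt (send safe samples, or send all samples).
    $s = Get-CloudProtectionStatus
    return (($s.CloudProtection -eq 2) -and ($s.SampleSubmission -in @(1, 3)))
}

function Enable-CloudProtection {
    # Extension is 0-50 seconds on top of the 10-second default, i.e. up to one minute total.
    param([ValidateRange(0, 50)][int]$ExtraLockSeconds = 50)
    Set-MpPreference -MAPSReporting Advanced `
                     -SubmitSamplesConsent SendSafeSamples `
                     -CloudExtendedTimeout $ExtraLockSeconds
    Get-CloudProtectionStatus
}

Get-CloudProtectionStatus
if (-not (Test-BlockAtFirstSightReady)) { Enable-CloudProtection }
```

Two things to keep in mind: the longer lock is visible to the user as a program that does not start for up to a minute when it is a genuinely new file, so the extension is a trade-off rather than a free improvement; and if PolicyManaged is true, change the Group Policy objects rather than the preferences, because the cmdlet call will appear to succeed while the policy value stays in effect.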

Anti Virus – Free and Inexpensive AV for Windows Server

Background

These days the top-tier antivirus tools are free for desktop computers.

Server

As vendors have to make money somehow, they usually charge a bit for server products, and more for corporate deployment and management.

Here are some products that, according to each vendor's own system requirements, can be run on servers dating back to Windows Server 2003.

Vendor    Product                                Supported OS (per vendor)                                                              Price
Avast     Avast For Business Endpoint Security   Windows XP/Vista/7/8/8.1/10 (32/64-bit); Windows Server 2003, 2008, 2012/R2, 2016      $31.99/year (Product Link)
Comodo    Comodo Cloud Antivirus                 Windows XP (32-bit), 7/8/8.1/10 (32 and 64-bit)                                        Free (Product Link)
Immunet   Immunet                                Windows XP, Vista, 7, 8, 10; Windows Server 2003, 2008, 2012                           Free (Link)
Panda     Panda Free Antivirus                   (not listed)                                                                          Free (Link)

Note that only the Avast and Immunet rows list a Windows Server edition; Comodo Cloud Antivirus lists desktop editions only and the Panda row lists none, so check the vendor's system requirements (referenced below) before putting either on a server.

References

Vendors

  1. Avast
    • Avast For Business Endpoint Security – PC and server
      • Security Features
        Link
      • System Requirements
        Link
  2. Comodo
    • Introduction to Comodo Cloud Antivirus
      Link
    • System Requirements
      Link
    • Download
      Link
  3. Panda
    • Operating System
      • What are the minimum installation requirements for Panda Security for Desktops?
        Link
    • Cloud Cleaner
      Link

Blogs

  1. Solvps
    • Top 3 Free Antivirus Compatible with Windows Server or VPS (Updated 2017)
      Link

RansomWare – Support.com-techsupport513.com

Background

Playing around with Chrome earlier today, I ran into this RansomWare.

Chrome

Textual:


** STOP: 0x0000007E (0xFFFFFFFFFC000000047, 0xFFFFFF800002EB5B48)
Serious security threats have been detected on your computer. Your personal photos, credit card information and passwords may be compromised.

It is highly recommended you do NOT continue using your computer until you've contacted an official technician. Your IP 10.0.1.4 may be under attack.

Please call this number as soon as possible.
CALL 855-464-6657 (PRESS 1)
An official technician will help you remove any adware/spyware on your computer.

Image:

supportCropped

Firefox

The same page appears in Mozilla Firefox, but it is not nearly as imposing, as the dialog box is not modal and one can close the tab.

Site

The URL of the site that was menacing me was support.com-techsupport513.com

What the page shows is a browser-based tech support scam rather than file-encrypting ransomware: the "STOP" error text, the IP address and the phone number are all rendered by the web page itself, and nothing on the page indicates that anything was installed or encrypted. Closing the tab or the browser without calling the number is the whole remedy; the steps below are about getting past the dialog that keeps you from doing that.

Immediate Help

Chrome

Chrome Task Manager

Here is how to close the offending tab.

  1. In Chrome, try to open Chrome's Task Manager by pressing the Shift-Esc key combination
  2. In our case, that key combination was already in use by the "Intel Management and Security Software". More later on configuring the Intel tool to use an alternate key combination
  3. If you are able to bring up Chrome's Task Manager, it might not be visible, or it may quickly be overlaid by the scam page. If so, rearrange your windows and look for it
  4. Another way of reaching Chrome's Task Manager is to launch a new Chrome window altogether and open the Task Manager from there
    • One of the many good things about Chrome is that its Task Manager lists all open tabs, not just the ones in the current window
    • But the chances of being able to launch a new Chrome window are slim, as the message box is modal across all Chrome windows
  5. If you are able to access the Task Manager
    • Select the "Tab: Security Warning" row
    • Once the offending tab is selected, click the "End Process" button

Task Manager – Google Chrome

taskmanager-SecurityWarning

Brute Force Kill

If you are unable to access Chrome's Task Manager and close the specific tab, I suggest that you use Windows Task Manager and kill Chrome's processes.

Though one can use Microsoft Spy++ to identify the window handle, convert the owning process ID from hex to decimal and attempt to close that single process, it seems all of Chrome's processes are often terminated anyway.

Workaround

Network

One possible workaround for malicious web sites is to null them out via your local hosts file.

In C:\Windows\System32\drivers\etc\hosts (which needs an editor running as administrator), add an entry for support.com-techsupport513.com and point it at 127.0.0.1.

hosts

Thankfully, some routers and wireless access points allow one to apply the same block for every host behind that gateway.
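The hosts-file workaround, done so it can be repeated without creating duplicate lines and verified through the resolver, as an added example that is not part of the original post. The scam host name is the one from this post; the www. variant and the 0.0.0.0 default are my additions (the post uses 127.0.0.1, which also works; see the note after the block). Run from an elevated prompt.

```powershell
# Added example (not from the original post): sinkhole scam hosts in the hosts file
# idempotently, keep a backup, flush the resolver cache, then verify via the OS resolver.

function Add-HostsBlockEntry {
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [string]$SinkholeAddress = '0.0.0.0',
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    $lines = Get-Content -LiteralPath $HostsPath -ErrorAction Stop
    Copy-Item -LiteralPath $HostsPath -Destination "$HostsPath.bak" -Force

    $added = @()
    foreach ($h in $HostName) {
        $h = $h.Trim().ToLowerInvariant()
        if (-not $h) { continue }
        # Present already if any non-comment line lists the name as hostname or alias
        $pattern = '(^|\s)' + [regex]::Escape($h) + '(\s|$)'
        $present = $lines | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
        if (-not $present) { $added += "$SinkholeAddress`t$h" }
    }
    if ($added.Count -gt 0) {
        Add-Content -LiteralPath $HostsPath -Value $added -Encoding Ascii
        ipconfig /flushdns | Out-Null     # works on every Windows version, unlike Clear-DnsClientCache
    }
    return $added
}

function Test-HostsBlocked {
    # Ask the OS resolver, which consults the hosts file first, instead of re-parsing the file
    param([Parameter(Mandatory)][string]$HostName, [string]$SinkholeAddress = '0.0.0.0')
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
    } catch { return $false }
    return ($addresses -contains $SinkholeAddress)
}

Add-HostsBlockEntry -HostName 'support.com-techsupport513.com', 'www.support.com-techsupport513.com'
Test-HostsBlocked -HostName 'support.com-techsupport513.com'
```

Why 0.0.0.0 rather than 127.0.0.1: a 127.0.0.1 entry makes the browser connect to whatever web server happens to listen on the machine itself, while 0.0.0.0 fails immediately. The hosts file has no wildcards, so every variant needs its own line, and scam domains like this one (note the numeric suffix) rotate quickly; treat it as a stop-gap and prefer the router or DNS-level block the post mentions. Some antivirus products watch the hosts file for tampering and may flag or revert edits, so do not be surprised by an alert.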

 

Chrome

Only Allow Pop-Ups for specific Web Sites

It is good practice to set Chrome to allow pop-ups only from specific web sites.

Advanced Setting

  1. In Chrome, open the Advanced Settings / Content page ( chrome://settings/content )
  2. In the Pop-ups group box, select "Do not allow any site to show pop-ups (recommended)"
  3. Explicitly add the sites for which you want to permit pop-ups by clicking the "Manage exceptions…" button
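The same setting can be enforced as a Chrome policy so that it cannot be flipped back from the Settings page. The block below is an added example and not part of the original post: DefaultPopupsSetting and PopupsAllowedForUrls are Chrome's published policy names, the registry layout is the one Chrome reads on Windows, and the allowed-site patterns are placeholders. Run from an elevated prompt.

```powershell
# Added example (not from the original post): enforce "block pop-ups except for listed
# sites" as a Chrome policy under HKLM, then read the policy back.

function Set-ChromePopupPolicy {
    param(
        [string[]]$AllowedSites = @('[*.]example.com'),        # placeholder patterns
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    )
    New-Item -Path $PolicyRoot -Force | Out-Null
    # 1 = allow all sites to show pop-ups, 2 = block all sites (the "Do not allow" radio button)
    Set-ItemProperty -Path $PolicyRoot -Name 'DefaultPopupsSetting' -Value 2 -Type DWord

    # List policies live in a subkey whose values are named "1", "2", ... holding URL patterns
    $listKey = Join-Path -Path $PolicyRoot -ChildPath 'PopupsAllowedForUrls'
    if (Test-Path -Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }   # replace, do not append
    New-Item -Path $listKey -Force | Out-Null
    $index = 1
    foreach ($site in $AllowedSites) {
        Set-ItemProperty -Path $listKey -Name ([string]$index) -Value $site -Type String
        $index++
    }
}

function Get-ChromePopupPolicy {
    param([string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome')
    $listKey = Join-Path -Path $PolicyRoot -ChildPath 'PopupsAllowedForUrls'
    $default = (Get-ItemProperty -Path $PolicyRoot -Name 'DefaultPopupsSetting' -ErrorAction SilentlyContinue).DefaultPopupsSetting
    $allowed = @()
    if (Test-Path -Path $listKey) {
        $key = Get-Item -Path $listKey
        $allowed = @($key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) })
    }
    [pscustomobject]@{ DefaultPopupsSetting = $default; PopupsAllowedForUrls = $allowed }
}

Set-ChromePopupPolicy -AllowedSites '[*.]example.com', 'https://intranet.example.org'
Get-ChromePopupPolicy
```

Chrome shows the result under chrome://policy (use "Reload policies" rather than restarting). One caveat worth knowing before relying on this: the pop-up setting governs new windows opened by script. A page that pins you in place with repeated JavaScript alert dialogs is not opening pop-ups, so this policy will not stop it; for that case the Task Manager route above, or the "Prevent this page from creating additional dialogs" checkbox Chrome offers on repeated dialogs, is what closes it.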

 

Pop-ups

ContentSettings-Popups-After

Pop-ups Exceptions

PopUpException

KeyStroke Combination Struggle

Unfortunately, the same keystroke combination can be claimed by different vendors and applications.

Google Chrome wanted to register Shift-Esc.

keyStrokeCombinationShiftEscCropped

But "Intel Management and Security Status" launched before Google Chrome, and it had already requested and registered that key combination.

Our options included preventing the Intel tool from auto-starting or changing its hotkey.

The default hotkey is shown below:

WhatIsIntelAMT

We changed it to Shift-F10.

ShiftF10.20151230.0729PM

Anti-Virus Boot CD – Avira

Background

These days family and friends call every so often saying that their computer has a virus and they need help right this very moment.

Connect and Fix Problem

If they are far away, they might want you to connect remotely and fix the problem.

That works, but I will suggest that you take this as a teaching opportunity for yourself and a learning experience for the person in need.

Anti-Virus Boot CDs

Thankfully, there is a slew of Anti-virus Boot CDs available today.

Tim Fisher has a good list.

Name                  GUI/Text      Functionality                                                    Tutorial
Anvi Rescue CD        GUI           1) Familiar MS Windows-style interface
                                    2) Check memory
                                    3) Check disk for defects
AVG Rescue CD         Text          1) Network                                                       How it works: http://www.avg.com/us-en/avg-rescue-cd
Avira Rescue System   GUI           1) Auto-updates virus definitions before starting the scan
                                    2) Definition updates cannot be skipped                          How to use the Avira Rescue System
BitDefender           GUI           1) Supports installation of a remote-access program
Comodo Rescue CD      GUI and Text  1) Download virus signature updates
                                    2) Browse the Internet
                                    3) File and folder explorer                                      Introduction to Comodo Rescue CD
Dr. Web LiveDisk      GUI           1) Choice of whether to download updates                         How does it work
F-Secure Rescue CD    Text          1) Cannot skip automatic updates of virus signatures (-)
                                    2) No GUI (-)
                                    3) Text only, no mouse interaction (-)
Kaspersky Rescue CD   GUI           1) Virus signatures have to be downloaded                        Create Boot CD and Boot Computer; Start a Scan

Lab

What use is reviewing a virus-cleansing tool without actual viruses?

We can't ship and load actual viruses, but we can play with placebos.

Eicar.Org

Thankfully, Eicar.org has some available at http://www.eicar.org/85-0-Download.html. The EICAR test file is a harmless text string that antivirus vendors detect by agreement, so it exercises the scanner's detection and quarantine path without putting anything malicious on the disk.

VirusFileList

Download

On the computer that we are using, we have an active virus detection tool.

It is Microsoft’s System Center Endpoint Protection.

Microsoft’s System Center Endpoint Protection

We need to disable real-time protection and exclude our targeted folder.

Real-time protection
Before

SettingsAndRealTimeProtection-Current

After

SettingsAndRealTimeProtection-Post

Excluded Files And Locations

We excluded E:\downloads\eicar.org

ExcludedFilesAndLocations
With those changes made, we were able to download the test files.

Avira Rescue System

Here is a quick summary on my recent experience with the Avira Rescue System.

Boot Options

When the Avira Disk is booting, we are presented with the option of :

  1. Avira Scan
  2. Check Memory
  3. Check Disk for Defects

Welcome

The first screen is the Welcome screen.

Please click on the “Start Wizard”.

Welcome

Wizard – Step 1 of 3: Partition Selection

Thankfully, unlike some other tools, the Avira tool displays the actual Windows Disk drives (C:, D:, E:).

This makes it easy to know that the drives are actually present and allow us to narrow our processing to specific drives or a combination of drives.

WhatDoYouWantToScan

Wizard – Step 2 of 3: Scan and Repair

Here is what we see as the drive is being scanned…

ScanAndRepair-Detections

Wizard – Step 2 of 3: Scan and Repair ( Wizard finished successfully )

Once the scanning is completed, we get a definite view of the number of files actually infected.

WizardFinishedSuccessfully

On the next screen we reviewed the list of files identified and chose to delete the ones that were actual viruses.

Please keep in mind that there were some false positives as well.

As this is a public forum, I will not disclose the false positives.

Other Functionalities

gparted

The tool comes with gparted.

The Windows drives are exposed and mounted as /target; i.e. /target/C: and /target/E:

GParted

With this knowledge we can directly explore our Windows Drive:

Folder

I will suggest that screenshots and downloads are kept in your exposed Windows Drives.

Screen Shots

Screenshots can be captured via Alt-PrtSc.

Network, Internet and Browser

As discussed, we get Network, Internet, and Firefox access.

Summary

I found the Avira tool to be capable and easy to use.

I especially like the fact that it comes bundled with disk and memory checker modules, because disk and memory issues can sometimes be confused with virus infections.

Kaspersky – Rescue CD – Stuck at “Creating Swap file”

Background

Having a slow PC day on one of the servers in our lab. Unfortunately, it is a leftover MS Windows 2003 Server.

And so I am thinking it could honestly be anything, including viruses.

Kaspersky Rescue-CD

Brought out my old and very reliable Kaspersky Rescue CD.

Boot Into

Rebooted the computer; as it is a Dell, pressed F12 to access the boot menu.

Chose CD-ROM.

Clicked through a few other options to ensure that I would actually boot into the Rescue CD.

Stuck

But, as happens, more so lately, I am stuck again..

Textual

Creating Swap file

Image

CreatingSwapFile

Clear Storage

Linux – X File Manager

Via the Linux file manager, X File Manager, that comes with the Rescue CD, accessed each MS Windows drive and removed obvious clutter.

Btw, the underlying MS Windows folders are under /discs and are labelled C:, D:, E: based on the drive letters.

XFileExplorer

Microsoft – MS Windows – File Explorer

Shutdown the Rescue CD, booted into Windows, and cleared more file clutter.

Same Error

Same error “Creating Swap file“.

I love Lionel, but I am not rich.

And, so time is money.

What is running?

GUI

The bottom right panel of the screen has an indicator that shows high CPU Usage.

From that gauge, accessed the “Process Status” application.

2015-08-04_17.24.45

Quick Explanation:

  • We can see that the application responsible for creating the swap file is beating up our machine
  • The name of the application is ntfs-3g, the user-space NTFS driver, which is why writing a large swap file onto a Windows volume is so slow

Terminal Mode

Note that we can also tabulate the most expensive processes by switching to terminal mode and running top.

Abruptly Terminate “Swap File Creator” process

Launched a terminal window.

Noted that the process ID for the process that is creating the swapfile is 16201.

And, so issued:

Syntax:


   kill [process-id]

Sample:


    kill 16201

On to the Next One

The next step, post Swap file creation, kicks in.

That next step is the Network Configuration.

KillProcess

The Network Configuration is very important.

  1. It gets you back online
    • You really do need to be online to download the latest signature updates. Please make sure you download these updates before running a virus check
    • You also get access to Google, blogs and email
  2. Unfortunately, the bundled browser is a bit dated and all the major email providers will complain. Thankfully, Google will let you use its leaner HTML email reader

Microsoft – Windows – Start Up Warning – There was a problem starting “c:\Users\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll The specified module could not be found”

Prelude

My parents called last night and I knew I had to call them back. They don't call much, as I am usually the one who needs them and initiates calls.

The only time they ever need my help is when they have computer problems.

Error Message

So yes, they do have a problem. Upon logging on they get an error stating:

There was a problem starting c:\Users\<user>\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll
The specified module could not be found.

That wording is what rundll32.exe reports when the DLL it was asked to load is absent: the file is gone, but something still tries to load it at logon. In other words, an autostart entry (a scheduled task or a Run entry) survived whatever removed the file, and the fix is to find and disable that entry, not to restore the DLL.


Configuration

System Configuration – Autoruns

Background

Autoruns is published by Microsoft's Sysinternals team. To fetch it, please access http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx and click on the "Download Autoruns and Autorunsc" link.

Scheduled Tasks

Let us review and possibly modify the Scheduled Tasks; to do so, please:

  • Run Autoruns
  • Access the "Scheduled Tasks" tab
    • Look closely at any items that have "File not found" in their "Image Path" column
    • If you find any, un-check them by clicking their checkbox

ScheduledTasks

  • Access the "Logon" tab
    • Look closely at any items that have "File not found" in their "Image Path" column
    • If you find any, un-check them by clicking their checkbox

Logon

  • Find everywhere
    • Open the application menu
    • Click on the menu item File \ Find…
    • In the Find dialog, enter container and make sure that "Match whole word only" and "Match case" are unchecked
    • Start the search by clicking Find Next
    • Un-check any found items

MenuItem--File-Find

Microsoft – Windows – Task Scheduler

Access Task Scheduler by doing the following:

  • From the Start menu, open "Control Panel"
  • In Control Panel, launch Administrative Tools and then "Task Scheduler"
  • In Task Scheduler, navigate to "Task Scheduler Library"
  • Click the "Triggers" column header to sort by the triggering event
  • Sorting by trigger lets us narrow down on the likely "source" events, which are
    • At log on of any user
    • At log on of <user>
    • At system startup
  • Our culprit will probably show an empty "Last Run Result"
  • Jot down each likely item, right-click it, and select Disable from the context menu
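The "File not found" check that the Autoruns steps and the Task Scheduler steps above perform by eye can be scripted. The block below is an added example, not code from the original post or from Sysinternals: it walks the Run/RunOnce registry keys and every Scheduled Task action and reports entries whose target file no longer exists. rundll32 entries are resolved to the DLL they load, because rundll32.exe itself is always present and only the DLL is missing, which is exactly the BackgroundContainer.dll case. Function names are mine; the command-line splitting handles the common shapes (quoted path, unquoted path with spaces, bare executable name) but is not a full Windows command-line parser.

```powershell
# Added example (not from the original post): list autostart entries whose target file is gone.

function Split-CommandLine {
    # Returns @(program, arguments) for a Run-key command line.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]*)"\s*(.*)$') { return @($Matches[1], [string]$Matches[2]) }
    # Unquoted: the program ends at the first recognised extension (copes with "C:\Program Files\...")
    if ($cmd -match '^(.+?\.(?:exe|dll|cmd|bat|vbs|js))(?:\s+(.*))?$') { return @($Matches[1], [string]$Matches[2]) }
    $parts = $cmd -split '\s+', 2
    if ($parts.Count -gt 1) { return @($parts[0], $parts[1]) }
    return @($parts[0], '')
}

function Get-AutostartTargetFile {
    # The file that actually has to exist: the program, or for rundll32 the DLL it loads.
    param([string]$Program, [string]$Arguments)
    $exe = [Environment]::ExpandEnvironmentVariables($Program.Trim().Trim('"'))
    if ($exe -match '(^|[\\/])rundll32(\.exe)?$' -and $Arguments) {
        $argText = [Environment]::ExpandEnvironmentVariables($Arguments.Trim())
        if ($argText -match '^"([^"]+)"') { return $Matches[1] }          # "C:\path\x.dll",Entry
        if ($argText -match '^([^,]+)')   { return $Matches[1].Trim() }   # C:\path\x.dll,Entry
    }
    return $exe
}

function Test-AutostartFileExists {
    param([string]$Path)
    if ($Path -notmatch '[\\/]') {
        # Bare name: resolved through PATH (and PATHEXT) the way the shell would
        return [bool](Get-Command -Name $Path -CommandType Application -ErrorAction SilentlyContinue)
    }
    return (Test-Path -LiteralPath $Path -PathType Leaf)
}

function Get-OrphanedAutostart {
    $found = @()
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            $program, $arguments = Split-CommandLine -CommandLine $value
            $target = Get-AutostartTargetFile -Program $program -Arguments $arguments
            if (-not (Test-AutostartFileExists -Path $target)) {
                $found += [pscustomobject]@{ Source = $keyPath; Name = $name; Command = $value; MissingFile = $target }
            }
        }
    }
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no program to check
            $target = Get-AutostartTargetFile -Program $action.Execute -Arguments ([string]$action.Arguments)
            if (-not (Test-AutostartFileExists -Path $target)) {
                $found += [pscustomobject]@{
                    Source      = "Task $($task.TaskPath)"
                    Name        = $task.TaskName
                    Command     = ("$($action.Execute) $($action.Arguments)").Trim()
                    MissingFile = $target
                }
            }
        }
    }
    return $found
}

Get-OrphanedAutostart | Format-Table -AutoSize -Wrap
```

Treat a hit the way the manual steps do: disable first, delete later. For a task that is Disable-ScheduledTask with the reported TaskPath and TaskName; for a Run-key entry, export the key (reg export) and then Remove-ItemProperty on the named value. Autoruns covers many more locations than these two (services, drivers, Winlogon, shell extensions), so this is a fast first pass, not a replacement for walking its other tabs.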

 

 

Initial

TaskSchedulerLibrray

Disabled

Once disabled, the items show Disabled in their Status column.

TaskSchedulerLibrray-Disabled

Summary

Please try to restart your system and see if the problem goes away.

References

Question & Answer (Q/A)

  • Microsoft – Windows – Startup Apps

Kaspersky: Rescue Disk (v10): Error – Malfunction … Error code 9ABE0003

Introduction

A friend has a hard-to-remove virus and I knew I had to send him an Anti-Virus Rescue CD. I like Kaspersky for this type of issue.

Error

Before sending the CD, I tried it out on one of my PCs.

So I launched it and clicked on "Start Objects Scan".

But I got the error pasted below:

Malfunction <> minutes ago, error code 9ABE0003.

Error-9ABE0003

To Fix

Get new virus definition files.

  • Access the "My Update Center" tab
  • The "Database Status" item will read "corrupted"; that is the tell-tale sign that you need to remedy it by updating your virus signature database
  • Click on the "Start update" button

It will likely take a while to download the new virus signature database.

Once you have the new signatures, please retry your scan.