Study: 15 Percent Of Malware Bypasses Windows Defender


Windows 8 with Windows Defender switched on was able to block only 85 percent of this year’s most common malware, according to BitDefender

Research from security vendor BitDefender underscored recently what many Windows users already know – running a machine without antivirus can be risky.

In its analysis, the firm found that 15 percent of the malware families it classifies as the ones most favoured by cyber-criminals this year were able to run successfully on Windows 8 with Windows Defender on. That translated into 61 of the 385 malware samples the company tested.

First security updates arriving

Without Windows Defender enabled the drop-off in protection was dramatic: 234 of the 385 samples ran successfully. Of the remainder, 138 failed to run at all, six ran and then crashed, and seven were denied elevation of privileges by User Account Control (UAC).

The release of the findings comes as Windows 8 gets ready to receive its first Patch Tuesday updates next week, with three of the bulletins rated as ‘Critical’ affecting the new operating system.

“This is a great improvement over the out-of-the-box security of Windows 7, for instance, where 262 of the 385 samples ran without any problems,” said Alexandru Catalin Cosoi, chief security strategist at BitDefender. “The preinstalled Windows Defender that now ships with Windows 8 makes a difference when it comes to narrowing the impact of malware.”

In response to the BitDefender findings, Microsoft issued a prepared statement on 9 November that it “is committed to providing a trustworthy computing experience and continues to invest heavily in continuously improving our security and protection technologies”.

According to Cosoi, researchers performed an automated test using three physical machines running Windows 7, Windows 8 and Windows 8 with Windows Defender disabled. The machines booted from a network boot server. The booting process passed system control to a script inside the OS that copied a sample piece of malware from the network FTP server and tried to execute it locally.

Trojans, worms, rootkits

“After the execution attempt, we compared the process and registry differences between the initial state of the machine and the post-execution state to see if the sample that got executed spawned its own process, modified another process and/or created additional registry entries and files,” he explained. “These differences got logged into a database. Then the machine got rebooted to its clean state pending another round of tests.”

“In order to ensure the optimal conditions for the test, we synchronised the process to execute the same sample at the same time on all three machines,” he added. “Since the process was fully automated, we did not consider zero-day exploits that are usually delivered via browser, Flash or Java. We also did not include malicious non-executable scripts such as PHP files or JavaScript, as they can’t cause direct damage to the PC.”
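The before/after comparison Cosoi describes can be reproduced on a single test machine with a short PowerShell harness. The script below is an added illustration, not BitDefender's own tooling; it snapshots running processes, the common autostart registry values and a watched directory, launches one sample, and reports what appeared afterwards. The `$SamplePath` and `$WatchDir` parameters are assumed placeholders.

```powershell
# Added example, not BitDefender's harness: snapshot processes, autostart registry
# values and a watched directory, launch one sample, then report what appeared.
param(
    [string]$SamplePath = 'C:\samples\sample.exe',   # placeholder, not a real sample
    [string]$WatchDir   = 'C:\Users\Public'          # assumed directory to watch
)

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-Snapshot {
    # Processes as PID:name, autostart values as key\name=value, files by full path
    $procs = Get-Process | ForEach-Object { "$($_.Id):$($_.ProcessName)" }
    $reg = foreach ($k in $RunKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { "$k\$($_.Name)=$($_.Value)" }
        }
    }
    $files = Get-ChildItem -Path $WatchDir -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName }
    [pscustomobject]@{ Processes = @($procs); Registry = @($reg); Files = @($files) }
}

function Get-Delta($before, $after) {
    # Entries present only in the post-execution snapshot
    foreach ($field in 'Processes', 'Registry', 'Files') {
        $added = @($after.$field | Where-Object { $_ -notin $before.$field })
        [pscustomobject]@{ Kind = $field; Added = $added }
    }
}

$before  = Get-Snapshot
$started = $true
try {
    Start-Process -FilePath $SamplePath -ErrorAction Stop
    Start-Sleep -Seconds 30    # give the sample time to act before the second snapshot
} catch {
    $started = $false          # e.g. blocked by Windows Defender or denied by UAC
}
$after = Get-Snapshot
[pscustomobject]@{
    Sample  = $SamplePath
    Started = $started
    Delta   = Get-Delta $before $after
} | ConvertTo-Json -Depth 4
```

Run it on a disposable, isolated machine that is restored to a clean image between samples, as the article's test did; a non-empty `Delta` means the sample spawned a process, persisted itself or dropped files despite the protections in place.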

The sample set of malware mostly consisted of Trojans, worms, file-infectors and two rootkit-based pieces of malware. Of those, the Trojans performed the best, with almost all of them obfuscated enough to prevent initial detection and some not requiring UAC elevation.

Total protection?

Despite the percentages, Cosoi argued, Windows 8 users should not be lulled into thinking they have total protection.

“The test was based on the most advantaging scenario for Windows 8: the OS had UAC and antivirus set to ‘on’, as well as any bad decisions the user may take,” Cosoi said. “We only focused on technical vulnerabilities instead of including ways of getting a system infected by manipulating the user. Windows 8 users should not have the false sentiment of security and should consider a third-party security solution.”


Originally published on eWeek.