Windows 8 AV Detected Only 50% of Malware Samples Thrown at It, Says Sophos

According to Chester Wisniewski, a Senior Security Advisor at Sophos Canada

By on September 30th, 2011 15:05 GMT

The built-in security solution of Windows 8, Windows Defender, managed to detect only half of the malicious code samples thrown at it in a very basic test by Chester Wisniewski, a senior security advisor at Sophos Canada.

Wisniewski revealed that he installed the Windows Developer Preview in a virtual machine and tested it against a selection of Windows, Mac OS X and Linux malware.

The conclusion? Wisniewski stresses that the Windows 8 antivirus still has a long way to go.

“All of the samples were between six and twelve months old, so nothing bleeding edge here. I tested Mac, Linux and Windows malware to see if it had cross-platform capabilities as well,” he said.

“The result? It captured about 50% of the malware samples I threw at it. Clearly there is a lot of work to be done with regard to detection. It did successfully pick up quite a few fake anti-virus samples for Mac and Windows, as well as some copies of Linux/RST-B.”

But the fact of the matter is that Wisniewski was playing with Windows 8 rather than performing an actual security test.

As such, the relevance of his findings is arguable at best. He does note, however, that Windows 8’s Windows Defender had problems dealing with the EICAR test file.

It’s worth mentioning that Windows Defender did not detect the EICAR test file, even though the file is not malicious code; it is a harmless standard string that exists only to trigger antivirus detection without involving an actual virus.

“I first tried to download the EICAR test file from eicar.org using Internet Explorer 10. IE informed me that this was a malicious download and would not allow me to save it. Pass! I then opened notepad and pasted in the 68 magical bytes, chose Save As and named it EICAR.COM. It showed up in my explorer window with no complaints,” Wisniewski said.

“I then tried to click the file and it vanished!? No warning, no messages logged in Event Viewer (that I could find). Fail! EICAR should always cause an alert... So I tried another test and inserted a USB memory stick with EICAR.COM preloaded onto it. When I tried to copy the file from the USB stick to the Documents folder it did so without complaint.”

Try as he might, Wisniewski did not manage to get a virus warning from Windows Defender on Windows 8 when attempting to run EICAR.COM.

As such, it appears that the Redmond company may have neglected to equip Windows Defender to detect the EICAR test file.
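As an added example (not part of the original article or of Wisniewski’s own test), the manual check described above can be scripted: the code assembles the 68-byte EICAR string at run time from fragments so the script file itself is not quarantined by the scanner under test, drops it as EICAR.COM, and watches whether on-access scanning removes it. The target directory, file name and polling timeout are assumptions for illustration.

```python
import tempfile
import time
from pathlib import Path

# The standard EICAR test string, split into fragments so the scanner being
# tested does not quarantine this script for containing it verbatim.
_EICAR_PARTS = (
    "X5O!P%@AP[4",
    "\\PZX54(P^)7CC)7}",
    "$EICAR-STANDARD-",
    "ANTIVIRUS-TEST-FILE!$H+H*",
)


def eicar_bytes() -> bytes:
    """Assemble the 68-byte EICAR test file content at run time."""
    data = "".join(_EICAR_PARTS).encode("ascii")
    assert len(data) == 68, "EICAR string must be exactly 68 bytes"
    return data


def drop_and_watch(directory, name="EICAR.COM", timeout=5.0, interval=0.25):
    """Write EICAR.COM into `directory` and poll until it vanishes or time runs out.

    Returns a dict with the path and the seconds until removal (None if it stayed).
    """
    path = Path(directory) / name
    path.write_bytes(eicar_bytes())
    start = time.monotonic()
    while time.monotonic() - start < timeout:
        if not path.exists():  # real-time protection quarantined or deleted it
            return {"path": str(path), "removed_after_s": round(time.monotonic() - start, 2)}
        time.sleep(interval)
    return {"path": str(path), "removed_after_s": None}


def verdict(result) -> str:
    """Turn the observation into a tester's verdict; silent removal is not a pass."""
    if result["removed_after_s"] is None:
        return "NOT DETECTED: test file still on disk; on-access scanning missed it"
    return "REMOVED: confirm a matching alert in the scanner log or Event Viewer"


def run_in_tempdir(timeout=1.0):
    """Convenience wrapper: run the check in a throwaway directory (constructed input)."""
    with tempfile.TemporaryDirectory() as tmp:
        return drop_and_watch(tmp, timeout=timeout)


if __name__ == "__main__":
    outcome = run_in_tempdir()
    print(outcome, "->", verdict(outcome))
```

On a system with a working on-access scanner the file should disappear and, just as importantly, an alert should appear in the scanner’s log; a file that vanishes with no logged event is the behaviour the article calls a fail.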

Here is what Microsoft has to say about the built-in Windows 8 security solution in a product guide offered along with the recent Windows Developer Release:

“To ensure legitimate antimalware protection to all users, Windows 8 provides Windows Defender. It monitors and protects against viruses and other malware in real time and detects and removes malware if your computer becomes infected. With Windows 8, third-party antimalware software becomes even more effective: by loading approved antimalware drivers during the boot process, antimalware software can start from a known good state and continue its vigilant watch over your PC from that point on.”

The way I see it, Windows Defender in Windows 8 is first of all nothing new, since this security solution has already been featured in previous Windows releases. It does come with new capabilities, which is good news for end users, especially those that never install a proper antivirus.

At the same time, I don’t think that Windows Defender’s role has changed in any way, meaning that this continues to be a solution designed to provide only the most basic protection. It’s still designed to switch itself off completely when customers install a more advanced security solution.

“This is an early preview and I am sure many improvements are planned. It's good to see Microsoft is detecting malicious software for the three major platforms. Microsoft does need to fix the detection of EICAR. The way things work currently will only encourage people to take unnecessary risks with real malware samples for testing,” Wisniewski said.

“If you are testing Windows 8 on a live network, I would recommend you install a third-party anti-virus program as well. While Windows Defender caught some samples, it isn't ready for prime time yet.”

Windows 8 Developer Preview Build 8102 Milestone 3 (M3) is available for download here.