Defender not picking up any malware infestations

Guest

I found yesterday that my machine was infected with a bunch of malware. The
only reason I knew something was wrong was due to a bunch of popups on my
screen when I came home.

Windows Defender claimed my system was running normally. I did a forced
full scan with the same results.

I loaded Spybot Search and Destroy and it found like 30 pieces of malware
ranging from executables, to other file types (i.e. *.ico), toolbar browser
extensions, IE favorites, etc.

I finally removed all pieces of spyware but I decided to run a test. With
Spybot running, I added a startup program to my registry
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN key via regedit. As soon
as I created the key, Spybot complained that something was trying to set a
run key like it should have. Defender did nothing.

I shut off Spybot completely and reran the test. Defender still did not
pick this attempt up.

This test alone shows Defender is not working on my machine, at all. Please
help!
 
Dave M

Sorry to hear you've had that experience, but in order to get it to the
attention of the WD development team, you'll need to let them know what OS
you're on, and the versions of Windows Defender that you're on, since we don't
know right now if you've ever updated it. The version numbers are found on
Help / About.

Also I'm sure the definitions team would be more than interested in exactly
what specific executables, etc... otherwise, how could they ever add
anything missing to their signature updates. I'm guessing you have real
time protection and all the security agents under it as well as both notify
options checked? What about apply default actions to items detected during
a scan and what are your 3 default actions set to? They also might want
to hear about what the Event Viewer says happened in "System" at the time
you ran the Defender scans, View > Filter on Event source "WinDefend" makes
this process only a bit easier for us Beta Testers.
 
Guest

Sorry for leaving out pertinent information. I tend to update my machine
very regularly if autoupdate doesn't pick up something. I'm an update fiend.

Windows Defender Version: 1.1.1347.0
Engine Version: 1.1.1508.0
Definition Version: 1.14.1532.14

**I have all of the necessary options set.
**Everything is set at Definition recommended action.
**It's set to apply default actions during scan and to check for updated
defs before scan.
**Realtime is checked with all options.
**Even to check for software not even classified for risks.
**Notifications are turned on for everything.

I also have another issue. Not sure if it's already a known bug or not, but
I have two drives set to "not" scan. My floppy drive and my second hard
drive that is used primarily for storage. Even though they are set not to
scan, a full scan still scans these directories.

I would assume it's highly unlikely that WinDefender didn't pick up any of
the 30 or so malware infections due to them being newer than the signatures'
awareness. After all, Spybot picked it up and I'm assuming Microsoft has a
bigger team dedicated to rooting out all forms of new malware signatures.

I think mine is just broken. Again I mention that simple test. I created a
run key in the registry, yet WinDefender did not see it at all, not even as
an unclassified piece of software, unless it could tell that the file didn't
really exist. Maybe it's smarter than that? Regardless there has to be a
way I can "test" the real-time scanning portion of this software. Any ideas?
 
Guest

I also looked at my event logs. There are quite a few windefend warnings.
Most of them benign as they reference my system tools (i.e. procexp, filemon,
regmon... all from sysinternals.com).

There are entries too for the spyware that was supposedly caught on my
system. Apparently the engine saw the spyware but failed to report it on
screen to give an attempt to classify/block it. One example is:

Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date: 7/20/2006
Time: 6:08:51 PM
User: N/A
Computer: JACKAL
Description:
Windows Defender Real-Time Protection agent has detected spyware or other
potentially unwanted software.
For more information please see the following:
http://www.microsoft.com
Scan ID: {040379E5-411B-42DC-B270-72A701015524}
User: JACKAL\Matthew McDonald
Name: Unknown
ID:
Severity ID:
Category ID:
Path Found:
regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\kernel32.dll;runkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\kernel32.dll;file:C:\WINDOWS\system32\atmclk.exe
Alert Type: Unknown
Detection Type:


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
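
A parser for the WinDefend event quoted in the post above, added here as an example and not part of the original thread: it pulls the resources out of the "Path Found" field and flags events where the name is "Unknown" but an autostart Run key is referenced. The function names are hypothetical, and the split on the doubled backslash between key path and value name is an assumption based on how the posted event is written.

```python
import re

# Event 3004 text from the post above, abridged to the fields the parser reads.
SAMPLE_EVENT = r"""Event Source: WinDefend
Event ID: 3004
Name: Unknown
Path Found:
regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\kernel32.dll;runkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\\kernel32.dll;file:C:\WINDOWS\system32\atmclk.exe
Alert Type: Unknown
"""

FIELD = re.compile(r"^(Event Source|Event ID|Name|Alert Type):[ \t]*(.*)$", re.M)
# Resource prefixes seen in the posted event; other prefixes are not handled.
RESOURCE = re.compile(r"\b(regkey|runkey|file):([^;\r\n]+)")
AUTOSTART_SUFFIXES = ("\\run", "\\runonce")  # key paths that launch at logon

def parse_event(text):
    """Return (header fields, [(resource kind, value), ...])."""
    fields = {k: v.strip() for k, v in FIELD.findall(text)}
    return fields, [(k, v.strip()) for k, v in RESOURCE.findall(text)]

def split_key(resource):
    """Split a registry resource into (key path, value name).

    Assumption: the doubled backslash separates the two, as in the post.
    """
    key, _, value_name = resource.partition("\\\\")
    return key, value_name

def triage(text):
    """Flag events whose Name is Unknown and that reference an autostart key."""
    fields, resources = parse_event(text)
    keys = {split_key(v) for k, v in resources if k in ("regkey", "runkey")}
    autostart = sorted(kv for kv in keys if kv[0].lower().endswith(AUTOSTART_SUFFIXES))
    unclassified = fields.get("Name", "").lower() == "unknown"
    return {
        "event_id": fields.get("Event ID"),
        "unclassified": unclassified,
        "autostart": autostart,
        "files": [v for k, v in resources if k == "file"],
        "review": unclassified and bool(autostart),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```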
 
Dave M

Up until very recently, there's been no equivalent of the EICAR Anti-Virus
test for Anti-Spyware. However, in the last few months Spycar has been
released. What is Spycar? A suite of tools designed to mimic spyware-like
behavior, but in a benign form. Intelguardians created Spycar so anyone
could test the behavior-based defenses of an anti-spyware tool. Thanks to
your thread, I decided to give Windows® Defender the test, and I'd urge you
to do the same, but note that WD is mostly signature based not behavior
based. The control for that behavior should be in having Use Heuristics
checked.

http://www.spycar.org/Welcome to Spycar.html

I'll have more to say about my experience later after I run this for
SpySweeper too, but I'd like to hear from other people also. My settings
are similar to yours, but I do not let WD apply default actions during a
scan. Make sure you turn any other Anti-Spyware or Hosts manager off so
you're only testing WD, and of course have RealTimeProtection on, and make
sure you have a restore point (just in case). I believe this will answer
your questions about the run key or maybe generate more questions...
 
Guest

Thanks Dave. I'll give it a test and post my results when I can. I also took
your suggestion and disabled the "apply default action" on automatic scan.
I'm not very fond of the available "options" for this product. It seems they
like to hide a lot from the more experienced end users. I want an "advanced
mode". :)

It kinda scares me that Defender isn't more behavior based. I guess I'd
feel better if I knew exactly how Defender worked in detail, but of course
that's proprietary so I have to just "hope" it does what it should lol. The
old Antispyware seemed to have a higher emphasis on behavior based items. At
least I think I remember it as such. I liked all of the detailed options,
i.e. checking for script launching. "Script tried to run, is it ok?
yes|no". I like that.
 
