For cybercriminals, speed is the name of the game. It takes newly released malware an average of just four hours to achieve its goal—steal financial information, extort money, or cause widespread damage. In a recent report, the Federal Trade Commission (FTC) said that cybercriminals will use hacked or stolen information within nine minutes of posting in underground forums. Stopping new malware in real-time is more critical than ever.
Approximately 96% of all malware files detected and blocked by Windows Defender Antivirus (Windows Defender AV) are observed only once on a single computer, demonstrating the polymorphic and targeted nature of modern attacks, and the fragmented state of the threat landscape. Hence, blocking malware at first sight is a critical protection capability.
To fight the speed, scale, and complexity of threats, we work to continually enhance Windows Defender AV and other security features built into Windows 10. In our white paper "The evolution of malware prevention" we discussed our advanced, predictive approach to protecting customers from threats that they face today, as well as those that will emerge in the future.
This blog continues that discussion and provides the first detailed account of one way we improve our capability to stop never-before-seen malware with new enhancements to the Windows Defender Antivirus cloud protection service.
> In Windows 10 Creators Update, the Windows Defender AV client uploads suspicious files to the cloud protection service for rapid analysis. Our ability to make a swift assessment of new and unknown files allows us to protect customers from malware the first time we see it.
We have built these enhancements on the next-gen security technologies enabling Windows Defender AV to automatically block most new, never-before-seen threats at first sight using the following methods:
In relatively rare cases, when Windows Defender AV needs additional intelligence to verify the intent of a suspicious file, it sends metadata to the cloud protection service, which can determine whether the file is safe or malicious within milliseconds using the following techniques:
In rarer cases still, when Windows Defender AV cloud protection service is unable to reach a conclusive verdict based on metadata, it can request the potential malware sample for further inspection.
In Windows 10 Creators Update, the Windows Defender AV client uploads suspicious files to the cloud protection service for rapid analysis. While waiting for a verdict, the Windows Defender AV client maintains a lock on the dubious files, preventing possible malicious behavior. The Windows Defender AV client then takes action based on the verdict. For example, if the cloud protection service determines the file as malicious, it blocks the file from running, providing instant protection.
In a recent real-life example, a Windows 10 Home customer was tricked into downloading a new variant of the Ransom:Win32/Spora family of ransomware.
The malware was disguised as a font file with the name "Chrome font.exe". It was hosted on an online learning website that had been compromised by an attacker, who attempted to trick people into downloading the malware using a social engineering tactic described by Proofpoint in this blog. In this scheme targeting Chrome users, legitimate websites were compromised to open a pop-up window indicating "The ‘HoeflerText’ font wasn’t found", requiring a supposed update to fix. The customer clicked the "Update" button in the pop-up window, which downloaded the Spora ransomware variant.
The customer’s Windows Defender AV client routinely scanned the file using on-box rules and definitions. Since it had not encountered the file before, Windows Defender AV did not detect it as malicious; however, it recognized the file’s suspicious characteristics, so it temporarily prevented the file from running. The client sent a query to the Windows Defender AV cloud protection service, which used machine-learning-powered cloud rules to confirm that the file was likely malware needing further investigation.
Within 312 milliseconds, the cloud protection service returned an initial assessment. It then instructed the client to send a sample and to continue locking the file until a more definite verdict was given.
In about two seconds, the client finished uploading the sample. By default, it’s set to wait for up to 10 seconds to hear back from the cloud protection service before letting such suspicious files run.
As soon as the sample was uploaded, a backend file-processing system analyzed the sample. A multi-class machine learning classifier determined there was more than a 95% chance that the file was malicious. The cloud protection service created a signature, which it sent back to client. All of this happened in just five seconds.
One second later, the Windows Defender AV client applied the cloud signature and quarantined the malware. It reported the results back to the cloud service; from that point on, this file was automatically blocked, protecting all Windows Defender AV customers.
From the time Windows Defender AV uploaded the sample, the cloud protection service returned the malware signature in just five seconds, as shown by these actual timestamps:
2017-04-20 03:53:21 – Cloud protection service received query from Windows Defender AV client
2017-04-20 03:53:21 – Cloud protection service assessed it hadn’t seen the file and that is was suspicious, so it requested a sample and to keep locking the file
2017-04-20 03:53:23 – Sample finished uploading
2017-04-20 03:53:28 – Cloud protection service determined file as malware, generated signature, and sent that back to client
2017-04-20 03:53:29 – Windows Defender AV client notified that it successfully detected and removed the malware
Our many years of in-depth research into malware, cyberattacks, and cybercriminal operations give us insight into how threats continue to evolve and attempt to slip past security solutions. Guided by expert threat researchers, we use data science, machine learning, automation, and behavioral analysis to improve our detection solutions continuously.
In Windows 10 Creators Update, we rolled out important updates to Windows Defender Antivirus, which uses cloud protection service that delivers real-time protection against threats. With these enhancements, we show our commitment to providing unparalleled real-time defense against modern attacks.
Our ability to make a swift assessment of new and unknown files allows us to protect even would-be patient zero against attacks. More importantly, we use this intelligence to protect the rest of our customers, who may encounter these malware in subsequent attacks or similar threats in other cybercriminal campaigns.
Cloud-based protection is enabled in Windows Defender AV by default. To check that it’s running, launch the Windows Defender Security Center. Go to Settings > Virus & threat protection settings, and make sure that Cloud-based protection and Automatic sample submission are both turned On.
In enterprise environments, cloud protection service can be managed using Group Policy or via the Windows Defender Security Center app.
When enabled, Windows Defender AV locks a suspicious file for 10 seconds by default, while it queries the Windows Defender AV cloud protection service. Administrators can configure Windows Defender AV to extend the timeout period up to one minute to give the cloud service time to perform even more analysis and apply additional techniques to detect new malware.
As the threat landscape continues to move towards more sophisticated attacks and malware campaigns that can achieve their goals in hours instead of days, it is critical to be able to respond to new attacks in real-time. With Windows 10 Creators Update and the investments we’ve made in cloud protection service, we’re able to detect brand new threat families within seconds, protect “patient zero”, and disrupt new malware campaigns before they start.
_Senior Program Manager, Windows Defender Engineering _