Windows 8 anti-virus has a long way to go

Filed Under: Featured, Malware, Microsoft

When Microsoft unveiled the Developer Preview of Windows 8 two weeks ago, one of the items to get the most attention was its included unmanaged anti-virus solution.

I was interested in what capabilities it might have and how it would present itself to users who stumble across something malicious.

Naturally I installed it on a virtual machine and to a spare disk on a full workstation in my lab. What to test first?

If there is one thing guaranteed to be safe and still be an effective test it would be EICAR.

According to the EICAR website the EICAR test file allows someone to safely trigger a "virus incident in order to test their corporate procedures, or of showing others in the organisation what they would see if they were hit by a virus."

That's perfect. I need a detection, but I prefer not to handle live malware. Safely testing live malware samples is hard, and getting it wrong is dangerous.

There are some very thorough testing organizations that can evaluate protection much more effectively than most home grown testing operations.

That is why we always use EICAR, as every (or so I thought!) anti-virus and security product will detect EICAR to allow for safe testing.

I first tried to download the EICAR test file from eicar.org using Internet Explorer 10. IE informed me that this was a malicious download and would not allow me to save it. Pass!

I then opened Notepad and pasted in the 68 magical bytes, chose Save As and named it EICAR.COM. It showed up in my Explorer window with no complaints.

I then tried to click the file and it vanished!? No warning, and no messages logged in Event Viewer (that I could find). Fail! EICAR should always cause an alert...

So I tried another test and inserted a USB memory stick with EICAR.COM preloaded onto it. When I tried to copy the file from the USB stick to the Documents folder it did so without complaint.

When I tried to run EICAR.COM it gave an error, which is expected, as EICAR is a DOS program and cannot execute on Windows 8, but I *should* get a virus warning, shouldn't I?
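The manual EICAR test described above, as an added example that is not part of the original post: it assembles the 68-byte test file, checks it against the EICAR rules (which rules out a Notepad save that added a BOM or stray bytes), and polls to see whether whatever on-access scanner is installed removes the file. The 10-second timeout and the output path are assumptions.

```python
import hashlib
import time
from pathlib import Path

# The 68-byte EICAR string, split in two so the script is not flagged at rest;
# it only becomes the canonical string when joined at runtime.
EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
               "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Return the canonical 68-byte EICAR test string."""
    data = "".join(EICAR_PARTS).encode("ascii")
    assert len(data) == 68
    return data

def is_valid_eicar(data: bytes) -> bool:
    """EICAR's rule: the 68 bytes come first, only whitespace may follow, and
    the file may not exceed 128 bytes. A file saved from Notepad with a UTF-8
    BOM or stray text fails this, and scanners are entitled to ignore it."""
    if len(data) > 128 or not data.startswith(eicar_bytes()):
        return False
    return data[68:].strip(b" \t\r\n") == b""

def eicar_sha256() -> str:
    """Hash to compare against before blaming the scanner for a miss."""
    return hashlib.sha256(eicar_bytes()).hexdigest()

def write_and_watch(path: Path, timeout_s: float = 10.0) -> str:
    """Repeat the article's manual test: write EICAR.COM, then poll for an
    on-access reaction. 'blocked' = write refused, 'removed' = file vanished
    within the timeout (assumed 10 s), 'undetected' = still present. A silent
    'removed' with no alert and no event-log entry is what the article saw."""
    try:
        path.write_bytes(eicar_bytes())
    except OSError:
        return "blocked"
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if not path.exists():
            return "removed"
        time.sleep(0.5)
    return "undetected"


if __name__ == "__main__":
    print(eicar_sha256() == EICAR_SHA256, write_and_watch(Path("EICAR.COM")))
```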

Windows 8 accessing EICAR without detection

I was very confused and began to wonder whether Windows 8 really had anti-virus at this point.

I took one of my virtual machines into our lab to test it against a few samples to see what would happen.

All of the samples were between six and twelve months old, so nothing bleeding edge here. I tested Mac, Linux and Windows malware to see if it had cross-platform capabilities as well.

Windows 8 anti-virus detection

The result? It captured about 50% of the malware samples I threw at it. Clearly there is a lot of work to be done with regard to detection.

It did successfully pick up quite a few fake anti-virus samples for Mac and Windows, as well as some copies of Linux/RST-B.

It also recorded some events under the Windows Defender category in Event Viewer for the detections it alerted me to.

Windows Defender event log on Windows 8

This is an early preview and I am sure many improvements are planned. It's good to see Microsoft is detecting malicious software for the three major platforms.

Microsoft does need to fix the detection of EICAR. The way things work currently will only encourage people to take unnecessary risks with real malware samples for testing.

If you are testing Windows 8 on a live network, I would recommend you install a third-party anti-virus program as well. While Windows Defender caught some samples, it isn't ready for prime time yet.

Have an opinion on Windows 8? Why not answer our poll to see where you fit in with other Naked Security readers?


32 Responses to Windows 8 anti-virus has a long way to go

  1. Steve · 1098 days ago

    So the options in the poll are basically: "no", "maybe", or "yes but only because it's a free product"? Come on.

    I'm also hedging my bets on whether this comment gets posted.

  2. theron g · 1098 days ago

    Where can a person download a copy of the Win8 beta from ?

    Theron G

  3. So just how butthurt are you guys about anti-virus finally being included with a Windows OS? Seriously, you're already trashing a developer preview that isn't even intended for day to day usage!

    Totally ridiculous. The only thing that has a long way to go is the quality control of this blog.

    • Did you read this bit of Chet's article?

      "This is an early preview and I am sure many improvements are planned. It's good to see Microsoft is detecting malicious software for the three major platforms... Microsoft does need to fix the detection of EICAR. The way things work currently will only encourage people to take unnecessary risks with real malware samples for testing."

      Read this article by yours truly about whether anti-virus built into Windows 8 is good news or bad news: http://nakedsecurity.sophos.com/2011/09/14/window...

      • Paul · 1097 days ago

        One qualifier in an otherwise extensively negative review is hardly enough to absolve you of any wrongdoing here.

        • Lets not get our knickers in a twist here.

          Just because Sophos produces an anti-virus product for corporations means that we can't show an interest in an anti-virus product that is likely to be used by millions of home users? I think it's of great interest to people to hear how the Windows 8 anti-virus works and as Chet details, he began simply by seeing what happened with the EICAR test file.

          His intention was not to do a proper anti-malware test. In fact, he wasn't intending to use malware in his exploration at all. It's only because use of the EICAR test file resulted in such strange results that he tried it with any malware.

          I don't think Chet is suggesting that the malware detection part of his test is in anyway comprehensive, and nobody should assume that it will reflect the eventual detection rates of Microsoft's anti-virus when it ships with Windows 8.

          Clearly, however, anyone who *is* already using this development version of Windows 8 *would* be interested in how it handles malware. And they may find that the lack of support for EICAR leads them towards testing with real malware. Not something we would recommend.

          We know lots of the guys who work in Microsoft's anti-virus team - and they have some excellent staff with years of anti-malware experience. We have no disrespect for their abilities - and are confident that when the product ships for real its detection rate will be much improved.

          But let's not think that it's forbidden to talk about the product's current weak detection or lack of support for EICAR. The software is free for anyone to download, and it shouldn't be verboten to discuss its current apparent weakness.

  4. Mich72 · 1098 days ago

    I'm running Win 8 and that is one of the suspicions I had when I installed it. Even on Win 7 Windows Defender did not seem up to snuff. I wondered if they take security seriously enough to actually make a formidable AV or not. I guess you answered my question fully. THX!

  5. bob · 1098 days ago

    Surprised it did not perform better. Have had really good luck with their MSE app. See how it goes.

  6. char1661 · 1098 days ago

    It's basically just MSE in Windows Defender. I tried it out for Youtube

  7. Christoph · 1097 days ago

    Yeah, and the poll options are a little bit lopsided, aren't they?

  8. Christoph · 1097 days ago

    Download Windows Developer Preview: http://dev.windows.com/

    @Chester: Which version of Windows did you test EICAR with? 64-Bit or 32-Bit? If you try and run EICAR.COM on 64-Bit, then EICAR won't execute, or will it?

    • Chester Wisniewski · 1097 days ago

      I did use the 64 bit edition. I didn't expect it to actually run, but I did expect to receive an alert like the one I got when I tried to copy MacDefender to Windows 8.

  9. Pal70 · 1097 days ago

    The problem other than MS probably couldn't make a grown up working solution, is that if they actually managed it....... the resulting class action would be a juggernaut.

  10. Mike · 1097 days ago

    But is Defender really the Windows AV or just an adjunct to MS Security Essentials?

    I was under the impression that Defender was being phased out and MSSE was taking over the heavy lifting on the AV front.

    They really should make it a default in the install for W8 - just as long as there is an option to NOT install it if you deselect it in the W8 installer.

  11. Since it is a beta, it may have some limitations or bugs. I wish Windows 8 is coming up with some breakthrough antivirus solution this time. Anyways thanks for giving us a demo of this new beta.

  12. It's a dev build. It's bound to have holes in it - it's not even a beta yet. I'm not sure it's really fair to complain about this in a dev build, cos after all nobody (unless they're a total nutter) will be using it as their primary OS. If it were poor in a public beta, then yes, there's something to flag up and worry about, but I suspect it will be a lot better by the time it gets to that stage, never mind by RTM.

    • I'm sure it will improve too. I think Chet's post is still worthwhile, though, as some people may be relying upon it for defence - and it's surely interesting that there seems to be a problem detecting EICAR (the industry standard test file for checking your anti-virus is installed properly)

  13. Machin Shin · 1097 days ago

    One option your poll is missing. What about "Yes I will leave it turned on along side my other product"? It is free, comes on windows and does add at least some protection. So long as it is not a resource hog then I would just leave it running. There is always the chance they might catch something someone else missed. No anti-virus is 100% so it can't hurt to have a little free one backing up your main AV.

    • I think I'm correct in saying that the built-in anti-virus in Windows 8 will disable itself if it detects the presence of another anti-virus product.

      That makes sense actually - running more than one anti-virus can cause clashes.

  14. Tuxplorer · 1097 days ago

    Sophos is a joke of a company. I won't touch any security software other than Windows Defender or MSE ever again. For the last 2 years I have been using MSE on Windows 7, and have never had any security problems. Fact of the matter is, Windows Vista/7/8 are so secure that you don't need too much extra. Windows 7/8 is more secure than Mac OS X and Linux. So, MSE and Windows 8's Defender are MORE than good enough to protect users. Almost all third-party antivirus software is worse than viruses.

  15. Mihu · 1097 days ago

    @theron g here you can choose what type of installer you want. http://msdn.microsoft.com/en-us/windows/apps/br22...

    enjoy

  16. AdamM · 1097 days ago

    So a beta product tested by a security firm that has most to lose doesn't test well.

    If I have to explain the built in AV is obviously going to improve before shipping and secondly doesn't anyone else see the massive conflict of interest here?

    It's like trusting the oil companies to investigate their own spills.

  17. Slim · 1097 days ago

    I'm surprised by Sophos to even allow this sort of FUD to be blogged. First off, Win8 is a Developer Beta - by no stretch of the imagination does anyone recognize that Win8 is "complete". Shame on you Sophos!!!!!

  18. Mark · 1097 days ago

    Thanks for the heads up. This is concerning.

  19. Jim · 1097 days ago

    I agree with others here, this is a very disappointing article. Testing an AV in an OS which is all still in early dev stage...really?? What did you expect?

    MSE has been proven effective in every test since its release - the fully developed, up-to-date MSE that is!

    Ditto to Slim's comments - you undermine your credibility publishing rubbish like this.

    • What did we expect?

      I wouldn't expect its anti-virus definitions to be up-to-date necessarily, but I *would* have expected it to detect the EICAR test file!

      Does it matter? Not much. Like you said, it's not the final version of the software. But it's interesting to hear how the software currently acts (remember, it is what Microsoft will be building into their next major version of their software) and presumably many developers are trying it out.

      Chet's article makes some great points about being careful about trusting the anti-virus at present - especially as you apparently can't test what it's *meant* to do with EICAR.

      • I agree with you. At least an antivirus SHOULD warn with the EICAR test file! Doesn't matter if the file could run or not!

        Also, I think this article gives a fair review. If it fails, it fails. Doesn't matter if it's beta or not.

        Yes, beta software should give some leverage but all this article is doing is calling a duck a duck.

  20. DarkSnake-Kobra · 1097 days ago

    I have to agree with many of the comments here. This is still a dev build of Windows and not even close for daily usage. This is to give developers access to the latest Windows API and a preview of what's to come for developers. Antivirus companies or testing organizations shouldn't even be testing this as it's not a fair test. This is very unprofessional.

    Shame on you Sophos!!!

  21. Nigel · 1096 days ago

    I don't see this article as FUD. It states (correctly) that Windows 8 anti-virus has a long way to go. Whether that's an expectable condition for a dev version is arguable, but the FACT that it doesn't currently detect EICAR is beyond dispute. Presumably that fact will change in the release version.

    I think the article is reasonably balanced. After all, it applauds Microsoft for including detection of some cross-platform malware. I take that as a positive sign that Windows 8 anti-virus is headed in the right direction. The fact that its journey toward a releasable product is incomplete isn't bothersome. The fact that it (so far) has overlooked EICAR is puzzling at best.

  22. genezgate · 1071 days ago

    I do use it daily. I have a dual boot with Windows 7 and I have little reason to go back. I have tried my best to get a virus on this thing and I haven't as of yet. So far it is rock solid. I also run Ubuntu and I really don't see much of a difference between the two of them as far as reliability, except I can run Windows programs on the 8. They shed tons of problems when they gave the ax to browser add-ons. My only complaint is some login websites will give an issue unless you use compatibility mode. I repair these things for a living and I can almost say for my job security's sake it's too good.

  23. Rob · 697 days ago

    Now the Win8 is officially released, could you post another test result based on the released version?


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.