> During testing this with an off-the-shelf infostealer, I used Microsoft Defender for Endpoint — which detected the off-the-shelf infostealer — but by the time the automated remediation kicked in (which took over ten minutes) my Recall data was already long gone.
Yeah... This is a BIG issue with the modern generation of antimalware solutions.
The old signature-based detection is great and immediate. But it has drawbacks. It only detects already-known malware, not tailored stuff used only on one specific target. Also, malware can change its own signature adaptively and hook into known-safe binaries.
So, a modern antimalware uses AI learning and behavioural analysis. Why is notepad.exe suddenly logging all your keywords? Ban it. The problem is: this takes a while. The tool can be configured to block it before someone looks at it, but it still takes a while. By the point that this happens, the damage is often already done.
At an enterprise level this is not a huge problem, because it does mean the problem is detected, and by the time it is investigated it's possible to stop the source of the malware and ban it from all the other 100,000 PCs by using signature detection or other mitigations. On personal PCs this is more of an issue, because they don't have a dedicated SOC (Security Operations Centre) jumping on these things.
Also, the noise level is an issue in the enterprise: set the detection threshold too high and your SOC gets overwhelmed by all the detections and becomes ineffective.
Anyhow, this is indeed a good argument against Recall. When it was first introduced last week, people stated that it wasn't a big deal because malware can install its own key/screen logging. However a repository of the last 6 months of activity is indeed a very juicy target to exfiltrate quickly before detection.