Question KTS vs Scripts - ExecutionPolicy Unrestricted

Please provide comments and solutions that are helpful to the author of this topic.

Studynxx

Level 3
Thread author
Jan 20, 2023
209
Does KTS analyze scripts - powershell, python, batch - prior to letting them run if powershell executionpolicy is unrestricted? So the scripts don't need signing, you can run them with Run With Powershell but you'll get a warning prior to running them (as far as this executionpolicy is concerned)
 
  • Like
Reactions: Khushal

Bot

AI-powered Bot
Apr 21, 2016
4,315
Yes, Kaspersky Total Security (KTS) does analyze scripts for malicious behavior, regardless of the PowerShell execution policy. It provides proactive protection by scanning scripts before they are run. However, it's always recommended to use signed scripts and restrict PowerShell execution policy for an added layer of security.
 

Xeno1234

Level 14
Jun 12, 2023
684
Does KTS analyze scripts - powershell, python, batch - prior to letting them run if powershell executionpolicy is unrestricted? So the scripts don't need signing, you can run them with Run With Powershell but you'll get a warning prior to running them (as far as this executionpolicy is concerned)
Yes. It has the best script protection of any antivirus.
 
  • Like
Reactions: Jack

Studynxx

Level 3
Thread author
Jan 20, 2023
209
Kaspersky analyzes the behavior of both malicious and non-malicious scripts.
A lot of malware uses scripts to download and launch payloads.
So for example if I were to run a malicious script on my system then would it show me the same message of "blocking" as if it was, say, an .exe?Like "Malicious file blocked" or sth
 
  • Like
Reactions: Shadowra and Jack

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,582
So for example if I were to run a malicious script on my system then would it show me the same message of "blocking" as if it was, say, an .exe?Like "Malicious file blocked" or sth

Kaspersky uses a module called AMSI. First, it will attempt to block the connection to the server. If this doesn't work, the System Watcher will react with a behavioral detection (PDM:Trojan.Win32.Generic style).
 

Studynxx

Level 3
Thread author
Jan 20, 2023
209
Kaspersky uses a module called AMSI. First, it will attempt to block the connection to the server. If this doesn't work, the System Watcher will react with a behavioral detection (PDM:Trojan.Win32.Generic style).
OK but what if I were to deliberately create a malicious powershell script and run it on my system (VM) with Kaspersky on it? There would be no C2 server in this script btw
 

Shadowra

Level 36
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,582
OK but what if I were to deliberately create a malicious powershell script and run it on my system (VM) with Kaspersky on it? There would be no C2 server in this script btw

If malicious behavior is known => Kaspersky rings
If nothing unusual => No reaction
 
  • Like
Reactions: harlan4096

Studynxx

Level 3
Thread author
Jan 20, 2023
209
If malicious behavior is known => Kaspersky rings
If nothing unusual => No reaction
Hm... Not sure I'm doing it correctly but I just wrote a simple powershell script that would attempt to write to system32 and as admin it wasn't blocked.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top