App Review Webroot Secure Anywhere vs Zero Day Scriptor

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

woodrowbone

Level 10
Verified
Dec 24, 2011
480
Thank you for testing WSA.
I only miss in the video that you could have right-clicked on the taskbar icon and chosen "Control Active Processes", just to see if the scriptor was monitored? If it were, it would be nice to see if you could block it and see if the rollback feature would bring your docs and pics back?
But then again, it did not boot, which in my book is the biggest fail...

/W
 

starchild76

Most AVs will not prevent any scriptor from running unless it is detected by "signature."

Kaspersky and Comodo are the only ones that can be configured to block malicious scripts via default-deny rules.

Only current alternative is to use anti-executable.

Thank god for my NVT exe radar pro then :p
 

hjlbx

Thank you for testing WSA.
I only miss in the video that you could have right-clicked on the taskbar icon and chosen "Control Active Processes", just to see if the scriptor was monitored? If it were, it would be nice to see if you could block it and see if the rollback feature would bring your docs and pics back?
But then again, it did not boot, which in my book is the biggest fail...

/W

Theoretically it could reverse the scripter's actions - after Webroot determined it to be malicious. That determination time might realistically take a few hours to days, weeks or even months.

The WSA user also has the option to reverse the scriptor actions manually - if it is monitored.

Instead of going through all that rigmarole - I just prefer to use AE to block scriptors. That is just me... too lazy - so I don't have to do anything - or - think too hard... :D
 

hjlbx

WSA can be configured like an anti-executable (as can D+), but I'm not sure how it will react with scriptors.

Basically the setting in WSA is to disallow any files that are not rated as safe in the Webroot Intelligence Network. I tried using that setting - and it did block a lot of files - but at the same time - it also allowed a lot of Adware, including "Install Monsters" (just like Kaspersky) - since these files are rated as safe in both file rating databases.

So, yes, WSA can be used as an anti-executable for Unknown (= not a single WSA user has allowed the file to run). To me that isn't enough protection - because, if there are even only a few users that allow it, then it will be permitted to run. That is also how Kaspersky Security Network functions. Plus, it applies Trusted status to installers from Trusted vendors... really bad news as malware writers fake digital signatures from Trusted vendors all the time.

A good combo is WSA + AE (a lot of WSA fanboys use VS).
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
The problem with anti-executable software, i.e., VoodooShield, is that it disables Windows' own User Account Control. Surely a feature that's built in to Windows is more powerful left enabled than disabled.

So, only Comodo and Kaspersky can block such malicious actions (Scriptors)? Wow, that's a big let down in the AV industry, and ultimately for their customers.
 

Deleted member 178

Wondering if Symantec EP would block it.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,143
A few things- Please note that although I term this type of malware a Scriptor (I hope this catches on!), it is not actually a script, but has script-like properties. Something like a vbs script normally will spawn in Roaming and can be detected; a batch file, even if converted to an executable, will also just spawn the original batch file into Temp where it can also potentially be detected (and neither would bypass UAC). This malware is sadly much more insidious.

1). Umbra- I know that you are aware of the complexities of setting up SEP properly, the discussion of which would be over the top for MT. I can assure you though that SEP failed, mainly because it was initially discovered bringing down endpoints of SEP-protected organizations. But the SEP bypass should come as no surprise- the last two extreme breaches of US retailers, namely Target and Home Depot, were caused by basic targeted scripts on SEP-protected networks (Personally I love Symantec- cleaning up their messes keeps me in Jimmy Choos).

2). Regarding the Webroot Rollback feature- I have chosen not to add any code to the malware that would force a Shutdown/Reboot (mainly to do other things while the malware is working). But this would have been rather simple to do. It would have also rendered any chance of Webroot Rollback from working, as the system is totally trashed. Note that the malware is invisible, so after clicking on the file a user not aware of what it was would be smiling up until the time the system shut down.

3). Umbra (again)- Thank you for the comment:

Detection is a feature of the past , prevention and virtualization rules

That was actually my only point. Not so much that people should switch to anything now, but instead should be outraged that the security protection currently used is inadequate for malware attacks that are on the horizon. Many vendors are aware of this "flaw" in their products, but choose not to close it because they may get False Positive deductions on the major AV test sites, or else blow off further development due to financial expediency. Not sure which is more contemptible.
 

Deleted member 178

I think that SEP, if properly set up, should have blocked it. I know that some ITs in some corporations are quite lazy.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,143
In the two public breaches that I referred to above SEP kinda-sorta caught it. SEP allowed the malware, no doubt about that. But the Firewall logs did show connections to Eastern Europe a few times a week (when the stolen data was transmitted). Although obvious on post-mortem analysis, at the time these transmissions were buried in millions of other data points, so really impossible for anyone other than Superman to pick out (SEP doesn't alert to aberrations such as this).
 
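The post above describes the classic post-mortem finding: a handful of outbound transfers a week to one unusual destination, drowned in millions of ordinary connections that nobody is alerted to. The following is an added example (not code from the thread, from Symantec, or from any product) of the kind of aggregation that makes such a pattern stand out: per destination, count connections, count the distinct ISO weeks in which it appears, and flag destinations that are a tiny share of all traffic yet recur week after week. The log format and all sample records are constructed for the example; the thresholds are assumptions to be tuned per environment.

```python
"""Added example: surface rare, recurring outbound destinations in firewall logs.

Hypothetical log format and constructed data; not the output of any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Construct 28 days of fake outbound-connection records.

    Line format (hypothetical): <ISO timestamp> <src_ip> <dst_ip>:<dst_port> <bytes_out>
    """
    start = datetime(2014, 11, 3)  # a Monday, so the 28 days cover 4 ISO weeks
    lines = []
    for day in range(28):
        for n in range(40):  # routine traffic to two busy, well-known hosts
            ts = start + timedelta(days=day, minutes=15 * n)
            host = "203.0.113.10:443" if n % 2 == 0 else "203.0.113.11:80"
            lines.append(f"{ts.isoformat()} 10.0.5.{20 + n % 5} {host} {800 + n}")
    for day in (1, 4, 8, 11, 15, 18, 22, 25):  # twice-weekly transfer to one odd host
        ts = start + timedelta(days=day, hours=2)
        lines.append(f"{ts.isoformat()} 10.0.5.23 198.51.100.7:443 524288")
    ts = start + timedelta(days=6, hours=12)  # a single one-off connection, seen in one week only
    lines.append(f"{ts.isoformat()} 10.0.5.21 192.0.2.99:8443 300")
    return lines


def parse_line(line):
    """Split one record of the hypothetical format into its fields."""
    ts, src, dst, nbytes = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst_ip,
            "port": int(dst_port), "bytes": int(nbytes)}


def rare_recurring_destinations(lines, max_share=0.01, min_weeks=3):
    """Return destinations that are a tiny share of all connections yet recur week after week.

    max_share: maximum fraction of all connections a destination may account for.
    min_weeks: minimum number of distinct ISO weeks the destination must appear in.
    Both thresholds are assumed starting points, not recommended values.
    """
    count = defaultdict(int)
    weeks = defaultdict(set)
    total_bytes = defaultdict(int)
    records = [parse_line(line) for line in lines]
    for r in records:
        count[r["dst"]] += 1
        weeks[r["dst"]].add(tuple(r["ts"].isocalendar()[:2]))  # (ISO year, ISO week)
        total_bytes[r["dst"]] += r["bytes"]
    total = len(records)
    findings = []
    for dst, c in count.items():
        share = c / total
        # Busy hosts fail the share test; one-off connections fail the recurrence test.
        if share <= max_share and len(weeks[dst]) >= min_weeks:
            findings.append({"dst": dst, "connections": c, "share": share,
                             "weeks_seen": len(weeks[dst]), "bytes_out": total_bytes[dst]})
    findings.sort(key=lambda f: -f["bytes_out"])  # largest outbound volume first
    return findings


if __name__ == "__main__":
    for finding in rare_recurring_destinations(build_sample_log()):
        print(finding)
```

On the constructed data only 198.51.100.7 is reported: the two busy hosts are far above the share threshold, and the one-off 192.0.2.99 connection is rare but appears in a single week, so it is not treated as a recurring pattern. Sorting by outbound bytes puts the destination that received the most data at the top, which is the figure an analyst wants first when judging a possible exfiltration channel.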

Deleted member 178

That is weird, because any connection is alerted to me, as well as unknown files; this is how I set it up.
 
Martin_C

Level 1
Verified
Mar 10, 2015
36
Not so much that people should switch to anything now, but instead should be outraged that the security protection currently used is inadequate for malware attacks that are on the horizon. Many vendors are aware of this "flaw" in their products, but choose not to close it because they may get False Positive deductions on the major AV test sites, or else blow off further development due to financial expediency. Not sure which is more contemptible.

While you are right that these kinds of attacks are a pain in the rear currently and that they need to be addressed, you are wrong when you state that nobody does anything and thereby paint a picture of certain doom.

With Windows 10 just around the corner, and since Microsoft has built-in features to deal with exactly these problems, the marathon series of "scriptor" tests seems a bit rushed.

The industry is well aware of the problem and Microsoft provides a way to deal with it.

One more reason to update to Windows 10.

http://blogs.technet.com/b/mmpc/arc...lication-developers-new-malware-defenses.aspx

http://blogs.technet.com/b/srd/arch...otection-in-windows-10-and-powershell-v5.aspx
 
