App Review: A Fileless Malware Primer

509322

Simply beautiful! Excellent video (and music).

The part where the anti-malware displays "Your system is clean"? LoL :eek:

Security solutions do not scan Scheduled Tasks. Once a task is created, they do not know if it is safe or malicious.

This attack is called fileless, but technically it is not. There are scheduled tasks created and the files that are executed by the tasks are created in c:\users\<user>.
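The post above notes that security products do not look at Scheduled Tasks once they exist. The following PowerShell is an added example (not code from the thread or any product mentioned in it) that audits every task action on the host for exactly the pattern described: an action that runs a script interpreter, points into a user profile directory, or carries suspicious interpreter arguments. The interpreter list and the argument heuristics are assumptions chosen for illustration; run it from an elevated prompt to see tasks owned by other accounts.

```powershell
# Added example, not code from the thread: audit scheduled tasks for the pattern the
# post describes, a task action that runs a script interpreter or points into a user
# profile directory. It reports only; it deletes nothing.

$interpreters = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                'mshta.exe','rundll32.exe','regsvr32.exe'
# Regex for "<SystemDrive>\Users\" so actions living under a profile stand out.
$profileRoot = [regex]::Escape("$env:SystemDrive\Users\")

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions carry an executable; COM-handler actions have no Execute.
        if (-not $action.Execute) { continue }
        $exe      = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
        $taskArgs = [string]$action.Arguments
        $reasons  = @()
        if ($interpreters -contains $exe) { $reasons += "runs interpreter $exe" }
        if ("$($action.Execute) $taskArgs" -match $profileRoot) { $reasons += 'references a user profile path' }
        # Assumed heuristics: encoded commands, hidden windows, policy bypass, download-and-run.
        if ($taskArgs -match '(?i)-enc|hidden|bypass|downloadstring|iex\b') { $reasons += 'suspicious interpreter arguments' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $taskArgs
                Reasons   = $reasons -join '; '
            }
        }
    }
}
$findings | Sort-Object Task | Format-Table -AutoSize -Wrap
```

Legitimate software also schedules interpreter runs, so treat each hit as something to verify against the task's Author and the script it points to rather than as a verdict.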

509322

ThumbsUp.

I suppose I should have also mentioned there are certainly others which would/could do the same but ERP was the first anti-exe that came to mind.
  • Anti-executables that monitor cmd\powershell\wscript
  • SRP in which a user has manually created deny policies for cmd\powershell\schtasks\wscript (e.g. AppGuard > User Space - YES)
  • Emsisoft's behavior blocker (when WinWord.exe attempts to access cmd.exe (launch of unprotected document), the exploit protection will terminate WinWord.exe)
  • A security soft in which a user has manually created deny or restricted policies for cmd\powershell\schtasks\wscript (e.g. Kaspersky's Application Control > Untrusted)
  • Run such documents sandboxed\virtualized
  • HIPS - do not create permanent rules for interpreters; the HIPS will alert when an interpreter is launched; a user might have to move interpreters to certain file groups in certain products to generate alerts for their launch - for example Unrecognized in COMODO or low\high restricted in Kaspersky
Most typical AppGuard users would know that if it blocks an interpreter launch while opening and working with a document that something is not right and investigate.

jamescv7

With so many different vectors, those secondary components like HIPS, BB and even Anti-exe should be more aggressive on possible exploit holes.

PowerShell and other common programs that are known for security holes must be taken seriously by business enterprises, because they will just kill the system easily.

Today's security strategy should not rely on one tool only.
 

EASTER

It's almost dizzying the multiple curves that Microsoft continues to cram into each new release when most folks haven't finished quite yet charting the previous ones all the way.

It's a cover-the-basics strategy for most users. Anti-malware along with a dedicated AV, or vice versa/together, etc.

This video is yet another example of just what CAN and DOES happen and without much of a peep for most.

With so much and so many ways to disrupt your good machine you have to admonish the efforts of Cruelsister in showcasing Comodo FW for those many people who just want a safer way to get around the block (so to speak) without running into time wasting "easy avenue malwares" coming at them.

Anxiously awaiting that next follow-up to this.

509322

Attacks are fundamentally the same. Protecting a system against an attack is not that difficult. For home use protection scenarios, the real limitation - or hindrance if you will - is the user - on so many levels.
 

EASTER

Almost always so, which begs for a little push in the right direction which can go a long way in a short amount of time in reducing the limitations.

And to that end, and specifically geared to the newest of people/users not anywhere near having a handle on their systems yet, the results of CS's ComodoFW videos (per CS settings) seem a really reasonable and immensely helpful starting point for any of them.

Let's hope some of them catch on soon enough and then gain that confidence to look over all the other available programs and prevention methods they can see clearer in which to choose from.

509322

Even if you paid some people to protect their systems, they still would not do it.

509322

It would be interesting to know if the same scanners would detect something with real-time active protection.

Kaspersky and a few others detect menu.rtf upon extraction from the archive or upon opening the document, while others detect it only during a scan.

menu.rtf has been around for a while so there are signatures for it.

If it were newly released within the past hour, then you would need something that blocks it from executing wscript.exe, which in turn attempts to launch cmd.exe. Prevent WinWord.exe from launching wscript.exe and the infection run is broken.
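The post above, like the earlier list of anti-exe and HIPS mitigations, hinges on one observable: WinWord.exe launching wscript.exe, which then launches cmd.exe. Where no anti-exe is in place, the same chain can at least be detected after the fact from Windows process-creation auditing. The following PowerShell is an added example (not from the thread or any product it names) that reads Security event 4688 and flags an Office application starting a script interpreter, or an interpreter invoking schtasks.exe. It assumes "Audit Process Creation" is enabled (and "Include command line in process creation events" for the CommandLine column); the Office and interpreter lists are assumptions chosen for illustration.

```powershell
# Added example, not code from the thread: search Security event 4688 (process creation)
# for the launch chain described above, an Office application starting a script
# interpreter, or an interpreter invoking schtasks.exe to persist. Assumes
# "Audit Process Creation" is on; the CommandLine field additionally needs
# "Include command line in process creation events". Run from an elevated prompt.

$officeApps   = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe'
$interpreters = 'wscript.exe','cscript.exe','cmd.exe','powershell.exe','pwsh.exe','mshta.exe'
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) }

$hits = foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Read fields by name from the event XML instead of relying on property positions.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # ParentProcessName is absent on older Windows builds; [string] keeps that from throwing.
    $parent = [System.IO.Path]::GetFileName([string]$data['ParentProcessName']).ToLower()
    $child  = [System.IO.Path]::GetFileName([string]$data['NewProcessName']).ToLower()

    $reason = $null
    if ($officeApps -contains $parent -and $interpreters -contains $child) {
        $reason = 'Office application launched a script interpreter'
    } elseif ($interpreters -contains $parent -and $child -eq 'schtasks.exe') {
        $reason = 'script interpreter created or modified a scheduled task'
    }
    if ($reason) {
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Parent      = $data['ParentProcessName']
            Child       = $data['NewProcessName']
            CommandLine = $data['CommandLine']
            Reason      = $reason
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Any row in the output is worth a look even when the scanner reports a clean system, because it records the launch the post says must be prevented, not the files that were left behind.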