> Microsoft Defender: detected. Congrats Microsoft!

With default settings?
> In Harmony Endpoint, the "FUD" triggers not one, but 3 behavioural detections. It also launches a variety of LOLBins, all blocked under my policy.

Just checking in... with a sort of "noob" question: here, Harmony does NOT detect the file as zip, and did not detect anything at 1930z or at 0300z. Should it detect the zip?
> Just checking in... with a sort of "noob" question: here, Harmony does NOT detect the file as zip, and did not detect anything at 1930z or at 0300z. Should it detect the zip?

The file will be detected by emulation if downloaded and if emulation is set up correctly. In my case it was already downloaded and extracted, so upon launch, 3 different behavioural detections were triggered. These detections are very generic and cover certain tactics used. At this point the sample is already known to Check Point, so it will be detected by reputation as well.
> The file will be detected by emulation if downloaded and if emulation is set up correctly. In my case it was already downloaded and extracted, so upon launch, 3 different behavioural detections were triggered. These detections are very generic and cover certain tactics used. At this point the sample is already known to Check Point, so it will be detected by reputation as well.

Well, what can I say, I did not set up the emulation, I let Lithify do the heavy lifting. So as I understand your post, CP should have (could have) blocked it during DL. It was a relatively slow DL and I saw the CP browser icon huffing and puffing, and then let it pass into \downloads... Also did a right-click scan 4+ hours later and no detection. Curious since "known"...
> Well, what can I say, I did not set up the emulation, I let Lithify do the heavy lifting. So as I understand your post, CP should have (could have) blocked it during DL. It was a relatively slow DL and I saw the CP browser icon huffing and puffing, and then let it pass into \downloads... Also did a right-click scan 4+ hours later and no detection. Curious since "known"...

I can't say why this is happening without checking certain logs that are only available locally, not even on the portal. My guess is, the file is just being excluded from scanning due to size. Nevertheless, Behavioural Guard and EFR terminate the file very early in its execution stage, delete all dropped components and identify it as Nova Infostealer (how deeply the attack will be cleaned depends on setup as well). You are protected against the attack.
> I can't say why this is happening without checking certain logs that are only available locally, not even on the portal. My guess is, the file is just being excluded from scanning due to size. Nevertheless, Behavioural Guard and EFR terminate the file very early in its execution stage, delete all dropped components and identify it as Nova Infostealer (how deeply the attack will be cleaned depends on setup as well). You are protected against the attack.

Yes, I believe Harmony is protecting this VM very deeply. At this point, I'll just delete that file as I'm not in the mood to deal with unintended consequences. (aka chickenshit)
> Yes, I believe Harmony is protecting this VM very deeply. At this point, I'll just delete that file as I'm not in the mood to deal with unintended consequences. (aka chickenshit)

The detections are:
behavioural.win.t1036_005.b
behavioural.win.suspmasquerading.c
gen.win.absvct.a
This Nova Stealer is not a novel tactic. Malware in Electron packages has been discussed many times; there is even a Check Point blog post.
And Bitdefender detects it? :/
The file would still be contained for those using Xcitium
The signature on the file is also invalid
All in all... Nice find.
> Yes, with ATP.

But this is Bitdefender Free, which doesn't have memory and command-line scanning. Perhaps on the paid products where these features are enabled, it would have handled the LOLBins better…
Note that I've reported it twice. Bitdefender deletes all traces left behind, but last night it didn't.
No anti-malware detection yet.
> Why does the VirusTotal page still show that Avast, Bitdefender, Microsoft and others didn't detect it?

I submitted it to GDATA a few minutes ago. Unfortunately GDATA had no reaction; I was hoping a pop-up would appear showing BEAST detected it, but it did not.
> Why does the VirusTotal page still show that Avast, Bitdefender, Microsoft and others didn't detect it?

For McAfee it was the other way around: detected on VT, but when @Shadowra tested the Endpoint Security, there was no detection.
> Why does the VirusTotal page still show that Avast, Bitdefender, Microsoft and others didn't detect it?

Indeed, it is quite common that the VT detection result differs from the actual AV detection, as @Trident posted.
> Indeed, it is quite common that the VT detection result differs from the actual AV detection, as @Trident posted.

That's because there may be differences in the versions of the antivirus engines, differences in configurations, and differences in databases. The way VirusTotal operates is also different from a currently installed antivirus program.
> Why does the VirusTotal page still show that Avast, Bitdefender, Microsoft and others didn't detect it?

For Avast and Bitdefender, the detection was from their behavior blocker, which is not present on VT. For Microsoft Defender, maybe some other on-execution detection logic was triggered, which once again is not within the scope of VirusTotal.
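As an added illustration of the point made in the last few replies (not code from any poster, and not a real report for this sample): a VirusTotal v3 file report lists, per engine, a `category`, an `engine_version` and an `engine_update` date under `data.attributes.last_analysis_results`. Lining those up against what the same vendor's installed product did on the test machine separates "VT cannot see this layer" (behaviour blocker, on-execution logic) from "the engine, definitions or configuration differ". The VT entries, endpoint observations, engine versions and dates below are all constructed placeholders.

```python
"""Reconcile VirusTotal per-engine verdicts with endpoint observations.
Added example. VT_RESULTS is constructed in the shape of the VT v3 API's
data.attributes.last_analysis_results; ENDPOINT is constructed from the
kind of manual test described in the thread. All values are placeholders."""
from datetime import date, datetime

# Constructed VT-style results (category, engine_version, engine_update=YYYYMMDD).
VT_RESULTS = {
    "Microsoft":   {"category": "undetected", "engine_version": "1.1.0.0", "engine_update": "20240101"},
    "BitDefender": {"category": "undetected", "engine_version": "7.2",     "engine_update": "20240101"},
    "Avast":       {"category": "undetected", "engine_version": "23.9",    "engine_update": "20240101"},
    "McAfee":      {"category": "malicious",  "engine_version": "6.0.6",   "engine_update": "20240101"},
    "Kaspersky":   {"category": "malicious",  "engine_version": "22.0",    "engine_update": "20240101"},
}

# Constructed endpoint observations: vendor -> (detected?, layer that fired).
ENDPOINT = {
    "Microsoft":   (True,  "on-execution"),
    "BitDefender": (True,  "behavior-blocker"),
    "Avast":       (True,  "behavior-blocker"),
    "McAfee":      (False, "on-access"),
    "Kaspersky":   (True,  "on-access"),
}

# Layers whose result a VT static scan can in principle reproduce (assumption).
STATIC_LAYERS = {"on-access", "on-demand"}

# Day the endpoint test was run (constructed).
SCAN_DAY = date(2024, 1, 3)


def reconcile(vt_results, endpoint, scan_day):
    """Return engine -> 'consistent' or an explanation of the disagreement."""
    out = {}
    for engine, vt in vt_results.items():
        vt_hit = vt["category"] in ("malicious", "suspicious")
        local_hit, layer = endpoint.get(engine, (None, None))
        if local_hit is None:
            out[engine] = "no endpoint observation"
        elif vt_hit == local_hit:
            out[engine] = "consistent"
        elif local_hit and layer not in STATIC_LAYERS:
            # Behaviour/on-execution verdicts never appear in a VT file scan.
            out[engine] = f"endpoint-only: {layer} verdict is outside VT's static scan"
        else:
            # Same layer, different answer: engine build, definitions or config differ.
            updated = datetime.strptime(vt["engine_update"], "%Y%m%d").date()
            age = (scan_day - updated).days
            out[engine] = (f"mismatch: VT ran engine {vt['engine_version']} with definitions "
                           f"{age} day(s) older than the endpoint test; compare engine version, "
                           f"definitions and configuration of the installed product")
    return out


def report():
    """Run the reconciliation over the constructed data."""
    return reconcile(VT_RESULTS, ENDPOINT, SCAN_DAY)


if __name__ == "__main__":
    for engine, verdict in report().items():
        print(f"{engine:12s} {verdict}")
```

With the constructed inputs, Microsoft, Bitdefender and Avast come out as endpoint-only detections (exactly the behaviour-blocker and on-execution cases from the reply above), McAfee is the reverse mismatch (detected on VT, missed on the endpoint) that points at engine or configuration differences, and Kaspersky is consistent.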