I was able to download it yesterday afternoon with no issues.Thank you for letting me know... I checked it and tried to reshare it but it looks like we just have to wait 24 hours before they make it available again.
Please provide comments and solutions that are helpful to the author of this topic.
I was able to download it yesterday afternoon with no issues.Thank you for letting me know... I checked it and tried to reshare it but it looks like we just have to wait 24 hours before they make it available again.
Hi, do you mind explaining the result in a few words? Pardon me, I'm non-technical. Thanks.
Need somebody else to test VirusCope's abilities. Had no time to run hundreds of files one by one.
They won’t be located in common malware hiding spot, because they are the first part of the attack chain. User would have downloaded them either on the desktop, or in %userprofile%\downloads.Hmmm, very interesting. What obfuscator do you recommend? I would love to play around with this. My initial thought is that is that it would not produce a diverse enough (or even realistic / effective) training data set, but I would like to play around with it out of curiosity.
Scripts and fileless malware in general are odd compared to PE32. I have read from various sources that ROUGHLY 33% of all PE32 files are malicious.
Whereas both malious and Safe scripts are far less common, and the ratio of malicious scripts to Safe scripts that an end user will encounter is likely higher. In other words, I believe the best practice is to auto allow the obviously safe scripts (high file rep, spawned from a Safe process, etc.), and block the rest, especially if they are located in a common malware hiding spot.
I ran everything remaining after AVG scan (Folder: “Malware”), monitoring what’s going on.First off, my compliments to Dan for providing the samples. It must have been a pain to do, and I think I speak for all here that he has both our Thanks and continuing Respect!
That being said, although in general running malware against a favorite product is always quite a Hoot, it is nice to be aware of the nature of the malware being run as things like Mechanism of Action and Age of samples are important to consider in order to reasonably evaluate the effectiveness of a given product in any testing scenario.
So for those with neither the time nor inclination to actually run and analyze the samples provided, it may be enlightening to take a random sample of the files in the Malware section, send them to VT and note the initial submission date (hint).
m
None of these vulnerable processes should be whitelisted or even blocked globally, it should depend individually on the attack chain.Treating scripts spawned from a trusted process as “safe” is the biggest mistake that could be made. This is what attackers usually rely on. In my opinion they’ve started using scripts only to bypass reputation checks. Same is with Java malware.
You have a process already whitelisted (wscript, cscript, cmd, powershell, javaw), but their behaviour is variable.
Thank you CS, but I cannot take credit for creating these samples, they were created by another vendor to test static ML/Ai malware detection, and they are 3+ years old.First off, my compliments to Dan for providing the samples. It must have been a pain to do, and I think I speak for all here that he has both our Thanks and continuing Respect!
That being said, although in general running malware against a favorite product is always quite a Hoot, it is nice to be aware of the nature of the malware being run as things like Mechanism of Action and Age of samples are important to consider in order to reasonably evaluate the effectiveness of a given product in any testing scenario.
So for those with neither the time nor inclination to actually run and analyze the samples provided, it may be enlightening to take a random sample of the files in the Malware section, send them to VT and note the initial submission date (hint).
m
Please remember, this is a static ML/Ai benchmark and efficacy test. If this was a dynamic ML/Ai benchmark and efficacy test, I would not expect a static test to perform well.I ran everything remaining after AVG scan (Folder: “Malware”), monitoring what’s going on.
One sample was deleted by AVG IDP (behavioural blocker).
Many others were perfectly harmful cracks and patches, that didn’t drop any files, didn’t register autoruns and system remained clean.
VT had very few vendors classifying them as PUP/PUA
One of the samples was a game, which I’ve highlighted (VT 1/72) on a 6-month old file.
Rest was just corrupted and looking for files that don’t exist (which is a great sign it’s not actually an infection)
In the clean folder, I immediately noticed files that are far cry from “clean”. These files are
1. Very small in size . No developer can bring you a safe and beneficial program in 50 kb of size (even if they used OOP and recycled code with extreme effectiveness). Even cracks/patches/keygens are larger than that. Small size suggests high-compression, which is usually used to evade detection. It also shows lack of resources/UX, which is again, sign of malware.
2. Icon is a representation of the software and helps users to remember, and identify the program. No developer would use low-size, low-quality weird icons. If they do, I wouldn’t execute their software, even if it was a free rival of Adobe Photoshop.
3. Metadata wasn’t really convincing.
I submitted these files to VT and they were all malware, as my intuition suggested.
It is best, but it’s not always possible. Behavioural blockers have greater visibility, as opposed to static and dynamic emulation, which I personally as an amateur attacker/tester have managed to bypass. Once you execute something, it reveals its true form and many times it’s not possible to block it prior to this moment.It is much better to detect malware before it executes instead of relying completely on behavior analysis.
That's contrary to the best practices of the entire industry. You can't argue that vendors don't disable them because they shouldn't be disabled. Those vendors would like to disable them, but don't so as to prevent a deluge of support requests from consumers. It's a matter of practicality for support operations, and not one of "this stuff should not be disabled."None of these vulnerable processes should be whitelisted or even blocked globally, it should depend individually on the attack chain.
This issue is limited to less than 0.01 % of all users, so it is an irrelevant criticism to say Windows Defender is dreadfully slow when 99.99 % of all users never face the issue. In fact, some users already have huge sized folders, used only Windows Defender, and never once experience your unsubtantiated claim of Windows Defender scan "would take many, many days."Do you guys know how if you scan a lot of files with WD it becomes overwhelmed (because it was designed to protect the computer and not test malpaks)?
I totally agree.That's contrary to the best practices of the entire industry. You can't argue that vendors don't disable them because they shouldn't be disabled. Those vendors would like to disable them, but don't so as to prevent a deluge of support requests from consumers. It's a matter of practicality for operations, and not one of "this stuff should not be disabled."
In your own product, it's been proven that people cannot distinguish between blocked safe and malicious command lines and respond appropriately. When they have to reply to an alert, and make the wrong choice and allow the malicious command line, you are notorious for blaming the end user.
So much for your claim that VS is so easy any novice can figure it out.
We have discussed this multiple times on multiple threads with your multiple accounts. Where is this proof of best practices? All you have to do is provide a link and you will have proven your point. Since I am such a HUGE fan of evidence, here is some that demonstrates why permanently disabling these items is a VERY bad idea... please read the entire thread.That's contrary to the best practices of the entire industry. You can't argue that vendors don't disable them because they shouldn't be disabled. Those vendors would like to disable them, but don't so as to prevent a deluge of support requests from consumers. It's a matter of practicality for support operations, and not one of "this stuff should not be disabled."
In your own product, it's been proven that people cannot distinguish between blocked safe and malicious command lines and respond appropriately. When they have to reply to an alert, and make the wrong choice and allow the malicious command line, you are notorious for blaming the end user.
So much for your claim that VS is so easy any novice can figure it out.
This is not even worth responding to, but well, you know, Covid "lockdown" and everything...This issue is limited to less than 0.01 % of all users, so it is an irrelevant criticism to say Windows Defender is dreadfully slow when 99.99 % of all users never face the issue. In fact, some users already have huge sized folders, used only Windows Defender, and never once experience your unsubtantiated claim of Windows Defender scan "would take many, many days."
A 20 minute scan is not a big deal except for the tiny minority that just can't cope with it and those that want to bash Windows Defender for their own gain.
Not only that, folders can be excluded from Windows Defender scans very easily. People do that and yet they don't gripe that Windows Defender is so difficult to figure out and user unfriendly. Relative to your own product, Windows Defender is a lot easier to work with for the average computer user.
I think there is a misunderstanding here. mazskolnieces believes all vulnerable process should be permanently disabled... like ps, regedit, cmd, etc. What he has never understood is that ALL windows files are vulnerable... some more than others. So if you want to narrow down the list of vulnerable processes, you could include script interpreters, regedit, rundll32, vssadmin to name a few. But the problem is that every 3 or so months malcoders find a new windows process to commonly abuse. Instead of leaving the user vulnerable, VS assumes that all windows processes are vulnerable (which was not an easy task) and protects them accordingly. The only question is, how do you handle the prompts?I totally agree.
These processes should be and always are whitelisted. If you wanna block their abuse, there are plenty of ways to do it. Generic blocks and alerts (specially the latter), won’t help a bit.
Sorry for the late reply.I tested WiseVector against malware I created myself (obfuscated PowerShell loader) and WV did great.
“Scan for safe files instead” is nothing new and nothing original/next-gen. These are tricks that “old mice”, such as Symantec/Norton, Trend Micro and many others have learned long time ago. These “tricks” are not bad, but you can’t rely solely on them, they have to be combined with other approaches as well.
What’s your opinion on using set of clean files as a training set and then using this both as anomaly detection and as a way to reduce fps?
What techniques WV currently supports to exclude safe files from constant scans and reduce FPs?
I only have a single account.We have discussed this multiple times on multiple threads with your multiple accounts.
There is no burden of prove on me when I know what the industry best practices are. Either you know, based upon real world professional experience or you don't. You have to figure it out.Where is this proof of best practices? All you have to do is provide a link and you will have proven your point.
You are not providing any compelling evidence here that suggests it "is a VERY bad idea" to block Windows Script Host full-time.Since I am such a HUGE fan of evidence, here is some that demonstrates why permanently disabling these items is a VERY bad idea... please read the entire thread.
Advice Request - Wscript trying to run
About a week ago i started getting blocks from Appguard for wscript. I have not installed any new software. I have only got a few insider updates. Any ideas? it appears to be trying to run svhost.exemalwaretips.com