AppGuard Defeats Weaponized Document


XhenEd

VT detection in the video is not the focus of the test. And so, it's irrelevant to bring to attention the unreliability of VT in testing. VT is just there to show that the file is at least detected as malicious by a few AVs. :)

When the file is established as malicious through VT, AppGuard is then tested against it. :)

AppGuard is the focus of the test, that is, how it prevents a malicious file from doing its actions. :)
 

509322

Thread author
The definition of a zero-day is "deriving from or relating to a previously unknown vulnerability to attack in some software."

Technically, the malicious *.vbs is not a zero-day, but instead undetected by virtually all the scan engines. It can't be called fully undetected since it was rated as malicious by a few of the engines.

The term "zero-day" has become a generic descriptor for any malware newly released into the wild - and that is its meaning within the video. The intent in the video is to show that AppGuard does not rely upon file signatures or reputation ratings.

VT wasn't used for a comparative AV analysis - comparing one AV to another AV. It was used simply to lookup a single file's detection by the various VT member scan engines.
 

tim one

@Jeff_T - Testing Group

From what I understand you are here just to promote your software and the company for which you work.
Nothing wrong with that, maybe, but from my point of view you, as a developer or member of that company, have to be open to all criticism.
If this is a discussion forum, it is quite normal to discuss topics.

So by repeating what I said above: the point is that this video wants to prove that AG is blocking a zero-day malware (I'm not questioning the effectiveness of AG, which is universally recognised).
I could simply agree with you if you could really prove that the sample is reasonably a zero-day malware, without relying just on a trivial VT analysis.
It is common practice to bring documented evidence, or at least a link where one can download and analyze the sample, but that is a useless task now, considering that the video is one year old (quite emblematic).

Objectively, in my eyes the video shows that AG blocks a hypothetical 0-day malware, or perhaps a file that is not malware.

Computer security is a science, and as such, it needs evidence, not assumptions.
 

XhenEd

@tim one

AppGuard is already tested by several testers (e.g. @cruelsister and @Lucent Warrior), not just the test shown by the OP. Besides, it's not completely relevant that a malware is zero-day. Zero-day malware or not, AppGuard will still do its thing, that is, to block, because it is signatureless anti-malware. :)

Of course, AppGuard is not and will never be faultless. Some tests in the past have shown this. :)
 

509322

Thread author
@Jeff_T - Testing Group

From what I understand you are here just to promote your software and the company for which you work.
Nothing wrong with that, maybe, but from my point of view you, as a developer or member of that company, have to be open to all criticism.
If this is a discussion forum, it is quite normal to discuss topics.

So by repeating what I said above: the point is that this video wants to prove that AG is blocking a zero-day malware (I'm not questioning the effectiveness of AG, which is universally recognised).
I could simply agree with you if you could really prove that the sample is reasonably a zero-day malware, without relying just on a trivial VT analysis.
It is common practice to bring documented evidence, or at least a link where one can download and analyze the sample, but that is a useless task now, considering that the video is one year old (quite emblematic).

Objectively, in my eyes the video shows that AG blocks a hypothetical 0-day malware, or perhaps a file that is not malware.

Computer security is a science, and as such, it needs evidence, not assumptions.

That a malware is "zero-day" or not is irrelevant; AppGuard will block it whether it is only 1 second old or 5 years old.

All the information anyone needs to locate and properly test the weaponized document is provided in the video. All the essential variables are clearly shown.

You can track down the sample and test it for yourself. Then you can be fully satisfied that the sample was, indeed, malicious.

Capture.PNG
 


tim one

That a malware is "zero-day" or not is irrelevant; AppGuard will block it whether it is only 1 second old or 5 years old.

All the information anyone needs to locate and properly test the weaponized document is provided in the video. All the essential variables are clearly shown.

You can track down the sample and test it for yourself. Then you can be fully satisfied that the sample was, indeed, malicious.

Perhaps I've been misunderstood, and I don't need to be satisfied (and there is no need to be rude with me).

If we talk (as in your video) about AG blocking a real and documented zero-day malware, then that is one thing.
If you say "zero-day or not is irrelevant", then you are saying a wrong thing.

The video clearly shows AG against a 0-day sample, and whoever sees the video gets the confidence that it is actually a 0-day.
Needless to say, the fact that you can see the SHA256 in the video doesn't help, because no one manually types the hash to search for and download it.
That's why it was necessary to have a link to the sample or to an online analysis report.

Thanks for the explanation, but for me that sample could be a false positive accidentally blocked by the restriction policy of AG, because Office files are automatically guarded (by default) as @XhenEd said.
 

uncle bill

That a malware is "zero-day" or not is irrelevant; AppGuard will block it if it is only 1 second old or 5 years old.
There's a basic error in all the self-promotion videos I see on MalwareTips (ok, not only on MalwareTips): the false sense of security they try to transmit when they say "secure yourself with our product, here's a video proving its effectiveness". If you like I can say AppGuard is a great product, and it certainly is, but still my first security app remains my brain, and I'm one of those who won't open such an attachment just because I received it, and I'm one of those who won't ignore messages that tell me to allow execution of macros included in the document I'm opening. Do you really mean to say AppGuard will never fail, so open every kind of thing you receive just because AppGuard will protect you now and 5 years from now from everything created or to be created? Really? :)
 

XhenEd

There's a basic error in all the self-promotion videos I see on MalwareTips (ok, not only on MalwareTips): the false sense of security they try to transmit when they say "secure yourself with our product, here's a video proving its effectiveness". If you like I can say AppGuard is a great product, and it certainly is, but still my first security app remains my brain, and I'm one of those who won't open such an attachment just because I received it, and I'm one of those who won't ignore messages that tell me to allow execution of macros included in the document I'm opening. Do you really mean to say AppGuard will never fail, so open every kind of thing you receive just because AppGuard will protect you now and 5 years from now from everything created or to be created? Really? :)
In fairness to Jeff, he's not saying that AppGuard will never fail. If you know Jeff's other account (now gone), you'll see that it is he who heavily criticized Blue Ridge Networks for not acting on a potential vulnerability in AppGuard's protection.

What he's saying is that given how AppGuard works, malware will be blocked, as long as this malware works within how AppGuard would react. So, regardless of the age of the malware, if its actions are already in AppGuard's way of protection, then it will be blocked.
 

509322

Thread author
Perhaps I've been misunderstood, and I don't need to be satisfied (and there is no need to be rude with me).

If we talk (as in your video) about AG blocking a real and documented zero-day malware, then that is one thing.
If you say "zero-day or not is irrelevant", then you are saying a wrong thing.

The video clearly shows AG against a 0-day sample, and whoever sees the video gets the confidence that it is actually a 0-day.
Needless to say, the fact that you can see the SHA256 in the video doesn't help, because no one manually types the hash to search for and download it.
That's why it was necessary to have a link to the sample or to an online analysis report.

Thanks for the explanation, but for me that sample could be a false positive accidentally blocked by the restriction policy of AG, because Office files are automatically guarded (by default) as @XhenEd said.

These online posts are not normal person-to-person conversations. I was not being rude to you. I simply posted a reply.

The age of a malicious file - whether it is new or old - is not relevant to the way AppGuard works; AppGuard will block both new and old malware. AppGuard does not use signature, file reputation, heuristics, nor behavioral analysis to block files. It strictly blocks the execution of files based upon policies.

There are many sources of new ("zero-day" malware) where one can download samples and test them against AppGuard.

BRN does not provide download links for the samples used in videos. The information required to obtain the sample - for those inclined to do so - is all provided in the video and adheres to generally accepted industry best practices.

The malware sample was vetted by BRN staff; it was - at that time - an almost completely undetected weaponized document. The *.vbs was a downloader that would download additional software and execute it.
 

uncle bill

I'm sorry, I didn't want to criticize anyone, but I, somewhat, found his reply to @tim one rude and the part I quoted arrogant. Sure, I don't know anything about him, but I think exactly what I wrote: that kind of video is junk.
 

509322

Thread author
There's a basic error in all the self-promotion videos I see on MalwareTips (ok, not only on MalwareTips): the false sense of security they try to transmit when they say "secure yourself with our product, here's a video proving its effectiveness". If you like I can say AppGuard is a great product, and it certainly is, but still my first security app remains my brain, and I'm one of those who won't open such an attachment just because I received it, and I'm one of those who won't ignore messages that tell me to allow execution of macros included in the document I'm opening. Do you really mean to say AppGuard will never fail, so open every kind of thing you receive just because AppGuard will protect you now and 5 years from now from everything created or to be created? Really? :)

It is a simple demonstration video. You are reading too much into it.

BRN recommends keeping macros disabled, except in the case where a user knows that the macro-containing document is safe/trusted.

That being said, if a user forgets to disable macros, introduces a macro-containing document to the system, and the macro attempts to execute certain file types, then AppGuard will block.

The age of a file is not relevant to the way that AppGuard works; it will block a new or old file.
 

Wave

nor behavioral analysis to block files. It strictly blocks the execution of files based upon policies.
I'm not involved in the previous/current discussion, however I just saw this and want to offer a correction: behavioural analysis counts as part of policy blocking, since you'd be monitoring the behaviour to restrict specific things from occurring, redirect them, or auto-block the sample upon an action violation (based on the policy). :)
 

509322

Thread author
I'm not involved in the previous/current discussion, however I just saw this and want to offer a correction: behavioural analysis counts as part of policy blocking, since you'd be monitoring the behaviour to restrict specific things from occurring, redirect them, or auto-block the sample upon an action violation (based on the policy). :)

Software restriction policies are just a defined set of rules to allow or block execution, or to allow or block access rights to protected resources.

There is no behavioral analysis of file actions by AppGuard. Behavioral analysis employs an algorithm that will allow some actions and block others based upon various parameters. AppGuard just strictly applies its defined policies and allows or blocks according to the set of rules.
 