- Jun 21, 2011
- 376
AVG has a better UI I think ... I always liked it better been using it from 2008 and on but quit using in 2017 and now i am back again.... kindda
User Feedback AVG Ultimate
- Thread starter McMcbrad
- Start date
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
It blocks them by behaviour if they are obfuscated. If they are not, it considers the scripts user-made and either blocks C&C server or IDP blocks secondary payload by behaviour. The script and the server will then be reported and blacklisted.McMcbrad,
Could you test AVG against scripting attacks? In my tests (trojan downloaders), AVG did not block almost anything (far worse than Norton). The files could be downloaded and run without problems. So, there is probably no additional script control in AVG.
tipo
Level 6
- Jul 26, 2012
- 286
@McMcbrad
do you consider the free version of avg as being enough in terms of protection, covering all sorts of malware types? file shield, web shield, ransomware shield, behaviour shield- are these shields enough to secure a novice user`s (let`s say my mom
) laptop? is it a hassle free, install and forget antivirus? (i know we`re talking about the ultimate version here, sorry for the off topic)
do you consider the free version of avg as being enough in terms of protection, covering all sorts of malware types? file shield, web shield, ransomware shield, behaviour shield- are these shields enough to secure a novice user`s (let`s say my mom
) laptop? is it a hassle free, install and forget antivirus? (i know we`re talking about the ultimate version here, sorry for the off topic)
Last edited:
- Dec 23, 2014
- 5,727
I can confirm that. I obfuscated the below script:
WScript.Echo "Hello world"
WScript.Quit
After obfuscation, It has been immediately detected as malware VBS:Agent-BDV[Trj].
Not especially complex, but can be very efficient in the home environment.
Last edited:
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
You don’t need to be sorry, as your topic is at the right place. Yes, the free version offers enough protection, specially if you increase heuristics sensitivity to max (as I do). It shows *some* alerts from time to time, but these are not so annoying and most people can live with them.@McMcbrad
do you consider the free version of avg as being enough in terms of protection, covering all sorts of malware types? file shield, web shield, ransomware shield, behaviour shield- are these shields enough to secure a novice user`s (let`s say my mom
These shields will be more than enough to secure a user like your mum and also, the AVG browser extension (if installed) blocks trackers and displays user ratings on sites, similar to WOT. This boosts web-protection slightly.
@Andy Ful yes, or if not detected by that, they trigger IDP.Fileless.25 or something of this sort after execution. The behaviour shield is very well trained against these. Sometimes they trigger IDP.Generic. They will shortly after be added to definitions via streaming update and detected as Trojan Generic (don’t remember the exact formatting of the detection). Attackers will never leave their scripts in plain text, as it makes heuristic analyses too easy. So closing that door will prevent most of the attacks, if not all. Blocking C&C servers contributes as attacker might host 100 updated scripts on a single server and all of them will be blocked. Blocking the script itself will block many new C&C servers where attacker might host it or its secondary payload.
A behavioural profile of the script can then be created to block what other attackers might attempt to do.
All other malware that somehow connects to the C&C server will be prevented from working properly and will be quickly identified.
It also seems to intercept calls from a legit app to a script interpreter when code is passed as an argument. E.g CMD PowerShell.exe -e <base64 malicious code>.
The more you over-complicate a solution, the more variable and fuzzy result it will produce for you. The proof is in Kaspersky Application Control and Norton Insight. They are expensive to execute and maintain, but they revolve around one very simple concept, where user should work only with trusted code and are both very effective.
Avast’s simple way of dealing with scripts is more than enough in a home environment.
Avast seems to extract a lot of intelligence from one single threat quickly and that helps a lot.
Last edited:
- Mar 29, 2018
- 4,833
@tipo you may minimize AVG ads/annoyances by blocking AVGUI.exe outbound connection in Windows Firewall. Configure AVG @ High Sensitivity + Hardened Mode for your mom and it's set-and-forget protection.
Or use Windows Defender + ConfigureDefender @ High setting. Easy, no hassle.
Or use Windows Defender + ConfigureDefender @ High setting. Easy, no hassle.
tipo
Level 6
- Jul 26, 2012
- 286
- Dec 23, 2014
- 5,727
I like it as a solution in the home environment. In fact, I was curious for a long time if any AV would adopt it for protection. Of course, it will not be sufficient in the targeted attacks.
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
The fileless Tesla I discovered is part of a targeted attack. PowerPoint presentation named “Wired Payment” with malicious Macro downloads an obfuscated JS script. The script in turn downloads another JS script, which downloads 2 PS scripts, ensuring their persistence(scheduled task and startup entry). The final payload is injected into msbuild.exe and cvtres.exe and is a version of Agent Tesla.
AVG first blocked the PowerPoint presentation from executing the macro. After downloading the JS script manually, it was deleted. After browsing the host I found the 2 PowerShell scripts and executed them. Password Protection Shield blocked Agent Tesla from stealing my credentials and IDP kicked in, suspending cvtres and msbuild. Connection to the C&C (second server, not the host) prior to removal was blocked by Web Shield. Minutes later, all 3 scripts (Scheduled Tasks Creator + PS Tesla) were blocked and the host was blacklisted. Sensitive data access could be prevented by ransomware shield, if initiated. Password Protection shield is a knock-off of this component, protecting browser repositories instead of user-selected folders.
Of course targeted attacks will be carried out against businesses and I am not sure what other protection Avast offers there, but I’m pretty sure it excels.
Last edited:
- Dec 23, 2014
- 5,727
I can use Base64 encoded script (trojan downloader) and it is allowed by AVG.
$base64="here is encoded script"
$a = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64))
iex $a
So one can possibly use obfuscated PowerShell script, encode it via Base64 and use the above script to bypass AVG.
$base64="here is encoded script"
$a = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($base64))
iex $a
So one can possibly use obfuscated PowerShell script, encode it via Base64 and use the above script to bypass AVG.
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
To execute this script attacker will need to bypass execution policy so they will call PowerShell from another app (most likely *bat file CMD-> PowerShell) or Word/Excel. The attack chain will be suspended. Even if it’s not, final payload delivered via this method will look very suspicious to IDP and will be removed. I’ve tested it.
The only way to bypass it will be to deliver final payload directly to the memory and without too much suspicious behaviour (without accessing credentials, etc.). Then again, it will require quite a lot of testing of what wouldn’t trigger a behavioural detection.
- Dec 23, 2014
- 5,727
Probably not if the script will inject the code filelessly. By allowing the scripting code, there are many ways to skirt around the heuristics, web shield, and behavior-based protection. So, AVG will have a hard time with fileless attacks. Of course, many such attacks will be detected and blocked, but many new ones will not.
The script execution policy can be easily bypassed in many ways. The simplest is via shortcut.
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
In the event that you are patient 0 and everything has failed, ransomware shield and Password Protection shield can prevent exfiltration to some extent. They can also prevent encryption (if the purpose of the attack is to plant ransomware). So the overall harm will be reduced.
Ransomware Shield doesn’t have too many whitelisted apps in normal mode and in strict mode user will be prompted regardless of the app. Injecting in a trusted process won’t help.
It will not be like King Kaspersky protection, but it’s still sufficient to a home user and beats other big names. Additional IoCs will also be available if the threat has to be persistent so the attack will be easier to spot.
All technologies against scripts can be bypassed via unpatched AMSI vulnerability. Since script scanning is mostly done via AMSI, once you get around that, very little can be done afterwards if the final code is injected in another process space. However, this is all very complex and not worth applying in a home user environment.
Last edited:
- Dec 23, 2014
- 5,727
Unfortunately, Base64 encoding/decoding is commonly used by several kinds of malware. There is another possibility that can help in business environment. One can restrict PowerShell to Constrained Language Mode. This will prevent most of the advanced PowerShell methods, including Base64 encoding/decoding. It can be applied via Windows built-in SRP, Applocker, and Application Control.
Last edited:
- Dec 23, 2014
- 5,727
There is an interesting AVG feature that can block an executable by other protection features like:
Using the Blocked & Allowed apps settings screen in ... | AVG Support
- Ransomware protection,
- Webcam Protection,
- Sensitive Data Shield,
- Password Protection.
Using the Blocked & Allowed apps settings screen in ... | AVG Support
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
I freshly downloaded and installed AVG for a test.Unfortunately, Base64 encoding/decoding is commonly using by several kinds of malware. There is another possibility that can help. One can restrict PowerShell to Constrained Language Mode. This will prevent most of the advanced scripting methods, including Base64 encoding/decoding. It is applied in Windows built-in SRP, Applocker, and Application Control.
I grabbed few base-64 encoded strings and pasted them in PowerShell.
One of them triggered that:
Another one triggered that:
Third one triggered these 2 reactions:
4th one:
The code starts with POwersheLL -w hidden -ENCOD
I suspected initially that that -w hidden might be the trigger, so I removed it, but the same detection occurs.
Not sure what distinguishes this in-the-wild malware from custom-based one.
Of course, blocking constrained language completely would be even more secure, but it doesn't look like Avast is inefficient.
I tried pasting this same code in scheduled task and shortcut, but the outcome is the same. Scheduled task gets deleted after detection.
I decoded and cleared one of them code as much as I could. It might be the additional obfuscation that triggers detection, as I have tried obfuscated loaders with BITS and other methods and it blocks them. Obfuscation is the only thing they have in common.
Last edited:
- Dec 23, 2014
- 5,727
In your case, 2 samples are blocked by the Web Shield (blacklisted URL detected). Others are blocked by detecting the command line (probably POwersheLL -w hidden -ENCOD is detected).
Try something like the below (in shortcut):
Code:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'c:\RunRemote\VBSObfuscator\encoded.ps1'"I do not use ENCOD in the command line, but in the script like in my previous post:
User Feedback - AVG Ultimate | MalwareTips Community
I use the shortcut and script (2 files).
Last edited:
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
- Dec 23, 2014
- 5,727
It is also easy to use an innocent unobfuscated script (PowerShell or Windows Script Host) to run another script that uses obfuscated code encoded via Base64. This can be done from infected Pendrive or via packed email attachment (password protected). Anyway, in my tests, most AVs could be bypassed because they use only anti-script protection against very popular methods and there are many possibilities open to attackers.
In the home environment, the AVG protection is very promising and anti-scripting protection is above average.
In the home environment, the AVG protection is very promising and anti-scripting protection is above average.
McMcbrad
Level 23
- Oct 16, 2020
- 1,252
It's good that attackers haven't yet discovered these methods
You are one step ahead of them. They only know the -encod method and have been using it for ages. Maybe that's the reason companies haven't gone beyond that.
Similar threads
