Serious Discussion Can Anti-Viruses stop RATs that have their connection established?

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,509
Can Anti-Viruses stop RATs that have their connection established? For example, stopping RATs from taking cookies or files from your PC, even if the connection is established.
They can block the malicious connection to the C&C server if that's what you mean. At least if they have a firewall with IPS, for example. Norton, for example, can do that. You can even harden Windows Firewall by blocking LOLBins that are often abused by hackers for that purpose.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
They can block the malicious connection to the C&C server if that's what you mean. At least if they have a firewall with IPS, for example. Norton, for example, can do that. You can even harden Windows Firewall by blocking LOLBins that are often abused by hackers for that purpose.
What about if that fails - and the people with the remote access try to do stuff like taking your files, stealing cookies, etc. - would your AV pick up on that?
 
  • Like
Reactions: piquiteco and Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,509
What about if that fails - and the people with the remote access try to do stuff like taking your files, stealing cookies, etc. - would your AV pick up on that?
Maybe by behavioural analysis. But as behavioural analysis happens after execution and only as a reaction to malicious behaviour of the malware, it might be too late in cases of ransomware or stealers.

Real world scenario:

The police are looking for a killer but have only a few clues on who he might be. So they need profilers to analyze the behaviour of the killer to determine who the killer could be. While they are investigating, the killer can already kill various other victims, until the police find the necessary clues and can finally arrest the suspect. (10/10 storytelling) 😄

So malware can do damage while behavioural analysis is analyzing its behaviour, until it can determine that it's unsafe and finally block it.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Maybe by behavioural analysis. But as behavioural analysis happens after execution and only as a reaction to malicious behaviour of the malware, it might be too late in cases of ransomware or stealers.
For me at least, with Harmony or Kaspersky, that shouldn't be a problem. I just wonder if they protect from things like taking files from your PC or reading them and whatnot.
 
  • Like
Reactions: Kongo

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Maybe by behavioural analysis. But as behavioural analysis happens after execution and only as a reaction to malicious behaviour of the malware, it might be too late in cases of ransomware or stealers.

Real world scenario:

The police are looking for a killer but have only a few clues on who he might be. So they need profilers to analyze the behaviour of the killer to determine who the killer could be. While they are investigating, the killer can already kill various other victims, until the police find the necessary clues and can finally arrest the suspect. (10/10 storytelling) 😄

So malware can do damage while behavioural analysis is analyzing its behaviour, until it can determine that it's unsafe and finally block it.
Yeah, but for Kaspersky/Harmony, detection of the behaviours should be blocked at earlier stages, before damage is done, without a problem.
 
  • Like
Reactions: cryogent and Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,509
For me at least, with Harmony or Kaspersky, that shouldn't be a problem. I just wonder if they protect from things like taking files from your PC or reading them and whatnot.
Again.

1. Malware can be blocked pre-execution by signatures, for example. So the malware is detected before it can even start. ---> Malware has no way of infecting the system and therefore no chance to steal any data.

2. Malware can be blocked post-execution by behavioural analysis. The malware runs in memory and can perform its malicious actions until the antivirus determines whether it's unsafe or not. If it's determined unsafe, it will be blocked. But the malware could potentially already have stolen the data before it was detected.

3. The malicious connection to the malicious C&C is blocked by the firewall, so the malware can't connect to the hacker's server and therefore can't send the stolen data from the victim's system.
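The three layers in this post (pre-execution signature, post-execution behavioural analysis, egress blocking of the C&C connection) can be modelled as a small simulation. The Python below is an added example, not code from the thread or from any antivirus product: the sample bytes, hashes, behaviour scores, threshold and C&C blocklist are all constructed for the demo, while the ATT&CK technique IDs in the rule table are real technique numbers. It shows the point being made here: behavioural blocking lands after some actions have already run, and only the firewall layer prevents the collected data from leaving.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Layer 1: pre-execution signature check ---------------------------------
# Constructed samples standing in for a known RAT build and a repacked one.
KNOWN_SAMPLE = b"constructed-known-rat-sample"
UNKNOWN_SAMPLE = b"constructed-repacked-rat-sample"
# Blocklist seeded from the constructed sample, not from real malware hashes.
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_check(sample: bytes) -> bool:
    """True if the sample's SHA-256 is on the (constructed) signature list."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


# --- Layer 2: post-execution behavioural analysis ---------------------------
# Each observed action gets a weight and the ATT&CK technique it maps to.
# Weights and the threshold are assumptions for this demo; IDs are real.
BEHAVIOUR_RULES: Dict[str, tuple] = {
    "read_browser_cookie_db": (40, "T1539 Steal Web Session Cookie"),
    "read_user_documents":    (20, "T1005 Data from Local System"),
    "archive_created":        (20, "T1560 Archive Collected Data"),
    "outbound_connection":    (30, "T1041 Exfiltration Over C2 Channel"),
}
BLOCK_THRESHOLD = 70


@dataclass
class Verdict:
    blocked: bool
    blocked_at_step: Optional[int]       # index of the action that was stopped
    completed: List[str]                  # actions that ran before the verdict
    techniques: List[str]                 # ATT&CK techniques observed


def behavioural_analysis(events: List[str]) -> Verdict:
    """Accumulate a score per action; block once the threshold is crossed.
    Every action before the crossing has already executed."""
    score, completed, techniques = 0, [], []
    for i, action in enumerate(events):
        weight, technique = BEHAVIOUR_RULES.get(action, (0, None))
        score += weight
        if technique:
            techniques.append(technique)
        if score >= BLOCK_THRESHOLD:
            return Verdict(True, i, completed, techniques)
        completed.append(action)
    return Verdict(False, None, completed, techniques)


# --- Layer 3: egress filtering of the C&C connection ------------------------
# Constructed blocklist using RFC 5737 documentation space and .invalid.
C2_BLOCKLIST = {"203.0.113.10", "c2.example.invalid"}


def egress_allowed(destination: str) -> bool:
    """True if the firewall lets the outbound connection through."""
    return destination not in C2_BLOCKLIST


# --- Putting the layers together --------------------------------------------
def simulate(sample: bytes, events: List[str], destination: str) -> dict:
    """Run a sample through all three layers and report where it was stopped
    and what the victim had already lost by then."""
    if signature_check(sample):
        return {"stopped_at": "pre-execution", "data_read": [], "exfiltrated": False}
    verdict = behavioural_analysis(events)
    data_read = [a for a in verdict.completed if a.startswith("read_")]
    if verdict.blocked:
        # Data was read in memory, but it only left if an outbound connection
        # completed before the block and the firewall let it through.
        sent = "outbound_connection" in verdict.completed and egress_allowed(destination)
        return {"stopped_at": "behavioural", "data_read": data_read,
                "exfiltrated": sent, "techniques": verdict.techniques}
    if "outbound_connection" in events and not egress_allowed(destination):
        return {"stopped_at": "firewall", "data_read": data_read, "exfiltrated": False}
    return {"stopped_at": None, "data_read": data_read,
            "exfiltrated": "outbound_connection" in events}


# Constructed event stream of a cookie/file stealer.
SAMPLE_EVENTS = ["read_browser_cookie_db", "read_user_documents",
                 "archive_created", "outbound_connection"]

if __name__ == "__main__":
    print(simulate(KNOWN_SAMPLE, SAMPLE_EVENTS, "203.0.113.10"))
    print(simulate(UNKNOWN_SAMPLE, SAMPLE_EVENTS, "203.0.113.10"))
    print(simulate(UNKNOWN_SAMPLE, ["read_user_documents", "outbound_connection"], "203.0.113.10"))
    print(simulate(UNKNOWN_SAMPLE, ["read_user_documents", "outbound_connection"], "198.51.100.7"))
```

With the repacked sample the signature layer misses, the behavioural layer blocks at the third action, and the report shows the cookie database and documents were already read (layer 2's weakness in this post). A low-scoring stream slips past layer 2 entirely and is only caught if the destination is on the egress blocklist, which is why the thread keeps coming back to whether the C&C address is known.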
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
Again.

1. Malware can be blocked pre-execution by signatures, for example. So the malware is detected before it can even start. ---> Malware has no way of infecting the system and therefore no chance to steal any data.

2. Malware can be blocked post-execution by behavioural analysis. The malware runs in memory and can perform its malicious actions until the antivirus determines whether it's unsafe or not. If it's determined unsafe, it will be blocked. But the malware could potentially already have stolen the data before it was detected.

3. The malicious connection to the malicious C&C is blocked by the firewall, so the malware can't connect to the hacker's server and therefore can't send the stolen data from the victim's system.
So even if there's a runtime bypass, there's still hope?
 
  • Like
Reactions: Kongo

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
One of the best solutions out there so you will be good. Just know that no antivirus can protect you from everything that is out there.
True, but Kaspersky/Harmony is probably the closest thing to it that I can get ahold of.
 
  • Like
Reactions: Kongo

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,319
NEVER rely on an antivirus solution!
If Kaspersky and Harmony fail and Norton succeeds, will you install Norton?
Ditto if F-Secure succeeds?
You've got to stop believing that antivirus solutions are superheroes who will protect you from everything. They're not...

For a RAT, you already need to know whether the code is known. Some AVs like Eset or Kaspersky decompile the code. If they see a known piece of code, it will be blocked.
For Kaspersky, if the RAT tries to touch the system, it will also be blocked.
And if it gets past Kaspersky, the server's IP address or URL must not be known....

Once again, most antivirus programs can protect you from it, some will do better, but if you don't download files like "FortniteVbuksFreeCracked.exe" or "MyDogIsBeautiful.jpg.jar" you risk nothing.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
NEVER rely on an antivirus solution!
If Kaspersky and Harmony fail and Norton succeeds, will you install Norton?
Ditto if F-Secure succeeds?
You've got to stop believing that antivirus solutions are superheroes who will protect you from everything. They're not...

For a RAT, you already need to know whether the code is known. Some AVs like Eset or Kaspersky decompile the code. If they see a known piece of code, it will be blocked.
For Kaspersky, if the RAT tries to touch the system, it will also be blocked.
And if it gets past Kaspersky, the server's IP address or URL must not be known....

Once again, most antivirus programs can protect you from it, some will do better, but if you don't download files like "FortniteVbuksFreeCracked.exe" or "MyDogIsBeautiful.jpg.jar" you risk nothing.
The only RATs that could infect me are malicious MC mods, which basically just take your MC account, but I believe they're RATs, not too sure.
 

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,319
The only RATs that could infect me are malicious MC mods, which basically just take your MC account, but I believe they're RATs, not too sure.

If your RAT has been encrypted with a tool bought cheaply by a script kiddie, it will be blocked very quickly.
Making malware completely FUD against all current defensive techniques (Behaviour Blocker, hexadecimal signatures, Machine Learning, Deep Learning etc.) is not impossible, but difficult.....
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,509
The only RATs that could infect me are malicious MC mods, which basically just take your MC account, but I believe they're RATs, not too sure.
No. If you are careful and always double-check downloads which you are unsure about, even "malicious Minecraft mods" can't infect you. And again, those malicious Minecraft mods that you are talking about are just some kind of stealer that is also used in other attacks. So they are not specifically created to infect Minecraft players.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
If your RAT has been encrypted with a tool bought cheaply by a script kiddie, it will be blocked very quickly.
Making malware completely FUD against all current defensive techniques (Behaviour Blocker, hexadecimal signatures, Machine Learning, Deep Learning etc.) is not impossible, but difficult.....
How can you encrypt behavioural blocking?
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,739
With Harmony you will be able to inspect whether the theft was successful by looking at the MITRE ATT&CK Matrix. You can find a course online, cheap or free, on how to work with MITRE ATT&CK. For solutions that do not offer such mapping (all home AVs) you can hope for the best. In addition, you can upload mods to VT and check them there before you open them.
 

Xeno1234

Level 14
Thread author
Jun 12, 2023
699
With Harmony you will be able to inspect whether the theft was successful by looking at the MITRE ATT&CK Matrix. You can find a course online, cheap or free, on how to work with MITRE ATT&CK. For solutions that do not offer such mapping (all home AVs) you can hope for the best. In addition, you can upload mods to VT and check them there before you open them.
Typically they always come out clean, despite being 100% malware.
 
