Andy Ful

Andy, would ConfigureDefender at max settings block the ransomware attack used in this video?

Video - Windows Defender vs GandCrab Ransomware: video review
After the first update of Windows 10 ver. 1809 (I just did it yesterday), the trick of executing PowerShell from VBScript (JScript) is now blocked. The trick was for fooling one of the ASR rules, which blocked the execution when VBScript (JScript) malware downloaded the payload and then executed it using only one script engine.
So now, the GandCrab Ransomware from the video would be blocked by the ASR rule "Block JavaScript or VBScript from launching downloaded executable content" (or the old name used in ConfigureDefender, "Impede JavaScript and VBScript to launch executables"). But this malware technique will surely be enhanced in the next versions to bypass WD protection.
Generally the ASR rules are evolving and are stronger than before.

RoboMan

So now, the GandCrab Ransomware from the video would be blocked by the ASR rule "Block JavaScript or VBScript from launching downloaded executable content"
Is this a default option in WD, or only if you enable ConfigureDefender? Should the very same scenario from this video, with the latest Windows update, be blocked?
509322

After the first update of Windows 10 ver. 1809 (I just did it yesterday), the trick of executing PowerShell from VBScript (JScript) is now blocked. The trick was for fooling one of the ASR rules, which blocked the execution when VBScript (JScript) malware downloaded the payload and then executed it using only one script engine.
So now, the GandCrab Ransomware from the video would be blocked by the ASR rule "Block JavaScript or VBScript from launching downloaded executable content" (or the old name used in ConfigureDefender, "Impede JavaScript and VBScript to launch executables"). But this malware technique will surely be enhanced in the next versions to bypass WD protection.
Generally the ASR rules are evolving and are stronger than before.
It is just craziness. An overly complicated mousetrap that sometimes catches mice and other times does nothing or, perhaps, smashes the trap setter's fingers. Users look at ASR and ask "Wut?... Will it protect against this?" And then the user does not realize that the ASR rules must be present (Microsoft has to create them, and they are always playing catch-up) and enabled. If not, they have to figure it out and then do it.

It's fine for us that want to tinker and figure stuff out, but for others who just want to protect their systems this Microsoft spaghetti protection is insane. Not to mention it is just a matter of time that the malc0ders bypass the fixed bypass. It's cuck-cah !

SRP can be crafted such that there is no wondering about "Will this protect against this?" The only real protection to be had is at the process level: either allowing or denying the process. Fine-grained rules blocking specific behaviors are a pipe-dream fallacy, because new malicious behaviors that bypass the current rules get implemented. Merely disable wscript and the rest of the unwanted stepchild processes. This is not difficult. This is really easy. It is almost "push button" protection.

Andy Ful

Is this a default option on WD or only if you enable ConfigureDefender? The very same scenario of this video with latest Windows update should block it?
ASR rules are deactivated in the WD default settings. They can be activated via PowerShell cmdlets or via policies; on Windows 10 Home, policies would require editing the Registry. ConfigureDefender is a GUI that uses PowerShell to activate ASR. I checked the "two script engines" trick some time ago and it could fool ASR, so the malware was probably successful. I did not test this trick again until today, after the first update of Windows 10 ver. 1809. I do not know if the same is true for other Windows 10 versions.
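The activation path Andy describes, as an added example that is not part of the thread or of ConfigureDefender's own code: it enables the single ASR rule named above ("Block JavaScript or VBScript from launching downloaded executable content", rule ID D3E037E1-3EB8-44C8-A917-57927947596D) with the Defender PowerShell cmdlets, first in audit mode and then in block mode, and then reads the setting back and pulls any ASR events from the Defender event log. The final, commented-out section shows the Registry-only route for Windows 10 Home; the policy key path and value types there are my assumption of what the Group Policy template writes, not something stated in the thread.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on Windows 10 with Microsoft Defender Antivirus active.
#Requires -RunAsAdministrator

# Rule ID of "Block JavaScript or VBScript from launching downloaded executable content".
$JsVbsRule = 'D3E037E1-3EB8-44C8-A917-57927947596D'

# Step 1: audit mode first, so you can see what would be blocked before enforcing.
Add-MpPreference -AttackSurfaceReductionRules_Ids $JsVbsRule `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Step 2 (after reviewing the audit events): switch the same rule to Block.
# Add-MpPreference updates the action for a rule ID that is already configured.
Add-MpPreference -AttackSurfaceReductionRules_Ids $JsVbsRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# Verify. Get-MpPreference returns two parallel arrays: rule IDs and actions
# (0 = Disabled, 1 = Block, 2 = Audit). Match the ID case-insensitively.
$pref   = Get-MpPreference
$ids    = @($pref.AttackSurfaceReductionRules_Ids)
$acts   = @($pref.AttackSurfaceReductionRules_Actions)
$index  = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $JsVbsRule) { $index = $i }
}
if ($index -lt 0) { throw "ASR rule $JsVbsRule is not configured" }
$names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }
"{0} -> {1}" -f $JsVbsRule, $names[[int]$acts[$index]]

# Evidence of hits: Defender logs an ASR block as event ID 1121 and an
# audit-only hit as 1122 in the Microsoft-Windows-Windows Defender/Operational log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }

# Windows 10 Home (no Group Policy editor): the same rule can be set through the
# policy Registry keys. ASSUMPTION: these are the keys and value types the ASR
# policy writes; a policy-set rule takes precedence over Add-MpPreference.
# $asrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
# New-Item -Path "$asrKey\Rules" -Force | Out-Null
# Set-ItemProperty -Path $asrKey -Name 'ExploitGuard_ASR_Rules' -Value 1 -Type DWord
# Set-ItemProperty -Path "$asrKey\Rules" -Name $JsVbsRule -Value '1' -Type String   # '1' = Block, '2' = Audit
```

Audit mode first is the practical answer to the "will it protect against this?" question raised later in the thread: a 1122 event tells you the rule would have fired on a given sample before you risk breaking a legitimate script. Note that the cmdlet route configures only the local preference; if a policy (Registry or GPO) also defines the rule, the policy value is what Defender enforces.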

Andy Ful

...
The fine-grained rules blocking specific behaviors is a pipe-dream fallacy - because new malicious behaviors that bypass current rules are implemented. Merely disable wscript and the rest of unwanted stepchild processes. This is not difficult. This is really easy. It is almost "push button" protection.
This is recommended and most efficient for home users. Those users who cannot do it, for some reason, can consider activating WD ASR rules.:giggle:
509322

This is recommended and most efficient for home users. Those users who cannot do it, for some reason, can consider activating WD ASR rules.:giggle:
LOL... it is a whole lot easier to disable wscript than to enable WD ASR. Some people just like being difficult. :X3:

Eddie Morra

LOL... it is a whole lot easier to disable wscript than to enable WD ASR. Some people just like being difficult. :X3:
What home user is going to genuinely need features like VBScript or local JScript? I cannot think of a single one. I think it is simpler for it to just be disabled and be done with it than relying on ASR which is going to be a risky game of hit'n'miss each time.
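The "just disable wscript" approach that 509322 and Eddie Morra argue for above, as an added example (not code from the thread): it turns off Windows Script Host machine-wide through the documented Settings key, so wscript.exe and cscript.exe refuse to run any .vbs/.js/.wsf file, then confirms the block by trying to run a constructed, harmless probe script. For the GandCrab chain in the video this removes the first stage entirely; the PowerShell stage is never reached because the VBScript that would launch it never executes. Function names and the probe file name are mine.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# Documented machine-wide WSH switch; a per-user copy lives under HKCU at the same subpath.
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Set-WshEnabled {
    param([Parameter(Mandatory)][bool]$Enabled)
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    # Enabled = 0: wscript/cscript exit with
    # "Windows Script Host access is disabled on this machine." for every script.
    Set-ItemProperty -Path $WshKey -Name 'Enabled' -Value ([int]$Enabled) -Type DWord
}

function Test-WshBlocked {
    # Constructed probe (hypothetical content): harmless, only used to see
    # whether the script engine will run anything at all.
    $probe = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "WSH is enabled"'
    try {
        # cscript prints to the console instead of showing a dialog, so the
        # result can be captured; merge stderr so the message is seen either way.
        $out = & cscript.exe //Nologo $probe 2>&1
        return (($out -join ' ') -match 'Windows Script Host access is disabled')
    } finally {
        Remove-Item $probe -ErrorAction SilentlyContinue
    }
}

Set-WshEnabled -Enabled $false
if (Test-WshBlocked) {
    'WSH disabled: .vbs/.js/.wsf will not run through wscript.exe or cscript.exe'
} else {
    'WSH still runs: check the per-user key HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings as well'
}

# To undo (for the rare user who needs a logon script or an admin tool that uses WSH):
# Set-WshEnabled -Enabled $true
```

Two caveats a practitioner would want. First, this switch only covers the WSH engines; it does nothing for mshta.exe, PowerShell, or Office macros, which is why the thread's SRP proponents pair it with denying those processes too. Second, it is a plain Registry value under HKLM, so anything already running as administrator can flip it back; it is a hardening step against the script-dropper stage, not a control that survives a compromised admin account.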