Do we actually need so many security programs?

[Andy Ful]

I am afraid that @Umbra is right. I suspect that there are no 3rd party free AVs (and only a few paid AVs), which adopted the real anti-script protection based on AMSI. Furthermore, such protection will not be as good as blocking scripts.
My testing scripts are not even obfuscated and use the well known ways of downloading and running executables.

 

[shmu26]

@Andy Ful could you try your test against Comodo ? Perhaps at CS settings?
Unless you are afraid to slaughter a holy cow...

 

[Andy Ful]

@Andy Ful could you try your test against Comodo ? Perhaps at CS settings?
Unless you are afraid to slaughter a holy cow...

I know the results already.

If script interpreters are set to trusted, then the trojan-downloader script will bypass CF, but the dropped payload (EXE, DLL) will be sandboxed (except when signed by the vendor from TVL).

If script interpreters are set to unsafe, then the script will be sandboxed. The payload will not be loaded, because the Internet connection is disabled in the sandbox (in CS settings).

My testing scripts are very simple. I did not test the scripts which run the fileless payloads.

 

[shmu26]

but the dropped payload (EXE, DLL) will be sandboxed

Now that's interesting. CFW will sandbox the DLLs, too? I like that.

 

[shmu26]

ASR is tightly bound to defender, so probably no go. Shame that the two are strongly coupled

ASR is really meant to be a component of Microsoft's advanced tier of protection, and as such, they are not going to give it away for all to use. It is meant primarily for the Enterprise edition of Windows, to be used in paid MS security services.
But Andy Ful's tool makes it readily accessible on Home and Pro versions of Windows, as well. Windows Defender with ASR is strong. It's a serious contender.

 

[bribon77]

@Andy Ful could you try your test against Comodo ? Perhaps at CS settings?
Unless you are afraid to slaughter a holy cow...

I would also like to .. I would give 3 €.

 

[Andy Ful]

Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

BitDefender Total Secutity 2018 and 2019 (BDTS).
BDTS detection was identical as for the free version (BDF) - 4 methods of downloading files and 4 methods of executing files. The files were detected on access (static detection, probably by heuristics).

Avira Free AV - 0 detection.

BDTS and Avira Free can benefit from adopting an additional application for script blocking.

 

[509322]

Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

BitDefender Total Secutity 2018 (BDTS).
BDTS detection was identical as for the free version (BDF) - 4 methods of downloading files and 4 methods of executing files. The files were detected on access (static detection, probably by heuristics).

Avira Free AV - 0 detection.

BDTS and Avira Free can benefit from adopting an additional application for script blocking.

BD is detecting malicious scripts via signatures. Therefore, they have to "collect it all to know it all" so they can create the signatures. Well, collecting it all to know it all is an impossible task. It is just like Microsoft asking researchers to report identified malicious scripts so they can protect against each one via AMSI and ASR. At that rate it will take the next 10 years to identify stuff at the tip of the iceberg. We're already over a decade into PoSh and, to be honest, even though Microsoft is decent at identifying malicious PoSh scripts - that is only because of a handful of PoSh researchers who have reported the malicious scripts and ways to bypass PoSh that they discovered over many years. :X3:

I don't know about anyone else, but that just defies any common sense.

If people think that is sufficient, then there is a very weird sense of what is appropriate, adequate and what constitutes trust.

 

[Andy Ful]

I am a little disappointed at the results of Bitdefender Total Security. I thought that Advanced Thread Defense could make a difference as compared to Bidefender Free.
I just wonder why some methods are blocked, and the rest are not. I did not use anything that could not be found in an hour (or two) when using Google.

 

[Deleted member 178]

Because if all scripts are blocked by default, admins will get angry and bane the product.
Admind are lazy, they love scripts.

 

[509322]

Because if all scripts are blocked by default, admins will get angry and bane the product.
Admind are lazy, they love scripts.

Microsoft made it that way, so it is to blame. To save and to squeeze every last fractional cent out of Windows, Microsoft ships Windows as a generic operating system in a default configuration expressly meant for IT Pros.

 

[509322]

I am a little disappointed at the results of Bitdefender Total Security. I thought that Advanced Thread Defense could make a difference as compared to Bidefender Free.
I just wonder why some methods are blocked, and the rest are not. I did not use anything that could not be found in an hour (or two) when using Google.

Bitdefender Free does have Advanced Threat Defense... the same as paid BD products.

The dog = multilayered default-allow and the crow = Windows interpreters and sponsors:

 

[Andy Ful]

Because if all scripts are blocked by default, admins will get angry and bane the product.
Admind are lazy, they love scripts.

Yes, they would rather kill the vendor. Yet, I am not thinking about blocking all scripts. You can still download something via script. You can also run something when using the script. But you should not do both those actions together with the same script. Bitdefender can block some ways of doing both actions together by the same script. Why does not it block more, like some WD ASR rules can do? Furthermore it is easy to make exclusions for the particular scripts.

 

[Andy Ful]

Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

Kaspersky Internet Security 2019 (KIS).
KIS detection (AMSI support) was much better as compared to all tested products. It detected all trojan-downloaders, but over 50% samples were allowed to run as Low Restricted.
Most VBScript samples were quarantined, except a few which were allowed as Low Restricted.
All scripts which used Bitsadmin were blocked (could not run as Low Restricted).
All PowerShell scripts were allowed to run as Low Restricted - that is not a perfect solution, because of the below note from Kaspersky (How to configure applications' rights and protected resources' properties by using Application Control in Kaspersky Internet Security 2015):
"...However, these applications have received low value of the threat rating (a special index that shows how dangerous an application could be for the system based on a number of criteria). They are allowed to perform some operations, such as accessing other processes, controlling the system, and accessing the network without notifying the user. However, the user's permission is required for most operations."
It would be much better to block them or run as High Restricted.
One can ask the similar question as for Bitdefender. Why some scripts are blocked and the rest are not? Most VBScript samples did the same as PowerShell samples.

KIS can also benefit from adopting an additional application for script blocking.

 

[509322]

Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

Kaspersky Internet Security 2019 (KIS).
KIS detection was much better as compared to all tested products. It detected all trojan-downloaders, but over 50% samples were allowed to run as Low Restricted.
Most VBScript samples were quarantined, except a few which were allowed as Low Restricted.
All scripts which used Bitsadmin were blocked (could not run as Low Restricted).
All PowerShell scripts were allowed to run as Low Restricted - that is not a perfect solution, because of the below note from Kaspersky (How to configure applications' rights and protected resources' properties by using Application Control in Kaspersky Internet Security 2015):
"...However, these applications have received low value of the threat rating (a special index that shows how dangerous an application could be for the system based on a number of criteria). They are allowed to perform some operations, such as accessing other processes, controlling the system, and accessing the network without notifying the user. However, the user's permission is required for most operations."
It would be much better to block them or run as High Restricted.
One can ask the similar question as for Bitdefender. Why some scripts are blocked and the rest are not? Most VBScript samples did the same as PowerShell.

KIS also can benefit from adopting an additional application for script blocking.

You have to use Trusted Applications Mode to block scripts outright.

Alternatively, if the user don't want to be bothered with TAM, the user can disable the interpreter by setting the toggle button for the process from Allow to Block.

The user can also set Kaspersky to send unknown scripts\files to High or Untrusted in the Application Control settings.

LOL...prior to a report I made, ps1 were allowed to run. Ask @harlan4096 as he's the one who actually submitted the report.

 

[shmu26]

Low Restricted is definitely not good enough. The "Low Restricted" rating allows installation of programs and most normal operations, without prompting the user, unless Interactive mode has been enabled.

 

[509322]

Low Restricted is definitely not good enough. The "Low Restricted" rating allows installation of programs and most normal operations, without prompting the user, unless Interactive mode has been enabled.

I don't know why people are surprised by this.

Kaspersky is using signatures to detect malicious scripts just the same as Bitdefender.

Both Bitdefender and Kaspersky claim AMSI integration.

The thing about AMSI integration is that the vendor usually can't get it right because Microsoft is obviously withholding much of the AMSI documentation\nitty-gritty. Nothing new there.

Just goes to show that AMSI isn't that great. However, in my testings, both Bitdefender and Kaspersky essentially performed the same. However, my testings were focused upon in-memory attacks. I don't understand the tunnel-vision focus upon on-disk scripts. That focus is noobish.

Rules based protections will fail people.

Default-allow will fail people.

At least Kaspersky has all the makings of SRP right there in Application Control and TAM. It's up to the user to make it real default-deny.

 

[Andy Ful]

You have to use Trusted Applications Mode to block scripts outright.

Alternatively, if the user don't want to be bothered with TAM, the user can disable the interpreter by setting the toggle button for the process from Allow to Block.

The user can also set Kaspersky to send unknown scripts\files to High or Untrusted in the Application Control settings.

LOL...prior to a report I made, ps1 were allowed to run. Ask @harlan4096 as he's the one who actually submitted the report.

Thanks. I edited my previous post. I copied the last sentence from another post.
My scripts were not blocked by signatures. All quarantined samples were detected by Kaspersky heuristics.

 

[Andy Ful]

...
At least Kaspersky has all the makings of SRP right there in Application Control and TAM. It's up to the user to make it real default-deny.

That is right.:emoji_ok_hand:
All other tested AVs, except KIS, need an external tool to block scripts. KIS allows the user to block script interpreters (and other sponsors) or add them to one of the restricted groups.
The default KIS settings are not the best for the home users. The VBScript samples were mostly blocked by heuristic rules, but after transferring to PowerShell, the samples were allowed to run as Low Restricted.
I think, that default settings and heuristic rules were adjusted in KIS for using in Enterprises. The same can probably be said about most (paid) AVs.

 

[shmu26]

You have to use Trusted Applications Mode to block scripts outright.

Could you explain this point a little more? Are you talking just about script files, or does TAM block also scripts passed in memory to interpreters?

@harlan4096 what do you say about TAM and script blocking?