Do we actually need so many security programs?

ChemicalB

Level 8
Verified
Sep 14, 2018
360
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

mks_vir Internet Security (MKSV)
MKSV on default settings blocked all samples, except those which used Bitsadmin. Yet, most PowerShell samples were blocked only via the Firewall rule (blocked outbound connections). The VBScript samples which used WMI were also blocked by the Firewall rule for wscript.exe (blocked outbound connections).
Most VBScript samples were blocked by heuristics (static detection) and it can be compared to BitDefender static detection.
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.
Thanks for the test, Andy. Do you know if there is a plan to release MKSV in English?
Thank you very much.
 

erreale

Level 9
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
Malwarebytes Premium (MBP) - 0 blocked samples.

 

KonradPL

Level 5
Verified
Well-known
May 1, 2018
229
Maybe Poland is not a big country, but it is amiable and fierce.
When other countries gave up, Poland fought. We were erased from the map of Europe only a few times - because we always came back :)
The history of my country is complicated. On the one hand full of tragedy, on the other hand great. For this I do not even expect anyone to understand it here.

I wonder why a good product from Poland caused such comments.
Politics is a different subject to me and there is no reason to mix MKS with politics.

It does not matter which country the AV comes from, it is important that it is effective and it is rife what to do;)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.
The test was done on Windows 8 in a VM, because on Windows 10 I use ShadowDefender, which is incompatible with F-Secure Safe. If I remember correctly, F-Secure Safe has not yet adopted AMSI, so the result for Windows 10 should be the same.

F-Secure Safe
  1. Only one PowerShell sample was blocked by DeepGuard. The System.Net.WebClient class was blocked and could not download the payload. The rest of PowerShell methods were not blocked either by DeepGuard nor by the static detection. The static detection of PowerShell samples was slightly worse as compared to BitDefender. It seems that BitDefender uses a different heuristics.
  2. Yet, when the same code was transferred to VBScript which ran PowerShell, then DeepGuard did not detect System.Net.WebClient, and the payload was successfully executed.
  3. 50% of the VBScript samples were blocked by static detection (similar detection as for BitDefender). No DeepGuard detection for VBScript at all. Next, I turned off the real-time AV scanning and left DeepGuard active, but the result did not change - only the sample from point 1. was blocked.
I am curious why the static detection of PowerShell samples was different as compared to Bitdefender. Maybe it was adjusted to work with DeepGuard? Is heuristic detection related to DeepGuard?
Anyway, DeepGuard is not effective for blocking script trojan downloaders.
 
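Detection logic for the chains the test above exercised (a script host opening an outbound connection, VBScript launching PowerShell, a script handing the download to bitsadmin, a script running a dropped executable), written as an added example that is not from the thread or from any of the products tested. The log lines are constructed, Sysmon-style records, and listing certutil as a sponsor alongside bitsadmin is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-style records (not real telemetry): ProcessCreate (Image, Parent) or NetworkConnect (Image, Dest).
SAMPLE_LOG = r"""
ProcessCreate Image=C:\Windows\System32\wscript.exe Parent=C:\Windows\explorer.exe Cmd="wscript.exe invoice.vbs"
ProcessCreate Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Parent=C:\Windows\System32\wscript.exe Cmd="powershell.exe -NoProfile -File stage2.ps1"
NetworkConnect Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Dest=203.0.113.5:80
ProcessCreate Image=C:\Windows\System32\bitsadmin.exe Parent=C:\Windows\System32\wscript.exe Cmd="bitsadmin.exe /transfer job1"
ProcessCreate Image=C:\Users\u\AppData\Local\Temp\payload.exe Parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Cmd="payload.exe"
NetworkConnect Image="C:\Program Files\Mozilla Firefox\firefox.exe" Dest=198.51.100.7:443
"""
# Script interpreters the thread's samples ran under, plus "sponsor" binaries (bitsadmin: the one MKSV missed; certutil: added assumption).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SPONSORS = {"bitsadmin.exe", "certutil.exe"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):  # 'Kind key=value key="quoted value"' -> dict with a 'kind' entry
    kind, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["kind"] = kind
    return fields

def classify(ev):  # detection tag for one event, or None if it looks benign
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    parent = PureWindowsPath(ev.get("Parent", "")).name.lower()
    # Rule 1: script host or sponsor opening an outbound connection, which is what the firewall rule for wscript.exe / powershell.exe caught.
    if ev["kind"] == "NetworkConnect" and image in SCRIPT_HOSTS | SPONSORS:
        return "script-host-outbound"
    if ev["kind"] == "ProcessCreate" and parent in SCRIPT_HOSTS:
        if image in SCRIPT_HOSTS:    # Rule 2: VBScript launching PowerShell (the DeepGuard bypass)
            return "interpreter-chain"
        if image in SPONSORS:        # Rule 3: script hands the download to bitsadmin
            return "sponsor-from-script"
        if "\\temp\\" in ev["Image"].lower():  # Rule 4: script runs a freshly dropped executable
            return "script-runs-temp-exe"
    return None

def scan(log_text):  # (tag, image basename) for every event that trips a rule
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        tag = classify(ev)
        if tag:
            hits.append((tag, PureWindowsPath(ev["Image"]).name.lower()))
    return hits
```

Running `scan(SAMPLE_LOG)` flags four of the six constructed events; the wscript.exe launch from explorer.exe and the browser's own connection stay silent.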
5

509322

This is no surprise - at least to those of us who know what to generally expect.

If a person expects AV\IS, AMSI and ASR to stop malicious scripts and in-memory attacks, then their expectations are unrealistic.

Despite marketing efforts, claims and some limited AV test lab results... all AV\IS, AMSI and ASR remain ineffective against interpreter and sponsor attacks.

The only sure way to protect a system is to disable interpreters and sponsors in all accounts.
 

Burrito

Level 24
Verified
Top Poster
Well-known
May 16, 2018
1,363
Going back to the very beginning....

Discuss: Do we actually need so many security programs?

Yes, we do.

If one does not stack enough security 'solutions' together such that you experience major software conflicts and/or slowdowns ---- you are not trying hard enough.

Always remember -- More is Better.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I can tell about my experience with CCleaner attack

I had v5.33 (affected version) for a few weeks. During that time, I noticed my Comodo Firewall was blocking some random inbound connections, which I had never seen before.
So I guess CF partially protected me from that attack, not very sure though

Since I updated to the newer version, those inbound connections disappeared

Kaspersky has a network attack blocker, which worked for me on a few occasions, but I didn't use KIS during that time so I can't confirm whether it could have prevented the CCleaner attack or not.
 
5

509322

I can tell about my experience with CCleaner attack

I had v5.33 (affected version) for a few weeks. During that time, I noticed my Comodo Firewall was blocking some random inbound connections, which I had never seen before.
So I guess CF partially protected me from that attack, not very sure though

Since I updated to the newer version, those inbound connections disappeared

Kaspersky has a network attack blocker, which worked for me on a few occasions, but I didn't use KIS during that time so I can't confirm whether it could have prevented the CCleaner attack or not.

The CCleaner "attack" would only work on 32-bit systems.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
If one does not stack enough security 'solutions' together such that you experience major software conflicts and/or slowdowns ---- you are not trying hard enough.

Always remember -- More is Better.
I agree. My computer is not slow enough. I think I need to add something to my security config.
 
5

509322

Script blocking could be a vital part of security going forward.

~LDogg

Vital protections against malicious scripts and post-exploits are at least a decade behind the 8 Ball.

The future (going forward) is now.

People have been on the vendors about this topic forever.

Use this as a general rule... effective management against specific threats takes approximately 10+ years. The first ransomware attack was documented in 1989. In the early 2000s ransomware became a prevalent attack. Not until the past year or two have vendors rolled out effective anti-ransomware protections. So, depending upon how you look at it, they're 15 to 20+ years behind the 8 Ball.

SRP\default deny has been around from the beginning. It has never been behind the 8 Ball.
 
