stepseven84

Level 7
Verified
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

mks_vir Internet Security (MKSV)
MKSV on default settings blocked all samples, except those which used Bitsadmin. Yet, most PowerShell samples were blocked only via the Firewall rule (blocked outbound connections). The VBScript samples which used WMI were also blocked by the Firewall rule for wscript.exe (blocked outbound connections).
Most VBScript samples were blocked by heuristics (static detection) and it can be compared to BitDefender static detection.
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.
Thanks for the test, Andy. Do you know if there is a plan to release MKSV in English?
Thank you very much.
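The MKSV result above comes down to an egress rule: most of the PowerShell samples and the WMI-based VBScript samples were stopped only because the firewall blocked outbound connections from the script host. The same control can be set up by hand with the built-in Windows Firewall. This is an added example, not code from the thread or from mks_vir; it assumes the default interpreter paths under the Windows directory and the NetSecurity cmdlets that ship with Windows 8 and later, and it must be run from an elevated session.

```powershell
# Added example: create outbound BLOCK rules for the common Windows script hosts,
# so a script trojan-downloader running under them cannot reach its payload server.
# Assumptions: default Windows install paths; NetSecurity module present (Windows 8+);
# elevated PowerShell session. Hypothetical rule names are prefixed "Block outbound:".

$interpreters = @(
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    # 32-bit copies on a 64-bit system; skipped below if absent
    "$env:SystemRoot\SysWOW64\wscript.exe",
    "$env:SystemRoot\SysWOW64\cscript.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

foreach ($exe in $interpreters) {
    if (-not (Test-Path -Path $exe)) { continue }

    $name = "Block outbound: $exe"

    # Idempotent: do not create a second copy of an existing rule.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $name"
        continue
    }

    New-NetFirewallRule -DisplayName $name `
        -Description "Deny network egress for script interpreter (downloader mitigation)" `
        -Direction Outbound `
        -Program $exe `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null

    Write-Host "Created: $name"
}

# Verification: list the programs covered by the rules just created.
Get-NetFirewallRule -DisplayName "Block outbound: *" |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program
```

Two caveats follow directly from the test results in the thread. First, an egress rule on the script host does nothing when the download is delegated to another process: the MKSV result notes that samples using bitsadmin got through, and the same holds for any downloader the interpreter hands off to. Second, blocking powershell.exe outbound also breaks legitimate administrative use of PowerShell on that machine, so on a managed system this is better expressed as a scoped rule (or combined with a default-deny policy on the interpreters themselves) than as a blanket block.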

509322

Fascinating. I never heard about that. Americans think they have a copyright on democracy.
Nope. That copyright belongs to the ancients. Every American schoolchild is taught this fact. Whether or not that schoolchild pays attention is a different matter.

KonradPL

Level 3
Maybe Poland is not a big country, but it is amiable and fierce.
When other countries gave up, Poland fought. It's just a few times we were erased from the map of Europe - because we always came back :)
The history of my country is complicated. On the one hand, full of tragedy on the other hand, great. For this I do not even expect anyone to understand it here.

I wonder why a good product from Poland caused such comments.
Politics is a different subject to me and there is no reason to mix MKS with politics.

It does not matter which country the AV comes from, it is important that it is effective and it is rife what to do;)

Andy Ful

Level 46
Verified
Trusted
Content Creator
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.
The test was done on Windows 8 in a VM, because on Windows 10 I use ShadowDefender, which is incompatible with F-Secure Safe. If I remember correctly, F-Secure Safe has not yet adopted AMSI, so the result for Windows 10 should be the same.

F-Secure Safe
  1. Only one PowerShell sample was blocked by DeepGuard. The System.Net.WebClient class was blocked and could not download the payload. The rest of the PowerShell methods were blocked neither by DeepGuard nor by the static detection. The static detection of PowerShell samples was slightly worse as compared to BitDefender. It seems that BitDefender uses a different heuristics.
  2. Yet, when the same code was transferred to VBScript which ran PowerShell, then DeepGuard did not detect System.Net.WebClient, and the payload was successfully executed.
  3. 50% of the VBScript samples were blocked by static detection (similar detection as for BitDefender). No DeepGuard detection for VBScript, at all. Next, I turned off the real-time AV scanning, and left DeepGuard active, but the result did not change - only the sample from point 1. was blocked.
I am curious why the static detection of PowerShell samples was different as compared to Bitdefender. Maybe it was adjusted to work with DeepGuard? Is heuristic detection related to DeepGuard?
Anyway, DeepGuard is not effective for blocking script trojan downloaders.

509322

This is no surprise - at least to those of us who know what to generally expect.

If a person expects AV\IS, AMSI and ASR to stop malicious scripts and in-memory attacks, then their expectations are unrealistic.

Despite marketing efforts, claims and some limited AV test lab results... all AV\IS, AMSI and ASR remain ineffective against interpreter and sponsor attacks.

The only sure way to protect a system is to disable interpreters and sponsors in all accounts.

Burrito

Level 18
Verified
Going back to the very beginning....

Discuss: Do we actually need so many security programs?

Yes, we do.

If one does not stack enough security 'solutions' together such that you experience major software conflicts and/or slowdowns ---- you are not trying hard enough.

Always remember -- More is Better.

Evjl's Rain

Level 43
Verified
Trusted
Content Creator
Malware Hunter
I can tell about my experience with CCleaner attack

I had v5.33 (affected version) for a few weeks, during that time, I noticed my comodo firewall was blocking some random inbound connections, which I had never seen before
So I guess CF partially protected me from that attack, not very sure though

Since I updated to the newer version, those inbound connections disappeared

Kaspersky has network attack blocker, which worked for me on a few occasions, but I didn't use KIS during that time so I can't confirm if it could prevent the CCleaner attack or not

509322

I can tell about my experience with CCleaner attack

I had v5.33 (affected version) for a few weeks, during that time, I noticed my comodo firewall was blocking some random inbound connections, which I had never seen before
So I guess CF partially protected me from that attack, not very sure though

Since I updated to the newer version, those inbound connections disappeared

Kaspersky has network attack blocker, which worked for me on a few occasions, but I didn't use KIS during that time so I can't confirm if it could prevent the CCleaner attack or not
The CCleaner "attack" would only work on 32 bit systems.

509322

Script blocking could be a vital part of security going forward.

~LDogg
Vital protections against malicious scripts and post-exploits are at least a decade behind the 8 Ball.

The future (going forward) is now.

People have been on the vendors about this topic forever.

Use this as a general rule... effective management against specific threats takes approximately 10+ years. The first ransomware attack was documented in 1989. In the early 2000s ransomware became a prevalent attack. Not until the past year or two have vendors rolled out effective anti-ransomware protections. So, depending upon how you look at it, they're 15 to 20+ years behind the 8 Ball.

SRP\default deny has been around from the beginning. It has never been behind the 8 Ball.