It’s too late now. We should’ve checked in the morning.
Kaspersky Threat Intelligence Portal
Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses
opentip.kaspersky.com
Just try it.
It says "Malware"
This is a bit more info about the sample:
Kaspersky Threat Intelligence Portal
Kaspersky Threat Intelligence Portal allows you to scan files, domains, IP addresses, and URLs for threats, malware, viruses
opentip.kaspersky.com
This is a bit more info about the sample:
Last edited:
I somehow doubt it. As they say they have it "covered" with their HIPS for those that want to use it.
To be fair, a lot of other AVs don't offer that also. And Kaspersky's implementation is not that different from ESET's and is far from being "user friendly". I don't see ordinary users using it. At least I see it that way.
At the moment of posting the 2 rsw in Hub yesterday morning, Kaspersky already detected on demand the exe rsw, and by PDM on execution the ps1 script (checked in KOTIP service)
This PS1 script is really nasty. Good thing Kaspersky is able to detect it.
The process injection and compiled after delivery are to evade analysis.
Btw, this is how in ESET protected folders can be configured:
malwaretips.com
This is for Kaspersky:
malwaretips.com
ESET - Implement Protected Folders via HIPS
ESET Nod 32/Internet Security/Smart Security 1. Open ESET. Go to Setup -> Advanced setup -> HIPS -> In the HIPS SETTINGS sections click on the "Edit" button on the right side of Rules. On the new window, click on Add to create a new HIPS rule. 2. Now, put any name you wish in the Rule name...
malwaretips.com
This is for Kaspersky:
KIS/KTS/KSC Cloud - Implementing Protected Folders via Manage Resources
KIS/KTS/KSC Cloud Implementing Protected Folders via Manage Resources 1.- Go to Settings -> Protection -> Application Control -> Manage Resources 2.- Expand Personal Data folder and then select User Files folder 3.- Click on Add and then on Category and type a name, for example: PROTECTED...
malwaretips.com
It wouldn't have worked on both samples, but file journaling with effective DBI would have been able to remediate the ransomware, which simply registers one service. DBI could've become suspicious when executable with no digital signature and no visible window is ran. It also adds hooks. At that point it could've started monitoring the changes and journaling the files. Deleting then dropping large number of files in a sequence is a clear indication of ransomware. It could then kill the process, delete the service registry key, delete the file and restore all files from the journal. This would've been the correct behaviour.Btw, this is how in ESET protected folders can be configured:
ESET - Implement Protected Folders via HIPS
ESET Nod 32/Internet Security/Smart Security 1. Open ESET. Go to Setup -> Advanced setup -> HIPS -> In the HIPS SETTINGS sections click on the "Edit" button on the right side of Rules. On the new window, click on Add to create a new HIPS rule. 2. Now, put any name you wish in the Rule name...
I'm just showing that Protected Folders can be configured via ESET HIPS.
Btw, protected folders is not a guaranteed method either. In our malware hub here, protected folders of F-Secure, Trend Micro have been breached by malwares in one or two tests. There was also a POC which breached Microsoft Defender's protected folder when ran as administrator. So, many AV don't want to implement this because nowadays often malwares leverage trusted windows process for encryption which often bypasses protected folders which use reputatinal data to determine what is trusted and not unlike Microsoft Defender's protected folders which blocks everything. Block everything unless manually whitelisted is safer of the two approach.
The journaling function is also something not every AV can afford to implement. It increases CPU, ram, disk usage activity which may hamper performance. Kaspersky had some performance impact because of that but now they have mastered this it seems so performance impact is almost non-existent now. Bitdefender also have this journaling system now so kudos to them. According to Marcos of ESET forum, ESET also tried this but the performance impact is too much for their liking. Like I said before, false positive and performance impact are top two priorities of ESET.
When you ask for £49.99 per year, per device people expect you to do more than just saying "we tried and we failed". That's not excuse.
To give or not to give? That's the question. If I go on a company's forum and I read:
"Dear users, we are truly sorry to inform you that we won't be protecting you from ransomware effectively.
We tried a common ransomware protection technique, but the performance hit was too much for our liking."
I will answer that question too quick FOR THEIR LIKING.
I don't mind them not implementing journaling function because of performance impact but proactive protection against ransomwares need to improved that's for sure.
Even with no journaling it could use other methods such as the WiseVector "trap" or however it was called. I trust Eset. I am sure they will do something. We just need to wait and see what.
Similar threads
