Evasive VBS with very low VT

Status
Not open for further replies.
Yes it is; you will only see the PDM prefix for System Watcher detections.

"The proactive defense module is a module that monitors the sequence of actions conducted by an application in the system, and if suspicious activity is detected, the application is blocked to prevent it from conducting further activity. If an object is detected by the PDM, the name of the object begins with the “PDM:” prefix." It was likely renamed to System Watcher at some point; they just stuck with the PDM prefix for detections.
 
Who cares lol. At least they block it at many layers.

This also means Check Point Harmony has System Watcher.
Doesn't that mean that Kaspersky added a signature after it was detected by System Watcher? And the signature, however, is available for Harmony as it's using the Kaspersky engine and therefore its signatures? I doubt that it can dynamically analyze malware with Kaspersky's behavioural and AI components.
 
Detected by Harmony with Kaspersky: HEUR:Trojan-Downloader.Script.Generic

PDM can be seen in @Shadowra's test here, so it is in Harmony. I am using it with Sophos, hence it reached the behavioural guard layer, where it was instantly annihilated. PDM is probably based on System Watcher's telemetry. Kaspersky has multiple signatures that can detect the threat.
 
PDM can be seen in @Shadowra's test here, so it is in Harmony. I am using it with Sophos, hence it reached the behavioural guard layer, where it was instantly annihilated. PDM is probably based on System Watcher's telemetry. Kaspersky has multiple signatures that can detect the threat.
Yes sir.

Harmony is the best value and so superior. I'm also using their mobile solutions. Cloud sandboxes are included with Harmony Mobile.
 
PDM can be seen in @Shadowra's test here, so it is in Harmony. I am using it with Sophos, hence it reached the behavioural guard layer, where it was instantly annihilated. PDM is probably based on System Watcher's telemetry. Kaspersky has multiple signatures that can detect the threat.
So there is absolutely no delay between Kaspersky detections and Harmony with the Kaspersky engine? And while all AVs with the Bitdefender engine only get its signatures, Harmony actually also has access to other Kaspersky components?
 
So there is absolutely no delay between Kaspersky detections and Harmony with the Kaspersky engine? And while all AVs with the Bitdefender engine only get its signatures, Harmony actually also has access to other Kaspersky components?
It has access to the UDS (Urgent Detection System), which means they use the full SDK. They also use their feeds even if you choose to deploy with Sophos. Upon downloading files of any format, they will be looked up in ThreatCloud, where Kaspersky and proprietary telemetry may contain the hash. On files already downloaded, executables' reputation is checked in ThreatCloud.
 
So there is absolutely no delay between Kaspersky detections and Harmony with the Kaspersky engine? And while all AVs with the Bitdefender engine only get its signatures, Harmony actually also has access to other Kaspersky components?
None. They have two Kaspersky update servers: one from CP and the other from Kaspersky, for redundancy. There is a delay with VT, though.
 
It has access to the UDS (Urgent Detection System), which means they use the full SDK. They also use their feeds even if you choose to deploy with Sophos. Upon downloading files of any format, they will be looked up in ThreatCloud, where Kaspersky and proprietary telemetry may contain the hash. On files already downloaded, executables' reputation is checked in ThreatCloud.

So even if I choose Sophos, I'll be protected by Kaspersky?
 
So even if I choose Sophos, I'll be protected by Kaspersky?
You are protected by Kaspersky, but Kaspersky feeds malicious hashes to ThreatCloud. Once the hash changes, it will not be detected anymore (until Kaspersky sees it and feeds the new hash). But then you have Sophos and NGAV. An attacker will need to escape from all that, plus the emulation.
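The post above makes a point worth seeing concretely: a feed keyed on exact file hashes stops matching the moment one byte of the script changes, which is exactly why the other layers matter. The following is an added example, not code from the thread and not how ThreatCloud or Kaspersky actually work internally. It uses a constructed VBScript stub (not the sample from the thread), a toy in-memory reputation set standing in for a hash feed, and a simple normalization step (assumed here, not something the thread describes) that strips comments and whitespace before hashing, so that a cosmetically mutated copy still matches while a functionally different script does not.

```python
import hashlib
import re

# Constructed sample standing in for the evasive VBS discussed in the thread.
# It is deliberately harmless (echoes a string); it is NOT the thread's sample.
ORIGINAL_VBS = b"""' dropper stub
Set o = CreateObject("WScript.Shell")
o.Run "cmd /c echo hello"
"""

# The same script after a trivial mutation: an extra comment line, extra
# whitespace and a blank line. Behaviour is identical, the SHA-256 is not.
MUTATED_VBS = b"""' dropper stub
' build 2
Set   o = CreateObject("WScript.Shell")

o.Run "cmd /c echo hello"
"""

# A functionally different script: the normalizer must NOT collapse this
# onto the original, or the "normalized" match would be meaningless.
DIFFERENT_VBS = b"""Set o = CreateObject("WScript.Shell")
o.Run "cmd /c echo goodbye"
"""


def sha256_hex(data: bytes) -> str:
    """Exact-content hash, the key a plain hash-reputation feed uses."""
    return hashlib.sha256(data).hexdigest()


def normalize_vbs(data: bytes) -> bytes:
    """Canonicalize a VBScript body before hashing.

    Drops comment-only lines (' or Rem), blank lines, and collapses runs of
    whitespace. This is a deliberately simple normalizer for illustration;
    it does not parse VBScript and does not touch string literals.
    """
    out = []
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue
        out.append(re.sub(r"\s+", " ", line))
    return "\n".join(out).encode("utf-8")


class HashReputation:
    """Toy stand-in for a hash-reputation feed (hypothetical, not ThreatCloud).

    Keeps two indexes: exact SHA-256 of the file as seen, and SHA-256 of the
    normalized body. The exact index models what a plain hash feed gives you;
    the normalized index models one cheap way to survive cosmetic mutation.
    """

    def __init__(self) -> None:
        self.exact: set[str] = set()
        self.normalized: set[str] = set()

    def add_sample(self, data: bytes) -> None:
        """Ingest a known-bad sample (what 'Kaspersky sees it and feeds the hash' does)."""
        self.exact.add(sha256_hex(data))
        self.normalized.add(sha256_hex(normalize_vbs(data)))

    def lookup(self, data: bytes) -> dict:
        """Return which index, if any, flags the given file."""
        return {
            "exact": sha256_hex(data) in self.exact,
            "normalized": sha256_hex(normalize_vbs(data)) in self.normalized,
        }


def demo() -> dict:
    """Feed only the original sample, then query all three variants."""
    feed = HashReputation()
    feed.add_sample(ORIGINAL_VBS)
    return {
        "original": feed.lookup(ORIGINAL_VBS),
        "mutated": feed.lookup(MUTATED_VBS),
        "different": feed.lookup(DIFFERENT_VBS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} exact={result['exact']!s:5s} normalized={result['normalized']}")
```

The mutated copy is a miss on the exact index and a hit on the normalized one, which is the gap the post describes: until the feed ingests the new hash, only the behavioural and emulation layers stand between the script and execution. Real products use far more robust similarity schemes than stripping comments, but the failure mode of exact-hash matching is the same.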
 
It has access to the UDS (Urgent Detection System), which means they use the full SDK. They also use their feeds even if you choose to deploy with Sophos. Upon downloading files of any format, they will be looked up in ThreatCloud, where Kaspersky and proprietary telemetry may contain the hash. On files already downloaded, executables' reputation is checked in ThreatCloud.

None. They have two Kaspersky update servers: one from CP and the other from Kaspersky, for redundancy. There is a delay with VT, though.
Thanks guys for the explanation. I should really look more into Harmony... Even if I was a little sceptical, it now seems like a well thought-through solution to me.
 