Evasive VBS with very low VT

Status
Not open for further replies.

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
Yes it is, you will only see the PDM prefix for System Watcher detections.

"The proactive defense module is a module that monitors the sequence of actions conducted by an application in the system, and if suspicious activity is detected, the application is blocked to prevent it from conducting further activity. If an object is detected by the PDM, the name of the object begins with the “PDM:” prefix." It was likely renamed to System Watcher at some point, they just just stuck with the PDM prefix for detections.
 
Last edited:
  • Like
Reactions: simmerskool

Sandbox Breaker

Level 9
Thread author
Well-known
Jan 6, 2022
434
BSS is not a prefix they use for detections, when an item is detected by System Watcher it will always begin with "PDM:".
Who cares lol. At least they block it at many layers.

This also means Check Point Harmony has system watcher.
 
Last edited by a moderator:

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,518
Who cares lol. At least they block it at many layers.

This also means Check Point Harmony has system watcher.
Doesn't that mean that Kaspersky added a signature after it was detected by System Watcher? And the signature however is available for Harmony as it's using the Kaspersky engine and therefor its signatures? I doubt that it can dynamically analyze malware with Kaspersky's behavioural and AI components.
 
Last edited by a moderator:

Sandbox Breaker

Level 9
Thread author
Well-known
Jan 6, 2022
434
Doesn't that mean that Kaspersky added a signature after it was detected by System Watcher? And the signature however is available for Harmony as it's using the Kaspersky engine?
The PDM module runs locally. I've seen these seen these detections locally in Harmony before.
 
  • Like
Reactions: Kongo and Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,756
Detected by Harmony with Kaspersky : HEUR:Trojan-Downloader.Script.Generic

View attachment 276703View attachment 276702
PDM can be seen in @Shadowra's test here so it is in Harmony. I am using it with Sophos, hence it reached the behavioural guard layer, where it was instantly annihilated. PDM is probably system watcher's telemetry based. Kaspersky has multiple signatures that can detect the threat.
 

Sandbox Breaker

Level 9
Thread author
Well-known
Jan 6, 2022
434
PDM can be seen in @Shadowra's test here so it is in Harmony. I am using it with Sophos, hence it reached the behavioural guard layer, where it was instantly annihilated. PDM is probably system watcher's telemetry based. Kaspersky has multiple signatures that can detect the threat.
Yes sir.

Harmony is the best value and so superior. I'm also using their mobile solutions. Cloud sandboxes are included with harmony Mobile.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,518
PDM can be seen in @Shadowra's test here so it is in Harmony. I am using it with Sophos, hence it reached the behavioural guard layer, where it was instantly annihilated. PDM is probably system watcher's telemetry based. Kaspersky has multiple signatures that can detect the threat.
So there is absolutely no delay in Kaspersky detections and Harmony with Kaspersky engine? And while all AVs with Bitdefender engine only get its signatures, Harmony actually also has access to other Kaspersky components?
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,756
So there is absolutely no delay in Kaspersky detections and Harmony with Kaspersky engine? And while all AVs with Bitdefender engine only get its signatures, Harmony actually also has access to other Kaspersky components?
It has access to the UDS (Urgent Detection System) which means they use the full sdk. They also use their feeds even if you choose to deploy with Sophos. Upon downloading files from any format, they will be looked up in ThreatCloud where Kaspersky and proprietary telemetry may contain the hash. On files already downloaded, executables reputation is checked in ThreatCloud.
 

Sandbox Breaker

Level 9
Thread author
Well-known
Jan 6, 2022
434
So there is absolutely no delay in Kaspersky detections and Harmony with Kaspersky engine? And while all AVs with Bitdefender engine only get its signatures, Harmony actually also has access to other Kaspersky components?
None. they have two Kaspersky update servers. One from CP and the other from Kaspersky for redundancy. There is a delay with VT thou
 
  • Like
  • Thanks
Reactions: roger_m and Kongo

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,329
It has access to the UDS (Urgent Detection System) which means they use the full sdk. They also use their feeds even if you choose to deploy with Sophos. Upon downloading files from any format, they will be looked up in ThreatCloud where Kaspersky and proprietary telemetry may contain the hash. On files already downloaded, executables reputation is checked in ThreatCloud.

So even if I choose Sophos, I'll be protected by Kaspersky?
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,756
So even if I choose Sophos, I'll be protected by Kaspersky?
You are protected by Kaspersky but Kaspersky feeds malicious hashes to ThreatCloud. Once the hash changes, it will not be detected anymore (until Kaspersky sees it and feeds the new hash). But then you have Sophos and NGAV. An attacker will need to escape from all that, plus the emulation.
 

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,518
It has access to the UDS (Urgent Detection System) which means they use the full sdk. They also use their feeds even if you choose to deploy with Sophos. Upon downloading files from any format, they will be looked up in ThreatCloud where Kaspersky and proprietary telemetry may contain the hash. On files already downloaded, executables reputation is checked in ThreatCloud.

None. they have two Kaspersky update servers. One from CP and the other from Kaspersky for redundancy. There is a delay with VT thou
Thanks guys for the explanation. I should really look more into Harmony... Even if I was a little sceptical it now seems like a well thought-through solution to me. (y)
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top