Evasive VBS with very low VT

Status
Not open for further replies.
S

ScandinavianFish

Level 7
Verified
Dec 12, 2021
319
Sandbox Breaker said:
It's not. Heuristic and proactive detections
Click to expand...
Yes it is, you will only see the PDM prefix for System Watcher detections.

"The proactive defense module is a module that monitors the sequence of actions conducted by an application in the system, and if suspicious activity is detected, the application is blocked to prevent it from conducting further activity. If an object is detected by the PDM, the name of the object begins with the “PDM:” prefix." It was likely renamed to System Watcher at some point, they just just stuck with the PDM prefix for detections.
 
Last edited:
  • Like
Reactions: simmerskool
Sandbox Breaker

Sandbox Breaker

Level 9
Thread author
Verified
Well-known
Jan 6, 2022
435
ScandinavianFish said:
BSS is not a prefix they use for detections, when an item is detected by System Watcher it will always begin with "PDM:".
Click to expand...
Who cares lol. At least they block it at many layers.

This also means Check Point Harmony has system watcher.
 
Last edited by a moderator:
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,501
Sandbox Breaker said:
Who cares lol. At least they block it at many layers.

This also means Check Point Harmony has system watcher.
Click to expand...
Doesn't that mean that Kaspersky added a signature after it was detected by System Watcher? And the signature however is available for Harmony as it's using the Kaspersky engine and therefor its signatures? I doubt that it can dynamically analyze malware with Kaspersky's behavioural and AI components.
 
Last edited by a moderator:
  • Like
Reactions: simmerskool and Trident
Sandbox Breaker

Sandbox Breaker

Level 9
Thread author
Verified
Well-known
Jan 6, 2022
435
Kongo said:
Doesn't that mean that Kaspersky added a signature after it was detected by System Watcher? And the signature however is available for Harmony as it's using the Kaspersky engine?
Click to expand...
The PDM module runs locally. I've seen these seen these detections locally in Harmony before.
 
  • Like
Reactions: Kongo and Trident
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Shadowra said:
Detected by Harmony with Kaspersky : HEUR:Trojan-Downloader.Script.Generic

View attachment 276703View attachment 276702
Click to expand...
PDM can be seen in @Shadowra's test here so it is in Harmony. I am using it with Sophos, hence it reached the behavioural guard layer, where it was instantly annihilated. PDM is probably system watcher's telemetry based. Kaspersky has multiple signatures that can detect the threat.
 
  • Applause
  • Like
  • +Reputation
Reactions: roger_m, simmerskool, Shadowra and 2 others
Sandbox Breaker

Sandbox Breaker

Level 9
Thread author
Verified
Well-known
Jan 6, 2022
435
Trident said:
PDM can be seen in @Shadowra's test here so it is in Harmony. I am using it with Sophos, hence it reached the behavioural guard layer, where it was instantly annihilated. PDM is probably system watcher's telemetry based. Kaspersky has multiple signatures that can detect the threat.
Click to expand...
Yes sir.

Sandbox Breaker said:
Yes sir.
Click to expand...
Harmony is the best value and so superior. I'm also using their mobile solutions. Cloud sandboxes are included with harmony Mobile.
 
  • Like
Reactions: simmerskool, Shadowra, Kongo and 1 other person
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,501
Trident said:
PDM can be seen in @Shadowra's test here so it is in Harmony. I am using it with Sophos, hence it reached the behavioural guard layer, where it was instantly annihilated. PDM is probably system watcher's telemetry based. Kaspersky has multiple signatures that can detect the threat.
Click to expand...
So there is absolutely no delay in Kaspersky detections and Harmony with Kaspersky engine? And while all AVs with Bitdefender engine only get its signatures, Harmony actually also has access to other Kaspersky components?
 
  • Like
Reactions: simmerskool and Trident
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Kongo said:
So there is absolutely no delay in Kaspersky detections and Harmony with Kaspersky engine? And while all AVs with Bitdefender engine only get its signatures, Harmony actually also has access to other Kaspersky components?
Click to expand...
It has access to the UDS (Urgent Detection System) which means they use the full sdk. They also use their feeds even if you choose to deploy with Sophos. Upon downloading files from any format, they will be looked up in ThreatCloud where Kaspersky and proprietary telemetry may contain the hash. On files already downloaded, executables reputation is checked in ThreatCloud.
 
  • Like
  • Wow
  • Applause
Reactions: SeriousHoax, roger_m, simmerskool and 2 others
Sandbox Breaker

Sandbox Breaker

Level 9
Thread author
Verified
Well-known
Jan 6, 2022
435
Kongo said:
So there is absolutely no delay in Kaspersky detections and Harmony with Kaspersky engine? And while all AVs with Bitdefender engine only get its signatures, Harmony actually also has access to other Kaspersky components?
Click to expand...
None. they have two Kaspersky update servers. One from CP and the other from Kaspersky for redundancy. There is a delay with VT thou
 
  • Like
  • Thanks
Reactions: roger_m and Kongo
Shadowra

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,309
Trident said:
It has access to the UDS (Urgent Detection System) which means they use the full sdk. They also use their feeds even if you choose to deploy with Sophos. Upon downloading files from any format, they will be looked up in ThreatCloud where Kaspersky and proprietary telemetry may contain the hash. On files already downloaded, executables reputation is checked in ThreatCloud.
Click to expand...

So even if I choose Sophos, I'll be protected by Kaspersky?
 
  • Like
Reactions: roger_m, simmerskool, Trident and 1 other person
Trident

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Shadowra said:
So even if I choose Sophos, I'll be protected by Kaspersky?
Click to expand...
You are protected by Kaspersky but Kaspersky feeds malicious hashes to ThreatCloud. Once the hash changes, it will not be detected anymore (until Kaspersky sees it and feeds the new hash). But then you have Sophos and NGAV. An attacker will need to escape from all that, plus the emulation.
 
  • Like
  • Hundred Points
Reactions: SeriousHoax, roger_m, simmerskool and 3 others
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,501
Trident said:
It has access to the UDS (Urgent Detection System) which means they use the full sdk. They also use their feeds even if you choose to deploy with Sophos. Upon downloading files from any format, they will be looked up in ThreatCloud where Kaspersky and proprietary telemetry may contain the hash. On files already downloaded, executables reputation is checked in ThreatCloud.
Click to expand...

Sandbox Breaker said:
None. they have two Kaspersky update servers. One from CP and the other from Kaspersky for redundancy. There is a delay with VT thou
Click to expand...
Thanks guys for the explanation. I should really look more into Harmony... Even if I was a little sceptical it now seems like a well thought-through solution to me. (y)
 
  • Like
Reactions: Nevi, SeriousHoax, simmerskool and 2 others
Status
Not open for further replies.

Similar threads

L
    • Like
    • +Reputation
Evasive Sample
Replies
12
Views
1,680
Malware Analysis Archive
piquiteco
piquiteco
Sandbox Breaker
    • Like
    • +Reputation
Signed Sample - Very Suspect
Replies
5
Views
780
Malware Analysis Archive
harlan4096
harlan4096
Sandbox Breaker
    • Like
    • +Reputation
    • Applause
Malware Analysis Mystic Stealer Bypassing Sandboxes
Replies
50
Views
2,801
Malware Analysis Archive
Trident
Trident

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top