- Mar 27, 2017
- 160
Fileless malware demo:Why antivirus alone is not enough
- Thread starter Prayag
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Mar 27, 2017
- 160
One thing,I forgot to show in video is the dynamic protection by idp in avast.
It was able to detect kovter and a powershell abuse by behavior shield.
So it can stop any file less malware that exploits the vulnerability if it tries to abuse powershell and other critical files may also be protected.
But then also we need a more powerful solution besides av as I have been infected with a file less malware even when using avast 2017 with behavior shield and that malware stayed in my system for almost three months,with no reaction from avast and eek both of which were regularly updated during the period.
It was able to detect kovter and a powershell abuse by behavior shield.
So it can stop any file less malware that exploits the vulnerability if it tries to abuse powershell and other critical files may also be protected.
But then also we need a more powerful solution besides av as I have been infected with a file less malware even when using avast 2017 with behavior shield and that malware stayed in my system for almost three months,with no reaction from avast and eek both of which were regularly updated during the period.
Last edited:
- Mar 27, 2017
- 160
- Mar 27, 2017
- 160
As for qihoo 360 Ts,it didn't do any well.
It can't even detect it through signatures.
I have set up it at maximum settings but without any third party av as I think a product should provide this type of protection through its default engine and bit defender engine in qihoo 360 isn't that optimized either.It(when bit defender engine is installed and up-to-date) can't detect many samples that eek detects through bit defender engine long back.
Even the cloud engine of qihoo couldn't detect it.
Its behavior blocking or dynamic protection also couldn't block it.
I was shocked to see the result so I have tried running the threat 3 times after turning it back to the earlier state but nothing changed.
Every time eek detected it.
So if any malware of such type couldn't be detected through signatures then rest assured the behavior blocker of qihoo will not prevent it from abusing powershell and other such stuffs(but avast can,to some extent and you will be infected without you even knowing.
So my advice is to use avast instead of qihoo as qihoo only seem to have special patterns for preventing ransomware attack but not general and process hollowers but avast is great in detecting (thanks to its continuosly improved idp)general,process hollowers as well as ransomwares better than qihoo(at this moment) and I also felt that avast uses less resources as compared to qihoo.
Well,if you use comodo fw tweaked than you can opt for any av,it doesn't really matter,but for standalone av,the choice is clear(it isn't qihoo).
Hope you have got all the answers for your queries.
Thanks for reading so far.
It can't even detect it through signatures.
I have set up it at maximum settings but without any third party av as I think a product should provide this type of protection through its default engine and bit defender engine in qihoo 360 isn't that optimized either.It(when bit defender engine is installed and up-to-date) can't detect many samples that eek detects through bit defender engine long back.
Even the cloud engine of qihoo couldn't detect it.
Its behavior blocking or dynamic protection also couldn't block it.
I was shocked to see the result so I have tried running the threat 3 times after turning it back to the earlier state but nothing changed.
Every time eek detected it.
So if any malware of such type couldn't be detected through signatures then rest assured the behavior blocker of qihoo will not prevent it from abusing powershell and other such stuffs(but avast can,to some extent and you will be infected without you even knowing.
So my advice is to use avast instead of qihoo as qihoo only seem to have special patterns for preventing ransomware attack but not general and process hollowers but avast is great in detecting (thanks to its continuosly improved idp)general,process hollowers as well as ransomwares better than qihoo(at this moment) and I also felt that avast uses less resources as compared to qihoo.
Well,if you use comodo fw tweaked than you can opt for any av,it doesn't really matter,but for standalone av,the choice is clear(it isn't qihoo).
Hope you have got all the answers for your queries.
Thanks for reading so far.
Last edited:
- Mar 27, 2017
- 160
Qihoo has also declared this file clean in virus total analysis.
Last edited:
- Dec 29, 2014
- 1,716
Hey @Prayag. Excellent test. Much knowledge to be gained examining how these malwares travel through the system. Thanks.
I run all programs with this same princple, so I like HIPs alerts. This helps me understand system policy and what is good and not good and then also a little bit about critical protection zones. Even normal safe signed software can be very edgy with dangerous changes and lots of internet connections. It's becoming less I think though with the normal safe signed software thanks to improving security apps and education.
You mention "autoblock any suspicious file". Did you mean 3:15 Comodo setting "Enable enhanced protection mode"? Always wondered what this does. Looks to me like Advanced Protection->Miscellaneous->Do heuristic command-line analysis for... picked up the memory activity. The file Comodo HIPs used was the partial script file created by the heuristic monitoring module and could be found in C:\ProgramData\Comodo\Cis\tempscrpt. This is good for anyone to see who relies on Comodo. These files are not just monitored by the HIPs. They are subject to all the protections of Comodo just like any other file.
Comodo HIPs looks like a good tool in malware testing for identifying what malware does. Thanks again.
- Mar 27, 2017
- 160
A
This is a part of my testing to evolve a security setup that would not ask users for taking decision and maintaining a high level of protection while not blocking any clean files like games.
This security setup is designed for my friends who don't know how to answer the popups.
Thanks for your kind words.
'Autoblock any suspicious files' means I have set comodo to not show any hips alert and instead of alert,autoblock the file in question.
This is a part of my testing to evolve a security setup that would not ask users for taking decision and maintaining a high level of protection while not blocking any clean files like games.
This security setup is designed for my friends who don't know how to answer the popups.
Thanks for your kind words.
Last edited:
- Dec 29, 2014
- 1,716
Thanks. I didn't understand your meaning
, since you turned off the "auto-Block" for the test when you disabled "Do not show alerts..."I am curious. Would you happen to know with HIPs alerts set not to show and then set to block, does Comodo still show a block alert when a file is blocked? Obviously, it won't run, but I haven't ever tested this dynamic to see if there is a block alert since I have the alerts set to show. There is a smaller alert for a HIPs block event using alerts->show.
- Mar 27, 2017
- 160
No alerts will be shown in this setting.Thanks. I didn't understand your meaning
I am curious. Would you happen to know with HIPs alerts set not to show and then set to block, does COMODO still show a block alert when a file is blocked? Obviously, it won't run, but I haven't ever tested this dynamic to see if there is a block alert since I have the alerts set to show. There is a smaller alert for a HIPs block event using alerts->show.
Everything will be silently blocked even the popup that tell you that a particular file is blocked will not be shown.
Have you got any issues,just see the 'unblock applications' option to find which file has been blocked or by which module.
Additionally,rules for unknown applications or files are generated in 'hips rules' column,if you like you can see there also.
- Apr 1, 2017
- 1,782
- Mar 27, 2017
- 160
I haven't tried rehips.
Maybe some other(who uses rehips) will answer your query.
- Dec 29, 2014
- 1,716
OK thanks. Nice explanation for my question.
When using "Unblock Applications" on the widget, your friends might be helped to know that it works this way:
Unblock an application from "Unblock Applications" on widget->
1. New Firewall rule->Allow
2. New HIPs rule->Allow
3. New Containment rule->Allow
4. File rating in Files list goes from "Unrecognized"->Trusted
2. New HIPs rule->Allow
3. New Containment rule->Allow
4. File rating in Files list goes from "Unrecognized"->Trusted
It's a full unconditional allow for the application and all of its activities, so make sure unblocking is what is required and be 100% sure the unblocked application is safe. If you aren't sure it's safe leave it blocked and ask someone on MalwareTips what to do. That's the best way.
- Mar 27, 2017
- 160
Yeah I know this thing but as I have the solution,I don't worry about this.OK thanks. Nice explanation for my question.
When using "Unblock Applications" on the widget, your friends might be helped to know that it works this way:
Unblock an application from "Unblock Applications" on widget->
1. New Firewall rule->Allow
2. New HIPs rule->Allow
3. New Containment rule->Allow
4. File rating in Files list goes from "Unrecognized"->Trusted
It's a full unconditional allow for the application and all of its activities, so make sure unblocking is what is required and be 100% sure the unblocked application is safe. If you aren't sure it's safe leave it blocked and ask someone on MalwareTips what to do. That's the best way.
Yeah,right.Friends should be taught how to use it.
But anyway,thanks
- Mar 15, 2011
- 13,070
Source: Read Here
Technically at the end of the day, Antivirus that relies on signature is indeed obsolete cause attacks are more on behavior rather on execution through own program.
Unfortunately the typical Antivirus that we have are something in partial and not on full blown like from Comodo; since it should be critically assess if the program can detect it very smart without any other relying information.
@Prayag :
You said : "Have you got any issues,just see the 'unblock applications' option to find which file has been blocked or by which module.
Additionally,rules for unknown applications or files are generated in 'hips rules' column,if you like you can see there also."
Is this your answer because AtlBo set the the Alert to show or for others reasons ? Not sure I have fully understood.
You said : "Have you got any issues,just see the 'unblock applications' option to find which file has been blocked or by which module.
Additionally,rules for unknown applications or files are generated in 'hips rules' column,if you like you can see there also."
Is this your answer because AtlBo set the the Alert to show or for others reasons ? Not sure I have fully understood.
Similar threads
