- Jan 8, 2017
- 1,320
@silversurfer, @Der.Reisende , we could get this sample (SilentSpring.exe) from the video to test in MH?
G data IS 2018 vs Ransomwares
- Thread starter Mahesh Sudula
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
I use G Data with the firewall set to maximum on my gaming rig. It's light and very effective.
- Jul 13, 2014
- 766
Will be included in the latest pack.
I hope it works
Antivirus scan for a0fa26c2f79fd4e0f3f25b3fcb7aa02bb0194b34f13aa8d721b114432a00b05a at 2018-03-06 19:04:23 UTC - VirusTotal
EDIT:
It does work.
Did encrypt a few files before getting stopped (and files recovered) by AppCheck AntiRansomware.
Last edited:
- May 3, 2013
- 82
In 3:20 the behavior blocker moved the wscript.exe to quarantine (FPs) ??
and didn't delete the GrandCrab.vbs
and didn't delete the GrandCrab.vbs
LOL
You can see a few seconds beforehand that wscript.exe was terminated when the virus alert displayed, then the wscript.exe quarantine alert was pending and thus was shown after the virus alert was closed.
That's an interesting thing to notice, I am surprised they quarantined a Windows process (wscript.exe) instead of only the script executed by it.
- May 3, 2013
- 82
so it detect the payload not the vbs malware
and quarantine the wscript.exe which is safe
I don't know, unless we have the samples used to test with anything could have happened. It could have said one thing and not really done what it said, maybe it meant that the script executing under wscript.exe was quarantined.
However it does appear based on what the alert is saying that it quarantined a safe Windows process (wscript.exe), this could cause problems depending on the environment should wscript.exe be needed for things. On that note though, if it were to quarantine wscript.exe because of malicious software and unless it did successfully revert everything, the system would likely already be trashed and a re-installation of Windows would be in order for Incident Response policy anyway.
It is interesting though, I'd have thought it'd target only the script... Not the windows process as well. Not sure what to think of that. I can see positives of it, but not all scenarios would come from positive from it.
Scenario 1.
1. User gets infected.
2. Wscript.exe was used and becomes quarantined.
3. User cleans systems up with on-demand scanners since the threat was from a small actor and wasn't very complicated, can be cleaned properly without re-installation of Windows.
4. Now wscript.exe is still quarantined (could cause problems down the line, potentially (?))
Scenario 2.
1. Business gets infected.
2. Wscript.exe was used and becomes quarantined.
3. There's still traces of malware on the system from the same threat however it requires the script to be executed to continue, it can't since wscript.exe has been quarantined.
4. The business has a good Incident and Response implementation and formatting and re-installation of Windows will be performed after assessment of the infection and calculations of potential damage, etc. Therefore it no longer matters.
Different scenarios with different outcomes decide if it would cause an issue or not, however generally speaking, quarantine a system process... Not a good idea. Could always be a bug though.
- Apr 13, 2013
- 3,224
A product just stopping wscript is pointless without detecting and dealing with the underlying vb script that is calling up wscript. If you notice, that vbs script was just using wscript to connect out and download the actual Crab payload and in itself is not the actual ransomware. But as any decent Blackhat will have a duplicate (or similar) script dropped on initial run somewhere on the system and also provide for autostarting or other persistence mechanisms for the daughter. If GD didn't nail it initially one will be getting the same wscript block every time the system is restarted.
The pity is that some popular on-demand scanners are also oblivious to this attack mechanism.
(ps- if on a Win10 system, nothing should be able to delete/move/quarantine wscript as this resides in the system32 folder. UAC, even at the Off setting, will prevent this. What no doubt actually occurred is that this one specific process was just terminated).
The pity is that some popular on-demand scanners are also oblivious to this attack mechanism.
(ps- if on a Win10 system, nothing should be able to delete/move/quarantine wscript as this resides in the system32 folder. UAC, even at the Off setting, will prevent this. What no doubt actually occurred is that this one specific process was just terminated).
Last edited:
G-DATA can do it if it wants. It has a Windows Service (session 0, SYSTEM rights) or kernel-mode device drivers which would be able to do it if it wanted to.
- Apr 13, 2013
- 3,224
You are so correct, which makes things even more sick; just like Trend Micro putting UAC to Default even if you had set it at max.
Some Companies take far too many liberties with our systems...
.
Some Companies take far too many liberties with our systems...
.
WHAT!
I can't believe that (well I can since I believe you), but that is absolutely ridiculous. How dare they, how is that enhancing protection?!
Trend Micro on detection of threat does 'many' things to a system. Resetting the UAC is just one of the things it does - without asking. It takes a few too many liberties IMO.
They could just remember what setting it was on at installation time or monitor changes to the config to revert it properly.
Lol, so much circlejerk and fanboyism about a crappy product with even crappier marketing campaign that's no better than ANY popular free alternatives despite being paid.
Aaaand it still gets exposed in a test that was supposed to make it look good. Hilarious.
Aaaand it still gets exposed in a test that was supposed to make it look good. Hilarious.
Last edited:
Similar threads
