App Review G data IS 2018 vs Ransomwares

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

What are your final thoughts after this review?

  • 5 star: 16 votes (53.3%)
  • 4 star: 14 votes (46.7%)
  • Total voters: 30
At 3:20 the behavior blocker moved wscript.exe to quarantine (FP?)
and didn't delete the GrandCrab.vbs.
LOL

You can see a few seconds beforehand that wscript.exe was terminated when the virus alert displayed, then the wscript.exe quarantine alert was pending and thus was shown after the virus alert was closed.

That's an interesting thing to notice, I am surprised they quarantined a Windows process (wscript.exe) instead of only the script executed by it.

So it detects the payload, not the VBS malware,
and quarantines wscript.exe, which is safe.
I don't know; unless we have the samples used to test with, anything could have happened. It could have said one thing and not really done what it said; maybe it meant that the script executing under wscript.exe was quarantined.

However, based on what the alert is saying, it does appear that it quarantined a safe Windows process (wscript.exe); this could cause problems depending on the environment, should wscript.exe be needed for things. On that note though, if it were to quarantine wscript.exe because of malicious software, and unless it did successfully revert everything, the system would likely already be trashed and a re-installation of Windows would be in order under Incident Response policy anyway.

It is interesting though; I'd have thought it'd target only the script, not the Windows process as well. Not sure what to think of that. I can see positives in it, but not all scenarios would come out positive from it.

Scenario 1.
1. User gets infected.
2. wscript.exe was used and becomes quarantined.
3. User cleans the system up with on-demand scanners; since the threat was from a small actor and wasn't very complicated, it can be cleaned properly without re-installation of Windows.
4. Now wscript.exe is still quarantined (could potentially cause problems down the line?).

Scenario 2.
1. Business gets infected.
2. wscript.exe was used and becomes quarantined.
3. There are still traces of malware on the system from the same threat; however, it requires the script to be executed to continue, and it can't since wscript.exe has been quarantined.
4. The business has a good Incident Response implementation, and formatting and re-installation of Windows will be performed after assessment of the infection and calculation of potential damage, etc. Therefore it no longer matters.

Different scenarios with different outcomes decide whether it would cause an issue or not; however, generally speaking, quarantining a system process... not a good idea. Could always be a bug though.
 
A product just stopping wscript is pointless without detecting and dealing with the underlying VB script that is calling up wscript. If you notice, that VBS script was just using wscript to connect out and download the actual Crab payload and is not in itself the actual ransomware. But any decent Blackhat will have a duplicate (or similar) script dropped on initial run somewhere on the system and also provide for autostarting or other persistence mechanisms for the daughter. If GD didn't nail it initially, one will be getting the same wscript block every time the system is restarted.

The pity is that some popular on-demand scanners are also oblivious to this attack mechanism.

(PS: if on a Win10 system, nothing should be able to delete/move/quarantine wscript, as this resides in the System32 folder. UAC, even at the Off setting, will prevent this. What no doubt actually occurred is that this one specific process was just terminated.)
 
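The two questions raised in the posts above (was wscript.exe really removed from System32, and is a dropped .vbs still wired into an autostart location) can be checked by hand. The following PowerShell is an added example written for this page; it is not from the thread, the reviewer or G DATA. It assumes an elevated PowerShell 5.1 prompt on Windows 10; the search pattern and the set of persistence locations are my own choices, not an exhaustive list.

```powershell
# Added example, not part of the original thread.
# 1) Is wscript.exe still in System32, Microsoft-signed and owned by TrustedInstaller?
# 2) Does any Run key, Startup folder or scheduled task launch a script host / .vbs?
# Assumptions: run elevated on Windows 10, PowerShell 5.1 or later.

$wscript = Join-Path $env:SystemRoot 'System32\wscript.exe'

if (Test-Path $wscript) {
    $sig = Get-AuthenticodeSignature -FilePath $wscript
    $acl = Get-Acl -Path $wscript
    [pscustomobject]@{
        Path      = $wscript
        Signature = $sig.Status                    # 'Valid' for the stock binary
        Signer    = $sig.SignerCertificate.Subject
        Owner     = $acl.Owner                     # normally 'NT SERVICE\TrustedInstaller'
    }
} else {
    Write-Warning 'wscript.exe is missing from System32: it was deleted, moved or quarantined'
}

# Script hosts and script extensions a VBS dropper typically relies on (my choice of pattern).
$pattern = '(?i)\bwscript\b|\bcscript\b|\.vbs\b|\.vbe\b|\.js\b|\.wsf\b'

# Autostart registry keys for the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # skip provider metadata (PSPath etc.)
        if ("$($p.Value)" -match $pattern) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Name -match $pattern) -or ($_.Extension -in '.vbs', '.vbe', '.js', '.wsf') } |
    Select-Object @{ n = 'Source'; e = { 'Startup' } }, FullName

# Scheduled tasks whose action runs a script host or a script file.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Command = $cmd }
        }
    }
}
```

Each hit is a candidate for manual review, not a verdict: legitimate logon scripts also run under wscript.exe. If the first check reports wscript.exe missing, or signed by something other than Microsoft, the product (or the malware) did more than terminate a process.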
G-DATA can do it if it wants. It has a Windows Service (session 0, SYSTEM rights) or kernel-mode device drivers which would be able to do it if it wanted to.
 
Trend Micro, on detection of a threat, does 'many' things to a system. Resetting the UAC is just one of the things it does, without asking. It takes a few too many liberties IMO.
They could just remember what setting it was on at installation time, or monitor changes to the config to revert it properly.
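The suggestion above, recording the UAC configuration and reverting it if something changes it, is easy to do from PowerShell. This is an added example for this page, not Trend Micro's or anyone else's code; it assumes an elevated prompt, and the baseline file path under ProgramData is an arbitrary choice.

```powershell
# Added example, not part of the original thread.
# Snapshot the UAC policy values, later diff the live registry against the snapshot,
# and optionally restore the recorded values.
# Assumptions: run elevated; the baseline file location is my own choice.

$uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uacVals  = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser', 'PromptOnSecureDesktop'
$baseline = Join-Path $env:ProgramData 'uac-baseline.json'

function Get-UacState {
    # Returns a hashtable of the current DWORD values (null if a value is absent).
    $props = Get-ItemProperty -Path $uacKey
    $state = @{}
    foreach ($v in $uacVals) { $state[$v] = $props.$v }
    return $state
}

function Save-UacBaseline {
    # Record the current state, e.g. right after the security product is installed.
    Get-UacState | ConvertTo-Json | Set-Content -Path $baseline -Encoding UTF8
}

function Compare-UacBaseline {
    # Emit one object per setting that differs from the recorded baseline.
    $saved   = Get-Content -Path $baseline -Raw | ConvertFrom-Json
    $current = Get-UacState
    foreach ($v in $uacVals) {
        if ($current[$v] -ne $saved.$v) {
            [pscustomobject]@{ Setting = $v; Baseline = $saved.$v; Current = $current[$v] }
        }
    }
}

function Restore-UacBaseline {
    # Write the recorded values back; a change to EnableLUA only takes effect after a reboot.
    $saved = Get-Content -Path $baseline -Raw | ConvertFrom-Json
    foreach ($v in $uacVals) {
        if ($null -ne $saved.$v) {
            Set-ItemProperty -Path $uacKey -Name $v -Value ([int]$saved.$v) -Type DWord
        }
    }
}

# Usage: Save-UacBaseline once, then Compare-UacBaseline after any detection/cleanup;
# Restore-UacBaseline if the comparison shows the product changed something.
```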
 
Lol, so much circlejerk and fanboyism about a crappy product with an even crappier marketing campaign that's no better than ANY popular free alternative despite being paid.

Aaaand it still gets exposed in a test that was supposed to make it look good. Hilarious. :ROFLMAO:
 