Disclaimer

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

askalan

Level 14
Malware Hunter
Verified
  1. Containment: VirtualBox 5.1.38
  2. Windows: 10 LTSB
  3. VPN: CyberGhost
  4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
  5. Office: LibreOffice (standard settings)
Disclaimer: Experimental setup for testing effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with above-average knowledge of Windows' built-in security features.
| February 2019 | Amount of samples | Samples that have harmed the system / changed system configuration | Files aren't touched/encrypted | Thread link |
|---|---|---|---|---|
| Mixed Threats #13 (01/02/2019) | 13 | 0 | yes | link |
| #CDC Ransomware (almost FUD) - 02/02/2019 | 1 | 0 | yes | link |
| #Exploit (03/02/2019) | 1 | 0 | yes | link |
| 4/02/2019 #18 | 18 | 0 | yes | link |
| AZORult (5/02/2019) | 1 | 0 | yes | link |
| #Buhtrap Ransomware (signed) - 07/02/2019 | 1 | 1 | no | link |
| 8/02/2019 #15 | 15 | 0 | yes | link |
| #FCrypt Ransomware | 1 | 0 | yes | link |
| AgentTesla (11/02/2019) | 1 | 0 | yes | link |
| 12/02/2019 #23 | 23 | 0 | yes | link |
| Malware Big Pack #24 (13/02/2019) | 24 | 0 | yes | link |
| Remcos RAT (14/02/2019) | 1 | 0 | yes | link |
| Malware x4 (16/02/2019) | 4 | 0 | yes | link |

Hard_Configurator by @Andy Ful
 


Andy Ful

Level 36
Content Creator
Trusted
Verified
The ransomware from MH https://malwaretips.com/threads/buhtrap-ransomware-signed-07-02-2019.90379/ is signed, so it will be a challenge for SmartScreen Application Reputation. The malware should be mitigated by SRP, even if it would bypass SmartScreen, because it uses Windows Script Host (CScript).

Edit
I had to edit my post, because of my evident error - SRP (in H_C recommended settings) is set to allow the processes with Admin rights, and the tested malware was run with Admin rights. :(
It could be mitigated if the option <Disable Win. Script Host> was set to ON. Maybe I should add it to recommended settings alongside SRP script mitigations?
 

Gandalf_The_Grey

Level 13
Verified

imuade

Level 6
Verified

Andy Ful

Level 36
Content Creator
Trusted
Verified
I have just seen the [S]@askalan video, and it seems that the trojan part of the malware was mitigated by H_C, because the CScript payload was blocked and remote features were disabled. But, the ransomware part (no elevation) was successful.[/S]
That malware is an example of what I wrote in the January report. In some cases, the signed malware can bypass the SmartScreen even some days after being detected by many AVs. So, it is good to have also a real-time AV alongside H_C.
Anyway, this malware will be delivered in the wild mostly via malicious spam attachments (scripts, documents), and this will be prevented by H_C settings.

Post edited - the malware was not mitigated by H_C, because it was allowed to run with Admin rights via "Run As SmartScreen".
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
Would have it made any difference if the test had been done with tighter (enhanced) settings instead of default ones?
Yes, but not for preventing encryption in this case - it is done by the main executable which was allowed to run. Yet, this malware can also use cmd.exe to run some sponsors: attrib.exe, bcdedit.exe, cscript.exe (already blocked), chcp.exe, net.exe ('net view' command blocked), reg.exe, vssadmin.exe, wbadmin.exe, wmic.exe.
https://www.hybrid-analysis.com/sample/f1d0df0e6b4e050703056fa3cad9b690c45ee7d239d5a45faf3e0cdf6b0ebd20?environmentId=100

Most of the above sponsors will require admin rights, SMB1, etc. to do something important - accessing Admin rights is hard with H_C settings and SMB1 is blocked. But, even without Admin rights the sponsor reg.exe can change the Registry keys in the HKCU Hive and wmic.exe can be used for gathering information about the system, so they are blocked in H_C enhanced settings.


I am sorry, I had to be very sleepy to overlook that the malware was run with Admin rights, so could not be mitigated by SRP and H_C recommended or enhanced settings.
That is the con of usability of "Run As SmartScreen" which is intended to bypass SRP.
The only H_C setting that could mitigate this malware is <Disable Win. Script Host> set to ON.
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
I had to edit my previous posts. I forgot that in the recommended settings the option <Disable Win. Script Host> is set to OFF. That means that Windows Script Host is protected only by SRP, and will be bypassed by design, when the malware is run with Admin rights. That is the case of the malware run via "Run As SmartScreen", if the SmartScreen failed to stop it.
The malware could probably be mitigated if <Disable Win. Script Host> was set to ON.
@askalan, could you please test it also with this setting ON, to see the difference?
 

imuade

Level 6
Verified
Yes, but not for preventing encryption in this case - it is done by the main executable which was allowed to run. Yet, this malware can also use cmd.exe to run some sponsors: attrib.exe, bcdedit.exe, cscript.exe (already blocked), chcp.exe, net.exe ('net view' command blocked), reg.exe, vssadmin.exe, wbadmin.exe, wmic.exe.
https://www.hybrid-analysis.com/sample/f1d0df0e6b4e050703056fa3cad9b690c45ee7d239d5a45faf3e0cdf6b0ebd20?environmentId=100


Most of the above sponsors will require admin rights, SMB1, etc. to do something important - accessing Admin rights is hard with H_C settings and SMB1 is blocked. But, even without Admin rights the sponsor reg.exe can change the Registry keys in the HKCU Hive and wmic.exe can be used for gathering information about the system, so they are blocked in H_C enhanced settings.

I am sorry, I had to be very sleepy to overlook that the malware was run with Admin rights, so could not be mitigated by SRP and H_C recommended or enhanced settings.
That is the con of usability of "Run As SmartScreen" which is intended to bypass SRP.
The only H_C setting that could mitigate this malware is <Disable Win. Script Host> set to ON.
Ah, OK, so I was correct to set <Disable Win. Script Host> to ON :emoji_v:
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
Ah, OK, so I was correct to set <Disable Win. Script Host> to ON :emoji_v:
Please, look after some time into the log of blocked events, for event Id = 1000 with Provider = Windows Script Host. This event means that a Windows Script Host script was blocked with Admin rights. There are some administrative & troubleshooting scripts in the Windows folder, which will be blocked by this setting, but they are not important in the healthy system.

In the first versions of H_C the <Disable Win. Script Host> was set to ON by default, but now it is set to OFF. When set to ON, it could mitigate some malware which bypassed SmartScreen. But anyway, such mitigation will usually be insufficient because the malware is already running with Admin rights. Furthermore, such an event will be very improbable in the home user environment, because the infection chain in the wild will not start from an EXE file (like in the test), but from the weaponized document or script started without admin rights. Such files will be blocked by recommended H_C settings and cannot bypass SmartScreen (automatically blocked when "Run As SmartScreen").
The different scenario is probable only when the user is going to download cracks and pirated software.
But, setting <Disable Win. Script Host> = ON will not hurt - the user has to only remember that scripts are blocked by two independent settings and that blocked events cannot be whitelisted.
 
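An added audit script (not code from the thread or from Hard_Configurator) for checking the two points made in the posts above: whether SRP is scoped to skip local administrators, whether Windows Script Host is disabled, and whether the Application log holds the Event Id 1000 / Provider "Windows Script Host" entries Andy Ful describes. It assumes H_C implements these settings through the standard Safer and Windows Script Host registry values; run it in an elevated PowerShell.

```powershell
# Added example, not code from the thread or from Hard_Configurator. It reads the
# registry values assumed here to underlie the two H_C settings discussed above and
# lists the Windows Script Host events the thread points to.

function Get-SrpAdminScope {
    # SRP keeps its policy under the Safer key. PolicyScope = 1 means
    # "all users except local administrators", i.e. elevated processes bypass SRP.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srp = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $srp) { return [pscustomobject]@{ SrpConfigured = $false } }
    $level = switch ($srp.DefaultLevel) {
        0       { 'Disallowed' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { "$($srp.DefaultLevel)" }
    }
    [pscustomobject]@{
        SrpConfigured   = $true
        DefaultLevel    = $level
        AdminsBypassSrp = ($srp.PolicyScope -eq 1)
    }
}

function Get-WshState {
    # WSH honours the 'Enabled' DWORD under either key; 0 disables it for every
    # process, elevated or not, which is what the thread relies on.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
        $val = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state = if ($null -eq $val) { 'not set (allowed)' } elseif ($val -eq 0) { 'disabled' } else { 'enabled' }
        [pscustomobject]@{ Key = $key; State = $state }
    }
}

function Get-WshBlockEvents {
    param([int]$Days = 7)
    # Per the thread, a script blocked by this setting shows up as Event Id 1000
    # from provider "Windows Script Host" in the Application log.
    $filter = @{ LogName = 'Application'; ProviderName = 'Windows Script Host'
                 Id = 1000; StartTime = (Get-Date).AddDays(-$Days) }
    # Get-WinEvent errors when nothing matches; treat that as an empty result.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Get-SrpAdminScope | Format-List
Get-WshState | Format-Table -AutoSize
Get-WshBlockEvents | Format-List
```

If AdminsBypassSrp is true and both WSH keys read "not set", an elevated script is governed only by SmartScreen, which is the gap the thread discusses.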

askalan

Level 14
Malware Hunter
Verified
In my future tests you will find the screenshots of the al-khaser test.
LordNoteworthy/al-khaser

This program is supposed to determine if a virtual machine solution is hidden enough. I hope that the other testers will also publish the screenshots of this test in the future. It is very important to know how well the virtual machine has been configured.

(For information: if you want to run this test on your own VM it usually takes an hour. So don't be confused and let the test take its time.)

Video - Why a good VM configuration is important
 

Moonhorse

Level 23
Content Creator
Verified
So, it is good to have also a real-time AV alongside H_C.
Would Windows Defender enabled on high settings have stopped it if the signatures detected it? Since WD has behaviour monitoring, but is that as effective as a behaviour blocker?

Is there anything that would make WD + H_C stronger, something like AppCheck or RansomOff? Anything to add on that combo? I know that I would probably be alright running WD alone, but is there anything that can still harden that setup? Custom settings of H_C? If the malware weren't signed by the Comodo TVL, wouldn't something like Comodo Firewall be alright to add into that WD + H_C combo?
 

oldschool

Level 21
Verified
… … Is there anything that would make WD + H_C stronger, something like AppCheck or RansomOff? Anything to add on that combo? I know that I would probably be alright running WD alone, but is there anything that can still harden that setup? Custom settings of H_C? If the malware weren't signed by the Comodo TVL, wouldn't something like Comodo Firewall be alright to add into that WD + H_C combo?
More is not the answer. You are already secure. :D
 

Andy Ful

Level 36
Content Creator
Trusted
Verified
WD and any other AV can sometimes detect such malware, and sometimes not. This sample was initially detected by 5 AVs (Avast, AVG, DrWeb, Eset, VB32). In other cases, it could be detected by Microsoft, Kaspersky, Avira, and BitDefender. Defender High settings can detect much more than WD on defaults.

One could strengthen the setup in many ways, but that would be unreasonable. Let's look at the below scenario:
  1. I have a very strong setup, which is also pretty much usable, but not so easy anyway.
  2. It can be even stronger by blocking many sponsors, adding the sandbox application or anti-ransomware protection, using Application Guard to block sponsors as administrator, blocking the Internet connection to vulnerable applications in the firewall, adding HIPS and Exploit Protection, etc.
  3. Wow, I have extremely strong protection.
  4. But, wait. Why is my system so unusable, and why do I not understand what disturbs the functionality of my applications?
  5. I give up. The default-deny protection sucks. I'd rather go back to AV only.
  6. Wow, I have such a usable setup now. But, wait. Why can't it detect everything on Malware Hub?
  7. I can make it stronger by adding .... (and so on).
I would rather recommend thinking through this fact:
If default-deny protection is not simple, then it is unusable for most users, including the reader of this post.
:giggle:(y):emoji_pray:
 

shmu26

Level 72
Content Creator
Trusted
Verified
  1. It can be even stronger by blocking many sponsors, adding the sandbox application or anti-ransomware protection, using Application Guard to block sponsors as administrator, blocking the Internet connection to vulnerable applications in the firewall, adding HIPS and Exploit Protection, etc.
  2. Wow, I have extremely strong protection.
  3. But, wait. Why is my system so unusable, and why do I not understand what disturbs the functionality of my applications?
Very funny, and very true. Such a setup is good for people who enjoy and make a hobby out of creating a paranoid security setup.
 
