- Aug 19, 2019
- 1,224
Interesting ransomware was tested on MH:
This example shows two things:
The first point is evident from the Malware Hub results. So, the best method is still blocking scripts in UserSpace.
- Even the AV with ATP cannot detect all scripting attacks.
- There is a big difference between malware tests and real-world tests.
The second point follows from the fact that in the real world attack, the attacker will not use a PowerShell script as the initial infection vector due to the PowerShell Execution Policy. So, the MS Office document, shortcut, or another infection vector will be used to run the PowerShell script and bypass the PowerShell Execution Policy. In most cases, also the phishing link will be used. This will change the detection significantly for all AVs with ATP. For example, the WD ASR rules will block such attacks performed via exploiting MS Office or Adobe Reader applications.
Do you have any recommendations beyond the Recommended Settings in H_C to cover this or does the H_C defaults already protect us?