Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 755183" data-attributes="member: 32260">
<p>This sample has DigiCert High Assurance EV Root CA, so it should also bypass SmartScreen.</p>
<p></p>
<p>Edit.</p>
<p>@Evjl's Rain Confirmed SmartScreen bypass. I am not sure if the second SmartScreen bypass was real, because WD checks files on access when the folder is opened. The suspicious files are blocked by WD until the analysis completes. So I suspect that the malware sample <span style="font-size: 18px"><strong>__-_.exe</strong></span> could have not been checked by SmartScreen at all.</p>
<p>By the way, he uses 'Run <span style="color: rgb(184, 49, 47)"><strong>By</strong></span> SmartScreen' in his tests. In contrast to "Run <span style="color: rgb(41, 105, 176)"><strong>As</strong></span> SmartScreen", his treatment of the malware with the document icon was correct. The 'Run <span style="color: rgb(184, 49, 47)"><strong>By</strong></span> SmartScreen' is intended for a default-allow security setup and for all unsafe files in the Userspace (outside the 'Windows' and 'Program Files...' folders). It checks more file extensions (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, SCR, and VBE) via SmartScreen. Furthermore, if the file extension is dangerous (WSH, WSF, WSC, WS, VBS, VB, SHS, SCT, REG, PS1, PCD, MST, MSP, MSC, MDE, MDB, JS, JAR, ISP, INS, INF, HTA, HLP, CRT, CHM, BAS, ADP, ADE), then the file is blocked with a notification. Other files, when "Run By SmartScreen", are allowed to be opened.</p>
<p><span style="color: rgb(184, 49, 47)">The proper usage of "Run By SmartScreen" is always opening new files via the right-click Explorer context menu option (Run By SmartScreen).</span><strong> If that were so, then most malware samples in @Evjl's Rain's tests:</strong></p>
<p><strong><a href="https://malwaretips.com/threads/6-08-2018-16.85757/post-755188" target="_blank">https://malwaretips.com/threads/6-08-2018-16.85757/post-755188</a></strong></p>
<p><strong><a href="https://malwaretips.com/threads/3-08-2018-21.85688/post-754757" target="_blank">https://malwaretips.com/threads/3-08-2018-21.85688/post-754757</a></strong></p>
<p><strong>would be blocked with a notification, except the popular types like documents, photos, media.</strong></p>
<p><strong>I suspect that @Evjl's Rain intended to test forced SmartScreen itself, not the "Run By SmartScreen" capabilities.</strong></p>
</blockquote>
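<p>The decision the quoted post attributes to "Run By SmartScreen" (block a dangerous extension with a notification, send a second group of extensions to SmartScreen, allow everything else) is modelled below as an added example. This is not Hard_Configurator's own code: the two extension lists are the ones quoted in the post, while the function names, the normalisation rules and the constructed sample file names are assumptions made here for illustration. The point it adds to the post's text is that the lookup is done on the real, last extension of the file name, so a sample with a document icon and a name such as Invoice.PDF.exe still lands in the SmartScreen-checked class, which is the behaviour the post credits.</p>

```python
"""Model of the 'Run By SmartScreen' extension triage described in the post.

Added example, not Hard_Configurator's code. The two extension sets are the
ones quoted in the post; everything else here (function names, sample file
names) is constructed for illustration.
"""
from pathlib import PureWindowsPath

# Extensions the post says are blocked outright with a notification.
BLOCKED = {
    "wsh", "wsf", "wsc", "ws", "vbs", "vb", "shs", "sct", "reg", "ps1", "pcd",
    "mst", "msp", "msc", "mde", "mdb", "js", "jar", "isp", "ins", "inf", "hta",
    "hlp", "crt", "chm", "bas", "adp", "ade",
}

# Extensions the post says are submitted to SmartScreen for a reputation check.
SMARTSCREEN_CHECKED = {
    "bat", "cmd", "com", "cpl", "dll", "exe", "jse", "msi", "ocx", "scr", "vbe",
}


def effective_extension(name: str) -> str:
    """Return the last extension of a file name, lower-cased.

    Only the final extension counts, so 'Invoice.PDF.exe' yields 'exe'.
    Windows drops trailing dots and spaces when it resolves a name, so they
    are stripped first; otherwise 'evil.exe. ' would look extension-less.
    """
    base = PureWindowsPath(name).name.rstrip(". ")
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def triage(name: str) -> str:
    """Classify one file the way the post describes 'Run By SmartScreen'.

    Returns 'block', 'smartscreen' or 'allow'.
    """
    ext = effective_extension(name)
    if ext in BLOCKED:
        return "block"
    if ext in SMARTSCREEN_CHECKED:
        return "smartscreen"
    return "allow"


def triage_folder(names) -> dict:
    """Triage a list of file names; returns {name: decision}."""
    return {name: triage(name) for name in names}


# Constructed sample: a Downloads folder with the cases the post talks about.
SAMPLE_FILES = [
    r"C:\Users\me\Downloads\Invoice.PDF.exe",   # document icon, real .exe
    r"C:\Users\me\Downloads\report.docx",       # popular document type
    r"C:\Users\me\Downloads\setup.HTA",         # dangerous, case differs
    r"C:\Users\me\Downloads\evil.exe. ",        # trailing dot and space
    r"C:\Users\me\Downloads\README",            # no extension at all
]

if __name__ == "__main__":
    for path, decision in triage_folder(SAMPLE_FILES).items():
        print(f"{decision:12} {path}")
```

<p>Running it shows the two classes the post distinguishes: setup.HTA is blocked, Invoice.PDF.exe and the trailing-dot sample go to SmartScreen, and the document and the extension-less file are simply allowed, which is exactly the "except the popular types like documents, photos, media" gap the post points out.</p>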