Hard_Configurator - Windows Hardening Configurator
Andy Ful wrote (post 890988):

Interesting ransomware was tested on MH:
https://malwaretips.com/threads/fud-netwalker-ransomware-ps1-20-06-2020.101973/#post-890953

This example shows two things:

1. Even the AV with ATP cannot detect all scripting attacks.
2. There is a big difference between malware tests and real-world tests.

The first point is evident from the Malware Hub results. So, the best method is still blocking scripts in UserSpace.

The second point follows from the fact that in a real-world attack, the attacker will not use a PowerShell script as the initial infection vector, due to the PowerShell Execution Policy. So, an MS Office document, a shortcut, or another infection vector will be used to run the PowerShell script and bypass the PowerShell Execution Policy. In most cases, a phishing link will also be used. This will change the detection significantly for all AVs with ATP. For example, the WD ASR rules will block such attacks performed via exploiting MS Office or Adobe Reader applications. (y)
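The post's closing point, that Defender ASR rules cover the Office and Adobe Reader launch vectors, is something a defender can verify on the endpoint. The script below is an added example, not code from the post or from Hard_Configurator; it assumes a Windows host with Microsoft Defender's Get-MpPreference cmdlet, and the rule GUIDs it checks are the identifiers Microsoft documents for those ASR rules (they do not appear in the post).

```powershell
# Added example: audit whether the ASR rules that cover the Office / Adobe Reader
# script-launch vectors described in the post are actually in Block mode.
# Rule GUIDs below are Microsoft's documented ASR rule identifiers (assumed, not from the post).
$rulesOfInterest = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-5D9C-4D45-9A2E-3BD6C8E2C31A' = 'Block Win32 API calls from Office macros'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}

# Defender encodes the per-rule state as an integer action code.
$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$pref = Get-MpPreference

# Get-MpPreference exposes two parallel arrays: the i-th rule Id pairs with the i-th action.
# Normalise the Ids to upper case so lookups are case-insensitive.
$configured = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
    $configured[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

# Report each rule of interest: OK only when it is enforced in Block mode.
foreach ($id in $rulesOfInterest.Keys) {
    if ($configured.ContainsKey($id)) {
        $code = $configured[$id]
        $action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
    } else {
        $action = 'Not configured'
    }
    $status = if ($action -eq 'Block') { 'OK ' } else { 'GAP' }
    '{0} {1,-15} {2}' -f $status, $action, $rulesOfInterest[$id]
}

# Shown for context only: the execution policy is a convenience setting, not a
# security boundary, which is the post's reason attackers route through other vectors.
'Effective PowerShell execution policy: {0}' -f (Get-ExecutionPolicy)
```

Run it in an elevated PowerShell session; any line marked GAP means the corresponding launch vector is not blocked by ASR on that host, so script control in UserSpace (as the post recommends) is the remaining layer.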