A few years ago Kaspersky offered an extended evaluation version of Kaspersky Endpoint Security for Windows version 10.0 of 90 or 120 days, I don't remember exactly when, and I went to check that it is now version 12.1.0.506, as time flies. I didn't want to because I thought it would be too complicated to configure.
The DI way of controlling scripts is more similar to the Application Control of Harmony Endpoint or the Adaptive Protection of Symantec Endpoint Protection Complete. It blocks calls from one LOLBin to another, for example from Equation Editor to PowerShell. It also blocks common commands like PowerShell with hidden window, with encoded command and others (Avast also uses similar logics). But it’s not a behavioural analyser like Symantec SONAR (now behavioural blocking), Bitdefender ATD or the Check Point behavioural guard. It’s more like system hardening or the Microsoft ASR rules (some of them).
I would use Linux if I had those concerns in any case, more cost-effective not to say free. Greetings, and I don't comment here anymore. Peace. All the best.
Actually it would have (and does). piquiteco kindly just provided that sample and at CF base Containment settings both the initial malware file and the spawned daughter (cursed.exe) are contained. The data stolen from Edge was blocked from getting out by the Firewall (Over 50K attempts out in a few minutes!). At my settings the outbound connections (only 3 intrusions) are blocked. Both malware files eventually delete in Containment after a minute or so.
Last night @piquiteco said it wasn't contained? I'm confused. Why was it not contained on their test?
it is that stealer @Kongo posted on another thread. It was something like "stealer poses as game".
malwaretips.com
Malware Analysis - Supposed "Game" that actually is stealer malware
Hey guys, Just stumbled upon this video and thought why not checking out the file by myself. By now the malware should be at least two months old and still isn't detected by any AV on VirusTotal except ESET. Normally malicious PE files are detected easily by AI-based AV solutions and...
Would have tested it myself, but the other license I got is on my girlfriends PC. So I am not really able to test DI atm. Please share the results if you decide to test it.
Still wonder why it's not detected by static AI on my system. Doesn't matter if I extract it or even download it again.
maybe Shadowra using Trident's policies with perhaps some variation from yoursStill wonder why it's not detected by static AI on my system. Doesn't matter if I extract it or even download it again.
No, DeepInstinct is not with my policies. This is a DI detection above. Check Point and ZoneAlarm detect the sample via anti-bot and perform a full removal of everything.maybe Shadowra using Trident's policies with perhaps some variation from yours
There is nothing else I could change to make static AI detect the sample. I already have the most sensitive settings possible..maybe Shadowra using Trident's policies with perhaps some variation from yours
From so much scanning, it may have fallen in some permanent cache or something. On a hex editor, try putting a dot or something at the end of the file.
Wait there you got it wrong, I used the proactive configuration, and it failed, so it was my fault, not the CF, bad configuration on my part and operator fault. I have to admit. More I did not use it in the configuration @cruelsister I talked to her just now, she shared with me the screenshots of the CF, everything was contained, the C&C connections were all blocked, minutes later the malware died in the sandbox. In addition to the screenshots she provided, which were several, she also wrote explaining the running processes, and in addition she tested in two ways partially isolated and restricted all two ways the malware was contained minutes later it stopped breathing. I talked to @ErzCrz yesterday he used CF for years, he told me it never failed and found it strange my tests failed his status is ONLINE for me at the moment, if he sees the notification he will comment here. I told him that the configuration he used in CF is safe if it was @cruelsister's, because I did not use that configuration, it was probably a mistake on my part. I replied to @cruelsister that the screenshot tests were already worth a thousand words, it was still with ZOOM the screenshots she shared of the screenshot you could see all processes running clearly already had the explanations is more than a proof of concept. Wow, nothing else to say.
In @Kongo's post has the sample URL, I also posted the sample URL in another post but left the credits to @Kongo. Just below the post @SeriousHoax talks to @Kongo of the malware stealer tests that's right he posts with capital letters "An alleged fake game" that exactly the same sample I provided to @cruelsister. Sorry for the delay in answering, I am like a turtle when it comes to typing on the keyboard.
