Question: How does Kaspersky evaluate shell scripts?

Kaspersky's antivirus engine can analyze scripts in various languages including PowerShell, batch, bash, python, and ruby. It uses a combination of static and dynamic analysis. It can "unpack" or read the script content for static analysis, and it also monitors the behavior of scripts when they try to run for dynamic analysis.
 
i.e. PowerShell, batch, bash, Python, maybe you could even add Ruby to the list

Does it automatically "unpack" (read) the script content? Or does the script have to try to run first?
Previous trials of pre-execution detection on samples of malicious scripts ranked K as no. 1, followed by ESET, and then Avast; I do not know what the exact mechanism for detection by K is, but I suppose it is a mixture of signatures, heuristics, and AMSI.
As I do not have a VM, I did not try to test its post-execution detection.
 
Emulation would be one of the first things, if not the first thing, Kaspersky or any other product will do to analyze such things.
If not detected, then there are multiple other layers to detect it.
 
Previous trials of pre-execution detection on samples of malicious scripts ranked K as no. 1, followed by ESET, and then Avast; I do not know what the exact mechanism for detection by K is, but I suppose it is a mixture of signatures, heuristics, and AMSI.
As I do not have a VM, I did not try to test its post-execution detection.
There is Bitdefender as well and it often detects and behaves better than Kaspersky.
 
Emulation would be one of the first things, if not the first thing, Kaspersky or any other product will do to analyze such things.
Does emulation work with disabled hardware virtualization?
 
All antivirus software scans scripts the same way, by executing portions of the script in a virtual, controlled environment. It is mainly heuristics (heuristics require emulation and emulation requires heuristics) that are used to detect the malicious behaviour.
Some vendors also utilise machine learning on the results obtained from the virtual environment. Examples include DeepInstinct, Trend Micro and a few others.

During runtime, it is mostly the AMSI that’s feeding behavioural information to the security solutions.