harlan4096

Level 61
Verified
Staff member
Malware Hunter
About Kaspersky tests and maximum settings bypasses: that is not totally exact :), the tester is only limited to raising the security level to maximum, but did not tweak, for instance, Application Control settings or other modules, so all those bypasses can be blocked just by turning on Interactive Mode and/or setting Unknown Applications to High Restricted in Application Control, as I demonstrated not so long ago here with Kaspersky + Scorpion 3.1 malware...
 

Nevi

Level 4
Verified
I would not be too upset by those videos. It seems the person who does these tests has the agenda that he can let some specific malware go through all antiviruses on the market. We don't know what and how he does those tests, what settings etc.
Here is a detailed analysis of the "Kyrox ransomware": Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for '5943ad199607384ed7e1a4c58aef4673'

This variant is detected by 44 vendors on VT including Eset which does so as "a variant of Generik.TZCZKH."
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
That is a known fact for many years. The attacker has to compile/obfuscate something that can be detected as suspicious, but not suspicious enough to trigger the detection as malware.
Most of the bypassed AVs probably detected it as suspicious but allowed it to run without restrictions or with only a few.
As @harlan4096 noticed, some of Kaspersky's (also WD's and possibly other AVs') advanced modules were not configured (Application Control, ASR, etc.), so the tests were not performed on max settings. Furthermore, the malware was allowed to run with Administrator rights, and was not downloaded from the Internet as an EXE file (probably in a compressed archive - no SmartScreen alert).

It is not so easy to create malware that could bypass Kaspersky's enhanced (but not max) settings, anyway. (y)
Yet, it is not so difficult either, for a knowledgeable coder. :(
 