Status
Not open for further replies.

Local Host

Level 22
Verified
Hi Andy,

What free security software do you think has a very solid anti-script protection?
Kaspersky can stop scripts through the behaviour blocker (system watcher), this was tested with recent malware where WD failed to contain the threat, while KFA managed to protect the system.

I'm sure you'll be able to find that topic somewhere, as this was not too long ago (a week or two max).

You can also keep an eye on these topics, you'll notice KFA blocks most threats (including scripts), https://malwaretips.com/threads/kaspersky-free-antivirus-2019-october-2018-report.87133/

All this keeping in mind Home Users will rarely run into 0-day malware (if at all), so you don't need to worry.
 

Moonhorse

Level 28
Verified
Content Creator
I do not know, because I tested only KFA and Sophos, so far. Comodo Firewall in @cruelsister settings can contain scripts and payloads, if script interpreters are set to unsafe. Yet, even when interpreters are set to trusted, the situation is far better as compared to other AVs, because in most cases the 0-day executable payload (EXE, DLL, ...) will be sandboxed (except some digitally signed).
But script abuse is more common than signed malware, right? If I'm using WD + CF (cruels) I'd still like to disable script hosts etc. with SysHardener and disable some unused processes. Are there any downsides to using CF (CS) + WD with Hard Configurator, if I want to harden SRP rules?
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
Kaspersky can stop scripts through the behaviour blocker (system watcher), this was tested with recent malware where WD failed to contain the threat, while KFA managed to protect the system.
...
WD without ASR is also not good against script trojan-downloaders, just like KFA heuristics.
When running my script trojan-downloaders, KFA blocked some samples with an alert related to heuristic detection.
From Malware Hub tests with KFA it is evident that in many cases, scripts can drop payloads. That is also my conclusion. KFA is very good at blocking the final payloads, but not the initial scripts.
The important thing is that those payloads are ignored by SmartScreen (no MOTW attached to payload), so they are much more dangerous than 0-day non-script malware (EXE, SCR, MSI, ...) downloaded by the user from the Internet.
My tests are not intended to compare AVs, but to check if the tested AV will benefit after blocking scripts.
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
...
Are there any downsides to using CF (CS) + WD with Hard Configurator, if I want to harden SRP rules?
That would be overkill. Skip CF (for system compatibility/stability) or skip H_C (if you like CF and a strong firewall).
SRP should work without problems with CF, but H_C executables have to be set to trusted.
One H_C option will not work with CF, it is <Run As SmartScreen>.
 

Evjl's Rain

Level 45
Verified
Trusted
Content Creator
Malware Hunter
almost none of the traditional AVs have good script blocking by default/without tweaking because it would cause so much trouble for average users. They will ditch their products because something stops working and they don't understand why

Kaspersky is certainly one of the best default-allow AVs which can block malicious scripts post-execution by its strong BB, some post-exploit protection and network attack blocker

Every AV needs tweaking or needs to combine with another product for better script protection
it's unfair for any AV in default settings if other AVs are tweaked

just simply apply Syshardener, we would get 95% protection against scripts. Perhaps, some advanced powershell attack can bypass it => block powershell if you are worried
 

oldschool

Level 53
Verified
almost none of the traditional AVs have good script blocking by default/without tweaking because it would cause so much trouble for average users. They will ditch their products because something stops working and they don't understand why

Kaspersky is certainly one of the best default-allow AVs which can block malicious scripts post-execution by its strong BB, some post-exploit protection and network attack blocker

Every AV needs tweaking or needs to combine with another product for better script protection
it's unfair for any AV in default settings if other AVs are tweaked

just simply apply Syshardener, we would get 95% protection against scripts. Perhaps, some advanced powershell attack can bypass it => block powershell if you are worried
+1 on that. Good to see you posting @Evjl's Rain! :)(y)
 

Gandalf_The_Grey

Level 31
Verified
I think it's more a warning for sites like AnyDesk used by telephone scammers, but I'm not sure, I never got such a warning.
If the check box is selected, Kaspersky Security Cloud checks the target URL against the database of URLs containing legitimate applications that can be used by criminals to damage your computer or personal data. When you attempt to visit web addresses of this category, the application shows a notification stating that the web address may be used by criminals to damage your computer or your data.
From: Advanced settings of Web Anti-Virus window
 

shmu26

Level 85
Verified
Trusted
Content Creator
That is also my conclusion. KFA is very good at blocking the final payloads, but not the initial scripts.
The important thing is that those payloads are ignored by SmartScreen (no MOTW attached to payload),
@Andy Ful, I just want to make sure I understood you right: with Windows Defender, the final payload will be inspected by Windows SmartScreen? Is this unique to WD? So all 3rd party AVs will lack final payload inspection by smartscreen?
 

Andy Ful

Level 60
Verified
Trusted
Content Creator
@Andy Ful, I just want to make sure I understood you right: with Windows Defender, the final payload will be inspected by Windows SmartScreen? Is this unique to WD? So all 3rd party AVs will lack final payload inspection by smartscreen?
That is a general behavior for every AV, because it is independent of any AV. It depends only on SmartScreen design. SmartScreen usually cannot check a payload downloaded by the malicious script, because the scripts usually do not use web browsers or other online services for that. The payloads do not have MOTW attached, so they are ignored by SmartScreen. Adding the MOTW to files is not a Windows feature, but a feature of particular applications. Most web browsers can automatically add MOTW to the downloaded files - Microsoft Shop and OneDrive, too.
Only in Windows Enterprise edition, there is an option to activate SmartScreen also for files without MOTW - it can be done via Application Control.
The standard SmartScreen is not a security feature designed to stop malware. It is designed to stop the user from executing the malware, downloaded by him/her from the Internet in the usual way (via web browser or using online services like Microsoft Shop, OneDrive, etc.). So, if the users download the executables via Internet downloaders or torrent downloaders, then SmartScreen will ignore file execution, too.
 
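As an added example (not code from any post in this thread), a small Python helper that parses the Zone.Identifier alternate data stream browsers write as the MOTW, so a defender can check whether a dropped payload would even be seen by SmartScreen. The sample streams are constructed; `read_motw` only works on an NTFS volume on Windows, and the zone-3/4 threshold reflects Windows' Internet and Restricted zones.

```python
"""Inspect the Mark-of-the-Web (Zone.Identifier ADS) that SmartScreen relies on."""
import configparser
from pathlib import Path
from typing import Optional

# Windows URL security zones as stored in the ZoneId field.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(stream_text: str) -> Optional[dict]:
    """Parse the text of a Zone.Identifier stream.
    Returns None when no usable [ZoneTransfer] section exists, i.e. no MOTW."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str  # keep key case: ZoneId, ReferrerUrl, HostUrl
    try:
        cp.read_string(stream_text)
    except configparser.Error:
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec["ZoneId"])
    except ValueError:
        return None
    return {"zone_id": zone_id, "zone": ZONE_NAMES.get(zone_id, "Unknown"),
            "referrer": sec.get("ReferrerUrl", ""), "host": sec.get("HostUrl", "")}


def smartscreen_will_check(motw: Optional[dict]) -> bool:
    """SmartScreen's app-and-file check only fires for files marked as coming
    from the Internet (3) or Restricted sites (4) zone; no stream means no check."""
    return motw is not None and motw["zone_id"] >= 3


def read_motw(path: str) -> Optional[dict]:
    """Read the ADS of a real file (NTFS on Windows); a missing stream means no MOTW."""
    try:
        text = Path(f"{path}:Zone.Identifier").read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    return parse_zone_identifier(text)


# Constructed sample streams: what a browser download carries, versus a file a
# script wrote to disk itself (the ADS simply does not exist, so the text is empty).
BROWSER_DOWNLOAD = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                    "ReferrerUrl=https://example.invalid/downloads/\r\n"
                    "HostUrl=https://example.invalid/downloads/setup.exe\r\n")
SCRIPT_DROPPED_PAYLOAD = ""
```

Run `smartscreen_will_check(read_motw(r"C:\path\to\file.exe"))` on a Windows host to see whether a given file is in scope for SmartScreen at all.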

509322

almost none of the traditional AVs have good script blocking by default/without tweaking because it would cause so much trouble for average users.
That isn't correct. In my findings the vast majority of average users - meaning at least 98 % of the population, if not higher - do not need scripts. This is based upon actual field work asking literally hundreds of people about their script use. Almost 100 % of the time when I ask about scripts the person replies "Huh ?"

Plus, there is very little program breakage when scripts - plus a bunch of other file types - are disabled.

I'd appreciate it if you would stop saying that blocking scripts and other aspects of Windows causes too much trouble for average users because it just isn't accurate. Not even Microsoft would say it because they recommend users of all types disable what isn't needed - and that includes a whole lot that is shipped with Windows.
 

509322

That is a general behavior for every AV, because it is independent of any AV. It depends only on SmartScreen design. The SmartScreen usually cannot check a payload downloaded by the malicious script, because the scripts usually do not use web browsers or other online services for that. The payloads do not have MOTW attached, so they are ignored by SmartScreen. Adding the MOTW to files is not the Windows feature, but particular application feature. Most web browsers can automatically add MOTW to the downloaded files - Microsoft Shop and OneDrive, too.
Only in Windows Enterprise edition, there is an option to activate SmartScreen also for files without MOTW - it can be done via Application Control.
The standard SmartScreen is not a security feature designed to stop malware. It is designed to stop the user from executing the malware, downloaded by him/her from the Internet in the usual way (via web browser or using online services like Microsoft Shop, OneDrive, etc.). So, if the users download the executables via Internet downloaders or torrent downloaders, then SmartScreen will ignore file execution, too.
Skipping files because they have no MOTW is absolute stupidity. For example, it's the cause of massive USB flashdrive-based infections in central and SE Asia. It's just a massive hole in Windows security that, quite frankly, is utter negligence.

But I hope Microsoft keeps up the good work. More money for us 3rd-party vendors because we can get it right where Microsoft just has never been able to. That won't change either. Microsoft has a tradition of doing it half-way and then stopping.

So people should be grateful for 3rd-party publishers.
 

shmu26

Level 85
Verified
Trusted
Content Creator
That is a general behavior for every AV, because it is independent of any AV. It depends only on SmartScreen design. The SmartScreen usually cannot check a payload downloaded by the malicious script, because the scripts usually do not use web browsers or other online services for that. The payloads do not have MOTW attached, so they are ignored by SmartScreen. Adding the MOTW to files is not the Windows feature, but particular application feature. Most web browsers can automatically add MOTW to the downloaded files - Microsoft Shop and OneDrive, too.
Only in Windows Enterprise edition, there is an option to activate SmartScreen also for files without MOTW - it can be done via Application Control.
The standard SmartScreen is not a security feature designed to stop malware. It is designed to stop the user from executing the malware, downloaded by him/her from the Internet in the usual way (via web browser or using online services like Microsoft Shop, OneDrive, etc.). So, if the users download the executables via Internet downloaders or torrent downloaders, then SmartScreen will ignore file execution, too.
Thanks. So this is a very big advantage to Windows Defender over all 3rd party AVs, on Windows Home and Pro.
But if you have a default/deny setup, it is not needed. The final payload, if it is an executable file, will be blocked anyways.
 

509322

Thanks. So this is a very big advantage to Windows Defender over all 3rd party AVs, on Windows Home and Pro.
But if you have a default/deny setup, it is not needed. The final payload, if it is an executable file, will be blocked anyways.
SmartScreen is a definite weakness compared to all 3rd-party supplied protections that inspect regardless of MOTW.
 

Evjl's Rain

Level 45
Verified
Trusted
Content Creator
Malware Hunter
Thanks. So this is a very big advantage to Windows Defender over all 3rd party AVs, on Windows Home and Pro.
But if you have a default/deny setup, it is not needed. The final payload, if it is an exe file, will be blocked anyways.
I don't think it's an advantage of WD but windows in general because when we install another 3rd-party AV or disable WD, smartscreen is not disabled => they can work together
so the difference here is the functionality between the actual WD and other AVs, which one has better protection when smartscreen is bypassed
most people won't tweak WD because they don't know how to

as I observed here in my country where we have really unstable internet connections (<500KB/s) with frequent disconnections, so many people are using download accelerators like cracked IDM (95%) or some use eagleget or free download manager => smartscreen and google safe browsing are bypassed => WD will eventually be bypassed
there are some guides in my language to improve internet speed or system performance or reduce telemetry => some of them advise users to disable google safe browsing and smartscreen => problems
 