MacDefender Test #2, "Trojan" Ransomware
[QUOTE="MacDefender, post: 858307, member: 83059"]
Neat -- CFA-like result -- blocked 7z.exe

Curious! Sure enough, it didn't like something about the binary. I will have to explore which particular part made it suspicious.

Yeah, so this refused to run the exploit because it's a binary that's not well known.

OK, neat, so this allowed the exploit to run, but when the exploit tries to start [B]any[/B] console-based process, KTS asks you whether or not to allow it. This is a fairly good mode of operation that gives expert users a chance to intervene with suspicious behavior.

Hmm, not sure how this worked; curious to see how KTS blocked this exploit. [B]Also, what's up with the 1 detection on VirusTotal? It's SecureAge APEX....[/B]

Overall, I would say KTS is the only AV that has any sort of meaningful protection against this attack. In some configurations it correctly identified the TrojanZipperPOC binary as the offender, something that no other AV has succeeded at. However, I think this is still poor protection, since the default settings left the system encrypted.

It also shows that whitelisting and not running unknown binaries are always great security practices, but that's not what we're trying to test with this POC :)
[/QUOTE]