App Review Microsoft Defender vs a ransomware Scriptor

Content created by
Ophelia

EASTER

Level 4
Verified
Well-known
May 9, 2017
145
This little scriptor test and its classic failure of CFA has given me renewed hope that now I must see how Secure Folders will also fare. I can manufacture a similar script from bits and pieces and try. As everyone knows, Secure Folders (driver enforced) was long abandoned by Promosoft, who invented it and then left it out there on servers for anyone who might find it useful. SF uses ACL mods/permission restrictions etc., and quite frankly if it proves stronger against scriptors in folders/files protected by SF (hadn't crossed my mind to try that - thanks CS) then it's a very poor showing WD is exposing its users/customers and itself to. Side note: SF has protected my malware zoo collection for years and still has those bugs maximally caged.

Another neat video BTW. Always intriguing.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,141
I don't know what I do wrong to always get ignored by her if I ask something
Oh God! I beg your pardon (truly)! I actually did employ Configure Defender, DefenderUI as well as UAC prior to releasing the video. I didn't include this as the results were the same as in the previous Defender videos where they failed to prevent the malicious cascade. Also adding them would mean that I couldn't use Jolie Blonde as the background track.

Once again, my apologies (don't hate me, I'm sensitive!).

m
 

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
564
I actually did employ Configure Defender, DefenderUI as well as UAC prior to releasing the video.
Interesting, because @Shadowra had Automatic Sample Submission=Send, and Cloud Protection Level=Highest, and the script was blocked until she encrypted it to avoid its detection.

In your previous Magniber test video you had these settings at Send & Block respectively, yet the script launched. Did you somehow modify it to avoid detection?

Thanks again!
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,114
It would be interesting to test the new Magniber against Defender with ASR rules enabled and also against Comodo. The new samples use obfuscated JavaScript/VBScript files, so they can be used to test some ASR rules related to scripts. This attack is fileless, so Comodo can have a problem containing the attack, except when wscript.exe is added to untrusted executables. Anyway, Comodo has some anti-script protection that is independent of auto-sandbox, so there is some chance that the attack will be blocked.
https://malwaretips.com/threads/mag...ers-via-javascript-files.117780/#post-1007487
https://threatresearch.ext.hp.com/m...geting-home-users-with-fake-software-updates/
 
Last edited:
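For anyone wanting to reproduce the ASR/Controlled Folder Access setup this post suggests testing, here is an added PowerShell example (not from the thread or any poster) that enables the two script-related ASR rules and CFA on a lab machine and then reads back the state and the block events; the protected folder path is a constructed placeholder.

```powershell
# Added example, not from the thread: enable Controlled Folder Access and the
# script-related ASR rules, then confirm the effective state and look for blocks.
# Run in an elevated PowerShell on a test VM. Rule GUIDs are Microsoft's published ones.

$AsrRules = @{
    # Block execution of potentially obfuscated scripts
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Obfuscated scripts'
    # Block JavaScript or VBScript from launching downloaded executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBS launching downloaded content'
}

# Action values: Enabled = block, AuditMode = log only. Use AuditMode first on
# a production box so you can see what would have been blocked.
foreach ($Id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Controlled Folder Access: block untrusted processes from writing to protected folders.
Set-MpPreference -EnableControlledFolderAccess Enabled
# Constructed lab path holding the files a ransomware scriptor would target.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Lab\TestDocs'

# Verify the effective configuration (EnableControlledFolderAccess: 1 = Enabled).
$Pref = Get-MpPreference
'CFA state: {0}' -f $Pref.EnableControlledFolderAccess
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $Pref.AttackSurfaceReductionRules_Ids[$i],
                         $Pref.AttackSurfaceReductionRules_Actions[$i]
}

# After detonating a sample in the lab, read what Defender actually blocked:
# event 1121 = ASR rule blocked something, 1123 = Controlled Folder Access blocked a write.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1123
} -MaxEvents 20 | Select-Object TimeCreated, Id, Message
```

If a test shows the script ran but no 1121/1123 events appear, the rule set simply did not match that sample's behaviour, which is the kind of gap the videos in this thread are probing.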

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,141
It would be interesting to test the new Magniber against Defender with enabled ASR rules and also against Comodo
The test of Defender vs the "new" Magniber script was published when they first appeared the last week of September on my channel (with both Controlled Folders and ASR rules in place). A few Magniber Java files were recently released, but sadly Microsoft has been on their game and quickly had definitions against them.

Although I was quite disappointed by these detections, I did a couple of days ago post a video of Defender (also with ASR and Controlled Folders enabled) against a freshly coded JAR ransomware that had NOT been released in the wild (so zero detection by Defender). I didn't bother to post it on MT as I'm certain folk are rather bored by the same old thing (but it is the most current thingie on my channel on the off-chance anyone is interested).

As for Comodo, it contains all these ransom scriptors without any effort. If it did not even people in Zakopane would hear my wailing.

m
 
Last edited:

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
The test of Defender vs the "new" Magniber script was published when they first appeared the last week of September on my channel (with both Controlled Folders and ASR rules in place). A few Magniber Java files were recently released, but sadly Microsoft has been on their game and quickly had definitions against them.

Although I was quite disappointed by these detections, I did a couple of days ago post a video of Defender (also with ASR and Controlled Folders enabled) against a freshly coded JAR ransomware that had NOT been released in the wild (so zero detection by Defender). I didn't bother to post it on MT as I'm certain folk are rather bored by the same old thing (but it is the most current thingie on my channel on the off-chance anyone is interested).

As for Comodo, it contains all these ransom scriptors without any effort. If it did not even people in Zakopane would hear my wailing.

m
Please remind some of us (me) where to find your channel; I've been away for nearly 2 years, and many brain cells have died.
 