- May 9, 2024
- 128
This ransomware bypass every antivirus and removes antivirus
- Thread starter XylentAntivirus
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- May 7, 2016
- 1,561
- Apr 15, 2020
- 458
This is tough!
You can kill the AVs pretty well. Unfortunately, AVs are a false sense of security. A lot depends on the User. Reading AndyFull, I prefer free Defender plus ASR rules.
- Dec 23, 2014
- 8,821
ASR rules are OK, they can "raise the bar" for many attackers.
This malware can probably be prevented by Comodo Firewall (@cruelsister settings), Kaspersky (@harlan4096 settings), Avast with Hardened mode, etc.
In the home environment, also SmartScreen file reputation can be quite efficient.
However, no reasonable protection can stop the highly motivated attacker.
- Dec 23, 2014
- 8,821
This malware probably bypassed Avast's cloud sandbox.
It would be interesting to see if it could bypass the WDAC ISG (like in WHHLight).
It would be interesting to see if it could bypass the WDAC ISG (like in WHHLight).
- Jan 27, 2018
- 1,503
I wonder if there is someone on here who could test this for us?
- Apr 15, 2020
- 458
Which Kaspersky setup do you mean that harlan4096 made?ASR rules are OK, they can "raise the bar" for many attackers.
This malware can probably be prevented by Comodo Firewall (@cruelsister settings), Kaspersky (@harlan4096 settings), Avast with Hardened mode, etc.
In the home environment, also SmartScreen file reputation can be quite efficient.
However, no reasonable protection can stop the highly motivated attacker.
Does the ASR Rule you posted also block user initiated safe mode?
- Dec 23, 2014
- 8,821
- Apr 15, 2020
- 458
No (only CmdLine methods are blocked).
This is very good news. I'll do it now.
This is very good news. I'll do it now.
- Dec 23, 2014
- 8,821
The initial malware can be most probably blocked by WDAC ISG before execution (due to the low prevalence). I can test it if someone would like to share the sample.
The ransomware dropped by the initial malware can be blocked by WDAC in Safe Mode if the sample is executed from a non-whitelisted location. The initial malware blocks the Internet connection before restarting in Safe Mode, so ISG cannot check the positive reputation and WDAC blocks the file.
Last edited:
- Apr 28, 2015
- 9,039
- May 31, 2017
- 1,771
This file is blocked by WDAC ISG, along with all of the VoodooSoft products.
- Apr 15, 2020
- 458
Thank you very much!
Where to look for this, in Home products?
Last edited:
- Apr 28, 2015
- 9,039
In Settings -> Security Settings -> Intrusion Prevention
- Apr 15, 2020
- 458
- Apr 15, 2020
- 458
Andy! It would be really nice if you could test these samples as you write.
- May 9, 2024
- 128
I think I proved one malware enough to destory malware but that's rarely happens. I will test antiviruses aganist fully zero day harmful ip address. That would be too interesting than this because it's not only one malware it's too many urls.
- Apr 15, 2020
- 458
I think you've little bit misunderstand. Your evidence is fine.
What you should look at is what Andy described, in this case what's happening. And also how the Defender behaves in this situation.
- May 7, 2016
- 1,561
- May 9, 2024
- 128
It detects by cloud right now probably but it didn't got deleted because Andy explanation is correct and we need use another method like Defender remover. But can't detect ransomware payload for some reason (I don't know is he going to detect final payload right now but when I tested in past it didn't get detected.).
Similar threads
