This ransomware bypass every antivirus and removes antivirus
- Thread starter HydraDragonAntivirus
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
This is tough!
You can kill the AVs pretty well. Unfortunately, AVs are a false sense of security. A lot depends on the User. Reading AndyFull, I prefer free Defender plus ASR rules.
ASR rules are OK, they can "raise the bar" for many attackers.
This malware can probably be prevented by Comodo Firewall (@cruelsister settings), Kaspersky (@harlan4096 settings), Avast with Hardened mode, etc.
In the home environment, also SmartScreen file reputation can be quite efficient.
However, no reasonable protection can stop the highly motivated attacker.
This malware probably bypassed Avast's cloud sandbox. 
It would be interesting to see if it could bypass the WDAC ISG (like in WHHLight).
It would be interesting to see if it could bypass the WDAC ISG (like in WHHLight).
I wonder if there is someone on here who could test this for us?
Which Kaspersky setup do you mean that harlan4096 made?ASR rules are OK, they can "raise the bar" for many attackers.
This malware can probably be prevented by Comodo Firewall (@cruelsister settings), Kaspersky (@harlan4096 settings), Avast with Hardened mode, etc.
In the home environment, also SmartScreen file reputation can be quite efficient.
However, no reasonable protection can stop the highly motivated attacker.
Does the ASR Rule you posted also block user initiated safe mode?
No (only CmdLine methods are blocked).
This is very good news. I'll do it now.
This is very good news. I'll do it now.
The initial malware can be most probably blocked by WDAC ISG before execution (due to the low prevalence). I can test it if someone would like to share the sample.
The ransomware dropped by the initial malware can be blocked by WDAC in Safe Mode if the sample is executed from a non-whitelisted location. The initial malware blocks the Internet connection before restarting in Safe Mode, so ISG cannot check the positive reputation and WDAC blocks the file.
Last edited:
- Apr 28, 2015
- 9,505
- 1
- 85,778
- 8,389
Last edited:
This file is blocked by WDAC ISG, along with all of the VoodooSoft products.
Thank you very much!
Where to look for this, in Home products?
Last edited:
- Apr 28, 2015
- 9,505
- 1
- 85,778
- 8,389
In Settings -> Security Settings -> Intrusion Prevention
Andy! It would be really nice if you could test these samples as you write.
I think I proved one malware enough to destory malware but that's rarely happens. I will test antiviruses aganist fully zero day harmful ip address. That would be too interesting than this because it's not only one malware it's too many urls.
I think you've little bit misunderstand. Your evidence is fine.
What you should look at is what Andy described, in this case what's happening. And also how the Defender behaves in this situation.
It detects by cloud right now probably but it didn't got deleted because Andy explanation is correct and we need use another method like Defender remover. But can't detect ransomware payload for some reason (I don't know is he going to detect final payload right now but when I tested in past it didn't get detected.).
You may also like...
-
-
Entreprise Antivirus Comparative : Cylance - CrowdStrike - Cynet - DeepInstinct
- Started by Shadowra
- Replies: 18
-
-
DEBATE | Are security YouTubers misleading people about antivirus effectiveness?- Started by RoboMan
- Replies: 26
-
Ebocious's Yoga 6 New Security Config- Started by ebocious
- Replies: 0