Threat landscape and the results of protection based on telemetry data of malware in the wild (March 2023)
<blockquote data-quote="Adrian Ścibor" data-source="post: 1037439" data-attributes="member: 71496"><p>OK, Gentlemen. Let's say the Webroot was one of the first :)</p>
<p>On second thought, this information will be addressed to technical geeks. We need to think whether this will be interesting at all:</p>
<p>HKLM\SOFTWARE\WOW6432Node\WRData\Status\Infected</p>
<p>HKLM\SOFTWARE\WOW6432Node\WRData\Status\ThreatBlocked</p>
<p>HKLM\SOFTWARE\WOW6432Node\WRData\Status\ThreatsRemoved</p>
<p>HKLM\SOFTWARE\WOW6432Node\WRData\Status\WasJustInfected</p>
<p>HKLM\SOFTWARE\WOW6432Node\WRData\Threats\*</p>
<p>HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active\Count</p>
<p>HKLM\SOFTWARE\WOW6432Node\WRData\Status\CurrentlyCleaning</p>
<p>HKLM\SOFTWARE\WOW6432Node\WRData\FileFlags</p>
<p>C:\ProgramData\WRData\WRLog.txt</p>
<p>C:\ProgramData\WRData\WRLog.log !!! So important for unknown files</p>
<p>C:\ProgramData\WRData\ace1.db or \ace*</p>
<p>C:\ProgramData\WRData\dbk.db or \dbk*</p>
<p>So, these are so-called Webroot's Antivirus Indicators - when some of them are triggered and logged by Sysmon, we know that malware is or was processing successfully.</p>
<p>*edited*</p>
<p>If you want to test it or similar indicators for another AV on your own machine, please do not forget to set the Sysmon driver altitude according to our methodology (recommended): <a href="https://avlab.pl/en/methods-of-carrying-out-automatic-tests/" target="_blank">Methods Of Carrying Out Automatic Tests » AVLab Cybersecurity Foundation</a></p>
<p>[CODE]To change the Sysmon driver altitude we suggest the following CLI command:</p>
<p>reg add "HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Instances\Sysmon Instance" /v Altitude /t REG_SZ /d 244999[/CODE]</p>
<p>OK, let's see how it goes after the May edition.</p>
<p>I do not say - NO. Maybe in the next upcoming months. CheckPoint has changed Kaspersky's engine to another one, therefore it might be interesting to see their product on the list.</p></blockquote>
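As an added illustration of how the indicators quoted above would be checked against Sysmon telemetry (example code written for this page, not AVLab's own tooling): it matches Sysmon registry events (IDs 12/13/14) and file events (IDs 11/23/26) against the listed paths, treats the trailing-`*` entries as wildcards, and assumes some Sysmon builds may log the native `\REGISTRY\MACHINE\` prefix instead of `HKLM\`; the event records are constructed, not real telemetry.

```python
import fnmatch
import re
# Webroot indicators listed in the post; a trailing "*" is a wildcard.
REGISTRY_INDICATORS = [
    r"HKLM\SOFTWARE\WOW6432Node\WRData\Status\Infected",
    r"HKLM\SOFTWARE\WOW6432Node\WRData\Status\ThreatBlocked",
    r"HKLM\SOFTWARE\WOW6432Node\WRData\Status\ThreatsRemoved",
    r"HKLM\SOFTWARE\WOW6432Node\WRData\Status\WasJustInfected",
    r"HKLM\SOFTWARE\WOW6432Node\WRData\Threats\*",
    r"HKLM\SOFTWARE\WOW6432Node\WRData\Threats\Active\Count",
    r"HKLM\SOFTWARE\WOW6432Node\WRData\Status\CurrentlyCleaning",
    r"HKLM\SOFTWARE\WOW6432Node\WRData\FileFlags",
]
FILE_INDICATORS = [
    r"C:\ProgramData\WRData\WRLog.txt", r"C:\ProgramData\WRData\WRLog.log",
    r"C:\ProgramData\WRData\ace*", r"C:\ProgramData\WRData\dbk*",
]

def normalize_registry_path(path):
    # Assumption: some Sysmon builds log "\REGISTRY\MACHINE\" instead of "HKLM\".
    return re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)

def matches_indicator(target, patterns):
    """First indicator matching target (case-insensitive); exact paths win over wildcards."""
    t = normalize_registry_path(target).lower()
    for pat in sorted(patterns, key=lambda p: "*" in p):
        if fnmatch.fnmatchcase(t, pat.lower()):
            return pat
    return None

def find_av_indicator_hits(events):
    """Scan flattened Sysmon events; return (EventID, matched indicator) pairs."""
    hits = []
    for ev in events:
        pat = None  # other event types (e.g. process create, ID 1) carry no indicator path
        if ev["EventID"] in (12, 13, 14):
            pat = matches_indicator(ev["TargetObject"], REGISTRY_INDICATORS)
        elif ev["EventID"] in (11, 23, 26):
            pat = matches_indicator(ev["TargetFilename"], FILE_INDICATORS)
        if pat:
            hits.append((ev["EventID"], pat))
    return hits

# Constructed sample events (not real telemetry), flattened from Sysmon XML.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\WRData\Status\WasJustInfected"},
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\WRData\ace1.db"},
    {"EventID": 12, "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\WRData\Threats\A1B2C3"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sample"},
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\WRData\WRLog.log"},
]
```

Running `find_av_indicator_hits(SAMPLE_EVENTS)` yields four hits; the unrelated HKCU Run-key write is not reported.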