App Review Windows Defender vs GandCrab Ransomware: video review

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
RoboMan

RoboMan

Level 35
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,483
Content source
https://youtu.be/-sygS9-7-s0
During today's test for the Hub (which I will be posting later tonight, PS thanks @silversurfer!) I found this specific piece of malware that I loved, because of what it did. So I recorded a quick review for you to see.

Who will win? The whole Microsoft Security Team or... this little boy?



Note: please do not ask for the sample, straight rules won't allow sharing links or samples from the Hub.
 
  • Like
Reactions: kyokodash, AriDfoix, Gandalf_The_Grey and 29 others
5

509322

As soon as I saw wscript, I knew we had been infected by incurable plague.

I'm sorry but leaving interpreters enabled by default is a retarded protection model. Seriously.

There will be those that argue that interpreters are neither good nor bad.

I can make that kind of idiotic statement too..

"A gun lying on the street isn't good or bad either. It's just an object."

What's more effective and common sense for the vast majority of users of Windows - who don't use any interpreters - disable them by default or keep them enabled because "a lot of IT Pros use them" ? Seriously ? You're gonna make that kind of an argument ? So sink 7/8ths of humanity for the few - because it would be inconvenient for some IT pros to enable interpreters.

Windows security. And the people who control it. 8-Ball Chasers. Pathetic.
 
  • Like
Reactions: brambedkar59, AriDfoix, DeepWeb and 6 others
cruelsister

cruelsister

Level 43
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Superb video!!!

1). Short and to the point- you made a short video look easy to produce, and I know it was probably anything but.
2). Humor! Yeah!
3). Shows that in spite of the results seen on the Pro AV testing sites (where malware relics, D+3 and above, are used), WD is inadequate against newer samples. And I can assure you a Blackhat is NEVER going to push out older malware.

Well done!
 
  • Like
Reactions: brambedkar59, AriDfoix, Gandalf_The_Grey and 12 others
RoboMan

RoboMan

Level 35
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,483
About interpreters - totally agree. Those very few who really need to use it, will know how to turn it on. The huge amount of the rest which doesn't know how to use and nor they will, will not know how the hell to turn it off. Should be off by default.

And @cruelsister your comment emotioned me the most! Coming from you, the person which tests and knowledge I admire the most over here, it's a pleasure :) Thank you!
 
  • Like
Reactions: brambedkar59, Gandalf_The_Grey, Burrito and 6 others
5

509322

Vendula Kubová said:
The script interpreters are cancerous. They should have never been given so much freedom. I don't understand why Microsoft designed monsters like PowerShell, Office Macro's, and VB Script the way they did.
Click to expand...

Because the Microsoft and the IT Pro admin retards got together. That's all it took. The rest is history.

Microsoft decided to disable cmd and powershell on 10 S - because it would annoy the fewest IT Pros.

Are the IT Pros gonna come to your house and disinfect your system ? I think they should. You have default Windows designed for them - and not to protect the people who need the greatest amount of protection. It is partly because Microsoft caters Windows to "IT Pros" that everyone else is placed at high risk.

Disgusting.
 
  • Like
Reactions: brambedkar59, AriDfoix, In2an3_PpG and 3 others
L

Local Host

As expected, WD lacks behaviour blocker, relying on Default-Deny, Cloud and Backups to stop most threats. Is also funny how easy it is to tamper with WD, to make all the options above irrelevant.

For us should be fine, but for Casual Users I won't be recommending WD any time soon.

Make another video, but with Kaspersky Free :unsure:
 
Last edited:
  • Like
Reactions: oldschool, Weebarra, harlan4096 and 1 other person
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Great vid. I don't watch many, but I watched this one.
Am I right in assuming that Windows Defender was at default settings?
WD @default definitely needs SmartScreen as its first line of defense, or else it gets clobbered by zeroday samples.
But what happens if you enable some ASR rules?
 
  • Like
Reactions: Gandalf_The_Grey, oldschool, stefanos and 7 others
harlan4096

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,905
Last edited:
  • Like
Reactions: brambedkar59, Gandalf_The_Grey, oldschool and 12 others
C

ChemicalB

Level 8
Verified
Sep 14, 2018
360
harlan4096 said:
I ran the dynamic test with KFA2019c + that sample yesterday about 30min after the pack was posted.

KFA2019 didn't detect the original script sample, but did (by signature) the dropped file:

https://malwaretips.com/threads/8-10-2018-22.87258/post-769739
Click to expand...
Sorry for the off topic but according to your experience Kaspersy Free can replace the paid version by ensuring a good protection level? I read it is really good in detection.
Thanks Harlan :)
 
  • Like
Reactions: brambedkar59, oldschool, RoboMan and 4 others
KonradPL

KonradPL

Level 5
Verified
Well-known
May 1, 2018
229
Hi Guys i have one question about WD and some windows settings.
If I want to using a Windows Defender and Edge and I turn off script execution by command in PowerShell 5.0 and uninstal PowerShell 2.0, turn off SMB protocol and flash player in Edge and windows it will be good?
Maybe someone want tu test this security config windows 10?
 
  • Like
Reactions: oldschool, vtqhtr413, RoboMan and 1 other person
harlan4096

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,905
Just finished the test with this sample and Panda Dome Premium + ForgottenSeer 58943's settings + NVT OSA, I ran 2 different scenarios:

PDP + PD Application Control On + NVT OSA On -> attack blocked by NVT OSA. System Protected.

PDP + PD Application Control On + NVT OSA Off -> attack blocked by PD Application Control, but also detected/deleted as Trojan. System Protected.

Full results of the sample pack at MalWare Hub later...
 
  • Like
Reactions: brambedkar59, BigWrench, oldschool and 7 others
5

509322

KonradPL said:
Hi Guys i have one question about WD and some windows settings.
If I want to using a Windows Defender and Edge and I turn off script execution by command in PowerShell 5.0 and uninstal PowerShell 2.0, turn off SMB protocol and flash player in Edge and windows it will be good?
Maybe someone want tu test this security config windows 10?
Click to expand...

Disable PowerShell, PowerShell_ISE, wscript.exe, and cscript.exe is better.

Disable PowerShell v2.0 is good; it prevents many attacks.

Setting restricted execution policy in PowerShell v5.0 is easily bypassed; set Constrained Language mode.

You really should use a SUA.
 
  • Like
Reactions: brambedkar59, AriDfoix, Deleted member 178 and 4 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
KonradPL said:
Hi Guys i have one question about WD and some windows settings.
If I want to using a Windows Defender and Edge and I turn off script execution by command in PowerShell 5.0 and uninstal PowerShell 2.0, turn off SMB protocol and flash player in Edge and windows it will be good?
Maybe someone want tu test this security config windows 10?
Click to expand...
I didn't understand what you meant by "turn off script execution by command in PowerShell". How are you turning it off?

Generally speaking, Edge is a secure browser, and Windows Defender at default settings is enough baseline protection for a careful user. But you are obviously trying for a higher level of protection. If so, disabling Powershell is good, but not enough. You should also disable Wscript, and there are other vulnerable processes, too. If you want to tweak your OS, use SysHardener. It's a free tool from NoVirusThanks.

I just saw that Lockdown answered you. Take his advice.
 
  • Like
Reactions: oldschool, vtqhtr413, RoboMan and 3 others

Similar threads

L
    • Like
App Review Windows Defender Controlled Folders bypassed by ransomware
Replies
1
Views
348
Video Reviews - Security and Privacy
oldschool
oldschool
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus (Default Settings + DefenderUI Recommanded Settings)
Replies
34
Views
3,133
Video Reviews - Security and Privacy
lokamoka820
lokamoka820
Shadowra
    • Like
    • +Reputation
    • Thanks
App Review Microsoft Defender Antivirus + Windows 11 Smart App Control (SAC)
Replies
44
Views
3,221
Video Reviews - Security and Privacy
tofargone
tofargone

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top