RoboMan

Level 26
Content Creator
Verified
During today's test for the Hub (which I will be posting later tonight, PS thanks @silversurfer!) I found this specific piece of malware that I loved, because of what it did. So I recorded a quick review for you to see.

Who will win? The whole Microsoft Security Team or... this little boy?


Note: please do not ask for the sample, straight rules won't allow sharing links or samples from the Hub.

509322

As soon as I saw wscript, I knew we had been infected by an incurable plague.

I'm sorry but leaving interpreters enabled by default is a retarded protection model. Seriously.

There will be those that argue that interpreters are neither good nor bad.

I can make that kind of idiotic statement too..

"A gun lying on the street isn't good or bad either. It's just an object."

What's more effective and common sense for the vast majority of users of Windows - who don't use any interpreters - disable them by default or keep them enabled because "a lot of IT Pros use them"? Seriously? You're gonna make that kind of an argument? So sink 7/8ths of humanity for the few - because it would be inconvenient for some IT pros to enable interpreters.

Windows security. And the people who control it. 8-Ball Chasers. Pathetic.
 

cruelsister

Level 36
Content Creator
Trusted
Verified
Superb video!!!

1). Short and to the point- you made a short video look easy to produce, and I know it was probably anything but.
2). Humor! Yeah!
3). Shows that in spite of the results seen on the Pro AV testing sites (where malware relics, D+3 and above, are used), WD is inadequate against newer samples. And I can assure you a Blackhat is NEVER going to push out older malware.

Well done!
 

RoboMan

Level 26
Content Creator
Verified
About interpreters - totally agree. Those very few who really need to use them will know how to turn them on. The huge majority, who don't know how to use them and never will, won't know how the hell to turn them off. Should be off by default.

And @cruelsister, your comment moved me the most! Coming from you, the person whose tests and knowledge I admire the most over here, it's a pleasure :) Thank you!

509322

The script interpreters are cancerous. They should have never been given so much freedom. I don't understand why Microsoft designed monsters like PowerShell, Office macros, and VBScript the way they did.
Because Microsoft and the IT Pro admin retards got together. That's all it took. The rest is history.

Microsoft decided to disable cmd and powershell on 10 S - because it would annoy the fewest IT Pros.

Are the IT Pros gonna come to your house and disinfect your system? I think they should. You have default Windows designed for them - and not to protect the people who need the greatest amount of protection. It is partly because Microsoft caters Windows to "IT Pros" that everyone else is placed at high risk.

Disgusting.
 

Local Host

Level 12
As expected, WD lacks a behaviour blocker, relying on Default-Deny, Cloud and Backups to stop most threats. It's also funny how easy it is to tamper with WD, making all the options above irrelevant.

For us it should be fine, but for casual users I won't be recommending WD any time soon.

Make another video, but with Kaspersky Free.

shmu26

Level 74
Content Creator
Trusted
Verified
Great vid. I don't watch many, but I watched this one.
Am I right in assuming that Windows Defender was at default settings?
WD @default definitely needs SmartScreen as its first line of defense, or else it gets clobbered by zeroday samples.
But what happens if you enable some ASR rules?

509322

> Great vid. I don't watch many, but I watched this one.
> Am I right in assuming that Windows Defender was at default settings?
> WD @default definitely needs SmartScreen as its first line of defense, or else it gets clobbered by zeroday samples.
> But what happens if you enable some ASR rules?

Disabling less than 5 processes can save a person from a whole lot of pain.
 

harlan4096

Moderator
Staff member
Malware Hunter
Verified

stepseven84

Level 7
Verified
> I ran the dynamic test with KFA2019c + that sample yesterday about 30min after the pack was posted.
>
> KFA2019 didn't detect the original script sample, but did (by signature) the dropped file:
>
> https://malwaretips.com/threads/8-10-2018-22.87258/post-769739

Sorry for the off topic, but according to your experience, can Kaspersky Free replace the paid version while ensuring a good protection level? I read it is really good in detection.
Thanks Harlan :)
 

KonradPL

Level 3
Hi guys, I have one question about WD and some Windows settings.
If I want to use Windows Defender and Edge, and I turn off script execution by command in PowerShell 5.0, uninstall PowerShell 2.0, and turn off the SMB protocol and Flash Player in Edge and Windows, will it be good?
Maybe someone wants to test this security config on Windows 10?
 

harlan4096

Moderator
Staff member
Malware Hunter
Verified
Just finished the test with this sample and Panda Dome Premium + Slyguy's settings + NVT OSA, I ran 2 different scenarios:

PDP + PD Application Control On + NVT OSA On -> attack blocked by NVT OSA. System Protected.

PDP + PD Application Control On + NVT OSA Off -> attack blocked by PD Application Control, but also detected/deleted as Trojan. System Protected.

Full results of the sample pack at MalWare Hub later...

509322

> Hi guys, I have one question about WD and some Windows settings.
> If I want to use Windows Defender and Edge, and I turn off script execution by command in PowerShell 5.0, uninstall PowerShell 2.0, and turn off the SMB protocol and Flash Player in Edge and Windows, will it be good?
> Maybe someone wants to test this security config on Windows 10?

Disabling PowerShell, PowerShell_ISE, wscript.exe, and cscript.exe is better.

Disabling PowerShell v2.0 is good; it prevents many attacks.

Setting restricted execution policy in PowerShell v5.0 is easily bypassed; set Constrained Language mode.

You really should use a SUA.
 
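The hardening steps from the reply above (remove the PowerShell v2 engine, disable Windows Script Host, and put PowerShell into Constrained Language Mode) as an added example; this is not code from the thread. It assumes an elevated PowerShell 5.x session on Windows 10; the `__PSLockdownPolicy` environment variable is a convenience mechanism for enabling Constrained Language Mode and is not itself a security boundary, so an AppLocker or WDAC policy is the enforced equivalent.

```powershell
# Added hardening example (not from the thread). Run from an elevated PowerShell 5.x prompt.

# 1. Remove the PowerShell v2 engine so scripts cannot be run under the old engine,
#    which lacks the logging and language-mode controls of v5.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart

# 2. Disable Windows Script Host machine-wide; wscript.exe and cscript.exe refuse to run
#    scripts while this value is 0.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wshKey -Force | Out-Null
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# 3. Request Constrained Language Mode for all new PowerShell sessions.
#    4 = ConstrainedLanguage. Convenience setting only; enforce with AppLocker/WDAC in production.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

# 4. Report the resulting state. LanguageMode only reflects the change in a session
#    started after step 3, so run this function from a fresh window.
function Get-ScriptHostHardeningState {
    $v2State = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State
    $wshEnabled = (Get-ItemProperty -Path $wshKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        PowerShellV2 = $v2State                                    # expected: Disabled
        WSHEnabled   = $wshEnabled                                 # expected: 0
        LanguageMode = $ExecutionContext.SessionState.LanguageMode # expected: ConstrainedLanguage
    }
}

Get-ScriptHostHardeningState
```

A quick functional check after the reboot is to run `cscript //nologo` on any script and confirm the "Windows Script Host access is disabled on this machine" message appears, and to try a .NET method call such as `[System.IO.File]::Exists('C:\Windows')`, which Constrained Language Mode rejects.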

shmu26

Level 74
Content Creator
Trusted
Verified
> Hi guys, I have one question about WD and some Windows settings.
> If I want to use Windows Defender and Edge, and I turn off script execution by command in PowerShell 5.0, uninstall PowerShell 2.0, and turn off the SMB protocol and Flash Player in Edge and Windows, will it be good?
> Maybe someone wants to test this security config on Windows 10?

I didn't understand what you meant by "turn off script execution by command in PowerShell". How are you turning it off?

Generally speaking, Edge is a secure browser, and Windows Defender at default settings is enough baseline protection for a careful user. But you are obviously trying for a higher level of protection. If so, disabling PowerShell is good, but not enough. You should also disable Wscript, and there are other vulnerable processes, too. If you want to tweak your OS, use SysHardener. It's a free tool from NoVirusThanks.

I just saw that Lockdown answered you. Take his advice.