Source
https://youtu.be/-sygS9-7-s0
Video Uploaded by
RoboMan
Hub Thread
https://malwaretips.com/threads/8-10-2018-22.87258/

RoboMan

Level 24
Content Creator
Verified
Joined
Jun 24, 2016
Messages
1,381
OS
Windows 10
Antivirus
Bitdefender
#1
During today's test for the Hub (which I will be posting later tonight, PS thanks @silversurfer!) I found this specific piece of malware that I loved, because of what it did. So I recorded a quick review for you to see.

Who will win? The whole Microsoft Security Team or... this little boy?


Note: please do not ask for the sample, straight rules won't allow sharing links or samples from the Hub.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,186
#2
As soon as I saw wscript, I knew we had been infected by an incurable plague.

I'm sorry but leaving interpreters enabled by default is a retarded protection model. Seriously.

There will be those that argue that interpreters are neither good nor bad.

I can make that kind of idiotic statement too.

"A gun lying on the street isn't good or bad either. It's just an object."

What's more effective and common sense for the vast majority of Windows users, who don't use any interpreters: disable them by default, or keep them enabled because "a lot of IT Pros use them"? Seriously? You're gonna make that kind of an argument? So sink 7/8ths of humanity for the few, because it would be inconvenient for some IT pros to enable interpreters.

Windows security. And the people who control it. 8-Ball Chasers. Pathetic.
 

cruelsister

Level 36
Content Creator
Verified
Joined
Apr 13, 2013
Messages
2,577
#4
Superb video!!!

1) Short and to the point - you made a short video look easy to produce, and I know it was probably anything but.
2) Humor! Yeah!
3) Shows that in spite of the results seen on the Pro AV testing sites (where malware relics, D+3 and above, are used), WD is inadequate against newer samples. And I can assure you a Blackhat is NEVER going to push out older malware.

Well done!
 

RoboMan

Level 24
Content Creator
Verified
Joined
Jun 24, 2016
Messages
1,381
OS
Windows 10
Antivirus
Bitdefender
#5
About interpreters - totally agree. Those very few who really need to use them will know how to turn them on. The huge number of the rest, who don't know how to use them and never will, will not know how the hell to turn them off. They should be off by default.

And @cruelsister, your comment moved me the most! Coming from you, the person whose tests and knowledge I admire the most over here, it's a pleasure :) Thank you!
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,186
#6
The script interpreters are cancerous. They should have never been given so much freedom. I don't understand why Microsoft designed monsters like PowerShell, Office Macros, and VBScript the way they did.
Because the Microsoft and the IT Pro admin retards got together. That's all it took. The rest is history.

Microsoft decided to disable cmd and powershell on 10 S - because it would annoy the fewest IT Pros.

Are the IT Pros gonna come to your house and disinfect your system ? I think they should. You have default Windows designed for them - and not to protect the people who need the greatest amount of protection. It is partly because Microsoft caters Windows to "IT Pros" that everyone else is placed at high risk.

Disgusting.
 
Joined
Sep 26, 2017
Messages
453
Antivirus
Microsoft
#8
As expected, WD lacks a behaviour blocker, relying on Default-Deny, Cloud and Backups to stop most threats. It is also funny how easy it is to tamper with WD, to make all the options above irrelevant.

For us it should be fine, but for casual users I won't be recommending WD any time soon.

Make another video, but with Kaspersky Free?
 

shmu26

Level 70
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,960
OS
Windows 10
#9
Great vid. I don't watch many, but I watched this one.
Am I right in assuming that Windows Defender was at default settings?
WD @default definitely needs SmartScreen as its first line of defense, or else it gets clobbered by zeroday samples.
But what happens if you enable some ASR rules?
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,186
#10
Great vid. I don't watch many, but I watched this one.
Am I right in assuming that Windows Defender was at default settings?
WD @default definitely needs SmartScreen as its first line of defense, or else it gets clobbered by zeroday samples.
But what happens if you enable some ASR rules?
Disabling less than 5 processes can save a person from a whole lot of pain.
 

harlan4096

Moderator
MalwareTips Staff
AV-Tester
Verified
Joined
Apr 28, 2015
Messages
3,868
OS
Windows 10
Antivirus
Kaspersky
#11
Joined
Sep 14, 2018
Messages
147
OS
Windows 10
Antivirus
F-Secure
#12
I ran the dynamic test with KFA2019c + that sample yesterday about 30min after the pack was posted.

KFA2019 didn't detect the original script sample, but did (by signature) the dropped file:

https://malwaretips.com/threads/8-10-2018-22.87258/post-769739
Sorry for the off topic, but according to your experience, can Kaspersky Free replace the paid version while ensuring a good protection level? I read it is really good in detection.
Thanks Harlan :)
 
Joined
Sep 14, 2018
Messages
147
OS
Windows 10
Antivirus
F-Secure
#14
KFA2019 does not have Application Control + Firewall... so probably a combo with NVT OSA, or SysHardener... or the well-known combo CFW + CS's settings...
Thanks again.
I have another PC that my son uses just for fun (and yes, sometimes he is a happy clicker) with just SB and WD.
So I'm planning to install KFA and make a good scan :)
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,186
#15
Joined
May 1, 2018
Messages
50
OS
Windows 10
Antivirus
Microsoft
#16
Hi guys, I have one question about WD and some Windows settings.
If I want to use Windows Defender and Edge, and I turn off script execution by command in PowerShell 5.0, uninstall PowerShell 2.0, and turn off the SMB protocol and Flash Player in Edge and Windows, will it be good?
Maybe someone wants to test this security config on Windows 10?
 

harlan4096

Moderator
MalwareTips Staff
AV-Tester
Verified
Joined
Apr 28, 2015
Messages
3,868
OS
Windows 10
Antivirus
Kaspersky
#17
Just finished the test with this sample and Panda Dome Premium + Slyguy's settings + NVT OSA, I ran 2 different scenarios:

PDP + PD Application Control On + NVT OSA On -> attack blocked by NVT OSA. System Protected.

PDP + PD Application Control On + NVT OSA Off -> attack blocked by PD Application Control, but also detected/deleted as Trojan. System Protected.

Full results of the sample pack at MalWare Hub later...
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,186
#18
Hi guys, I have one question about WD and some Windows settings.
If I want to use Windows Defender and Edge, and I turn off script execution by command in PowerShell 5.0, uninstall PowerShell 2.0, and turn off the SMB protocol and Flash Player in Edge and Windows, will it be good?
Maybe someone wants to test this security config on Windows 10?
Disabling PowerShell, PowerShell_ISE, wscript.exe, and cscript.exe is better.

Disabling PowerShell v2.0 is good; it prevents many attacks.

Setting restricted execution policy in PowerShell v5.0 is easily bypassed; set Constrained Language mode.

You really should use a SUA.
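A hardening script, added here as an illustration and not posted by anyone in the thread, that carries out the steps Lockdown lists above (remove PowerShell v2, Constrained Language mode instead of relying on an execution policy, block Windows Script Host, use a standard user account) and also enables the ASR rules shmu26 asked about in #9. It assumes an elevated PowerShell 5.x session on Windows 10 with Windows Defender active; the account name is a placeholder, and the ASR rule GUIDs should be checked against Microsoft's current ASR rule reference before deploying.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Applies the hardening Lockdown lists in #18
# plus the ASR rules shmu26 asks about in #9. Assumes an elevated PowerShell 5.x
# session on Windows 10 with Windows Defender active. Every change here is reversible.

# 1. Remove the PowerShell v2 engine: "powershell -Version 2" skips v5's logging and
#    language-mode restrictions, which is why removing it closes off many attacks.
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' } |
    ForEach-Object { Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart | Out-Null }

# 2. An execution policy is a convenience setting, not a boundary: any caller can pass
#    -ExecutionPolicy Bypass. Constrained Language mode limits what a script can do
#    (no Add-Type, no arbitrary .NET or COM calls). __PSLockdownPolicy=4 is Microsoft's
#    environment-variable switch for it; AppLocker or WDAC policies enforce it more robustly.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

# 3. Disable Windows Script Host so wscript.exe and cscript.exe refuse .vbs/.js/.wsf files.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wsh -Force | Out-Null
Set-ItemProperty -Path $wsh -Name 'Enabled' -Value 0 -Type DWord

# 4. Attack Surface Reduction rules in Windows Defender. The GUIDs are Microsoft's
#    published rule IDs; confirm them against the current ASR rule reference first.
$asr = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JS/VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}
foreach ($id in $asr.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "ASR enabled: $($asr[$id])"
}

# 5. Daily use from a standard user account (SUA). 'dailyuser' is a placeholder name;
#    the account is deliberately left out of the Administrators group.
if (-not (Get-LocalUser -Name 'dailyuser' -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name 'dailyuser' -Password (Read-Host -AsSecureString 'Password for dailyuser') | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member 'dailyuser'
}

# 6. Verify the ASR state: each rule ID should pair with action 1 (Block).
#    The language mode only takes effect in a NEWLY opened console (not a child of this
#    one), where $ExecutionContext.SessionState.LanguageMode should print ConstrainedLanguage.
$p = Get-MpPreference
for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0} -> {1}' -f $p.AttackSurfaceReductionRules_Ids[$i], $p.AttackSurfaceReductionRules_Actions[$i]
}
```

Reboot after running it so the removed v2 feature and the machine-wide environment variable are picked up; to undo, re-enable the optional feature, delete the variable, set the WSH `Enabled` value to 1, and pass `Disabled` to `Add-MpPreference` for each rule.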
 

shmu26

Level 70
Content Creator
Verified
Joined
Jul 3, 2015
Messages
5,960
OS
Windows 10
#19
Hi guys, I have one question about WD and some Windows settings.
If I want to use Windows Defender and Edge, and I turn off script execution by command in PowerShell 5.0, uninstall PowerShell 2.0, and turn off the SMB protocol and Flash Player in Edge and Windows, will it be good?
Maybe someone wants to test this security config on Windows 10?
I didn't understand what you meant by "turn off script execution by command in PowerShell". How are you turning it off?

Generally speaking, Edge is a secure browser, and Windows Defender at default settings is enough baseline protection for a careful user. But you are obviously trying for a higher level of protection. If so, disabling PowerShell is good, but not enough. You should also disable Wscript, and there are other vulnerable processes, too. If you want to tweak your OS, use SysHardener. It's a free tool from NoVirusThanks.

I just saw that Lockdown answered you. Take his advice.