AVLab - Fileless Malware Protection Test (X 2017)

Discussion in 'other anti-malware software' started by ichito, Nov 10, 2017.

  1. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow

    https://avlab.pl/sites/default/files/68files/Malware_Fileless_Protection_Test_EN.pdf
     
  2. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Impressive result for Kaspersky Free, great result for Comodo (both CIS and CCAV), nice to see Windows Defender at the top :)
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Guys- I hate to say this as I LOVE Poland, but take the Avlab results with more than a grain of salt. My cat could (and often does) code a fileless thingy that would easily bypass some of the "Best+++" products listed.
     
  4. plat1098

    plat1098 Guest

    I apologise profusely, but the result I'm looking at is from April 2017? This result is just a snapshot in time but at any rate, justifies (to me) my moving to a HIPS/standalone/sandbox model. At least some AV makers are paying attention. Perfect, thanks.
     
  5. amico81

    amico81 Registered Member

    Joined:
    Oct 18, 2017
    Posts:
    100
    Location:
    Germany
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    AV Labs did a test for drive-by downloads in April, 2017: https://avlab.pl/sites/default/files/68files/avlab_drive_by_download_test_en.pdf

    Perhaps this is what you are looking at?
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Appears most of the major AVs' memory scanners are detecting disk-based PowerShell execution of in-memory scripts. A better test would have been a PowerShell 2.0 executable download to memory and using it to execute the script from memory. Definitely would work on Win 7 and possibly Win 8+ as long as they had .Net 2.0 installed.

    -EDIT- The main point to note is that AV memory scanners are looking for a malware sig. No sig. and you're "dead meat."
     
    Last edited: Nov 10, 2017
  8. guest

    guest Guest

    If ReflectiveDll injection is used, I can guess the result would be way more dramatic.
     
    Last edited by a moderator: Nov 10, 2017
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    In regards to the payload dropper used:
    PowerShell constrained language mode would have prevented it.

    -EDIT- Also and obviously, blocking any outbound networking traffic from PowerShell will also stop it. That is, as long as the Windows directory PowerShell was being used.
     
    Last edited: Nov 12, 2017
  10. plat1098

    plat1098 Guest

  11. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    @adrian_sc is the owner of AVLab and perhaps he'll come here to say something interesting about such a test.
     
  12. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Amico- I don't really care for any AV, but if I had to choose I would list Kaspersky, Qihoo, Avast and Sophos. The traditional AV's actual utility has long since passed- essentially a relic of yesteryear. To paraphrase a certain author dear to Comrade Evgeny's heart, the traditional AV is the opiate of the masses.

    guest- You, as usual, cut to the heart of the matter. Imagine if such a test is run using Metasploit or something like a fileless reg-only malware? There would be much weeping and gnashing of teeth.

    That's my main issue with the AVlab tests- they are much too nice. I personally would be a bit more aggressive.
     
  13. guest

    guest Guest

    I knew you would pinpoint it ;)
    beefed XSS > Download cradle > powerpick > thank you for your participation :p

    I bet you would, hehe
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Actually, I'm surprised that most AV's don't simply block outbound connections made by abused system processes like powershell.exe, cmd.exe, wscript.exe and cscript.exe. That would make them all pass, unless I'm missing something.
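    The two mitigations raised in this thread, itman's PowerShell constrained language mode and outbound-traffic block, and Rasheed187's outbound block for powershell.exe, cmd.exe, wscript.exe and cscript.exe, as one added example. This is not code from the AVLab report or from any poster; it assumes Windows 8.1/10 or later with the NetSecurity module, an elevated session, and the rule naming scheme "Block outbound - <exe>", all of which are this example's own choices.

```powershell
# Added example, not code from the AVLab report or from any poster in this thread.
# Creates outbound Block rules for the script hosts named in the thread and reports
# which PowerShell language mode the current host is running in.
# Assumptions (this example's own): Windows 8.1/10 or later with the NetSecurity
# module, an elevated session, and the rule name prefix "Block outbound - ".
#Requires -RunAsAdministrator

# Both the 64-bit (System32) and 32-bit (SysWOW64) copies are listed: a rule keyed
# on -Program matches exactly one path, so the other copy would otherwise be free.
$ScriptHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\SysWOW64\cmd.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\SysWOW64\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\SysWOW64\cscript.exe"
)

function Get-ScriptHostRuleName {
    param([string]$Program)
    $arch = if ($Program -like '*\SysWOW64\*') { '32-bit' } else { '64-bit' }
    return "Block outbound - $(Split-Path $Program -Leaf) ($arch)"
}

function Add-ScriptHostOutboundBlock {
    # One outbound Block rule per executable; rules that already exist are left alone.
    # Supports -WhatIf so the rule set can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Programs = $ScriptHosts)

    foreach ($exe in $Programs) {
        $name = Get-ScriptHostRuleName -Program $exe
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule already present: $name"
            continue
        }
        if ($PSCmdlet.ShouldProcess($exe, 'Create outbound Block rule')) {
            New-NetFirewallRule -DisplayName $name -Description "Constructed example rule for $exe" `
                -Direction Outbound -Program $exe -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

function Get-ScriptHostOutboundBlock {
    # Lists the rules this example created together with the path each one is keyed on.
    Get-NetFirewallRule -DisplayName 'Block outbound - *' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Enabled     = $_.Enabled
                Action      = $_.Action
                Program     = ($_ | Get-NetFirewallApplicationFilter).Program
            }
        }
}

function Get-PowerShellLanguageMode {
    # 'FullLanguage' means this host is unrestricted; 'ConstrainedLanguage' is the mode
    # itman's post refers to. System-wide enforcement comes from an AppLocker or
    # Windows Defender Application Control policy; this is only a read-only check.
    return [string]$ExecutionContext.SessionState.LanguageMode
}

# Usage: review first, then apply, then confirm what is in place.
Add-ScriptHostOutboundBlock -WhatIf
Add-ScriptHostOutboundBlock -Verbose
Get-ScriptHostOutboundBlock | Format-Table -AutoSize
"Current PowerShell language mode: $(Get-PowerShellLanguageMode)"
```

    Two limits follow from what the posters said. The rules match a program path, so they cover only the Windows-directory script hosts itman mentions; a copy of the PowerShell engine hosted elsewhere, such as the PowerShell 2.0 executable-in-memory variant he describes, is not matched. And, as cruelsister points out, an outbound block only helps against malware that needs the connection before doing its damage.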
     
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    R- You are not really missing anything, but you must differentiate between Script Kiddies and Blackhats.

    No decent Blackhat will allow any Outbound connection from malware until the intended damage is done, and this connection only being for something like a ransom message or a data stealer that was piggybacked on to the primary vector for giggles. Malware that needs an Outbound connection to cause damage is more in the realm of low class kiddies that couldn't get into Blackhat U (except for targeted espionage miners- but these will co-opt legit processes and will work only as delayed pulse connections, so will avoid detection by anything other than Real-Time forensics). I personally have no clue about such things being Kind and Gentle, but I did ask my cat, Ophelia, who seems to be knowledgeable.

    M
     
    Last edited: Nov 11, 2017
  16. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    I know that Kaspersky's System Watcher can aggressively detect and stop those abused system processes:


    Likewise I think Emsisoft behavior blocker can do the same.
     

    [Attached file: 2B.png (618.7 KB)]
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Maybe a review of the methodology will help:
    Only Kaspersky and ZoneAlarm detected the browser injection. This is the best outcome since malware was stopped "dead in its tracks."

    Most of the tested solutions that detected did so via inbound/outbound network traffic from the malware running in the memory.

    I believe the use of a .bat script was to bypass Win 10 AMSI protection since it will only scan wscript.exe and Powershell.exe processed scripts. Obviously if you're monitoring cmd.exe startup and your security solution detects child process startup from the browser, you're covered.
     
    Last edited: Nov 11, 2017
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Also of interest was that WD and a few others were able to detect the downloads by heuristics/behavior method. A clear indication that WD's cloud scanning appears to be effective against memory based malware. This was indeed an "eye opener." -EDIT- Appears WD has implemented a memory scanner that can detect code injection. Wonder if this is only for Edge and AV Labs was using it for testing. I could not find any ref. in the test write up on which browser was used.

    Also of note is:
     
    Last edited: Nov 11, 2017
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    One other interesting observation from this test. Most AVs did not detect the execution of Powershell from the .bat script in memory other than to detect the remote communication attempt from it. Malware could have run whatever from that script; for example to establish a delayed execution at next boot. Permissions could have been changed using icacls.exe. Etc., etc. A great example why AV vendors really need to start monitoring cmd.exe startup activity.
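    The detection itman describes in his two posts above (child process startup from the browser, and cmd.exe startup that goes on to run PowerShell) as an added example. This is not code from the AVLab report or from any poster; it assumes process-creation events with Sysmon Event ID 1-style field names (ProcessId, ParentProcessId, Image, ParentImage, CommandLine), and the browser list, script-host list and sample events are constructed for this example.

```powershell
# Added example, not code from the AVLab report or from any poster in this thread.
# Flags cmd.exe / PowerShell / script-host processes whose parent chain leads back to a
# browser, directly (browser -> cmd.exe) or through intermediate script hosts
# (browser -> cmd.exe -> powershell.exe), which is the chain the test report describes.
# Assumptions (this example's own): events carry Sysmon Event ID 1-style fields; the
# browser and script-host lists and the sample events below are constructed.

$Browsers    = @('chrome.exe', 'firefox.exe', 'iexplore.exe', 'msedge.exe', 'MicrosoftEdgeCP.exe')
$ScriptHosts = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe')

function Find-BrowserSpawnedScriptHost {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MaxDepth = 4   # how many parents to walk before giving up
    )

    # Index events by ProcessId so a child's ancestry can be followed.
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }

    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($e in $Events) {
        $image = Split-Path $e.Image -Leaf
        if ($ScriptHosts -notcontains $image) { continue }

        # Walk upwards. Stop at a browser (a finding), at a process that is not a script
        # host (explorer.exe launching cmd.exe is normal), or at the depth limit.
        $chain = New-Object System.Collections.Generic.List[string]
        $chain.Add($image)
        $parentImage = Split-Path $e.ParentImage -Leaf
        $parentPid   = [int]$e.ParentProcessId
        $hit = $false
        for ($depth = 0; $depth -lt $MaxDepth; $depth++) {
            $chain.Insert(0, $parentImage)
            if ($Browsers -contains $parentImage)       { $hit = $true; break }
            if ($ScriptHosts -notcontains $parentImage) { break }
            if (-not $byPid.ContainsKey($parentPid))    { break }   # parent not in the event set
            $parent      = $byPid[$parentPid]
            $parentImage = Split-Path $parent.ParentImage -Leaf
            $parentPid   = [int]$parent.ParentProcessId
        }
        if ($hit) {
            $findings.Add([pscustomobject]@{
                ProcessId   = [int]$e.ProcessId
                Chain       = ($chain -join ' -> ')
                CommandLine = $e.CommandLine
            })
        }
    }
    return $findings
}

# Constructed sample events (not real telemetry). With live data, map the same field
# names from Sysmon Event ID 1 (Get-WinEvent -FilterHashtable
# @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}) onto objects of this shape.
$SampleEvents = @(
    [pscustomobject]@{ ProcessId = 4100; ParentProcessId = 1200
        Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'chrome.exe' },
    [pscustomobject]@{ ProcessId = 4200; ParentProcessId = 4100
        Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        CommandLine = 'cmd.exe /c C:\Users\Public\stage.bat' },
    [pscustomobject]@{ ProcessId = 4300; ParentProcessId = 4200
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'powershell.exe -NoProfile -File C:\Users\Public\stage.ps1' },
    [pscustomobject]@{ ProcessId = 4400; ParentProcessId = 1200
        Image = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'cmd.exe' },
    [pscustomobject]@{ ProcessId = 4500; ParentProcessId = 4400
        Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\cmd.exe'; CommandLine = 'powershell.exe' }
)

Find-BrowserSpawnedScriptHost -Events $SampleEvents | Format-Table -AutoSize
```

    The sample is built so that the chrome.exe-rooted cmd.exe and its child powershell.exe are reported with their full chain, while the console a user opened from explorer.exe (and the PowerShell started from it) is not, which is the distinction a behaviour blocker has to make to avoid drowning in false positives. The walk stops at the first non-script-host parent, so an intermediate cmd.exe, as in the .bat stage itman mentions, does not hide the browser origin.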
     
  20. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,920
    And what is the opiate for the paranoid? Just curious.
     
  21. guest

    guest Guest

    HIPS, SRP, anti-exe :p
     
  22. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I must say this question was perfectly phrased, as it's opiate regardless. The addicted are in no way superior, they're just addicted to a different drug.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    What I'm basically saying is that most malware will eventually need to make an outbound connection in order to steal data. It doesn't matter if it's file-less or not. So if in-memory malware is running inside a process with network access, you have a problem. There is no easy way to spot malicious network connections.

    The best thing you could do is to block read and write access to certain folders with private/most important data. But this particular test would have failed on my system, because I block certain system processes from running at all, and even if they do manage to run they are blocked from outbound access.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Looks good to me. :thumb:
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I guess you didn't analyze the report in detail ......... as usual.:rolleyes: This is exactly how most AV's detected the malware used in the test; via outbound network connection.
     