AVLab - Fileless Malware Protection Test (X 2017)

I really wish that both AVLab, and for that matter MRG, would specifically identify the malware used in such tests thus allowing Peer Review of the results.

Those organizations that seek to become mainstream testing sites should be held to a higher standard, and independent reproducibility is one of the highest standards.

 

Send them an e-mail for the hashes used. Appears to me they did the test the right way. They connected to the attacker C&C server and downloaded the payload from there. Question is if they honeypotted the malware payload for later analysis. Appears it was a 0-day so it might not be formally ID yet..

I assume the few AVs that detected by behavior such as WD, through an user alert for suspicious activity and that was it.

 

A request should not be needed. If they want to be for-profit and go big time then the exact data used in the paper should be made plain in that paper, just like is done by Trend Micro, Talos, Mandiant, etc.

The methods used are inconsequential if the vector is unknown.

 

How is this related to my comment? What I meant is that it would have been more interesting if this file-less attack was done from within a process that always needs an outbound connection like the browser. I don't think AV's are capable of blocking individual connections unless the malicious IP's are known. So the only thing you could do is restrict the browser like Chrome/Firefox as much as possible.

 

With Comodo, if a sandboxed app opens a browser, the browser will be sandboxed too

 

Correct, same goes for Sandboxie. But you still need to harden the sandbox by blocking file-access to certain folders for example.

 

If you review the test results, only Kaspersky and ZoneAlarm blocked the attack at the browser level. BitDefender, Eset, Norton, and QuickHeal blocked the network connection to the C&C server. Since that connection was PowerShell based, it is a clear indication they are monitoring outbound PowerShell connections. The rest of the products that passed detected by execution behavior.

 

Correct, but again: What if the malware was running inside the browser? Then simply blocking outbound connections is not enough, if the malicious IP's are not known.

 

if an XSS manage to infect a browser, there is few solution to block it like using a Firewall with packet analysis.

 

I'm not sure what you mean, can you explain? What I meant is that in theory, you can make file-less malware like ransomware run inside browser memory. I wonder how many AV's would be able to tackle it.

 

i just meant that only solutions doing packet analysis may detect the code.