AVLab - Fileless Malware Protection Test (X 2017)

Discussion in 'other anti-malware software' started by ichito, Nov 10, 2017.

  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,217
    Location:
    Paris
    I really wish that both AVLab, and for that matter MRG, would specifically identify the malware used in such tests thus allowing Peer Review of the results.

    Those organizations that seek to become mainstream testing sites should be held to a higher standard, and independent reproducibility is one of the highest standards.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,481
    Location:
    U.S.A.
    Send them an e-mail for the hashes used. Appears to me they did the test the right way. They connected to the attacker C&C server and downloaded the payload from there. Question is if they honeypotted the malware payload for later analysis. Appears it was a 0-day, so it might not be formally IDed yet.

    I assume the few AVs that detected by behavior, such as WD, through a user alert for suspicious activity, and that was it.
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,217
    Location:
    Paris
    A request should not be needed. If they want to be for-profit and go big time then the exact data used in the paper should be made plain in that paper, just like is done by Trend Micro, Talos, Mandiant, etc.

    The methods used are inconsequential if the vector is unknown.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    How is this related to my comment? What I meant is that it would have been more interesting if this file-less attack was done from within a process that always needs an outbound connection, like the browser. I don't think AVs are capable of blocking individual connections unless the malicious IPs are known. So the only thing you could do is restrict the browser like Chrome/Firefox as much as possible.
     
  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    422
    Location:
    Italy
    With Comodo, if a sandboxed app opens a browser, the browser will be sandboxed too.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    Correct, same goes for Sandboxie. But you still need to harden the sandbox by blocking file-access to certain folders for example.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,481
    Location:
    U.S.A.
    If you review the test results, only Kaspersky and ZoneAlarm blocked the attack at the browser level. BitDefender, Eset, Norton, and QuickHeal blocked the network connection to the C&C server. Since that connection was PowerShell based, it is a clear indication they are monitoring outbound PowerShell connections. The rest of the products that passed detected by execution behavior.
     
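    The post above describes vendors that passed by blocking the PowerShell-based connection to the C&C server. As an added illustration (not code from the thread, from AVLab, or from any of the products named), the following rule shows how a defender could surface the same signal from endpoint telemetry: it scans constructed, Sysmon Event ID 3 (NetworkConnect) style JSON log lines and flags outbound connections initiated by a PowerShell host to a non-internal address. The sample events, the internal-range list and the hypothetical `flag_powershell_connections` function are all assumptions made for this example.

    ```python
    import json
    from ipaddress import ip_address, ip_network
    from pathlib import PureWindowsPath

    # Hypothetical internal ranges for this example. An explicit list is used
    # instead of ipaddress.is_private because that property also treats the
    # documentation ranges used in the samples (203.0.113.0/24, 198.51.100.0/24)
    # as non-global, which would hide the constructed "external" destinations.
    INTERNAL_NETWORKS = [
        ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
    ]

    # Image basenames treated as PowerShell hosts.
    POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

    # Constructed sample events (Sysmon Event ID 3 shape); not real telemetry.
    SAMPLE_EVENTS = [
        # PowerShell launched from cmd.exe reaching out to an external host: flag.
        r'{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "DestinationIp": "203.0.113.45", "DestinationPort": 443, "Initiated": true}',
        # PowerShell remoting to an internal management host: expected, not flagged.
        r'{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 5985, "Initiated": true}',
        # Browser traffic: outside this rule's scope.
        r'{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": true}',
        # PowerShell 7 spawned by an Office app and connecting out: flag.
        r'{"EventID": 3, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationIp": "198.51.100.20", "DestinationPort": 8080, "Initiated": true}',
        # Inbound connection to a PowerShell listener: not an outbound beacon.
        r'{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "DestinationIp": "192.168.1.10", "DestinationPort": 5986, "Initiated": false}',
        # Truncated line, as a collector might emit it; must be skipped, not crash.
        '{"EventID": 3, "Image": "C:\\\\Windows',
    ]


    def is_internal(ip_text):
        """True if the address parses and lies in one of INTERNAL_NETWORKS."""
        try:
            ip = ip_address(ip_text)
        except ValueError:
            return False
        return any(ip in net for net in INTERNAL_NETWORKS)


    def image_basename(image):
        """Lower-cased file name of a Windows image path."""
        return PureWindowsPath(image).name.lower()


    def flag_powershell_connections(lines):
        """Return one finding per outbound PowerShell connection to a non-internal host."""
        findings = []
        for line in lines:
            try:
                ev = json.loads(line)
            except json.JSONDecodeError:
                continue  # malformed record: skip rather than abort the scan
            if ev.get("EventID") != 3 or not ev.get("Initiated"):
                continue  # only outbound (process-initiated) connections matter here
            image = ev.get("Image", "")
            if image_basename(image) not in POWERSHELL_IMAGES:
                continue
            dest = ev.get("DestinationIp", "")
            if is_internal(dest):
                continue  # remoting/management traffic inside the network is expected
            findings.append({
                "image": image,
                "parent": ev.get("ParentImage", ""),
                "dest": dest,
                "port": ev.get("DestinationPort"),
                "reason": "PowerShell host initiated a connection to a non-internal address",
            })
        return findings


    if __name__ == "__main__":
        for f in flag_powershell_connections(SAMPLE_EVENTS):
            print(f"{f['image']} (parent {f['parent']}) -> {f['dest']}:{f['port']}: {f['reason']}")
    ```

    The rule deliberately keys on the process that opened the socket rather than on the destination, which is the same reason the post gives for vendors catching a connection whose IP was not on any blocklist; in practice the parent image (an Office application spawning `pwsh.exe` here) is what would raise the finding's severity, and the internal-range list would be replaced by the organization's real management subnets.
    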
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    Correct, but again: what if the malware was running inside the browser? Then simply blocking outbound connections is not enough, if the malicious IPs are not known.
     
  9. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,049
    Location:
    Europe then Asia
    If an XSS manages to infect a browser, there are few solutions to block it, like using a firewall with packet analysis.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,869
    Location:
    The Netherlands
    I'm not sure what you mean, can you explain? What I meant is that in theory, you can make file-less malware like ransomware run inside browser memory. I wonder how many AVs would be able to tackle it.
     
  11. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,049
    Location:
    Europe then Asia
    I just meant that only solutions doing packet analysis may detect the code.
     