Ransomware and WSA in general.

Discussion in 'Prevx Releases' started by Esse, Sep 23, 2013.

Thread Status:
Not open for further replies.
  1. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    416
    Update!

    I went into safe mode on the screen-locked VM, and was able to run a scan from there.

    WSA found about 6 malware from the infested folder I was running my samples from. (Still left 284 undetected :doubt: )
    But it did not find the file holding me hostage.
    I could easily delete the file in question by hand, but I prefer to see how and when WSA handles this.

    All for evaluation purposes, of course.

    Of course I also want the Rollback feature to take action here, when the infection is detected.
    Just because I do not know what else the infection has dumped in there, and I want that cleaned too.

    /E
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I believe I've received it (in my spam box and I'm about to board a flight so I'll need to check a bit later).

    I'm in meetings all week so it may take me some time to respond. You may want to try writing into our support inbox as they'll be able to clean you quickly.
     
    Last edited: Oct 2, 2013
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks - could you also send the newest scan log to my username at gmail.com? Rollback will definitely remove the traces and changes made by the sample, we just need the data to look into it closer and block the original file (and see what it's doing differently than the other ransomware infections).
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    If it's only running within your browser, you should be able to use Alt+F4, or Ctrl+W to close the window. This wouldn't actually be an infection, rather, just a popup, which should be easy to close.
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's a VM, not his actual computer, and I've just received the data to investigate closer.
     
  6. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    416
    Take your time Joe, this is just a test rig I set up to evaluate WSA more closely.
    What you could do is prolong the trial key so that I can see WSA solve this problem by itself, after you have had the time to examine all data.
    I will send you the latest scan log, hope it is easy to find.

    /E
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Thanks! I've taken a look at the files you sent and while WSA is successfully blocking it from fully taking over the desktop, it does still show a full-screen window on bootup. You can use "Windows key + D" to get back to the desktop and get around the threat from there, but I think there is room for us to add generic logic to block this alternate type of attack as well.

    Based on the logs you sent to me via email, change journaling is indeed working properly so when we mark these files as malicious, they will be fully removed. I'm having our threat research team wait a bit still so that we can do some additional testing on the generic approach for this type of threat, but we'll be removing them soon.

    Thanks again and let me know if you find anything else in the meantime!
     
  8. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    416
    Sounds like a plan, as you say it is better to stop this kind of ransom for good. Take your time. Looking forward to seeing the magic happen :D

    Another thought appeared today, regarding rootkits: while testing (executing) some rootkits, you can see in, for example, Killswitch from Comodo that they start and then shut down. But you still get infected.
    Will this be the same scenario in your "Control Active Processes"?
    If it starts and then shuts down is it still monitored then?

    /E
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's correct - it will continue being monitored (and "Stop Untrusted Processes" will just terminate them straight away).
     
  10. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    416
    Nice! :thumb:

    /E
     
  11. volvic

    volvic Registered Member

    Joined:
    Aug 17, 2009
    Posts:
    220
    Sorry just not true. WSA cannot undo changes by Win32.Virut.
     
  12. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    WSA can undo the changes, provided it is installed before you get infected with Virut. If it isn't installed first, then you'll need to use a tool our threat team has developed.
     
  13. volvic

    volvic Registered Member

    Joined:
    Aug 17, 2009
    Posts:
    220
    WSA was on the system BEFORE win32.virut got on it.
     
  14. volvic

    volvic Registered Member

    Joined:
    Aug 17, 2009
    Posts:
    220
    Is there a link for this tool?
     
  15. Esse

    Esse Registered Member

    Joined:
    May 26, 2011
    Posts:
    416
    Interesting to see how this develops.

    Please post back when you have a solution volvic.

    /E
     
  16. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney
    How does WSA handle malware & viruses & stuff it quarantines?

    Q1: Can I recover/restore a file that has been quarantined?
    Q2: Can I create a white-list of folders/files to be excluded from the scanning process?
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    A1: Yes, PC security --> Settings --> Quarantine --> Restore
    A2: Yes and No, only files not folders. PC security --> Settings --> Block/Allow files --> Allow

    The possibility of excluding folders (and why this is not recommended and not possible in the tool) was discussed at length in the past. Have a search on this section. Basically the advantages of excluding folders are not proportional to the risk associated with it (free malware riding zones).

    Unless you want to exclude known malware/cracks/etc... then you should simply ask support to whitelist the files rather than having a folder permanently excluded.
     
  18. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    To add to fax's post, only executable files are applicable to A2. ;)
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    True :thumb: . This means not just .exe but .dll, .sys, etc... executables in the large sense.
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Our support team can supply a link to it.
     
  21. ams963

    ams963 Registered Member

    Joined:
    May 3, 2011
    Posts:
    5,974
    Location:
    Parallel Universe
    Right. :thumb:
     