Very interesting fileless malware testing

Discussion in 'other anti-malware software' started by aigle, Dec 24, 2014.

  1. 142395

    142395 Guest

    I also appreciate your effort. I couldn't test such a wide range of products by myself, and you even requested new samples from kafeine while you yourself were busy.;)
    I'm going on a trip and maybe won't drop in to Wilders during that, but I'm looking forward to seeing the results.
    If possible, can you test some major AVs, not for HIPS or sandbox? Maybe, well, if it blocks the exploit in the first stage, note that down and next allow/whitelist it; then if it detects the malware by signature, the same; and finally see if the BB blocks it... though I suppose most AVs won't monitor the behavior of what is whitelisted... and I'm not sure what should be whitelisted in a fileless infection... :confused: But it will take quite a lot of time & effort, so only if you can.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I had previously tried only Avast IS. Its web shield blocked the URL. After that, nothing more. If I disable the web shield, Avast is happy to stay with the malware. Probably no more AV testing, as it needs a lot of time to download and install, then update, and finally get no detection.
     
  3. 142395

    142395 Guest

    No problem, I can understand it.
     
  4. bugmenot2

    bugmenot2 Registered Member

    Joined:
    Aug 21, 2012
    Posts:
    5
    Location:
    States
    If something is adding a fileless, script-based autostart to the registry, I’d like to be informed of that, regardless of the sequence of events giving rise to such occurrence.

    Can anyone tell me: Does WinPatrol, a free 'HIPS' with reg protection, alert on Poweliks and similar fileless persistent malware?

    And if WinPatrol doesn’t give such alerts, what if anything can be added on Registry Monitoring tab of WinPatrol Plus in order to give such alerts?
     
  5. Plain old-fashioned hardening with ACLs (denying changes to user autoruns) also adds a threshold, the same as denying access to shell/scripting through registry or default-program changes.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    I agree. I removed some rights on key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for my username (Set Value, Create Subkey...) but left them for the Administrators user group. I also entirely removed the Users group's rights. Now if a program wants to write to that registry key, it has to get elevation approved through a UAC prompt.
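The ACL hardening described in posts 5 and 6 (strip write rights on the per-user Run key, keep Administrators in full control so writes need a UAC-elevated process), as an added PowerShell example that is not code from the thread. Assumptions: it is run unelevated from the standard user account whose Run key is being hardened; the key path and the well-known SIDs S-1-5-32-545 (Users) and S-1-5-32-544 (Administrators) are the only values it relies on.

```powershell
# Added example: harden HKCU\...\Run so only elevated (Administrators) processes can change autoruns.
# Assumption: run as the unelevated user who owns this HKCU hive (the owner keeps WRITE_DAC, so the
# change can be reviewed or reverted later from the same account).
$keyPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$userSid  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators

$acl = Get-Acl -Path $keyPath
# Stop inheriting from the parent key, but copy the inherited ACEs in as explicit ones so we can edit them.
$acl.SetAccessRuleProtection($true, $true)

# Drop every ACE for the current user and for the Users group (this removes Set Value / Create Subkey).
foreach ($ace in @($acl.Access)) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    if ($sid -eq $userSid -or $sid -eq $usersSid) { $null = $acl.RemoveAccessRule($ace) }
}

# Give the current user back read-only access (ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions),
# so autoruns still load and can be inspected, but not modified.
$readRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $userSid, [System.Security.AccessControl.RegistryRights]::ReadKey,
    'ContainerInherit', 'None', 'Allow')
$null = $acl.AddAccessRule($readRule)

# Keep Administrators in full control: trusted updaters that run elevated (UAC-approved) keep working.
$adminRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $adminSid, [System.Security.AccessControl.RegistryRights]::FullControl,
    'ContainerInherit', 'None', 'Allow')
$null = $acl.AddAccessRule($adminRule)

Set-Acl -Path $keyPath -AclObject $acl

# Check: an unelevated write to the key should now be refused, while reads still succeed.
try {
    Set-ItemProperty -Path $keyPath -Name 'AclHardeningCheck' -Value 'x' -ErrorAction Stop
    Write-Warning 'Unelevated write still succeeded; the ACL change did not take effect.'
    Remove-ItemProperty -Path $keyPath -Name 'AclHardeningCheck' -ErrorAction SilentlyContinue
} catch {
    Write-Host "Unelevated write blocked as intended: $($_.Exception.Message)"
}
(Get-Acl -Path $keyPath).Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Reverting is the same script with the original ACEs restored, or simply re-enabling inheritance with `$acl.SetAccessRuleProtection($false, $false)` from the owning account.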
     
  7. Yep, works great. All my trusted update processes run elevated, so no problems or functionality restrictions.
     