Topic: FLAW In Protection: VBS malware and deepscreen


TrueIndian
  • Poster
  • Posts: 434
FLAW In Protection: VBS malware and deepscreen
« on: August 20, 2014, 09:57:10 AM »
I see that .vbs malware from USB doesn't trigger any DeepScreen analysis!? I guess avast should add triggers for such types of nasties as well, as they seem to be on the rise.

Anything trying to mess with wscript.exe should be sandboxed. I guess avast needs to add more triggers into the program. I just got 2 .vbs files; both were pretty much the same VBS:Malware-gen crap and both got through without a peep from DeepScreen. It didn't even try to analyze them. Neither does hardened mode deal with vbs-type crap.

I definitely think avast can add a trigger for .vbs files in DeepScreen. Just add a rule in the program somewhere that any randomly named vbs file from USB or any removable media must be sandboxed, and if it accesses wscript.exe it should be detected as malware right away. In this way, avast can be completely immune to those VBS malware from USB.
This needs to be fixed.
« Last Edit: August 26, 2014, 04:35:08 PM by True Ind »
Malware Hunter/Tester/Analysis
https://twitter.com/avman1995

“When I despair, I remember that all through history the way of truth and love have always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it--always.”
― Mahatma Gandhi

Eddy
  • Avast Evangelist
  • Posts: 31352
Re: VBS malware and deepscreen
« Reply #1 on: August 20, 2014, 02:44:31 PM »
Do you have selected to scan all files in the file system shield ?
If not, please do so and check if the files are scanned.
For that you may need to enable debug logging.

RejZoR
  • Polymorphic Sheep
  • Posts: 9304
Re: VBS malware and deepscreen
« Reply #2 on: August 20, 2014, 03:05:21 PM »
As far as I know DeepScreen only works on EXE files. Unless they have changed this in v2015...

TrueIndian
  • Poster
  • Posts: 434
Re: VBS malware and deepscreen
« Reply #3 on: August 20, 2014, 05:38:36 PM »
Rej, it still seems to be a flaw... As a lot of USB malware is coming in the form of VBS scripts and it does a hell of a lot of nasty damage. It executes wscript.exe, keeps launching itself at every bootup and infects every other clean USB. I think this trigger should be added as it is a major threat gate.

TrueIndian
  • Poster
  • Posts: 434
Re: VBS malware and deepscreen
« Reply #4 on: August 24, 2014, 07:32:15 AM »
BUMP: Any update to this topic?

This is a serious flaw as vbs malware is increasing, especially via USB sticks. They are also polymorphic and hard to detect.

Eddy
  • Avast Evangelist
  • Posts: 31352
Re: VBS malware and deepscreen
« Reply #5 on: August 24, 2014, 03:05:01 PM »
Have you tried as I suggested ?

TrueIndian
  • Poster
  • Posts: 434
Re: VBS malware and deepscreen
« Reply #6 on: August 24, 2014, 05:33:05 PM »
Have you tried as I suggested ?

I have done that before no difference.  :)

essexboy
  • Malware removal instructor
  • Avast Überevangelist
  • Posts: 40631
Re: VBS malware and deepscreen
« Reply #7 on: August 24, 2014, 05:59:31 PM »
I would agree that this is a flaw that needs rectifying. The vast majority of the time it is from a USB or SD card, so mayhap tweak the USB on-insertion scan.

TrueIndian
  • Poster
  • Posts: 434
Re: VBS malware and deepscreen
« Reply #8 on: August 25, 2014, 11:53:23 AM »
I would agree that this is a flaw that needs rectifying. The vast majority of the time it is from a USB or SD card, so mayhap tweak the USB on-insertion scan.

Thanks essex. I agree this needs to be fixed because there is a lot of USB malware that is coming in this VBS format. Hope to see progress on this issue  :)
« Last Edit: August 25, 2014, 12:25:07 PM by True Ind »

TrueIndian
  • Poster
  • Posts: 434
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #9 on: August 26, 2014, 05:58:03 AM »
Added to topic.
« Last Edit: August 26, 2014, 04:34:59 PM by True Ind »

Alikhan
  • Avast Evangelist
  • Posts: 2226
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #10 on: August 26, 2014, 04:14:15 PM »
+ 1.

It would be a good addition in protection.
Windows 10 Home 64-bit • Avast Internet Security (latest stable version) • Malwarebytes 3 Premium (latest) • Google Chrome • CCleaner •

TrueIndian
  • Poster
  • Posts: 434
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #11 on: August 26, 2014, 04:33:09 PM »
Thanks Alikhan. This is definitely a rule and a trigger that avast DeepScreen developers must consider.

DavidR
  • Avast Überevangelist
  • Posts: 82708
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #12 on: August 26, 2014, 04:52:19 PM »
Now there was me thinking that .VBS files would be scanned by the old script shield, now incorporated into another shield. That however, may be incorporated into the web shield rather than the file system shield.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.1.2397 (build 20.1.5069.558) UI-1.0.460/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

TrueIndian
  • Poster
  • Posts: 434
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #13 on: August 26, 2014, 04:55:58 PM »
Now there was me thinking that .VBS files would be scanned by the old script shield, now incorporated into another shield. That however, may be incorporated into the web shield rather than the file system shield.

The problem here is not the shields, but the VBS infections coming from USB are a sort of polymorphic type that changes constantly. So if avast adds a trigger for vbs files in DeepScreen, then maybe they can also add a rule which will sandbox vbs files, and as they access wscript.exe they should be immediately quarantined by DeepScreen.

VBS file runs>>deepscreened>>accessing wscript.exe>>blocked and quarantined.

DavidR
  • Avast Überevangelist
  • Posts: 82708
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #14 on: August 26, 2014, 07:02:25 PM »
Well essentially I want to know why the script scanning isn't running on a script file being executed, regardless of where it is located. If it was then theoretically there would be no requirement for a rule.

The merging of several shields (script/network/P2P, etc.) into the remaining shields shouldn't lessen the protection.

Your example of the actions is flawed as there would be many instances of legit .VBS software that has to run wscript.exe. Any blocking and quarantining should only be done if it is found to be malicious.

Another point being those who have the Hardened Mode set to Aggressive may have bypassed the deep screening function.
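The thread proposes a flow of "VBS runs >> analysed >> accesses wscript.exe >> blocked", and the last reply points out why that cannot be the whole rule: every legitimate .vbs also runs through wscript.exe or cscript.exe. The script below is an added example written for this page; it is not avast code and does not describe how DeepScreen works. It triages constructed process-creation events in the shape an EDR or Sysmon log would give, and it only escalates when the script-host launch is combined with the signals the thread actually names (removable media, randomly named file) and the script is not on an administrator allowlist. The drive-letter table and the allowlist are assumptions standing in for a GetDriveType() lookup and a vetted-script inventory.

```python
"""
Heuristic triage of Windows script-host launches.

Added example for this forum thread, not avast/DeepScreen code. It models the
flow proposed in the thread (VBS runs -> analysed -> wscript.exe -> blocked)
with the qualification raised in the replies: wscript.exe alone is never a
verdict, because legitimate .vbs tooling uses it too. Source media, file
naming and an allowlist are scored before anything is escalated.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed process-creation events in a Sysmon-like shape. A real
# deployment reads these from an EDR/Sysmon feed; these are made up.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "E:\x7q2k9pd.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 2, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\ProgramData\Acme\install.vbs"',
     "parent": r"C:\Program Files\Acme\setup.exe"},
    {"id": 3, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe //nologo "E:\backup.vbs"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe "E:\x7q2k9pd.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 5, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "E:\Invoice.pdf.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
]

# Assumption: drive letters known to be removable. In production this comes
# from GetDriveType()/WMI at insertion time; here it is a constructed table.
REMOVABLE_DRIVES = {"E:", "F:"}

# Assumption: scripts an administrator has vetted (constructed paths).
ALLOWLIST = {r"c:\programdata\acme\install.vbs"}

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# A quoted or unquoted absolute path whose first extension is .vbs.
VBS_ARG = re.compile(r'"?([A-Za-z]:\\[^"]*?\.vbs)"?', re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic for auto-generated names (constructed rule): 8+ alphanumeric
    characters that are either vowel-free or digit-heavy."""
    s = stem.lower()
    if len(s) < 8 or not s.isalnum():
        return False
    vowels = sum(c in "aeiou" for c in s)
    digits = sum(c.isdigit() for c in s)
    return vowels == 0 or digits >= len(s) // 3


@dataclass
class Verdict:
    event_id: int
    action: str                      # "allow", "review" or "block"
    reasons: List[str] = field(default_factory=list)


def triage(event: dict) -> Optional[Verdict]:
    """Score one process-creation event. Returns None when the event is not
    a script-host launch of a .vbs file, i.e. there is nothing to decide."""
    host = event["image"].rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS:
        return None
    m = VBS_ARG.search(event["cmdline"])
    if not m:
        return None
    path = m.group(1)
    if path.lower() in ALLOWLIST:
        return Verdict(event["id"], "allow", ["allowlisted script"])

    reasons = []
    if path[:2].upper() in REMOVABLE_DRIVES:
        reasons.append("launched from removable media")
    stem = path.rsplit("\\", 1)[-1][:-4]      # basename without ".vbs"
    if "." in stem:
        reasons.append("double extension")
    elif looks_random(stem):
        reasons.append("random-looking filename")

    # The script host itself is not a reason: it is how every .vbs runs.
    # Two independent signals escalate, one is queued for a human look.
    action = "block" if len(reasons) >= 2 else ("review" if reasons else "allow")
    return Verdict(event["id"], action, reasons)


def triage_all(events) -> List[Verdict]:
    """Run triage over a batch, dropping events that are not script launches."""
    return [v for v in (triage(e) for e in events) if v is not None]


if __name__ == "__main__":
    for v in triage_all(SAMPLE_EVENTS):
        print(f"event {v.event_id}: {v.action:6} {', '.join(v.reasons)}")
```

Event 4 (notepad opening the same file) produces no verdict at all, event 2 is allowlisted even though it runs under wscript.exe, and only the two launches that combine removable media with a suspicious name are marked for blocking; the plain `backup.vbs` from a USB stick is queued for review rather than quarantined, which is the distinction the last reply in the thread asks for.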