Author Topic: FLAW In Protection: VBS malware and deepscreen  (Read 8503 times)


Offline TrueIndian

  • Poster
  • Posts: 434
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #15 on: August 26, 2014, 07:16:18 PM »
Dave, they could use dyna rules and stuff like they do for other files. They should be adding dyna rules for these types of VBS malware. First of all, they need to have deepscreen working on vbs files.
« Last Edit: August 26, 2014, 07:23:28 PM by True Ind »
Malware Hunter/Tester/Analysis
https://twitter.com/avman1995

“When I despair, I remember that all through history the way of truth and love have always won. There have been tyrants and murderers, and for a time, they can seem invincible, but in the end, they always fall. Think of it--always.”
― Mahatma Gandhi

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 83811
  • No support PMs thanks
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #16 on: August 26, 2014, 07:24:23 PM »
Dave they could use dyna rules and stuff they like they do for other files.

It doesn't really matter what they could use - personally I'm against creating rules when there is meant to be a script scanning function built into avast.

Creating a rule would also require an underlying routine to cater for .vbs instead of/as well as .exe's in deepscreen.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2429 (build 20.8.5653.561) UI-1.0.562/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline TrueIndian

  • Poster
  • Posts: 434
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #17 on: August 26, 2014, 07:26:56 PM »
Dave, I think the avast reputation service already has enough files in the whitelist. Regardless, not having rules/triggers for deepscreen for a major threat gate is a flaw.

Script scanning function?? Those are based on the AV database, and these are polymorphic viruses, and this wouldn't cut it because these change every day like rootkits. This makes some sense I guess.

And from previous experience, avast is not the quickest or smartest to pick up the newer variants quickly either; instead we have some proactive analysis system.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 83811
  • No support PMs thanks
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #18 on: August 26, 2014, 11:47:14 PM »
I have not mentioned reputation services or whitelisting of files in any of my replies.

I'm clearly stating that the supposed script scanning of avast should be scanning these scripts in the same way that they did when there was a Script Shield. This scanned scripts both on web pages and scripts run locally.

Deepscreen to date hasn't been the beast it is meant to be; perhaps we will see more of it in beta2. As I have mentioned, those that have set Hardened Mode to Aggressive are essentially bypassing deepscreen. So any rule, if it were to have rules, wouldn't be effective if the Hardened Mode were set to Aggressive.

Offline TrueIndian

  • Poster
  • Posts: 434
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #19 on: August 27, 2014, 03:54:27 AM »
Dave, neither hardened mode nor deepscreen blocks/targets vbs extension files, which they should be doing now because of this usb malware. I have done some deep testing on this before making this topic.

Nothing to argue on deepscreen improvements in beta2. I have full faith in the developers that they are surely making deepscreen worthy.
« Last Edit: August 27, 2014, 04:07:08 AM by True Ind »

Offline TrueIndian

  • Poster
  • Posts: 434
Re: FLAW In Protection: VBS malware and deepscreen
« Reply #20 on: August 28, 2014, 05:48:29 AM »
Also, it's not just the vbs format. There are many other formats like *.js that are not targeted by deepscreen.

I have been testing this with different file formats, and so far .vbs and .js are not targeted.