DeepGuard weakness!!

Hi
I agree that DeepGuard is one of the best behavior blockers out there, but
it is so weak against scripts whose payloads are not a PE/exe file; in these cases DeepGuard can't stop the script,
especially PowerShell, .vbs, JavaScript, etc. (it fails against some .exe too).
If you don't plan to make it stronger, it can do nothing against new threats.
In a test, a .vbs RANSOMWARE encrypted all the files and DeepGuard did nothing.
I can send you screenshots if you want.
Comments
DeepGuard can be bypassed this way easily!
(test done by my friend on the MalwareTips forum)
one weakness I've found in F-Secure and other Behavior Blockers is that the most common way to escape the behavior blocker is by using a trusted (but not super well known) process to do your dirty work.
If you use something too popular like Powershell or cmd.exe, behavior blockers are smart, especially thanks to AMSI. However, if you use something just mildly popular like a Node.JS runtime, a copy of Cygwin/MinGW, or in this case, 7-Zip, it seems to be blanket whitelisted by behavior blockers.
This piece of fake "malware", which I'm calling TrojanZipperPOC, does this:
All the files got encrypted even when Ransomware protection is enabled
This is a really, really trivial way of commandeering a known process to do your dirty work. It's not hard to trace the fact that 7z.exe was launched directly by an untrusted process, so I consider this to be a solvable vulnerability.
It wouldn't be impossible to distance the untrusted process further from 7z.exe. For example, scheduled tasks or startup items, or using a process to launch a process, etc. etc. etc. So consider this a dumb "5 minute" approach (that's literally how long it took for me to write this) to replicate an in-the-wild ransomware strategy.
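The post above says the parent/child relationship is the giveaway: 7z.exe (or node.exe, or a Cygwin shell) being started by something that is not a normal launcher. The script below is an added example written for this thread, not code from the MalwareTips poster or from F-Secure. It scores Sysmon-style process-creation records (field names Image, CommandLine, ParentImage, ParentCommandLine follow Sysmon Event ID 1; the records themselves are constructed for the example) and flags a trusted archiver or runtime whose parent runs from a user-writable path, is a script host such as wscript.exe, or is not on an allow-list of launchers. The allow-list and the 7-Zip switch list are assumptions to tune per environment.

```python
"""Flag process creations where a blanket-trusted tool (7z.exe, node.exe, ...)
is spawned by an untrusted parent. Records are JSON, one per line, with the
Sysmon Event ID 1 field names; all sample records below are constructed."""
import json
import ntpath

# Tools the post calls "mildly popular" and therefore blanket-trusted by
# behavior blockers; extend for your own estate.
ABUSABLE_CHILDREN = {"7z.exe", "7za.exe", "node.exe", "bash.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: launchers from which a user normally starts these tools.
ALLOW_LISTED_PARENTS = {"explorer.exe", "services.exe", "cmd.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Documented 7-Zip switches: -p (password), -mhe (encrypt headers),
# -sdel (delete source files after archiving). Seen together they make an
# archiver behave like a file-locking payload.
SEVEN_ZIP_HINTS = ("-p", "-mhe", "-sdel")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one process-creation record; 0 means nothing to report."""
    child = basename(ev["Image"])
    if child not in ABUSABLE_CHILDREN:
        return 0, []
    parent = basename(ev["ParentImage"])
    reasons = []
    if in_user_writable(ev["ParentImage"]):
        reasons.append("parent image in user-writable path")
    if parent in SCRIPT_HOSTS:
        reasons.append(f"parent is script host {parent}")
        scripts = [t for t in ev.get("ParentCommandLine", "").split()
                   if in_user_writable(t)]
        if scripts:
            reasons.append("script loaded from user-writable path: " + scripts[0])
    if child.startswith("7z"):
        hits = [t for t in ev["CommandLine"].split()
                if t.lower().startswith(SEVEN_ZIP_HINTS)]
        if hits:
            reasons.append("7-Zip encrypt/delete switches: " + " ".join(hits))
    if parent not in ALLOW_LISTED_PARENTS:
        reasons.append(f"parent {parent} is not an allow-listed launcher")
    return len(reasons), reasons


def detect(lines) -> list[dict]:
    """Parse JSON records and return one alert per record with a score > 0."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        score, reasons = score_event(ev)
        if score:
            alerts.append({"child": basename(ev["Image"]),
                           "parent": basename(ev["ParentImage"]),
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample records: a user-driven backup (benign), an archiver
# driven from a dropper in Temp, an archiver driven from a .vbs via wscript,
# a Node runtime started by an unlisted application, and an unrelated process.
SAMPLE_EVENTS = [
    r'{"Image":"C:\\Program Files\\7-Zip\\7z.exe",'
    r'"CommandLine":"7z.exe a D:\\backup.7z C:\\Users\\bob\\Documents",'
    r'"ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"explorer.exe"}',
    r'{"Image":"C:\\Program Files\\7-Zip\\7z.exe",'
    r'"CommandLine":"7z.exe a -pX9 -mhe -sdel C:\\Users\\bob\\Desktop\\locked.7z C:\\Users\\bob\\Desktop\\*",'
    r'"ParentImage":"C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe","ParentCommandLine":"invoice.exe"}',
    r'{"Image":"C:\\Program Files\\7-Zip\\7z.exe",'
    r'"CommandLine":"7z.exe a -sdel C:\\Users\\bob\\Pictures.7z C:\\Users\\bob\\Pictures",'
    r'"ParentImage":"C:\\Windows\\System32\\wscript.exe",'
    r'"ParentCommandLine":"wscript.exe C:\\Users\\bob\\Downloads\\resume.vbs"}',
    r'{"Image":"C:\\Program Files\\nodejs\\node.exe","CommandLine":"node.exe worker.js",'
    r'"ParentImage":"C:\\Program Files\\MyApp\\app.exe","ParentCommandLine":"app.exe"}',
    r'{"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe",'
    r'"ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"explorer.exe"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["score"], alert["parent"], "->", alert["child"], alert["reasons"])
```

Only the Temp dropper and the wscript case accumulate several independent reasons; the node.exe record gets a score of 1 purely because its parent is not allow-listed, which is the noisy tier you would tune with ALLOW_LISTED_PARENTS before alerting on it. The scoring is deliberately additive so that a single weak signal (an unlisted parent) does not page anyone, while a user-writable parent plus 7-Zip's encrypt-and-delete switches does.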
I don't care how technical one wants to get, the fact remains that certain ransomware cannot be stopped. Yesterday one actually infiltrated a Kaspersky user's system and locked in. The latest I read was it is unlikely to be decrypted because of its unique flavor.
I keep all important files backed up and let nature take its course. Then it's not so end of the world.
Hi @aamir
https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163346/F-Secure_DeepGuard.pdf
More information about how to protect against ransomware:
https://blog-assets.f-secure.com/wp-content/uploads/2019/11/20112058/ransomware_ppdr_2019.pdf
I understand that F-Secure doesn't just rely on DeepGuard and just wanted to inform you that DeepGuard can be bypassed this way.
After all, I really appreciate that you didn't deny it (like other companies) and are working on improving DeepGuard and other parts.