Kaspersky Beta

Unable to completely block the behavior of a malicious sample

Category: [2021] Application Control (HIPS, SW, Firewall, IDS, TAM)
7 Posts, 2 Posters, 4.1k Views
#1 huang1111 ([2021] Diamond BT), last edited by Jarvis

Reproduction steps:
Double-click this sample and wait for some time. The sample will run automatically. When the sample shows malicious behavior, Kaspersky detects the malicious program but does not promptly pop up the prompt window and block the malware's behavior, so this malicious sample successfully carried out malicious acts and also destroyed the system (the language in some places has changed); Kaspersky did not recover the files the computer lost.

Actual result:
Kaspersky did not promptly stop the malicious behavior of the virus sample, and did not delete the original file in time.

Expected result:
Kaspersky promptly blocks the malicious behavior of the virus sample and deletes the original file in time.

Report download address: https://cloud.qainfo.ru/s/75oDrpeSbATxDgl
Trace download address: https://cloud.qainfo.ru/s/f2gEstyRl4wjQBy
Virus sample download address: https://cloud.qainfo.ru/s/YMl4Ms6hweGR05n
#2 Jarvis

Hello! How can I start malicious actions? I ran the program, I see roulette, but KTS doesn't detect it.

P.S. Please send such files in archives with a password.
#3 huang1111 ([2021] Diamond BT), last edited by huang1111

@jarvis said in Unable to completely block the behavior of a malicious sample (/post/6196):
> Hello! How can I start malicious actions? I ran the program, I see roulette, but KTS doesn't detect it. P.S. Please send such files in archives with a password.

Double-click this program; it will prompt the user to choose. Whenever it prompts, select the first option. If you can't reproduce it there, I can provide a video on Google Drive for you to watch online.
#4 huang1111 ([2021] Diamond BT)

@jarvis said in Unable to completely block the behavior of a malicious sample (/post/6196):
> Hello! How can I start malicious actions? I ran the program, I see roulette, but KTS doesn't detect it. P.S. Please send such files in archives with a password.

Video address: https://drive.google.com/file/d/1-oc3SXEO8bF8CYs0gbDqlaB-MDqG8kj6/view?usp=drivesdk
#5 Jarvis

Hello! Can you try to reproduce it?
I see that the file is being deleted before start.
#6 huang1111 ([2021] Diamond BT)

@jarvis said in Unable to completely block the behavior of a malicious sample (/post/6338):
> Hello! Can you try to reproduce it? I see that the file is being deleted before start.

Hello, when I first tested this sample, I found that Kaspersky could not completely prevent its behavior, but it was soon added to the feature library by Kaspersky. Then I ran this sample through VMProtect and found that Kaspersky still couldn't completely stop its behavior, and I reported it here, but then the sample was reported again by some people and added to the feature library, so I can only say that it has not been reproduced, but a similar sample may still cause damage to the user's data.
#7 Jarvis

I think it can be closed. This sample is detected by Kaspersky.