#1531 Unable to completely block the behavior of a malicious sample
-
Rejected
Reproduction steps:
Double-click this sample and wait for some time. The sample will run automatically. When the sample shows malicious behavior, Kaspersky detects the malicious program, but does not promptly pop up the prompt window and block the malware behavior. As a result, this malicious sample successfully carried out malicious acts and also destroyed the system (the language of some places has changed), and Kaspersky did not recover the files lost by the computer.
Actual result:
Kaspersky did not promptly stop the malicious behavior of the virus sample, and did not delete the original file in time.
Expected Result:
Kaspersky promptly blocks the malicious behavior of the virus sample and deletes the original file in time.
Report download address: https://cloud.qainfo.ru/s/75oDrpeSbATxDgl
Trace download address: https://cloud.qainfo.ru/s/f2gEstyRl4wjQBy
Virus sample download address: https://cloud.qainfo.ru/s/YMl4Ms6hweGR05n
System Settings
Operating system: Win 10, x64
System: Intel Core i7 4790k, Western Digital 2T black disk
Product: KIS
Product Version: 21.0.16.613
Language: zh-CN
Product Logs: https://cloud.qainfo.ru/s/f2gEstyRl4wjQBy
-
-
@jarvis said in Unable to completely block the behavior of a malicious sample:
Hello! Can you try to reproduce it? I see that the file is being deleted before start.
Hello, when I first tested this sample, I found that Kaspersky could not completely prevent its behavior, but it was added to the feature library by Kaspersky soon. Then I ran this sample through VMProtect and found that Kaspersky still couldn't completely stop its behavior, and I reported it here, but then the sample was reported again by some people and added to the feature library, so I can only say that it has not been reproduced, but a similar sample could still cause damage to the user's data.
-
-
@jarvis said in Unable to completely block the behavior of a malicious sample:
Hello! How can I start malicious actions? I ran the program, I see roulette, but KTS doesn't detect it. P.S. Please send such files in archives with a password.
Video address: https://drive.google.com/file/d/1-oc3SXEO8bF8CYs0gbDqlaB-MDqG8kj6/view?usp=drivesdk
-
@jarvis said in Unable to completely block the behavior of a malicious sample:
Hello! How can I start malicious actions? I ran the program, I see roulette, but KTS doesn't detect it. P.S. Please send such files in archives with a password.
Double-click this program and it will prompt the user to choose. Whenever it prompts, select the first option. If you can't reproduce it here, I can upload a video to Google Drive so you can watch it online.
-