Am I infected?


I obtained a malicious script on my PC for the purpose of placing it into online sandboxes for analysis when I accidentally ran it. An error popped up saying, “This file can’t run, contact your administrator”. But Kaspersky didn’t block anything. I tried running another safe script file and I got the same error, so it might not have run - the HIPS logs say no script-related processes have started. Whenever I tried placing this into online sandboxes, Safe Browsing gave me a malicious detection because of the file, but when I tried scanning it, it came out clean. Am I infected?

Edited by Xeno2ig

Welcome to Kaspersky Community,

I guess you have set up your K. with the Default Deny approach; if so, I would say you are not infected.

Anyway, in Reports -> Intrusion Prevention, you should check if there is some entry about a possible execution blocking.


3 hours ago, harlan4096 said:

Welcome to Kaspersky Community,

I guess you have set up your K. with the Default Deny approach; if so, I would say you are not infected.

Anyway, in Reports -> Intrusion Prevention, you should check if there is some entry about a possible execution blocking.

Nothing about any scripts executing


1 hour ago, harlan4096 said:

Probably that script could not run in your system due to a different cause: it needs some 3rd party apps and/or DLLs, etc...

But that execution error may also be due to the K. Default Deny approach...

I also use Simple Windows Hardening - I’ve noticed any file scripts can’t run. I made one not malicious and I ran it, same error but not blocked by Kaspersky.

Anyways, does K Default Deny block JS Files?


Ah, if using SWH then that was probably the cause... some of the changes applied to the system.

Quote

Anyways, does K Default Deny block JS Files?

Yes, unless they are known and trusted by KSN, all the unknown in general -> Untrusted group -> Won't run.


2 hours ago, harlan4096 said:

Ah, if using SWH then that was probably the cause... some of the changes applied to the system.

Yes, unless they are known and trusted by KSN, all the unknown in general -> Untrusted group -> Won't run.

Not sure what SWH does with scripts, but for me it seems they can’t run. I don’t mind that - I don’t use them.


Is there any reason, though, that whenever I scanned the file with right click it wasn’t detected, but whenever I uploaded it to an analysis website, Safe Browsing gave me a malicious script detection because I was uploading it?


2 hours ago, harlan4096 said:

Can you send it to me via personal msg of the Community, compressed with password "infected".

I will when I get home.

I need to check if I had default deny enabled - I had to turn it off for something. No scripts are placed in low restricted (the default). Would I still be good?


6 minutes ago, harlan4096 said:

If the script did not run... 🤷‍♂️

I’m ensuring it didn’t run - I’ve seen malware pop up with fake errors - but it probably didn’t run because of nothing weird in HIPS logs and SWH.
