
Kaspersky not detect and block abnormal encrypt files activities



JohnCateer86
Posted

Hello,

Kaspersky Endpoint Security cannot detect a PS1 file containing an abnormal script that encrypts files, as shown in the attached files.

Could Kaspersky verify this again?

https://github.com/Tai-bdev-vn/Encrypt-Delete-Test/blob/main/EncryptDelTestv4.1.ps1.txt

(attached screenshots: 1.PNG, 2.PNG, 3.PNG)

harlan4096
Posted

Welcome to Kaspersky Community.

 

I tested that .jar in a virtual machine with KES 12.8 + W11, and can confirm that KES does not warn about the encrypting...

 

But some considerations about that tool:

 

It seems it's a POC (proof-of-concept tool), which of course uses legitimate operating system commands to encrypt the system, so this makes it difficult to discern the really malicious behavior of the script.

 

Also, does that tool really behave maliciously, enough for Kaspersky to consider it malicious? 🤔

JohnCateer86
Posted

I tested other vendors, and they all detected and blocked it. It seems that other vendors are better at preventing ransomware compared to Kaspersky.

(attached screenshots: jon_01_BD.jpg, jon_02_TrendMicro.jpg, jon_03_sophos.jpg)

 

Flood and Flood's wife
Posted (edited)
42 minutes ago, JohnCateer86 said:

I tested other vendors, and they all detected and blocked it. It seems that other vendors are better at preventing ransomware compared to Kaspersky.

 

Hello @JohnCateer86

IF (you) have licensed Kaspersky software, (you're) more than welcome to submit the files via (your) company account and request that they get sent to Kaspersky's Virus Lab experts for analysis. Make sure to zip the files, password-protect the archive using either MALICIOUS or INFECTED as the password, and tell support the password.

Also, these documents may interest (you) - for general information; they're available in the Home user's repository: https://support.kaspersky.com/b2c/global


Thank you🙏
Flood🐳+🐋

harlan4096
Posted

I've reported the tools (the .ps1 and the .jar) and am waiting for the verdict from K. analysts.

 

Still, that's a simulator, a POC, not real ransomware... and it needs the user's intervention to encrypt and decrypt.

JohnCateer86
Posted

I still haven't seen any updates on Kaspersky being able to detect and prevent this behavior, while other vendors offer good protection. LOL😆

JohnCateer86
Posted

If the scripts above are saved as .ps1 files, Kaspersky can detect and block them. However, if they are obfuscated or executed directly by an attacker, Kaspersky cannot detect the abnormal behavior or prevent the attack.

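The two observations in this thread (harlan4096's point that the POC only uses legitimate OS commands, and the last post's point that a file-based detection of the .ps1 is lost once the script is obfuscated or run directly) both come down to the same question: what does "abnormal encrypt activity" look like when you cannot rely on the script's text? The PowerShell below is an added example, not code from the thread, from the linked POC, or from any of the products mentioned. It flags files that were rewritten within a short window and came back as near-random data (Shannon entropy close to 8 bits/byte), which is what encryption leaves behind regardless of how the encrypting script was launched. The directory, thresholds, and the sample files it creates are constructed for illustration.

```powershell
# Added example (hypothetical): behaviour-based check for mass encryption.
# It does not look at any script; it looks at what happened to the files.

function Get-ShannonEntropy {
    # Bits of entropy per byte: ~4-5 for plain text, ~8 for ciphertext or random data.
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $len = [double]$Bytes.Length
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $len; $h -= $p * [math]::Log($p, 2) }
    }
    return $h
}

function Find-SuspiciousRewrites {
    # Thresholds are assumptions chosen for this demo, not product settings.
    param(
        [string]$Path,
        [int]$WindowSeconds = 60,          # only files modified this recently count
        [double]$EntropyThreshold = 7.5,   # above this, content looks encrypted
        [int]$MinFiles = 3                 # alert only when several files flip together
    )
    $cutoff = (Get-Date).AddSeconds(-$WindowSeconds)
    $hits = @(foreach ($f in Get-ChildItem -Path $Path -File -Recurse) {
        if ($f.LastWriteTime -lt $cutoff) { continue }
        $h = Get-ShannonEntropy -Bytes ([System.IO.File]::ReadAllBytes($f.FullName))
        if ($h -ge $EntropyThreshold) {
            [pscustomobject]@{ File = $f.FullName; Entropy = [math]::Round($h, 2); Modified = $f.LastWriteTime }
        }
    })
    [pscustomobject]@{
        Suspicious = ($hits.Count -ge $MinFiles)
        Count      = $hits.Count
        Files      = $hits
    }
}

# --- demo on constructed data in a throwaway temp directory ---
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ("entropy-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
1..5 | ForEach-Object {
    # ordinary text: low entropy, must not trigger
    Set-Content -Path (Join-Path $dir "doc$_.txt") -Value ("Quarterly report line " * 200)
}
"Before simulated encryption:"
Find-SuspiciousRewrites -Path $dir | Format-List Suspicious, Count

# Simulate what an encrypting script does, whatever its source text looks like:
# overwrite each file in place with random bytes.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
Get-ChildItem -Path $dir -File | ForEach-Object {
    $buf = New-Object byte[] 4096
    $rng.GetBytes($buf)
    [System.IO.File]::WriteAllBytes($_.FullName, $buf)
}
"After simulated encryption:"
$result = Find-SuspiciousRewrites -Path $dir
$result | Format-List Suspicious, Count
$result.Files | Format-Table File, Entropy

Remove-Item -Path $dir -Recurse -Force
```

Run it from any PowerShell 5.1 or 7 session; the first report shows Suspicious = False with Count = 0, the second shows Suspicious = True with all five files listed. A scheduled scan like this is a poor substitute for real-time protection (it only sees the damage after the fact), but it is the kind of signal an EDR has to reason from when the script itself is obfuscated or typed in interactively, and it makes clear why a POC that drives the same rewrites through legitimate commands can still look identical to real ransomware at the file-system level.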
