This BAT ransomware can bypass Xcitium Client Security. The ransomware does not use whitelisted-file (trusted EXE) loading, yet HIPS and the sandbox do not detect any of its activity.
Are you saying it will bypass XCS because it is not listed as detected on VirusTotal, or did you test the sample and it was able to bypass XCS and encrypt the machine?
I have actually executed the virus sample; Comodo's HIPS and sandbox had no reaction at all. I analyzed the encryption method of this virus: it uses cmd to call certutil, and each call encrypts only one file. However, when the virus was executed, the Comodo sandbox did not isolate it, and HIPS did not prompt for the CMD calls, the certutil execution, the file modifications or any other behavior, which is very strange. Previously this only happened when a trusted EXE file was used to load a malicious DLL to bypass the defense; getting no response this time is very strange.
In addition, the problem of trusted EXEs loading malicious DLLs was first raised by me in this forum, back when the forum was still very simple, and Comodo later added this defense to the software. I now see the defense in the software settings under Advanced Defense > Other, at the bottom.
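The behavior described above (cmd.exe spawning certutil.exe once per file, so the damage is a burst of short-lived child processes rather than one long-running encryptor) is something a HIPS or SIEM rule can key on even when no single certutil call looks malicious. The detection below is an added example, not code from the thread or from Xcitium/Comodo. It runs over constructed Sysmon-style process-creation lines (a made-up pipe-delimited format, not Sysmon's real XML); the post does not say which certutil switch the sample uses, so the sample lines assume `-encode` purely as an illustration, and the function names and thresholds are hypothetical.

```python
"""Flag a burst of cmd.exe -> certutil.exe child processes, each touching a
different file, which is the per-file "encryption" fan-out described above.

Added example; the event format, -encode switch and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed process-creation events (NOT real telemetry):
# timestamp|pid|ppid|image|parent_image|command_line
SAMPLE_EVENTS = [
    r'2024-05-01T10:00:00|4100|3900|C:\Windows\System32\cmd.exe|C:\Windows\System32\wscript.exe|cmd.exe /c locker.bat',
    r'2024-05-01T10:00:01|4101|4100|C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|certutil -encode "C:\Users\bob\Documents\report.docx" "C:\Users\bob\Documents\report.docx.lock"',
    r'2024-05-01T10:00:02|4102|4100|C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|certutil -encode "C:\Users\bob\Documents\budget.xlsx" "C:\Users\bob\Documents\budget.xlsx.lock"',
    r'2024-05-01T10:00:03|4103|4100|C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|certutil -encode "C:\Users\bob\Pictures\img1.jpg" "C:\Users\bob\Pictures\img1.jpg.lock"',
    r'2024-05-01T10:00:04|4104|4100|C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|certutil -encode "C:\Users\bob\Pictures\img2.jpg" "C:\Users\bob\Pictures\img2.jpg.lock"',
    r'2024-05-01T10:00:05|4105|4100|C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|certutil -encode "C:\Users\bob\Desktop\notes.txt" "C:\Users\bob\Desktop\notes.txt.lock"',
    # Benign control: an admin decoding one certificate from an interactive cmd.
    r'2024-05-01T10:05:00|5200|5100|C:\Windows\System32\certutil.exe|C:\Windows\System32\cmd.exe|certutil -decode C:\temp\cert.b64 C:\temp\cert.cer',
]

# Tokenizer that keeps quoted Windows paths (which may contain spaces) intact.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_event(line):
    """Split one constructed event line into a dict with typed fields."""
    ts, pid, ppid, image, parent, cmdline = line.split("|", 5)
    return {
        "ts": datetime.fromisoformat(ts),
        "pid": int(pid),
        "ppid": int(ppid),
        "image": image.lower(),
        "parent": parent.lower(),
        "cmdline": cmdline,
    }


def certutil_file_args(cmdline):
    """Return the non-switch arguments of a certutil command line (its file paths)."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)][1:]
    return [t for t in tokens if not t.startswith(("-", "/"))]


def is_cmd_spawned_certutil(ev):
    """True when certutil.exe was launched directly by cmd.exe."""
    return ev["image"].endswith("certutil.exe") and ev["parent"].endswith("cmd.exe")


def detect_certutil_fanout(lines, min_files=5, window=timedelta(seconds=30)):
    """Alert when one cmd.exe parent drives certutil over >= min_files distinct
    input files inside `window`. A single certutil call (the benign control)
    never trips this; a per-file loop does."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if not is_cmd_spawned_certutil(ev):
            continue
        files = certutil_file_args(ev["cmdline"])
        if files:
            # First path argument is the input file being consumed.
            by_parent[ev["ppid"]].append((ev["ts"], files[0]))

    alerts = []
    for ppid, hits in by_parent.items():
        hits.sort()
        for start_ts, _ in hits:
            in_window = {f for t, f in hits if start_ts <= t <= start_ts + window}
            if len(in_window) >= min_files:
                alerts.append({"parent_pid": ppid,
                               "distinct_files": len(in_window),
                               "first_seen": start_ts})
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_certutil_fanout(SAMPLE_EVENTS):
        print("certutil fan-out from cmd.exe:", alert)
```

The rule deliberately ignores the certutil switch itself: whether the sample base64-encodes, copies or otherwise rewrites each file, the tell is one cmd.exe parent fanning out a fresh certutil child per victim file. Tune `min_files` and `window` against your own baseline, since build scripts and certificate tooling occasionally invoke certutil from cmd a few times in a row.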
I did my own test earlier, running XCS, IS Premium and the new beta all 3 at the same time. I chose those 3 as I wanted to get a better picture of the versions, home and business. All sections were enabled except script analysis, which was disabled for all 3 VMs. I had 145 fileless malware samples, none older than 3 days, and ran them all. The majority did open and were not running in containment and had no green border; they ran a couple of commands etc. After the test was done, I had 3 startup items on each of the 3 VMs, and 98 of the 145 samples were still unknown at the end of the test. I had no ransomware infection, and Sophos, NPE, ESET online scanner and Malwarebytes found only a handful of problems. This was interesting, and I'm glad you guys mentioned this, as I didn't know script analysis played such a big part in containment. I think the ransomware infection you had could just be down to the sample you tested with; I might not have had a similar one, or maybe some other rules I have in HIPS etc. It's good to test products so we can help to improve them.