You can't intercept this bat ransomware

This BAT ransomware can ignore Xcitium Client-Security. The ransomware does not take advantage of whitelisted file loading; however, HIPS and the sandbox cannot detect any of its activity.

VirusTotal - File - 82c924171590a1c17fc1671d6e187d0ef4193173cc1b33bd398f1e2b0e30d8cf

Hi @leung2

I will forward the details with the verdict team and get back to you with feedback.

Are you saying it will bypass XCS because it’s not listed as detected on virus total or did you test the sample and it was able to bypass XCS and encrypt the machine?

I actually executed the virus sample; Comodo's HIPS and sandbox did not react at all. I analyzed the encryption method of this virus: it uses cmd to call certutil, and each call encrypts only one file. However, when the virus was executed, the Comodo sandbox did not isolate it, and HIPS did not prompt on the CMD calls, the certutil execution, the file modifications or the other behaviors, which is very strange. Previously this only happened when trusted EXE files were used to load malicious DLLs to bypass the defense; this time the complete lack of a response is very strange.

In addition, the problem of trusted EXEs loading malicious DLLs was first raised by me on this forum, back when the forum was still very simple, and Comodo later added this defense to the software. I now see the defense in the software settings under Advanced Defense - Other, at the bottom.

Below is a sample of the virus, password: infected (please execute it on a virtual machine)
b6 ransomware.7z - Krakenfiles.com
Upload files for free - b6 ransomware.7z - ufile.io

Animation
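As an added example (not code from the thread or from Xcitium), here is a small detector that flags the behaviour described in the post above: a cmd.exe parent spawning certutil.exe once per file in a short burst. The record format, the file paths and the use of certutil's -encode switch in the sample records are constructed assumptions for the demonstration.

```python
# Added example (not from the thread): flag a burst of certutil.exe processes
# spawned by cmd.exe that each touch a different file, the "one certutil call
# per file" pattern described in the post. Record format is constructed:
#   timestamp|parent image|image|command line
import re
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. The last line is a benign
# certutil use with a different parent and must not be counted.
SAMPLE_EVENTS = r"""
2024-05-01T10:00:01|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -encode C:\Users\a\Documents\q1.docx C:\Users\a\Documents\q1.docx.enc
2024-05-01T10:00:02|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -encode C:\Users\a\Documents\q2.xlsx C:\Users\a\Documents\q2.xlsx.enc
2024-05-01T10:00:02|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -encode C:\Users\a\Pictures\p.jpg C:\Users\a\Pictures\p.jpg.enc
2024-05-01T10:00:03|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -encode C:\Users\a\Desktop\n.txt C:\Users\a\Desktop\n.txt.enc
2024-05-01T10:05:00|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil -hashfile C:\tmp\setup.exe SHA256
"""

WINDOW = timedelta(seconds=60)   # burst length to examine
THRESHOLD = 3                    # distinct files per window before alerting
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')

def parse_events(text):
    """Yield (time, parent_image, image, command_line); images lower-cased."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        yield datetime.fromisoformat(ts), parent.lower(), image.lower(), cmdline

def input_file(cmdline):
    """First path-looking token on the command line, i.e. the file certutil reads."""
    paths = PATH_RE.findall(cmdline)
    return paths[0].lower() if paths else None

def find_certutil_bursts(text, window=WINDOW, threshold=THRESHOLD):
    """Return [(burst_start, [files])] for cmd.exe -> certutil.exe bursts."""
    hits = sorted(((t, input_file(c)) for t, p, i, c in parse_events(text)
                   if p.endswith("\\cmd.exe") and i.endswith("\\certutil.exe")),
                  key=lambda h: h[0])
    alerts, idx = [], 0
    while idx < len(hits):
        t0 = hits[idx][0]
        burst = [(t, f) for t, f in hits[idx:] if t - t0 <= window]
        files = {f for _, f in burst if f}
        if len(files) >= threshold:
            alerts.append((t0, sorted(files)))
            idx += len(burst)        # one alert covers the whole burst
        else:
            idx += 1
    return alerts
```

On the constructed records this yields a single alert listing the four files touched from cmd.exe, while the explorer.exe-spawned hashing call is ignored.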

The initial sample in this thread is not very well coded, so not very enjoyable.

However the B6 sample in the post above shows the IMPORTANCE of making sure that Script Analysis is left at the Default (Enabled).

I actually did a video on my channel last week about this:

But if you have a VM, further samples of this ilk can be found:
HMV:

CXK-NMSL V3.2

But with Containment (even at default) AND Script Analysis at default, all will be blocked with ease.


I just uploaded the ransomware to Xcitium and it says it's Malicious.

Yes, they are both ransomware, for testing Containment in a VM.

After re-testing, it turns out that you are right: script analysis needs all CMD items enabled before the defense can be triggered.


The green border indicates it's in the sandbox.

I can’t see how containment missed this, even with script analysis disabled. What are your containment rules? Can you give a screenshot of them?

+1, interested in this

I used the default rule for the test

Rules from the lv1, 2 or 3 security profile?

With Script Analysis disabled, Containment will ignore various script malware. I did a video which used a Java malware file as an example:

The Importance Of Comodo’s Script Analysis

I did my own test earlier: XCS, IS Premium and the new beta, running all 3 at the same time. I chose the 3 as I wanted to get a better picture of the versions, home and business. All sections were enabled except script analysis, which was disabled for all 3 VMs. I had 145 fileless malware samples, none older than 3 days, and ran them all. The majority did open and were not running in containment, with no green border; they ran a couple of commands etc. After the test was done, I had 3 startup items on each of the 3 VMs, and 98 of the 145 malware samples were still unknown at the end of the test. I had no ransomware infection, and Sophos, NPE, ESET online scanner and Malwarebytes found only a handful of problems. This was interesting and I'm glad you guys mentioned this, as I didn't know script analysis played a big part in containment. I think the ransomware infection you had could just be the sample you tested with; I might not have had a similar one, or maybe it's some other rules I have in HIPS etc. It's good to test products so we can help to improve them.

Hi @leung2

The issue raised by you regarding the malware has been resolved by the team. It will be detected correctly now.

Thank you