This is how you can reproduce this possible bypass. You must ahve more than one disk or partitions on ur PC.
Download and extract/ install XYplorer portable from here.
http://www.portablefreeware.com/index.php?q=xyplorer&m=SearchPut Defence Plus in Paranoid mode with Proactive Security configuration.
Open Defence Plus Pre-defined Security Policies and make a test policy. Allow only file access and Deny all other actions in this policy( see pic 1).
Now execute the malware b.css exe via cmd.exe and allow first execution pop up, allwoing execution of b.css by cmd.exe( see pic 2).
On second pop up alert choose test policy made by us( Pic 3) for b.css. Now Defence Plus will deny ecery single action by b.css without a pop up except file acess that will produce pop up alerts. Allow all file access( create/ modify/ delete) pop up alerts. Malware will create an autorun.inf file and a TPR.pif file in root directory of each hard disk partition. They will be hidden though, not visible via explorer.exe. Let the malware run and Open xyplorer by executig XYplorerfree.exe.
Navigate to one of your non-OS partitions( D, E, etc), locate TPR.pif file and double click on it to execute it via XYplorer( Pic 4).
Now here ius the point. One would expect here a pop up about TPR.pif being executed by XYplorer.exe. But interestingly instead you will first get two weired alerts about XYplorer.exe:
1- XYplorer.exe trying to access DNS/ RPC client service( Pic 5)
2- XYplorer.exe trying to access internet( Pic 6)
It,s after these two alerts that you get an alert about TPR.pif being executed by XYplorer.exe( Pic 7).
Now my question is how this malware manipulated XYplorer to access internet without any pop up alerts by Defence Plus about XYplorer manipulation or any windows message to xyplorer by the malware. Malware was never allowed to do anything excpet file creation etc. due to the test policy imposed on it?
Hope I have made my point clear. I need your opinions. Thanks
Author