A malicious behavior which is not intercepted by Defence Plus v4

This type of behavior was once discussed as a POC here.

Now I found a malware that does almost the same thing. The thread is here. GesWall, Malware Defender, Online Armor and CFP are all unable to stop this behavior, while DefenceWall and Sandboxie were able to stop it.

I wish Defence Plus to intercept this.

What I noticed with the Mabezat worm under Sandbox -

When I run it with the “limited” restriction policy:

  1. The worm creates many files, but they are created inside the sandbox folder, and the real system is not affected.
  2. The bad thing is that it is able to close the CIS GUI. But you can re-open it from the minitray.

When I run it with the “restricted” restriction policy:

  1. The worm, again, creates many files, though inside the sandbox, but it cannot close the GUI.
     So the worm is completely ineffective if run under the sandbox with the restriction level set to "restricted".

When I run it with the “untrusted” restriction level the worm does not run.

What I noticed with the mouse-freezer POC posted long back:

When I run it as limited or restricted the POC fails in trying to hang the mouse, and I get a lot of direct keyboard access alerts.

When I run it as untrusted, again the POC fails, but no logs (neither direct keyboard access nor any other) are recorded in the Events Viewer.