Virus is partially bypassing Defence Plus

Original thread is here.

I allowed the virus (VBS script) to execute and then denied all actions by the scripting host, with all custom rules and paranoid settings, and all filters/monitors of Defence Plus enabled.

CFP doesn't monitor setting hidden attributes on files and folders, and the malware is able to hide ALL folders on the C drive, including the Windows directory and the Program Files folder.

Hope they can add this feature.

Not sure how you feel it’s partially bypassing anything when you allowed it to run…

Setting the hidden attribute doesn’t really do anything… It’s just a hint to programs to hide the file. But yes, monitoring it would be useful.
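As an added illustration of the kind of monitoring being asked for (not code from the thread or from Comodo), a small Python check that baselines the Windows attribute bits of the top-level entries on a drive and flags a burst of entries that went from visible to hidden between two snapshots. The sample snapshots are constructed, and the alert threshold is an assumption.

```python
import os
from typing import Dict, List, Tuple

# Windows attribute bits (as exposed by os.stat().st_file_attributes on Windows).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20


def snapshot_attributes(root: str) -> Dict[str, int]:
    """Map each top-level entry under `root` to its attribute word.
    st_file_attributes only exists on Windows; elsewhere every entry reads as 0."""
    snap: Dict[str, int] = {}
    with os.scandir(root) as it:
        for entry in it:
            st = entry.stat(follow_symlinks=False)
            snap[entry.name] = getattr(st, "st_file_attributes", 0)
    return snap


def newly_hidden(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """Entries whose hidden bit was clear in `before` and is set in `after`.
    Entries that were already hidden (e.g. pagefile.sys) are not reported."""
    return sorted(
        name for name, attrs in after.items()
        if attrs & FILE_ATTRIBUTE_HIDDEN
        and not (before.get(name, 0) & FILE_ATTRIBUTE_HIDDEN)
    )


def mass_hide_alert(before: Dict[str, int], after: Dict[str, int],
                    threshold: int = 3) -> Tuple[bool, List[str]]:
    """Flag a burst of hiding: a user toggling one file is normal, but several
    previously visible top-level folders going hidden at once matches the
    behaviour described above. `threshold` is an assumed tuning value."""
    hidden = newly_hidden(before, after)
    return len(hidden) >= threshold, hidden


# Constructed snapshots standing in for two scans of C:\ (not real data).
BASELINE = {
    "Windows": FILE_ATTRIBUTE_DIRECTORY,
    "Program Files": FILE_ATTRIBUTE_DIRECTORY,
    "Users": FILE_ATTRIBUTE_DIRECTORY,
    "$Recycle.Bin": FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM,
    "pagefile.sys": FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM,
}
AFTER_INFECTION = dict(BASELINE)
for _name in ("Windows", "Program Files", "Users"):
    AFTER_INFECTION[_name] = FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN

if __name__ == "__main__":
    print(mass_hide_alert(BASELINE, AFTER_INFECTION))  # (True, ['Program Files', 'Users', 'Windows'])
```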

That’s exactly right, and more people need to understand the importance of that statement.

Remember how most people thought Malware Defender (MD) was bullet-proof? Well, 3 POCs were released recently that have caused Xiaolin to think about re-designing MD!

If you let something unknown/untrusted run on your REAL system, there are many ways for malware to pounce. The only way to be truly “100%” is to deny execution at the gate. This is one big reason why I no longer use Classical HIPS in the everyday usage of my computer - there’s just no need. A simple anti-executable program is the way to go, and there really isn’t anything stronger (or cheaper or lighter) than (LUA) + SRP. Combine this with Sandboxie blocking/containing all your malware “threat-gates” and you have the strongest, lightest, (cheapest), and “set and forget” setup ever!

However, aigle does have a point here I think. Defense+ could probably be improved on to control the behaviour of files better (for whatever reason). I was just making the point of how to truly be “100%” haha. Cheers.

Yes, my main point is that CFP should monitor assigning hidden attributes to files/folders.

Then perhaps the thread title should reflect that?

It may be a bypass for some at least. Important IMO too. See the original thread.

Yes, I guess you are correct. It may be a bypass for some malware that people have partially allowed to run… 88)

Has anyone alerted a developer yet, if this bypass really exists?

eXPerience

It's more tricky as it's a VBS script; in fact, one can just allow the scripting host to execute.