What happens if a virus is executed in a game? / In an excluded folder

Let's say you install a game in a folder that is excluded from the antivirus scan.
And, like in the current Lua worm case in Garry's Mod, a worm spreads itself.

Is the computer unprotected?
Can the virus change things on the computer/operating system in folders and processes that aren't excluded? Without being detected? (By behaviour … Defense+, Viruscope)
Can the virus act freely in the excluded folder?

Does Viruscope have an effect on processes that are "spawned" in folders excluded from the antivirus?

These are several questions, and not all in a single "area" or problem zone …

Is the computer unprotected?
Let's say you install a game in a folder that is excluded from the antivirus scan.
You give yourself the answer: excluded from the antivirus scan, so it is not protected.
I understand it like this: you ask your antivirus not to protect this folder …
Download a game, analyze it and run it (better to try it in a sandbox if you are not sure).

Can the virus change things on the computer/operating system in folders and processes that aren't excluded?
As soon as a virus/worm/malware is inside, you are infected; the behavior depends on its program. Some of them are malicious, invisible, harmless; others manage, remote-control and take all the rights of your computer and can destroy, send, change all that they want, obviously, even if the other zones are protected and only your game folder is not, because a virus knows how to do that …

Without being detected?
If you have unchecked real-time scanning, excluded the folder from the antivirus scan and installed your game there (it is your choice), and have not configured your firewall to react as a second protection, and if a Windows native protection (kernel, for example) or Windows Firewall/Defender does not suddenly become active to protect you: yes, it will not be detected, or at least maybe at 75% and not at 100%.

(By behaviour … Defense+, Viruscope)
It depends on your configuration: whether you check it or not … (same answer as written just above) and the precautions you take when you download and install an untrusted program.

Can the virus act freely in the excluded folder?
(Same answer as written just above.)
It depends on its program; most of the time, no. The virus goes everywhere and can go undetected in the folder and act outside it. It can even duplicate itself and look inoffensive, where one part could seem "safe" in your folder (for example) and the other part will be outside of your folder: the real poison. Its task is to destroy and control your network/computer/folder/applications.

Does Viruscope have an effect on processes that are "spawned" in folders excluded from the antivirus?

I cannot answer you; I am not competent enough. But if you read the topics about Viruscope on this site, you will maybe find the right information.

Thx.

Sorry, but your explanations do not answer the question.
Because the antivirus was added for user-friendliness. Comodo is default deny. Without auto-sandbox.

So, the question is: if the antivirus does not scan a folder, and an allowed program is running, can a script or virus out of the program infect and change the computer?
Just because the antivirus is not scanning this folder?

Dear Sir Clockwork,

First line of my answer: you give yourself the answer [ … ] so it is not protected.

So, the question is: if the antivirus does not scan a folder, and an allowed program is running, can a script or virus out of the program infect and change the computer? YES, it can!
Just because the antivirus is not scanning this folder? YES, that is right.

Sorry, but your explanations do not answer the question.
YES, it does!
And you did not read it.
[But a minimum of protection is running, and it seems not enough to stop 100% of the malware … without explanations, it will look incoherent.]

PS: CIS, like others, must be configured correctly for maximum protection.

Thx.

If you remember, the antivirus is the third line of defense.

So my question is not answered.

If you were right, Comodo would be like an antivirus based on detection.

If the files are excluded from the antivirus, then all the other components will still act as normal. If the files are in the Trusted Files list, they will be able to do what they want.

Below is my own speculative guess based on the different ways a game could use the Lua script and how the BB/HIPS etc. work. I haven't tested this and it's very much just a guess.

clockwork, how does the Lua worm spread technically, and what does it do?

If the game receives the script from another client and simply receives the data without putting it in a .lua file (e.g. keeping the Lua data in memory and executing it from there), and the game then executes the code itself, then neither the BB nor the HIPS nor the AV will help you.

Why?:
AV - There is no file to scan in the above scenario; there is only the gmod executable.
BB - Same reason as the AV: there is no unknown executable running.
HIPS - You most likely have already set gmod as an allowed application.

However, we also have Viruscope, but I do not believe that it works on trusted applications. If gmod.exe is not trusted but is added to your HIPS rules as allowed, then Viruscope should work for it (I think). But now we get the issue that Viruscope hasn't really evolved into much yet, at least I don't think so, and if it did react to the actions carried out, it would most likely prompt you to remove the gmod executable.

Now keep in mind that the above is only true if the lua script data is downloaded into memory and run by the game executable.

Another way it could work is if the game downloaded a .lua script to somewhere on your machine, temp perhaps. In that case we still have two possibilities without the AV active: the game could either a) read the data of the file and execute the data itself, or b) execute the .lua script (keep in mind I do not know if .lua scripts are executables). In scenario a) the BB would not do anything and the HIPS probably would not do anything; Viruscope is the same as before. In scenario b) the BB would most likely sandbox the file and the HIPS would give you alerts; Viruscope will probably monitor the file, but since it doesn't recognize much, it might not detect it.

It's a worm that loads itself on game servers and spreads over connected clients.
It lets you post "cough" in Steam chat. That's the characteristic.
And it's possibly taking rcon passwords and other things.

So, in other words: in this scenario protection is based on detection by the antivirus.

From what you wrote I still don't have a full understanding of how it works, i.e. where/how it's saved and whether it's run as an executable or the game acts as the executable for the scripts, etc. These are all factors that decide whether or not a module of CIS will work against this worm.

See it like this until you get a better answer, though: you're using software with an exploit that (if I understand it correctly) is currently being exploited… Personally, I wouldn't use that software until the exploit was patched, or until the security solutions you have are proven to work against this rather than "should work" against it.

I can't tell you if and/or how CIS can protect against this without a full understanding of it; I can only speculate. (And I've made speculations that have proven to be wrong before.)

The source question is:
Does it matter from which location malware is started? Or is it enough that it starts to run to be detected, even if it originates from an excluded folder?

A malicious file will not be detected as long as it is in an excluded folder, if we are talking AV. It doesn't matter if you run it or not; excluded is excluded.
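To make the "excluded is excluded" point and the earlier in-memory-versus-dropped-file discussion concrete, here is a small toy model of a path-based file-scanner exclusion list. It is an added example, not code from this thread and not Comodo's actual implementation; the folder names, the `gmod.exe` actor and the `WORM-MARKER` signature are constructed for illustration. It shows three things a practitioner should expect from any path-based exclusion: a file written inside the excluded folder is never scanned, a file that the same game process drops outside that folder (including via a `..` traversal out of it) is still scanned because the exclusion applies to the file path and not to the process that created it, and code that a trusted host executable runs straight from memory never produces a file event for the scanner to see at all. It also shows why exclusion matching must be done per path component, so that excluding `C:\Games\GarrysMod` does not silently cover `C:\Games\GarrysMod2`.

```python
"""Toy model of a path-based antivirus exclusion list (illustration only;
this is NOT how CIS or any real product is implemented).

Demonstrates which on-access file events a scanner would see when a game
lives in an excluded folder.  Paths are treated as Windows paths, so the
example runs on any OS via the ntpath module.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed stand-in for a detection signature (not a real signature).
SIGNATURE = b"WORM-MARKER"


def _norm(path: str) -> str:
    """Canonicalise a Windows path: '/' -> '\\', collapse '.' and '..',
    lower-case (NTFS is case-insensitive), strip a trailing separator."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def is_excluded(path: str, exclusions: Sequence[str]) -> bool:
    """Component-wise prefix match.

    'C:\\Games\\GarrysMod' must cover 'C:\\Games\\GarrysMod\\lua\\x.lua' but
    neither 'C:\\Games\\GarrysMod2\\x.lua' (a sibling folder) nor
    'C:\\Games\\GarrysMod\\..\\..\\Windows\\x.lua' (which normalises to
    somewhere outside the excluded tree).
    """
    p = _norm(path)
    for ex in exclusions:
        e = _norm(ex)
        if p == e or p.startswith(e + "\\"):
            return True
    return False


@dataclass
class FileEvent:
    actor: str            # process image that caused the write / exec
    path: Optional[str]   # None when the code only ever exists in memory
    content: bytes


def scan_event(ev: FileEvent, exclusions: Sequence[str],
               signature: bytes = SIGNATURE) -> str:
    """What a purely file-based scanner would report for one event."""
    if ev.path is None:
        # No file was ever written: the scanner has nothing to look at.
        return "not scanned (no file: code executed in memory)"
    if is_excluded(ev.path, exclusions):
        # The exclusion is keyed on the file path, not on who wrote it.
        return "not scanned (path excluded)"
    return "DETECTED" if signature in ev.content else "clean"


def demo() -> List[Tuple[Optional[str], str]]:
    """Constructed events; every writer is the (trusted) game executable."""
    excl = [r"C:\Games\GarrysMod\\"]          # trailing '\' is tolerated
    game = r"C:\Games\GarrysMod\hl2.exe"
    events = [
        FileEvent(game, r"C:\Games\GarrysMod\lua\cache\worm.lua", SIGNATURE),
        FileEvent(game, "c:/games/GARRYSMOD/addons/worm.lua", SIGNATURE),
        FileEvent(game, r"C:\Games\GarrysMod2\worm.lua", SIGNATURE),
        FileEvent(game, r"C:\Users\Bob\AppData\Local\Temp\payload.lua", SIGNATURE),
        FileEvent(game, r"C:\Games\GarrysMod\..\..\Windows\Temp\x.lua", SIGNATURE),
        FileEvent(game, r"C:\Users\Bob\Documents\notes.txt", b"nothing here"),
        FileEvent(game, None, SIGNATURE),     # script run from memory by the game
    ]
    return [(ev.path, scan_event(ev, excl)) for ev in events]


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"{str(path):60} -> {verdict}")
```

Run it and the only events the scanner ever flags are the ones whose normalised path lies outside the excluded tree; the worm payload sitting inside the game folder and the copy executed straight from memory are invisible to the file scanner, which is exactly why the other CIS components (HIPS, BB, Viruscope) rather than the AV are what matter for a trusted game process.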

Good news!