6 Replies Latest reply on Jun 12, 2015 2:39 AM by Troja

    Malware completely bypasses Application Control

    Troja

      Hi all,

      I have a system where malware is executed to analyze threats. I have a threat which completely bypasses Application Control. How can this be??

      If I execute the malware, everything is bypassed, really any McAfee security product!

      Actually GTI knows the original file. But in fact, if there is a new version of it, and this will happen, why is Application Control not able to protect??


      This is my system configuration:

      AppCont.jpg

      Solidcore Configuration:

      C:\>sadmin config show
        CustomerConfig                158 (0x9e)
        MPCompat                      0 (0x0)
        FileRetrySecs                 0 (0x0)
        DoNotApplyAefBackupRules      0 (0x0)
        CustomizedEventCacheSize      1000 (0x3e8)
        EventCacheSize                2 (0x2)
        EventCacheWMHigh              90 (0x5a)
        EventCacheWMLow               70 (0x46)
        FailSafeConf                  0 (0x0)
      * FeaturesEnabled               213340175514933423 (0x2f5efc261e318af)
      * FeaturesEnabledOnReboot       213340175514933423 (0x2f5efc261e318af)
      * FeaturesInstalled             288212725746833663 (0x3ffeff271e318ff)
      * FileAttrCTrack                5024 (0x13a0)
      * FileDenyReadOptions           1024 (0x400)
      * FileDenyWriteOptions          4831 (0x12df)
        FileDiffAttrOnlyTypes         zip,7z,rar,gz,tgz,jpg,gif,tiff,png,bmp,pdf,tar,bz,bz2,exe,dll,sys,jar
        FileDiffMaxFiles              100 (0x64)
        FileDiffMaxSize               1000 (0x3e8)
        FipsMode                      0 (0x0)
        InvDiffConfig2                2 (0x2)
        InvDiffTimeout                10800 (0x2a30)
        PullInvTimeout                604800 (0x93a80)
      * LockdownStatus                0 (0x0)
        LogFileNum                    4 (0x4)
      * LogFilePath                   C:\PROGRA~3\McAfee\Solidcore\Logs
        LogFileSize                   2048 (0x800)
        ProdIntegrationConfig         1 (0x1)
      * RTEMode                       1 (0x1)
      * RTEModeOnReboot               1 (0x1)
        SoPriority                    1 (0x1)
        ssLangId                      Default
      * WorkFlowId                    OBSERVE_MODE: AUTO_1
      * AgentEventsThreshold          2000 (0x7d0)
        AgentEventsThresholdOnWakeup  2000 (0x7d0)
      * SupplierCacheSize             7000 (0x1b58)
        SupplierCacheSizeOnWakeup     7000 (0x1b58)
        ConsumerThreadTimeout         10800000 (0xa4cb80)
        InvDiffAgentEventsThreshold   15000 (0x3a98)
      * ObAgentEventsThreshold        100 (0x64)
        ObAgentEventsThresholdOnWakeup        100 (0x64)
      * ObSupplierCacheSize           700 (0x2bc)
        ObSupplierCacheSizeOnWakeup   700 (0x2bc)
        ObConsumerThreadTimeout       10800000 (0xa4cb80)
        Accessibility                 0 (0x0)
        EventCacheIntervalMilliSecs   10000 (0x2710)


      Memory Protection Features:

      C:\>sadmin features list
        activex                        Enabled
        checksum                       Enabled
        deny-read                      Enabled
        deny-write                     Enabled
        discover-updaters              Enabled
        enduser-notification           Enabled
        integrity                      Enabled
        mp                             Enabled
        mp-nx                          Enabled
        mp-vasr                        Enabled
        mp-vasr-forced-relocation      Enabled
        network-tracking               Enabled
        pkg-ctrl                       Enabled
        script-auth                    Enabled


      The location where the malware is located is not solidified:

      C:\>sadmin lu c:\malware
      c:\malware\noscan\File_0_pw_infected\Crypt.exe
      c:\malware\noscan\File_0_pw_infected\FileZilla_3.8.1_win32-setup.exe


      If I execute the FileZilla installation I receive an error:

      AppCont2.jpg


      If I execute the crypt.exe file, the malware gets active. No Solidcore event! Nothing.... Afterwards it just encrypts the system!

      - open command line windows are closed and so on...


      1) The location where I started the crypt.exe file shows the help decrypt file.

      AppCont3.jpg


      2) MWG shows access to the servers on the internet (it is set not to block, to show the behavior).

      ipinfo.io is not a "bad" url in GTI.

      AppCont4.jpg


      How can this be?? Can anyone explain this??
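The `sadmin` dumps above are what a responder would ask for first when an Application Control host lets a binary run, so as an added example (not code from the thread, McAfee or the poster) here is a small parser that reads `sadmin config show`, `sadmin features list` and `sadmin lu` output and summarises the enforcement posture. The sample text is reproduced from the post and is constructed test input; the wrapped `FileDiffAttrOnlyTypes` line is kept exactly as it appeared to show the continuation handling. Two readings are my assumptions rather than anything the thread confirms: that a `WorkFlowId` beginning with `OBSERVE_MODE` indicates an Observe mode workflow (in which Application Control records observations for unauthorised activity instead of blocking it), and that the leading `*` is simply a flag the tool prints, whose meaning this code does not interpret.

```python
import re

# Constructed test input: excerpts of the three sadmin dumps quoted in the post.
CONFIG_SHOW = r"""
C:\>sadmin config show
  CustomerConfig                158 (0x9e)
  EventCacheSize                2 (0x2)
* FeaturesEnabled               213340175514933423 (0x2f5efc261e318af)
  FileDiffAttrOnlyTypes         zip,7z,rar,gz,tgz,jpg,gif,tiff,png,bmp,pdf,tar,b
z,bz2,exe,dll,sys,jar
* LockdownStatus                0 (0x0)
* LogFilePath                   C:\PROGRA~3\McAfee\Solidcore\Logs
* RTEMode                       1 (0x1)
* WorkFlowId                    OBSERVE_MODE: AUTO_1
"""

FEATURES_LIST = r"""
C:\>sadmin features list
  activex                        Enabled
  checksum                       Enabled
  mp                             Enabled
  script-auth                    Enabled
"""

UNSOLIDIFIED = r"""
C:\>sadmin lu c:\malware
c:\malware\noscan\File_0_pw_infected\Crypt.exe
c:\malware\noscan\File_0_pw_infected\FileZilla_3.8.1_win32-setup.exe
"""

# Optional '*' flag, a setting name, at least two spaces, then the value.
LINE_RE = re.compile(r"^\s*(\*?)\s*(\S+)\s{2,}(.*\S)\s*$")
# Numeric settings are printed as "<decimal> (0x<hex>)".
NUM_RE = re.compile(r"^(\d+) \(0x[0-9a-f]+\)$")


def parse_table(text):
    """Parse two-column sadmin output into ({name: value}, set_of_flagged_names).

    A line with no column separator is the wrapped tail of the previous value
    (as with FileDiffAttrOnlyTypes above) and is glued back onto it. The '*'
    flag is recorded as printed; this code assigns it no meaning (assumption).
    """
    values, flagged, last = {}, set(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("C:\\>"):
            continue  # blank line or the echoed command prompt
        m = LINE_RE.match(line)
        if m:
            star, name, value = m.groups()
            values[name] = value
            if star:
                flagged.add(name)
            last = name
        elif last is not None:
            values[last] += line.strip()  # continuation of a wrapped value
    return values, flagged


def numeric(value):
    """Return the decimal part of a '<dec> (0x<hex>)' value, else None."""
    m = NUM_RE.match(value)
    return int(m.group(1)) if m else None


def parse_unsolidified(text):
    """Return the file paths listed by `sadmin lu`, skipping the prompt line."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("C:\\>")]


def assess(config, features, unsolidified):
    """Turn the parsed dumps into human-readable posture findings."""
    findings = []
    workflow = config.get("WorkFlowId", "")
    if workflow.startswith("OBSERVE_MODE"):  # assumption: this marks Observe mode
        findings.append(f"WorkFlowId={workflow}: Observe mode workflow active; in Observe "
                        "mode Application Control records observations instead of blocking.")
    binaries = [p for p in unsolidified if p.lower().endswith((".exe", ".dll", ".sys"))]
    if binaries:
        findings.append(f"{len(binaries)} unsolidified executable(s) in the scanned path: "
                        + ", ".join(binaries))
    disabled = sorted(n for n, v in features.items() if v != "Enabled")
    if disabled:
        findings.append("Features not enabled: " + ", ".join(disabled))
    return findings


if __name__ == "__main__":
    cfg, _ = parse_table(CONFIG_SHOW)
    feats, _ = parse_table(FEATURES_LIST)
    for finding in assess(cfg, feats, parse_unsolidified(UNSOLIDIFIED)):
        print("-", finding)
```

Run against a real host, the three constants would be replaced by the captured command output; the point of the script is to make the mode and the unsolidified paths visible in one place rather than buried in a 50-line dump.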