一个火绒主防无法拦截的样本

显示全部楼层 · 发表于 2014-1-28 17:20:24

消停发表于 2014-1-28 16:46
文件名: 338.exe
威胁名称: SONAR.Heuristic.112
完整路径: 不可用

好吧 Heuristic 启发式跟某容一个调调

显示全部楼层 · 发表于 2014-1-28 17:31:01

jone_jys 发表于 2014-1-28 15:44
火绒目前主打的就是本地未知主防，断不断网都一样。。。

PS：楼上很多都只是围观的，这让我想 ...

联网和断网的样本行为可能是有区别的，其二看看火绒报毒以后的行为分析，是在某些环境的下触发了一些注册表操作而报毒，至于修改登录密码火绒是拦截不了的

显示全部楼层 · 发表于 2014-1-28 17:34:30

墨家小子发表于 2014-1-28 17:20
好吧 Heuristic 启发式跟某容一个调调

某容是什么？

显示全部楼层 · 发表于 2014-1-28 17:37:01

STCn1000 发表于 2014-1-28 17:34
某容是什么？

我不能太作了，不然会死得很惨的，所以你懂的

显示全部楼层 · 发表于 2014-1-28 17:39:06

墨家小子发表于 2014-1-28 17:37
我不能太作了，不然会死得很惨的，所以你懂的

那我不问了

显示全部楼层 · 发表于 2014-1-28 17:39:33

vm001 发表于 2014-1-28 17:31
联网和断网的样本行为可能是有区别的，其二看看火绒报毒以后的行为分析，是在某些环境的下触发了一些注册 ...

要不像这个帖子（http://bbs.kafan.cn/thread-1681756-1-1.html）加点自定义规则看看能不能拦截到，那个行为拦截实在是雾里看花信服不了啊

显示全部楼层 · 发表于 2014-1-28 17:52:13

2014-01-28 17:50:46 修改注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
值: 0x00000000(0)
规则: [应用程序组]S+_Program Group -> [注册表组]阻止_path

2014-01-28 17:50:46 删除注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
规则: [注册表组]拦截_Blocked Others -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\*

2014-01-28 17:50:46 删除注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
规则: [注册表组]拦截_Blocked Others -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\*

2014-01-28 17:50:46 删除注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
规则: [注册表组]拦截_Blocked Others -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\*

2014-01-28 17:50:46 修改注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
值: 46 00 00 00 2a 2b 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 14 00 00 00 68 74 74 70 3a 2f 2f 77 70 61 64 2f 77 70 61 64 2e 64 61 74 c0 da 10 58 10 1b cf 01 01 00 00 00 c0 a8 01 03 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 c0 a8 01 03 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
规则: [注册表组]拦截_Blocked Others -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\*

2014-01-28 17:50:46 修改注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
值: 0x00000000(0)
规则: [应用程序组]S+_Program Group -> [注册表组]阻止_path

2014-01-28 17:50:46 删除注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
规则: [注册表组]拦截_Blocked Others -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\*

2014-01-28 17:50:46 删除注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
规则: [注册表组]拦截_Blocked Others -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\*

2014-01-28 17:50:46 删除注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
规则: [注册表组]拦截_Blocked Others -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\*

2014-01-28 17:50:46 修改注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
值: 46 00 00 00 2a 2b 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 14 00 00 00 68 74 74 70 3a 2f 2f 77 70 61 64 2f 77 70 61 64 2e 64 61 74 c0 da 10 58 10 1b cf 01 01 00 00 00 c0 a8 01 03 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 c0 a8 01 03 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
规则: [注册表组]拦截_Blocked Others -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\*

2014-01-28 17:50:49 修改注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
值: 46 00 00 00 67 11 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 14 00 00 00 68 74 74 70 3a 2f 2f 77 70 61 64 2f 77 70 61 64 2e 64 61 74 c0 da 10 58 10 1b cf 01 01 00 00 00 c0 a8 01 03 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 c0 a8 01 03 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
规则: [注册表组]拦截_Blocked Others -> [注册表]*\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\*

2014-01-28 17:51:42 修改注册表值阻止
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4\F
值: 02 00 01 00 00 00 00 00 66 25 cc 05 01 1c cf 01 00 00 00 00 00 00 00 00 92 e2 80 56 af 8e ce 01 ff ff ff ff ff ff ff 7f 00 00 00 00 00 00 00 00 f4 01 00 00 01 02 00 00 10 02 00 00 00 00 00 00 00 00 53 03 01 00 00 00 00 00 00 00 57 00 49 00
规则: [应用程序]c:\windows\system32\lsass.exe -> [注册表]*\SAM\SAM\Domains\Account\Users\*; ?

2014-01-28 17:51:43 使用配置单元文件替换注册表项阻止
进程: c:\windows\system32\lsass.exe
目标: HKEY_LOCAL_MACHINE\SAM
配置单元:
规则: [应用程序]c:\windows\system32\lsass.exe

2014-01-28 17:51:51 注销、关机或重新启动系统阻止
进程: e:\program files\test\修改登录密码\338.exe
规则: [应用程序]*

显示全部楼层 · 发表于 2014-1-28 18:13:20

好吧看来OP的全局规则真的存在问题貌似要把全局规则加到lsass.exe才可以拦截到

上菜了

显示全部楼层 · 发表于 2014-1-28 18:22:27

左手发表于 2014-1-28 17:52
2014-01-28 17:50:46 修改注册表值阻止
进程: e:\program files\test\修改登录密码\338.exe
目标: ...

久违业户大大的为什么没有拦截到？
http://bbs.kafan.cn/forum.php?mo ... &fromuid=906361

显示全部楼层 · 发表于 2014-1-28 19:18:38

本帖最后由 mengld 于 2014-1-28 19:23 编辑

墨家小子发表于 2014-1-28 17:19
说的比唱的都好继续努力

下面引用是官方论坛找来的~~~

[分享] 一个火绒主防无法拦截的样本

本帖子中包含更多资源

本帖子中包含更多资源