Views: 2509 | Replies: 10

[Discussion] Avira has added fileless-attack protection: memory scanning / AMSI scanning

GreatMOLA
Posted 2024-1-10 19:41:22
Last edited by GreatMOLA on 2024-1-11 10:13

Tested a few large sample packs with Avira today and was pleasantly surprised to find that Avira now has memory scanning. The detection is reported as "memorybuffer".

Avira isn't just coasting on its past; it's still well worth supporting and looking forward to~


From the log, it seems to go through AMSI.
[2024-01-10 19:31:58.796] [info] [BaseScan] [thread id: 9292] [LocalScanner] The file '5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd' was checked with Local scanner. Flags: '{Detected}' Status: successful Detection name: {HEUR/AGEN.1326623} Removable: No
[2024-01-10 19:31:58.799] [info] [Amsi] [thread id: 6952] [Epp] [Detection] Name: "HEUR/AGEN.1326623", Engine: "Scanner", File: "memorybuffer.5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd", AppName: "DotNet", ContentName: "", Duration: 14ms, Actions:-cache/report/remed/sentry/alert

[2024-01-10 19:32:53.988] [info] [BaseScan] [thread id: 9292] [LocalScanner] The file '2c6c4cd045537e2586eab73072d790af362e37e6d4112b1d01f15574491296b8' was checked with Local scanner. Flags: '{Detected}' Status: successful Detection name: {HEUR/AGEN.1367987} Removable: No
[2024-01-10 19:32:53.989] [info] [Amsi] [thread id: 10468] [Epp] Generic remediation is paused for another 1h
[2024-01-10 19:32:53.991] [info] [Amsi] [thread id: 10468] [Epp] [Detection] Name: "HEUR/AGEN.1367987", Engine: "Scanner", File: "memorybuffer.2c6c4cd045537e2586eab73072d790af362e37e6d4112b1d01f15574491296b8", AppName: "DotNet", ContentName: "", Duration: 33ms, Actions:-cache/report/remed/sentry/alert


Samples:





anthonyqian
Posted 2024-1-10 20:19:57
It's been there for ages; it was basically rolled out together with the new version.

GreatMOLA
OP | Posted 2024-1-10 20:22:55
anthonyqian posted on 2024-1-10 20:19:
It's been there for ages; it was basically rolled out together with the new version.

OK, I only recently noticed this detection name.
hhjjjjjj123
Posted 2024-1-11 01:05:23 from mobile
Is Avira good to use now? Does it still require installing the tray program, and are there still lots of bugs?
zfc234
Posted 2024-1-11 08:35:48
The beta expired at the end of last month and auto-renewed through 2025, so there's something to look forward to.
GreatMOLA
OP | Posted 2024-1-11 11:16:55
Last edited by GreatMOLA on 2024-1-11 11:18
anthonyqian posted on 2024-1-10 20:19:
It's been there for ages; it was basically rolled out together with the new version.

And now APC can act as a "magpie bridge", letting Sentry link up with LocalScanner to finish things off on the static side.


Log:
2024/01/11 10:42:04.892 | [i] [APC] Task result DETECTED [Path = C:\Users\User1211\Desktop\s\1.exe ] [SHA256 = 8CDF7B60F7C75040D704536F73F64771094A4507CC5584A21BFF1EF0BC97A9D1 ] [Response = {"sha256": {"8cdf7b60f7c75040d704536f73f64771094a4507cc5584a21bff1ef0bc97a9d1": {"cat": 33, "status": "OK", "det_name": "TR/AD.InstaBot.8cdf7b", "ttl": 3600, "known": false, "classification_type": "static", "times_requested": 1, "first_seen": 1704940073.764, "prevalence_band": 1, "is_installer": false}}}] in 5891(ms)
2024/01/11 10:42:04.892 | [i] Alert level is max [PID = 12552 ] [Path = C:\Users\User1211\Desktop\s\1.exe ]  [PUNQ = 1408749285640 ] [PPID =  8396 ]
2024/01/11 10:42:04.910 | [POL] Triggered  [PID = 12552] [Path = C:\Users\User1211\Desktop\s\1.exe]  [PUNQ = 1408749285640] [PPID =  8396] AlertLevel=0 PolicyName=
2024/01/11 10:42:04.910 | [POL] Triggered  [PID = 12552] [Path = C:\Users\User1211\Desktop\s\1.exe]  [PUNQ = 1408749285640] [PPID =  8396] AlertLevel=1 PolicyName=EyeScoreL1
2024/01/11 10:42:04.910 | [i] [Alert = 5 ] Drop.Win32.Score.APC.TR/AD.InstaBot.8cdf7b.000 [PID = 12552 ] [Path = C:\Users\User1211\Desktop\s\1.exe ] [PUNQ = 1408749285640 ] [PPID =  8396 ]
2024/01/11 10:42:04.915 | [i] [Alert = 5 ] [Quarantine] - Start -
2024/01/11 10:42:04.917 | [Alert 5] KNAPInformation is UNKNOWN in 0.00 [Path = C:\Users\User1211\Desktop\s\1.exe ]

[2024-01-11 10:42:02.333] [info] [BaseScan] [thread id: 10492] [ProtectionCloud] The file '\\?\C:\Users\User1211\Desktop\s\1.exe' was scanned with the Protection Cloud. SHA256: '8cdf7b60f7c75040d704536f73f64771094a4507cc5584a21bff1ef0bc97a9d1' Requestor: 'RealtimeProtection' Flags: '{Detected}' Status: successful
[2024-01-11 10:42:02.333] [info] [BaseScan] [thread id: 10492] [ProtectionCloud] Detection by Protection Cloud: '{TR/AD.InstaBot.8cdf7b} File: '\\?\C:\Users\User1211\Desktop\s\1.exe' SHA256:'8cdf7b60f7c75040d704536f73f64771094a4507cc5584a21bff1ef0bc97a9d1
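As an added example that is not part of any post in this thread, here is a small Python parser for the two Avira log formats quoted above (the BaseScan/Amsi lines in the first post and the APC lines in this one). It pulls each detection verdict out, marks the AMSI "memorybuffer." entries as in-memory detections, and lines the verdicts for one SHA256 up in time order so a defender can see the cloud/local verdict followed by the APC verdict on the same object. The regexes are my own reading of the quoted lines and assume exactly the field layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample: the Avira log lines quoted in this thread (BaseScan/Amsi format, then APC format).
SAMPLE_LOG = r"""
[2024-01-10 19:31:58.796] [info] [BaseScan] [thread id: 9292] [LocalScanner] The file '5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd' was checked with Local scanner. Flags: '{Detected}' Status: successful Detection name: {HEUR/AGEN.1326623} Removable: No
[2024-01-10 19:31:58.799] [info] [Amsi] [thread id: 6952] [Epp] [Detection] Name: "HEUR/AGEN.1326623", Engine: "Scanner", File: "memorybuffer.5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd", AppName: "DotNet", ContentName: "", Duration: 14ms, Actions:-cache/report/remed/sentry/alert
[2024-01-11 10:42:02.333] [info] [BaseScan] [thread id: 10492] [ProtectionCloud] The file '\\?\C:\Users\User1211\Desktop\s\1.exe' was scanned with the Protection Cloud. SHA256: '8cdf7b60f7c75040d704536f73f64771094a4507cc5584a21bff1ef0bc97a9d1' Requestor: 'RealtimeProtection' Flags: '{Detected}' Status: successful
[2024-01-11 10:42:02.333] [info] [BaseScan] [thread id: 10492] [ProtectionCloud] Detection by Protection Cloud: '{TR/AD.InstaBot.8cdf7b} File: '\\?\C:\Users\User1211\Desktop\s\1.exe' SHA256:'8cdf7b60f7c75040d704536f73f64771094a4507cc5584a21bff1ef0bc97a9d1
2024/01/11 10:42:04.892 | [i] [APC] Task result DETECTED [Path = C:\Users\User1211\Desktop\s\1.exe ] [SHA256 = 8CDF7B60F7C75040D704536F73F64771094A4507CC5584A21BFF1EF0BC97A9D1 ] [Response = {"sha256": {"8cdf7b60f7c75040d704536f73f64771094a4507cc5584a21bff1ef0bc97a9d1": {"cat": 33, "status": "OK", "det_name": "TR/AD.InstaBot.8cdf7b", "ttl": 3600, "known": false, "classification_type": "static", "times_requested": 1, "first_seen": 1704940073.764, "prevalence_band": 1, "is_installer": false}}}] in 5891(ms)
""".strip().splitlines()

EPP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[(?P<comp>\w+)\] \[thread id: \d+\] \[(?P<sub>\w+)\] (?P<rest>.*)$")
APC_RE = re.compile(r"^(?P<ts>\S+ \S+) \| \[i\] \[APC\] Task result (?P<verdict>\w+) .*?\[SHA256 = (?P<sha>[0-9A-Fa-f]{64}) \]")
SHA_RE = re.compile(r"[0-9a-fA-F]{64}")
# Each component logs the detection name in its own shape; a line with no name carries no verdict.
NAME_RES = [re.compile(r'\bName: "([^"]+)"'), re.compile(r"Detection name: \{([^}]+)\}"),
            re.compile(r"Detection by Protection Cloud: '\{([^}]+)\}"), re.compile(r'"det_name": "([^"]+)"')]

def detection_name(text):
    for rx in NAME_RES:
        m = rx.search(text)
        if m:
            return m.group(1)
    return None

def parse_line(line):
    """Normalise one log line to an event dict, or None if it carries no detection verdict."""
    m = EPP_RE.match(line)
    if m:
        rest, sha = m.group("rest"), SHA_RE.search(m.group("rest"))
        name = detection_name(rest)
        if not (sha and name):
            return None
        # "memorybuffer.<sha256>" in place of a path marks an AMSI-delivered in-memory buffer.
        return {"ts": m.group("ts"), "source": m.group("comp") + "/" + m.group("sub"),
                "sha": sha.group(0).lower(), "name": name, "in_memory": "memorybuffer." in rest}
    m = APC_RE.match(line)
    if m and m.group("verdict") == "DETECTED":
        return {"ts": m.group("ts").replace("/", "-"), "source": "APC", "sha": m.group("sha").lower(),
                "name": detection_name(line), "in_memory": False}
    return None

def timeline(lines):
    """Group events by SHA256 so local, cloud, AMSI and APC verdicts on one object line up in time order."""
    by_sha = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_sha[ev["sha"]].append(ev)
    return {sha: sorted(evs, key=lambda e: e["ts"]) for sha, evs in by_sha.items()}
```

Running `timeline(SAMPLE_LOG)` yields two hashes: the first shows the LocalScanner verdict followed 3 ms later by the AMSI in-memory verdict, the second shows the Protection Cloud verdict followed about two seconds later by the APC verdict on the same file.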
anthonyqian
Posted 2024-1-11 19:48:30
GreatMOLA posted on 2024-1-11 11:16:
And now APC can act as a "magpie bridge", letting Sentry link up with LocalScanner to finish things off on the static side.

It should be Sentry working together with APC, rolling back anything that only gets detected by APC after it has already run.
yushu280
Posted 2024-1-17 15:43:31
zfc234 posted on 2024-1-11 08:35:
The beta expired at the end of last month and auto-renewed through 2025, so there's something to look forward to.

Can you still apply for the Avira beta now?
zfc234
Posted 2024-1-17 15:50:08
yushu280 posted on 2024-1-17 15:43:
Can you still apply for the Avira beta now?

Applying is fairly difficult now, because apparently you have to find their group on Facebook.
真小读者
Posted 2024-1-17 15:57:31
hhjjjjjj123 posted on 2024-1-11 01:05:
Is Avira good to use now? Does it still require installing the tray program, and are there still lots of bugs?

Inconsistent Simplified Chinese font sizes count as one (see the OP's screenshot). That's the main reason I don't use Avira.
Copyright © KaFan  KaFan.cn All Rights Reserved.