查看: 8553|回复: 10
收起左侧

[讨论] Avira新增了无文件攻击防护:内存扫描/AMSI扫描

[复制链接]
GreatMOLA
发表于 2024-1-10 19:41:22 | 显示全部楼层 |阅读模式
本帖最后由 GreatMOLA 于 2024-1-11 10:13 编辑

今天用Avira测试了几个大包,惊喜地发现Avira居然有了内存扫描。其报法为:“memorybuffer”。

红伞没有啃老本,还是很值得支持和期待的~


从Log来看,似乎走的是AMSI方式。
  1. [2024-01-10 19:31:58.796] [info] [BaseScan] [thread id: 9292] [LocalScanner] The file '5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd' was checked with Local scanner. Flags: '{Detected}' Status: successful Detection name: {HEUR/AGEN.1326623} Removable: No
  2. [2024-01-10 19:31:58.799] [info] [Amsi] [thread id: 6952] [Epp] [Detection] Name: "HEUR/AGEN.1326623", Engine: "Scanner", File: "memorybuffer.5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd", AppName: "DotNet", ContentName: "", Duration: 14ms, Actions:-cache/report/remed/sentry/alert

  3. [2024-01-10 19:32:53.988] [info] [BaseScan] [thread id: 9292] [LocalScanner] The file '2c6c4cd045537e2586eab73072d790af362e37e6d4112b1d01f15574491296b8' was checked with Local scanner. Flags: '{Detected}' Status: successful Detection name: {HEUR/AGEN.1367987} Removable: No
  4. [2024-01-10 19:32:53.989] [info] [Amsi] [thread id: 10468] [Epp] Generic remediation is paused for another 1h
  5. [2024-01-10 19:32:53.991] [info] [Amsi] [thread id: 10468] [Epp] [Detection] Name: "HEUR/AGEN.1367987", Engine: "Scanner", File: "memorybuffer.2c6c4cd045537e2586eab73072d790af362e37e6d4112b1d01f15574491296b8", AppName: "DotNet", ContentName: "", Duration: 33ms, Actions:-cache/report/remed/sentry/alert
复制代码


样本:





本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
anthonyqian
发表于 2024-1-10 20:19:57 | 显示全部楼层
老早就有了 基本上和新版本一起推出的

评分

参与人数 2人气 +3 收起 理由
swizzer + 1 正确的
GreatMOLA + 2 感谢解答: )

查看全部评分

GreatMOLA
 楼主| 发表于 2024-1-10 20:22:55 | 显示全部楼层
anthonyqian 发表于 2024-1-10 20:19
老早就有了 基本上和新版本一起推出的

好吧,最近才看见这个报法。
hhjjjjjj123
发表于 2024-1-11 01:05:23 来自手机 | 显示全部楼层
小红伞现在好用吗?是不是还需要安装托盘程序,是不是还有很多bug
zfc234
发表于 2024-1-11 08:35:48 | 显示全部楼层
beta版上个月底到期,自动续约到2025年了,可以期待一波
GreatMOLA
 楼主| 发表于 2024-1-11 11:16:55 | 显示全部楼层
本帖最后由 GreatMOLA 于 2024-1-11 11:18 编辑
anthonyqian 发表于 2024-1-10 20:19
老早就有了 基本上和新版本一起推出的

而且现在APC可以充当”鹊桥“,让Sentry可以和LocalScanner联动,补刀静态。


Log:
  1. 2024/01/11 10:42:04.892 | [i] [APC] Task result DETECTED [Path = C:\Users\User1211\Desktop\s\1.exe ] [SHA256 = 8CDF7B60F7C75040D704536F73F64771094A4507CC5584A21BFF1EF0BC97A9D1 ] [Response = {"sha256": {"8cdf7b60f7c75040d704536f73f64771094a4507cc5584a21bff1ef0bc97a9d1": {"cat": 33, "status": "OK", "det_name": "TR/AD.InstaBot.8cdf7b", "ttl": 3600, "known": false, "classification_type": "static", "times_requested": 1, "first_seen": 1704940073.764, "prevalence_band": 1, "is_installer": false}}}] in 5891(ms)
  2. 2024/01/11 10:42:04.892 | [i] Alert level is max [PID = 12552 ] [Path = C:\Users\User1211\Desktop\s\1.exe ]  [PUNQ = 1408749285640 ] [PPID =  8396 ]
  3. 2024/01/11 10:42:04.910 | [POL] Triggered  [PID = 12552] [Path = C:\Users\User1211\Desktop\s\1.exe]  [PUNQ = 1408749285640] [PPID =  8396] AlertLevel=0 PolicyName=
  4. 2024/01/11 10:42:04.910 | [POL] Triggered  [PID = 12552] [Path = C:\Users\User1211\Desktop\s\1.exe]  [PUNQ = 1408749285640] [PPID =  8396] AlertLevel=1 PolicyName=EyeScoreL1
  5. 2024/01/11 10:42:04.910 | [i] [Alert = 5 ] Drop.Win32.Score.APC.TR/AD.InstaBot.8cdf7b.000 [PID = 12552 ] [Path = C:\Users\User1211\Desktop\s\1.exe ] [PUNQ = 1408749285640 ] [PPID =  8396 ]
  6. 2024/01/11 10:42:04.915 | [i] [Alert = 5 ] [Quarantine] - Start -
  7. 2024/01/11 10:42:04.917 | [Alert 5] KNAPInformation is UNKNOWN in 0.00 [Path = C:\Users\User1211\Desktop\s\1.exe ]
复制代码
  1. [2024-01-11 10:42:02.333] [info] [BaseScan] [thread id: 10492] [ProtectionCloud] The file '\\?\C:\Users\User1211\Desktop\s\1.exe' was scanned with the Protection Cloud. SHA256: '8cdf7b60f7c75040d704536f73f64771094a4507cc5584a21bff1ef0bc97a9d1' Requestor: 'RealtimeProtection' Flags: '{Detected}' Status: successful
  2. [2024-01-11 10:42:02.333] [info] [BaseScan] [thread id: 10492] [ProtectionCloud] Detection by Protection Cloud: '{TR/AD.InstaBot.8cdf7b} File: '\\?\C:\Users\User1211\Desktop\s\1.exe' SHA256:'8cdf7b60f7c75040d704536f73f64771094a4507cc5584a21bff1ef0bc97a9d1
复制代码




本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?快速注册

x
anthonyqian
发表于 2024-1-11 19:48:30 | 显示全部楼层
GreatMOLA 发表于 2024-1-11 11:16
而且现在APC可以充当”鹊桥“,让Sentry可以和LocalScanner联动,补刀静态。

应该是Sentry和APC联动,对于运行后才被APC检测到的进行回滚
yushu280
发表于 2024-1-17 15:43:31 | 显示全部楼层
zfc234 发表于 2024-1-11 08:35
beta版上个月底到期,自动续约到2025年了,可以期待一波

现在还能申请红伞beta吗?
zfc234
发表于 2024-1-17 15:50:08 | 显示全部楼层
yushu280 发表于 2024-1-17 15:43
现在还能申请红伞beta吗?

现在申请比较困难,因为好像要到脸书上找到他们的群组
真小读者
发表于 2024-1-17 15:57:31 | 显示全部楼层
hhjjjjjj123 发表于 2024-1-11 01:05
小红伞现在好用吗?是不是还需要安装托盘程序,是不是还有很多bug

简中字体大小不一可以算一个(如楼主截图)。我不用红伞主要因为这个
您需要登录后才可以回帖 登录 | 快速注册

本版积分规则

手机版|杀毒软件|软件论坛| 卡饭论坛

Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-12-21 23:59 , Processed in 0.145475 second(s), 19 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表