FLAW In Protection: VBS malware and deepscreen

I see that .vbs malware from USB doesn't trigger any deepscreen analysis!? I guess avast should add triggers for such types of nasties as well, as they seem to be on the rise.

Anything trying to mess with wscript.exe should be sandboxed. I guess avast needs to add more triggers into the program. I just got 2 .vbs files, both were pretty much the same VBS:malware-gen crap, and both got through without any peeps from deepscreen. It didn't even try to analyze them. Neither does hardened mode deal with vbs type crap.

I definitely think avast can add a trigger for .vbs files in deepscreen. Just add a rule in the program somewhere that any randomly named vbs file from USB or any removable media must be sandboxed, and if it accesses wscript.exe it should be detected as malware right away. In this way, avast can be completely immune to that VBS malware from USB.
This needs to be fixed.

Have you selected to scan all files in the file system shield?
If not, please do so and check if the files are scanned.
For that you may need to enable debug logging.

As far as I know DeepScreen only works on EXE files, unless they have changed this in v2015…

Rej, it still seems to be a flaw… as a lot of USB malware is coming in the form of VBS scripts and it triggers a hell of a lot of nasty damage. It executes wscript.exe and keeps launching itself over the bootup and infects every other clean usb. I think this trigger should be added as it is a major threat gate.

BUMP: Any update to this topic?

This is a serious flaw as vbs malware is increasing, especially via USB sticks. They are also polymorphic and hard to detect.

Have you tried as I suggested?

I have done that before, no difference. :)

I would agree that this is a flaw that needs rectifying… The vast majority of the time it is from a USB or SD card, so mayhap tweak the USB on insertion scan.

Thanks essex. I agree this needs to be fixed because there is a lot of USB malware which is coming in this VBS format. Hope to see progress on this issue :)

Added to topic.

It would be a good addition in protection.

Thanks Alikhan. This is definitely a rule and a trigger that avast deepscreen developers must consider.

Now there was me thinking that .VBS files would be scanned by the old script shield, now incorporated into another shield. That, however, may be incorporated into the web shield rather than the file system shield.

The problem here is not the shields. But the VBS infections coming from USB are sort of a polymorphic type that changes constantly. So if avast adds a trigger for vbs files for deepscreen then maybe they can also add a rule which will sandbox vbs files, and as they are accessing wscript.exe it should be immediately quarantined by deepscreen.

VBS file runs>>deepscreened>>accessing wscript.exe>>blocked and quarantined.

Well essentially I want to know why the script scanning isn’t running on a script file being executed, regardless of where it is located. If it was then theoretically there would be no requirement for a rule.

The merging of several shields (script/network/P2P, etc.) into the remaining shields shouldn’t lessen the protection.

Your example of the actions is flawed as there would be many instances of legit .VBS software that has to run wscript.exe. Any blocking and quarantining should only be done if it is found to be malicious.

Another point being those who have the Hardened Mode set to Aggressive may have bypassed the deep screening function.

Dave, they could use dyna rules and stuff like they do for other files. They should be adding dyna rules for these types of VBS malware. First of all they need to have deepscreen working on vbs files.

It doesn’t really matter what they could use - Personally I’m against creating rules when there is meant to be a script scanning function built in to avast.

Creating a rule would also require an underlying routine to cater for .vbs instead of/as well as .exe’s in deepscreen.

Dave, I think avast reputation service already has enough no. of files in whitelist. Regardless, not having rules/trigger for deepscreen for a major threat gate is a flaw.

Script scanning function?? Those are based on the AV database and these are polymorphic viruses, and this wouldn't cut it because these change every day like rootkits. This makes some sense I guess.

And from previous experiences avast is not the quickest or smartest to pick the newer variants quickly either; instead we have some proactive analysis system.

I have not mentioned reputation services or whitelisting of files in any of my replies.

I’m clearly stating that the supposed script scanning of avast should be scanning these scripts in the same way that they did when there was a Script Shield. This scanned scripts on both the web pages and scripts run locally.

Deepscreen to date hasn’t been the beast it is meant to be, perhaps we will see more of it in beta2. As I have mentioned, those that have set Hardened Mode to Aggressive are essentially bypassing deepscreen. So any Rule, if it were to have rules, wouldn’t be effective if the Hardened Mode were set to Aggressive.

Dave, neither hardened mode nor deepscreen blocks or targets vbs extension files, which they should be doing now because of this usb malware. I have done some deep testing on this before making this topic.

Nothing to argue on deepscreen improvements in beta2. I have full faith in the developers that they are surely making deepscreen worthy.