Today, by the calendar, is August 16, 2016. Windows Defender deleted working code from the host. Here is how it happened:
I was discussing with a colleague the news about a series of problems at Microsoft, of which the news is full: this hung, that disappeared, something else broke; apparently they are up to their neck in problems. While working on a virtual server with IIS code, I suddenly got a warning that Windows Defender had detected a worm inside many ASP files on the host and strongly recommended deleting it.
The beauty of it is that Defender offers no options. The files are already empty and locked. Until yesterday this problem did not exist. Any attempt to restore the files from the repository provokes outrage from Defender, followed by deletion of the files.
Checking the settings showed that Windows Defender had been updated on 8/15/16 to version 1.225.3982.0. The scanner persistently saw Worm:VBS/VBSWGbased.gen in ASP (VBScript) files. Checking one of the files on virustotal.com gave the same result: of the 53 scanners, only Microsoft Defender finds Worm:VBS/VBSWGbased.gen.
Next came many hours of trying to understand exactly what made the scanner find the virus and delete the code. Going through the lines one by one and checking each variant with the scanner, we managed to strip out everything else and arrive at the minimal test file that drives Defender mad.
Function SafeSQLLogin()
Execute(SafeSQLLogin())
End Function
Function Stream_StringToBinary(Text)
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeText
BinaryStream.CharSet = "us-ascii"
BinaryStream.Open
BinaryStream.WriteText Text
BinaryStream.Position = 0
BinaryStream.Type = adTypeBinary
BinaryStream.Position = 0
Stream_StringToBinary = BinaryStream.Read
Set BinaryStream = Nothing
End Function
Function strCrypt()
For i = 1 To Len(Text)
End Function
The code looks strange only because I deleted as much as I could while the scanner still saw the worm. This text is minimal: any change to it, or removal of any one of the lines, stops driving Defender crazy.
Update: an even shorter version of the text that is still taken for a virus:
Function S
Execute S
End Function
For i To Len T
Saving the text to a file as test.txt and submitting it to virustotal.com still returns a confirmation of the worm, despite Defender having already received several new updates since. Here is the result from virustotal.com:
(VirusTotal result screenshot)
Attempting to contact Microsoft's tech support in chat mode cheered me up a little. The girl specialist persistently tried to help me restore the system with a RestorePoint, issuing commands like SCN and others. All attempts to clarify that the problem was not with me or my computer ran into the persistent effort to solve my problem with my computer. Realizing that reporting a problem with Defender would fail, I contacted the hosting administrators with a warning that we might have problems on all servers.
Administrators are normally unavailable. I hope they will not respond, as usual, only when something has already collapsed. (sarcasm)
Analysis of the "malware" gives no understanding of any logic. Everything points to a random set of coincidences. Any change in the text means the worm is no longer found. But the whole trick is that these lines do not go in a row!!! This code has been cleared of everything else, and these are only some of the lines; between them there were hundreds of lines of other code. The worm was detected only while these lines existed among other lines of code weighing 80 KB. So this is not a template, but rather some number of particular words or phrases being found regularly. I did not see any other logic.
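The line-by-line elimination described above, and the observation that the trigger lines are scattered through the file rather than contiguous, can be automated with a delta-debugging (ddmin) reducer that asks the scanner about each candidate. The following is an added example, not code from the post: fake_scanner, TRIGGER_TOKENS and SAMPLE_ASP are constructed stand-ins for the demo (the real oracle would write each candidate to a file and run the scanner on it), and the token list is an assumption, not Defender's actual signature.

```python
from typing import Callable, List

Oracle = Callable[[str], bool]  # True when the scanner still flags the text

def ddmin_lines(lines: List[str], flagged: Oracle) -> List[str]:
    """Return a 1-minimal subset of `lines` (in original order) that is still
    flagged: removing any single remaining line makes the verdict go away."""
    join = "\n".join
    if not flagged(join(lines)):
        raise ValueError("starting text is not flagged; nothing to reduce")
    keep = list(range(len(lines)))  # work on indices so duplicate lines are safe
    n = 2                           # granularity: how many chunks to split into
    while len(keep) >= 2:
        n, size = min(n, len(keep)), len(keep)
        chunks = [keep[i * size // n:(i + 1) * size // n] for i in range(n)]
        reduced = False
        for chunk in chunks:        # 1. try keeping only one chunk
            if flagged(join(lines[i] for i in chunk)):
                keep, n, reduced = chunk, 2, True
                break
        if not reduced:             # 2. try dropping one chunk
            for chunk in chunks:
                rest = [i for i in keep if i not in chunk]
                if flagged(join(lines[i] for i in rest)):
                    keep, n, reduced = rest, max(n - 1, 2), True
                    break
        if not reduced:             # 3. refine granularity, or stop: 1-minimal
            if n >= len(keep):
                break
            n = min(n * 2, len(keep))
    return [lines[i] for i in keep]

# Constructed stand-in for the scanner verdict (hypothetical, not Defender's
# logic): several tokens anywhere in the file, not one contiguous pattern.
TRIGGER_TOKENS = ("Execute(", "ADODB.Stream", "To Len(")

def fake_scanner(text: str) -> bool:
    return all(tok in text for tok in TRIGGER_TOKENS)

# Constructed sample ASP page, not the post's file; trigger lines are non-adjacent.
SAMPLE_ASP = """<%
Set conn = Server.CreateObject("ADODB.Connection")
Function SafeSQLLogin()
    Execute(SafeSQLLogin())
End Function
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeText
For i = 1 To Len(Text)
%>"""
```

Running ddmin_lines(SAMPLE_ASP.splitlines(), fake_scanner) returns just the three scattered trigger lines, and each scanner call maps to one submission of a candidate file in the real setting.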
I have nothing against Microsoft, but lately their mistakes carry enormous consequences. Administrators have a hard and fast rule: no updates on servers!!! First, long tests on test machines. I understand this sounds like nothing new, but Microsoft's fixes should fix and protect, not kill and create new, even worse problems.
PS Defender received the next batch of updates, v1.225.4025.0, but it still persistently blocks and deletes the files on the test PC; on the other machines it is disabled everywhere.