No script file detection

There is still no detection on the client of this file. More than 3 days have passed since the definition appeared on VirusTotal. I take it that engine updates are more for eyewash; in fact, signatures are not updated locally?

The file is available by clicking on https://www.upload.ee/files/12348203/cn.rar.html

Password to archive: infected

~ extract cn.rar archive >

Filename: cn.ps1
Threat name: Trojan.Gen.NPE
Full Path: C:\Users\bjm\Desktop\cn\cn.ps1

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

Source File: cn.ps1
File Actions
File: C:\Users\bjm\Desktop\cn\cn.ps1 Removed

File Thumbprint - SHA:
1802e2cb97e5c5e502c4cb70dd38539502dbccc8972cc8c2b75d0e571f58cabb
File Thumbprint - MD5:
6c5252bee2eff7646cc082c4c64d66c6


Category: Resolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action,Activity - Details
10/7/2020 4:56:38 AM,High,cn.ps1 (Trojan.Gen.NPE) detected by Download Insight,Quarantined,Resolved - No Action Required,Threat Actions performed: 1


~ with Auto-Protect disabled > extract cn.rar archive > scan cn.ps1 >

Scan Statistics:
  Scan Targets: C:\Users\bjm\Desktop\cn\cn.ps1
  Counts:
   Total items scanned: 1
   - Files & Directories: 1
   - Registry Entries: 0
   - Processes & Startup Items: 0
   - Network & Browser Items: 0
   - Other: 0
   - Trusted Files: 0
   - Skipped Files: 0

   Total security risks detected: 1
   Total items resolved: 1
   Total items that require attention: 0

Resolved Threats:
Trojan.Gen.NPE
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Virus
 Status: Fully Resolved
 -----------
 1 Infected File
C:\Users\bjm\Desktop\cn\cn.ps1 - Deleted
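The Security History export above is the record a practitioner actually works from when checking whether a client detected a sample, so here is a small parser for it. This is an added example, not code from the thread or from Norton; it assumes the six-column header and the "file (threat) detected by component" Activity wording exactly as they appear in the export quoted above, and treats the two quoted lines as constructed sample input.

```python
"""Parse Norton Security History CSV export rows into structured detection events.

Added example, not from the thread or from Norton. Assumes the column header
and Activity wording shown in the thread's export.
"""
import csv
import re
from datetime import datetime
from io import StringIO

# Sample input: the two export lines quoted in the thread.
SAMPLE_EXPORT = """Date & Time,Risk,Activity,Status,Recommended Action,Activity - Details
10/7/2020 4:56:38 AM,High,cn.ps1 (Trojan.Gen.NPE) detected by Download Insight,Quarantined,Resolved - No Action Required,Threat Actions performed: 1
"""

# Activity column wording for a detection: "<file> (<threat>) detected by <component>".
ACTIVITY_RE = re.compile(r"^(?P<file>.+?) \((?P<threat>[^)]+)\) detected by (?P<component>.+)$")


def parse_activity(activity):
    """Split the Activity column into file, threat name and detecting component.

    Returns None when the column is not a detection (e.g. a LiveUpdate or
    scan-completed row), so callers can skip those rows.
    """
    m = ACTIVITY_RE.match(activity.strip())
    return m.groupdict() if m else None


def parse_history(text):
    """Return one dict per detection row of a Security History CSV export."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        parsed = parse_activity(row["Activity"])
        if parsed is None:
            continue  # not a detection row
        events.append({
            # The export uses a US-style 12-hour timestamp without zero padding.
            "time": datetime.strptime(row["Date & Time"], "%m/%d/%Y %I:%M:%S %p"),
            "risk": row["Risk"],
            "status": row["Status"],
            "action": row["Recommended Action"],
            **parsed,
        })
    return events


def needs_attention(events):
    """Detection rows whose status is not one of the handled states seen in the thread's logs."""
    handled = {"Quarantined", "Removed", "Deleted"}  # states that appear in the thread's output
    return [e for e in events if e["status"] not in handled]


if __name__ == "__main__":
    events = parse_history(SAMPLE_EXPORT)
    for e in events:
        print(f"{e['time']:%Y-%m-%d %H:%M:%S}  {e['risk']:<5} {e['threat']:<16} "
              f"{e['file']} via {e['component']} [{e['status']}]")
    print("rows needing attention:", len(needs_attention(events)))
```

Pointing `parse_history` at a full export lets you list every detection of a given threat name or component (Download Insight versus Auto-Protect versus a manual scan) instead of reading the log by eye.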

Yes, I sent this file using the link you suggested. But the status check did not show anything.
I uploaded the sample again. You can check for the presence of the detection again.

https://www.upload.ee/files/12361273/cn.rar.html


uddu:

The file detect is now available, arrived with the latest LiveUpdate updates. The other malicious scripts I mentioned earlier are now also detected with the Trojan Horse definition.

Did you submit the file(s) to Norton?
Thanks. I deleted the cn.ps1 file, so I can't see the detection on my side.

The file detect is now available, arrived with the latest LiveUpdate updates. The other malicious scripts I mentioned earlier are now also detected with the Trojan Horse definition. In any case, it is at least some progress.


Script Control helps protect you from malware that you download or receive as attachments in phishing emails. It removes suspicious scripts from files and sanitizes the files, by default.

However, you can restore the original files with the script, and configure how you want Norton to handle documents with embedded scripts.

Scripts are used to make documents dynamic and interactive. Although the primary objective of scripts is to improve the document experience, cybercriminals can use them to sneak malware on your computer. Scripts are generally not important to the function of a document and many software programs disable them by default.

Script Control identifies potential threats based on the behavior of files. If Norton detects any potentially dangerous activity when you open a document with embedded script, it blocks the application from running the script. You can configure how you want Norton to handle the scripts when you open documents with embedded scripts.

https://support.norton.com/sp/en/us/norton-360/22.20.5.39/solutions/v132996721

Script Control helps protect you from malware that you download or receive as attachments in phishing emails. It removes suspicious scripts from files and sanitizes the files, by default. However, you can restore the original files with the script, and configure how you want Norton to handle documents with embedded scripts.

https://support.norton.com/sp/en/us/norton-360/22.20.5.39/solutions/v132996618


Vitalik93:
It's interesting why Norton Script Control doesn't remove it.

Maybe ask NortonLifeLock Support.


IMO, the static text file is not by itself malicious.
 
I'd urge you to not run the script. 

It's interesting why Norton Script Control doesn't remove it. I think this component doesn't depend on virus signatures and should remove such viruses.

Have you run the PowerShell script file?

@uddu feels the file is Not detected by Norton. 
Use this form to upload a suspected infected file which has not been detected by Norton.  This is also called a False Negative.

https://submit.norton.com/?type=URL

Sorry, of course, but it's a shame! I check the malware scripts PowerShell one after the other, and no antivirus reaction! Signature databases are not updated locally, it's a fact! Is there any way you can comment on this?


uddu:
Why isn't there a detection on this malicious file on the client when the detection on VirusTotal has long since appeared?

Maybe VirusTotal is reporting on running the PowerShell script file.
Maybe ask VirusTotal > https://www.virustotal.com/gui/contact-us
Have you run the PowerShell script file?

@uddu feels the file is Not detected by Norton.
Use this form to upload a suspected infected file which has not been detected by Norton.  This is also called a False Negative.

https://submit.norton.com/?type=URL

Hi! I understand it all very well. I'm interested in another question, Why isn't there a detection on this malicious file on the client when the detection on VirusTotal has long since appeared?

On Windows 10, PowerShell is a command-line tool designed by Microsoft to run commands and scripts to change settings and automate tasks. In a way, it's similar to Command Prompt. However, PowerShell is a more capable command-line interface (CLI) that offers an extensive set of tools and more flexibility and control. Also, unlike Command Prompt, PowerShell is available on Windows, macOS, and Linux.

A script is just a collection of commands saved into a text file (using the special ".ps1" extension) that PowerShell understands and executes in sequence to perform different actions.

The only caveat is that the default security protocol always blocks any script from running on a device. This means that when double-clicking a ".ps1" file on Windows 10 nothing will happen, and if you try to run the script within PowerShell, you'll see the "cannot be loaded because running scripts is disabled on this system" error message. However, it's not impossible to run scripts on your computer. You only need to enable the correct execution policy.

https://www.windowscentral.com/how-create-and-run-your-first-powershell-script-file-windows-10#run_powershell_script_windows10 

A PowerShell script is really nothing more than a simple text file. The file contains a series of PowerShell commands, with each command appearing on a separate line. For the text file to be treated as a PowerShell script, its filename needs to use the .PS1 extension.

https://www.virustotal.com/gui/file/1802e2cb97e5c5e502c4cb70dd38539502dbccc8972cc8c2b75d0e571f58cabb/detection/f-1802e2cb97e5c5e502c4cb70dd38539502dbccc8972cc8c2b75d0e571f58cabb-160176048
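The VirusTotal entry above is keyed by the SHA-256 of the file, so the first thing to settle before asking why the client stays silent is whether the file on disk is byte-for-byte the one VirusTotal reports on. The script below does that check without ever executing or importing the .ps1: it streams the file as bytes and compares its digests with the values from the Norton log earlier in the thread. This is an added example, not code from the thread or from Norton; the expected hashes are the SHA-256 and MD5 quoted in that log, and the default path is the one shown there (the sample itself is not part of the example, so a different file will simply report as differing).

```python
"""Hash a suspected script and compare it with the VirusTotal entry, without running it.

Added example, not from the thread. Expected digests are the SHA-256 and MD5
the thread's Norton log reports for cn.ps1; the default path is the one in
that log. The file is only read as bytes, never executed or imported.
"""
import hashlib
import sys

EXPECTED = {  # values as reported in the thread's Norton detection log
    "sha256": "1802e2cb97e5c5e502c4cb70dd38539502dbccc8972cc8c2b75d0e571f58cabb",
    "md5": "6c5252bee2eff7646cc082c4c64d66c6",
}


def hash_file(path, algorithms=("sha256", "md5")):
    """Return {algorithm: hexdigest} for a file, streaming it in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual, expected):
    """Per-algorithm, case-insensitive match of computed digests against expected ones."""
    return {name: actual.get(name, "").lower() == digest.lower()
            for name, digest in expected.items()}


def is_same_sample(path, expected=EXPECTED):
    """True only when every expected digest matches the file on disk."""
    return all(compare(hash_file(path), expected).values())


if __name__ == "__main__":
    # Default path is the one shown in the thread's log; pass another path as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\bjm\Desktop\cn\cn.ps1"
    digests = hash_file(target)
    for name, ok in compare(digests, EXPECTED).items():
        print(f"{name:6} {digests[name]}  {'matches' if ok else 'DIFFERS from'} the logged value")
    # VirusTotal file pages are addressed by SHA-256, as in the link quoted above.
    print("VirusTotal page: https://www.virustotal.com/gui/file/" + digests["sha256"])
```

If `is_same_sample` is False, the client and VirusTotal were never looking at the same bytes (a re-saved or re-encoded copy of a text script changes its hash) and the detection comparison is moot; if it is True, the question about local definitions stands and the hashes are what to include in the false-negative submission.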


Scan Statistics:
  Scan Targets: C:\Users\bjm\Desktop\cn\cn.ps1
  Counts:
   Total items scanned: 1
   - Files & Directories: 1
   - Registry Entries: 0
   - Processes & Startup Items: 0
   - Network & Browser Items: 0
   - Other: 0
   - Trusted Files: 0
   - Skipped Files: 0

   Total security risks detected: 0
   Total items resolved: 0
   Total items that require attention: 0

Norton malware detections rely mainly on real-time online definitions, which are much more up to date than any downloaded definitions.

Do not post links to possible malicious files in the open forum. If you see this in time, please delete the link. No one is going to download malware.