Tuesday, October 20, 2020
The average user understands that there exist files (although they probably won't be able to tell you exactly what a file is) and documents. They don’t realise that an executable is only one of a number of types of files and that documents are in fact just another type of file. But every now and then, the universe stirs and users learn about certain entities other than the files and documents inhabiting their computers.
Why does this happen?
Host: …, description: unavailable)
Event time: …
Process showing suspicious activity: D:\Vtb\Cbp\Services\Vtb.Integration.Mdm.Cabs\Vtb.Integration.MdmCabs.Service.exe (PID: 14016), started by user: NT AUTHORITY\SYSTEM.
Path to the protected file that the process attempted to access:
Unauthorised code execution was blocked for the following reason: suspicious code execution attempt.
Action performed with the suspicious process: disabled.
Action for the suspicious process initiated by: Preventive Protection auto response (blocked attempts: 1).
A user saw a pop-up message notifying them about an unauthorised attempt to access something and some code execution getting blocked. What was that all about?
Let's try to explain in simple terms how executable files are launched. When an executable file is launched by a user or by a process in the system, it usually doesn't just mean that the instructions contained in the file are executed one after another. It's more complicated than that. A portion of the available RAM is allocated to the new process and data is loaded into that memory: the code to be executed as well as the data the application needs to perform its tasks. If the program requires additional libraries, they are loaded into memory too. This is how a process, whose activity users can then observe, is created in memory.
Application files are usually digitally signed, and their signatures are verified whenever they are launched. Of course, attackers can try to modify the contents of a file, but that will invalidate the file's signature and the operating system (as well as the anti-virus) will display a corresponding warning. So instead attackers may want to alter the contents of another running process—to inject their code into it.
The Anti-virus Times recommends
Note that Dr.Web's Preventive Protection keeps a close watch over the system and controls all attempts to access running processes—it maintains their integrity to ensure that no one can alter their behaviour by introducing new features or modifying existing ones.
A code injection attempt by an unsigned process ("Vtb.Integration.MdmCabs.Service.exe") targeting WmiPrvSE.exe has been blocked.
Essentially, attackers attempt to introduce their code into another process's address space.
The anti-virus's Preventive Protection analyses process behaviour to stop actions of this kind.
In this case, the process doesn't have a legitimate digital signature and gets blocked by Preventive Protection. A block notification is displayed.
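As an added example (not Dr.Web's code), here is a small Python parser for the notification format quoted above, followed by a triage step that lists the points worth checking before dismissing such a block as a false positive. The sample alert is constructed from the values in the post; the target path and the list of commonly abused target processes are assumptions.

```python
import re

# Constructed sample: the field layout follows the Preventive Protection notification quoted
# in the post; the target path is made up (the post names WmiPrvSE.exe as the target).
SAMPLE_ALERT = """\
Process showing suspicious activity: D:\\Vtb\\Cbp\\Services\\Vtb.Integration.Mdm.Cabs\\Vtb.Integration.MdmCabs.Service.exe (PID: 14016), started by user: NT AUTHORITY\\SYSTEM.
Path to the protected file that the process attempted to access: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
Unauthorised code execution was blocked for the following reason: suspicious code execution attempt.
Action performed with the suspicious process: disabled.
Action for the suspicious process initiated by: Preventive Protection auto response (blocked attempts: 1).
"""

# Assumed list of system processes that injected code is commonly hidden in (WmiPrvSE.exe is from the post).
COMMON_INJECTION_TARGETS = {"wmiprvse.exe", "svchost.exe", "explorer.exe", "lsass.exe", "rundll32.exe"}

_FIELD = re.compile(r"^([^:]+):\s*(.*?)\.?$")  # "label: value", trailing full stop dropped
_PROCESS = re.compile(r"^(.+?) \(PID: (\d+)\), started by user: (.+)$")
_ATTEMPTS = re.compile(r"blocked attempts: (\d+)")

def parse_alert(text: str) -> dict:
    """Turn the notification into a dict: source process, PID, user, target, action, attempts."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    proc = _PROCESS.match(fields["Process showing suspicious activity"])
    if proc is None:
        raise ValueError("unrecognised process line")
    hits = _ATTEMPTS.search(fields.get("Action for the suspicious process initiated by", ""))
    return {
        "process_path": proc.group(1), "pid": int(proc.group(2)), "user": proc.group(3),
        "target_path": fields.get("Path to the protected file that the process attempted to access", ""),
        "action": fields.get("Action performed with the suspicious process", ""),
        "blocked_attempts": int(hits.group(1)) if hits else 0,
    }

def triage(alert: dict) -> list:
    """Points an analyst should weigh before treating the block as a false positive."""
    notes = []
    source = alert["process_path"].rsplit("\\", 1)[-1]
    target = alert["target_path"].rsplit("\\", 1)[-1].lower()
    if alert["user"].upper() == "NT AUTHORITY\\SYSTEM":
        notes.append(f"{source} runs as SYSTEM, so injected code would inherit full privileges")
    if target in COMMON_INJECTION_TARGETS:
        notes.append(f"target {target} is a system process commonly used to hide injected code")
    if alert["action"] != "disabled":
        notes.append(f"process was not disabled (action: {alert['action']!r}); confirm it is stopped")
    if alert["blocked_attempts"] > 1:
        notes.append(f"{alert['blocked_attempts']} blocked attempts: the behaviour is repeated")
    return notes
```

Running `triage(parse_alert(SAMPLE_ALERT))` on the constructed alert yields two notes: the source runs as SYSTEM and the target is WmiPrvSE.exe.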
Preventive Protection can deflect attacks even if no malware signature is available in the virus databases (i.e., a malicious code sample hasn't yet been examined by malware researchers). In such situations, malware can be identified by its actions—e.g., when it attempts to interfere with the normal operation of online banking applications or browsers.
Make sure that your Preventive Protection is always up and running.