(Bad?) Protection against phishing

I’m still using profiles based on the ‘Hardened windows profile’ for all my devices.
This after a client was infected twice with ransomware while using the endpoint client.

I thought that the ‘Hardened profile’ should detect a lot of malware/phishing code.

But what struck me is the following:
Lately I see a lot of phishing activity.
A client received a phishing email and opened the attached link.
It led to a fake webpage.
Neither he nor I received a message regarding a fake website or blocked code.

But… the same client also had a private laptop with him on which Bitdefender Free was installed.
And Bitdefender did detect the phishing code, blocked it and warned the user.

My question:
How come XCitium isn’t blocking this while a free antivirus like Bitdefender is?
How can I achieve this level of detection and warning with the XCitium client? My client feels that a free antivirus protects him better than an enterprise-class, paid product…

Hi @ailan

Thank you for bringing this to our attention.
I shall get my counterpart at Xcitium to contact you regarding this.

Hi @RT-AMS-ITarian,

Thanks for the info.
I don’t need direct contact regarding this issue.
Please let them place the info directly on the forum so everyone can benefit.

I don’t think this is an unknown situation and it should work already.

Regards

Hi @ailan

I have been speaking to @ilgazy at Xcitium on this and will get him to place something public here.

From my discussions with him, please bear in mind that the profile’s default is to not display information to the end user like you have experienced from Bitdefender. In theory the file should have been blocked as it was an “unknown” file and should be listed in the logs for the AV inside Endpoint Manager and directly on the device in the AV control panel.

I obviously do not have the logs for your portal and cannot comment on the status of this being blocked or not, but I can let you know that you can, inside your portal, turn on client-side warnings as shown in the image below.

Hi @RT-AMS-ITarian,

It’s correct that a lot of warnings are not displayed by default.
And that’s why I was counting on the attached link to the phishing site being blocked.
But no, a few clients did open the link and the page of the false website was presented.

I tried the same test also on my machines.
And of course I enabled all the warnings:

But still no warning or detection and the page is also presented on my machines.

Whereas the machine with Bitdefender was giving me a warning and/or cleaned the attachment.
test-Pymnt_Aging_419860.zip (14.1 KB)

You can test it yourself with attached file.

It’s safe to save and try to open the file.
The email address has been changed.
It’s all about the detection; you don’t have to fill anything in.

Regards

@ailan just tested and the HTML file within the ZIP is detected as malware on my machine and quarantined by the Xcitium Security Client.

To me, it seems that XCS is operating correctly.

Hi @nct,

That sounds great!
Thanks for testing.

Would you like to share your profile with us?
If not, maybe screenshots of the relevant modules in your config template?

It would be great if there were a subgroup on this forum where profile tips could be shared or posted.
(But that’s something I already suggested a few years ago…)

Hope to hear which option(s) I have to configure to detect these phishing links/sites/scripts.

Regards

Hi @ailan

If you share your profile here, I’ll take a look at the settings for you.
I’m also attaching an extract from my XCS logs showing the file being quarantined.

Hi @nct,

Thanks for checking my profile. I just sent you my config.

Hope you can see something.

Regards…

I’ve replied… check your inbox.

Thanks again.
I replied too…