Hot Take 3 Reasons Why Experienced Users Are Getting Infected!

  • Thread starter ForgottenSeer 69673

ScandinavianFish

Level 7
Verified
Dec 12, 2021
319
The way we should protect our devices is by hardening them, preventing the malware from doing its damage in the first place by preventing an important step in their execution, process injection, or collection. An example being Firewall Hardening to block LOLbins, which by itself makes info-stealers such as Redline (that abuse .NET framework files for evasion) useless.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Whether it's a supply chain attack, social engineering, or someone having physical access to your device, there is always a way to compromise your PC, router, enterprise firewall, laptop or mobile if you are a bad and big enough target. All it takes is enough time, skill and money, and exploits/bugs in software will fall like XMAS presents from the tree.

Criminal malware is one part but that is usually high volume and eventually is detectable by most security software. Not a huge worry.

But would experienced users even notice they were infected if the adversary is the NSA's Equation group or some other advanced APT? I mean how would you determine if your hard drives firmware has been hacked? Or your laptop's BIOS/UEFI firmware is backdoored? Or your device has a sophisticated implant installed?

Answer is in 99.9% of cases you wouldn't know. But we still keep trying to protect ourselves, everything evolves and improves over time. We strive for 100% protection in our security setup but in reality, you get no such guarantees.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,200
The reason experienced users get infected and do not reboot is because:

1. they don't use AppGuard
2. they don't use Shadow Defender
3. they don't use a whitelisting firewall.

Simple answer: just try being even more careful, that does usually help to avoid getting infected.
No security software prevents even experienced users from making the same mistakes as careless beginners...

For me personally, as a home user, AppGuard is too expensive.
Shadow Defender hasn't received any update for a few years, so it might be risky to use it.
 

overdivine

Level 2
Verified
Aug 21, 2013
83
the majority of the users don't get infected, and the majority of the users are not "experienced" users so.....

1. humans are prone to mistakes and even if you are experienced, it depends on what hits you
2. the experienced users are not experienced enough for that situation
3. given enough resources, every system can be compromised, it does not matter the experience level
 

ForgottenSeer 97327

Thread author
The reason experienced users get infected and do not reboot is because:

1. they don't use AppGuard
2. they don't use Shadow Defender
3. they don't use a whitelisting firewall.
Nahh, you only have one reason half right :) :) :) These are the real three reasons why overconfident (I would not call them experienced) users get infected:
1. They run outdated/end-of-life OSes
2. They run as admin instead of as a standard user
3. They don't use a whitelist/default-deny approach for user space
 
Last edited by a moderator:

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Simple answer: just try being even more careful, that does usually help to avoid getting infected.
No security software prevents even experienced users from making the same mistakes as careless beginners...

For me personally, as a home user, AppGuard is too expensive.
Shadow Defender hasn't received any update for a few years, so it might be risky to use it.
I got AG for $39/year to see if I'm comfortable using it (still learning). I think VS free is gone and it's now $29/yr. It's all relative, and Avast, e.g., is protecting for free with near 100% protection at AV-C.
 

ForgottenSeer 97327

Thread author
With WDAC having such an easy wizard (Windows Defender Application Control Wizard), I would buy a Windows Pro version. You can use WDAC in audit mode and use the event messages to create rules. WDAC also has an option to fall back to AUDIT mode when critical software does not start. So when you are willing to dive into WDAC, it is the cheapest whitelist option available.

I have three whitelists:
1. For all users in all folders: Windows Defender on MAX (cloud whitelist)
2. For all users in user folders: WDAC only allowing Microsoft Signed and Syncback Free
3. For Standard user in user folders: SRP default deny

And yes I am running SUA all the time (Windows and Office update without asking for elevation).
 
Last edited by a moderator:
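The audit-first WDAC workflow described in the post above (generate a policy, run it in audit mode, turn the logged events into rules, then enforce), as an added example that is not code from the thread or from Microsoft's WDAC Wizard. It uses the in-box ConfigCI cmdlets and CiTool (Windows 11 22H2 or later); the working folder C:\WDAC, the scan path and the rule levels are assumptions, and the example does not reproduce the poster's exact "Microsoft Signed plus Syncback Free" allow list.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell on Windows 11 Pro/Enterprise.
# Assumptions: working folder C:\WDAC, base scan of C:\Windows, FilePublisher rules with Hash fallback.
$PolicyDir = 'C:\WDAC'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null
$PolicyXml  = Join-Path $PolicyDir 'UserSpacePolicy.xml'
$AuditXml   = Join-Path $PolicyDir 'AuditRules.xml'

# 1. Build a base policy from the binaries currently on disk.
#    -UserPEs also covers user-mode executables (WDAC only controls kernel drivers without it).
#    FilePublisher = allow by signer + file name; unsigned files fall back to a per-file hash.
New-CIPolicy -FilePath $PolicyXml -ScanPath 'C:\Windows' -Level FilePublisher -Fallback Hash `
             -UserPEs -MultiplePolicyFormat

# 2. Start in audit mode: option 3 logs what WOULD be blocked instead of blocking it.
#    Option 10 = "Boot Audit on Failure", the fallback the post refers to: if a boot-critical driver
#    is blocked, Windows reboots into audit mode instead of failing to start.
#    Option 16 = apply policy updates without a reboot.
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 10
Set-RuleOption -FilePath $PolicyXml -Option 16

# 3. Compile and deploy. In multiple-policy format the binary must be named after the PolicyID GUID.
$PolicyId   = ([xml](Get-Content $PolicyXml)).SiPolicy.PolicyID
$PolicyBin  = Join-Path $PolicyDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
CiTool.exe --update-policy $PolicyBin

# 4. Use the machine normally for a while, then review what audit mode flagged.
#    Event 3076 = "would have been blocked" (audit); 3077 = actually blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -FilterXPath '*[System[EventID=3076]]' |
    ForEach-Object { $_.Properties[1].Value } |   # property 1 carries the file path in these events
    Sort-Object -Unique

# 5. Turn the audit events into allow rules and merge them into the base policy.
#    Review $AuditXml before merging: anything that was running during the audit window gets allowed,
#    so do not run this on a machine you suspect is already compromised.
New-CIPolicy -Audit -FilePath $AuditXml -Level FilePublisher -Fallback Hash -UserPEs -MultiplePolicyFormat
Merge-CIPolicy -PolicyPaths $PolicyXml, $AuditXml -OutputFilePath $PolicyXml

# 6. Switch to enforcement by removing option 3, then redeploy (the PolicyID does not change).
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
CiTool.exe --update-policy $PolicyBin

# Roll back if something critical stops starting:
#   CiTool.exe --remove-policy $PolicyId
```

Keep the audit phase running long enough to cover software that only starts occasionally (updaters, printer utilities, games), and keep the 3077 query from step 4 handy after enforcing: it tells you exactly which file a user's "it stopped working" report is about.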

ForgottenSeer 69673

Thread author
Simple answer, just try being even more careful, that does usually help to avoid getting infected.
Any security software doesn't prevent even experienced users from making same mistake like careless beginners...

For me personally as home user, AppGuard is too expensive.
Shadow Defender haven't received any update since a few years, so might risky to use it.
AppGuard is only 39 dollars for superb protection if one is not afraid to use it.
Shadow Defender needs no updates. It still works just fine on my Windows 11 Enterprise.
So, what if you get infected? With Shadow Defender a simple reboot works to fix the problem, and if you are able to configure a whitelist firewall, no info will be stolen.
I hope you don't think I have not used every bit of security software out there. Believe me, I have.
Two of the least resource-hogging ones created are AppGuard and Shadow Defender.

Unless you get targeted with a hardware bug that can stay resident even after a reboot. I guess it would be sledgehammer time then.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,200
Shadow Defender needs no updates. It still works just fine on my Windows 11 Enterprise.
How do we or you know for sure there are no security flaws in Shadow Defender? The developer was always a mystery; he replied back sometimes via email.

In general, any security-related software that doesn't receive regular updates anymore, everyone can use it, but it shouldn't be recommended to other people.
Anyway, we don't need to agree on all points ;)

I hope you don't think I have not used every bit of security software out there. Believe me, I have.
Two of the least resource-hogging ones created are AppGuard and Shadow Defender.
I believe that you tried all possible security software. I did the same, or partially still do, even for a different purpose, just for fun...
I have purchased a license of Shadow Defender and been using it for around 5 years, but I don't use it anymore since the release of Windows 11.
 

Andrezj

Level 6
Nov 21, 2022
248
The way we should protect our devices is by hardening them, preventing the malware from doing its damage in the first place by preventing an important step in their execution, process injection, or collection. An example being Firewall Hardening to block LOLbins, which by itself makes info-stealers such as Redline (that abuse .NET framework files for evasion) useless.
this is the protection model developed by the NSA, NIST, and industry leaders such as Microsoft and various Linux groups
there are various standards such as ISO 27001 and NIST 800-53 that require attack surface reduction, disabling of unused services and LOLbins, application of SRP such as SELinux
any organization that conducts any form of business with the federal government must implement NIST 800-53 and other cybersecurity frameworks
to obtain cybersecurity insurance many underwriters also require the applicant to implement one of the stringent cybersecurity standards
there is a standard above the commerce cybersecurity standards, they are called national security cybersecurity standards and mandate such things as systems and phones that are stripped down to only essential functionality
for unregulated businesses, they can do whatever they want, and they do - and get breached
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
this is the protection model developed by the NSA, NIST, and industry leaders such as Microsoft and various Linux groups
there are various standards such as ISO 27001 and NIST 800-53 that require attack surface reduction, disabling of unused services and LOLbins, application of SRP such as SELinux
any organization that conducts any form of business with the federal government must implement NIST 800-53 and other cybersecurity frameworks
to obtain cybersecurity insurance many underwriters also require the applicant to implement one of the stringent cybersecurity standards
there is a standard above the commerce cybersecurity standards, they are called national security cybersecurity standards and mandate such things as systems and phones that are stripped down to only essential functionality
for unregulated businesses, they can do whatever they want, and they do - and get breached
I don't know the details, but my wife worked in a US Congressional local office a few years ago, and when they had a computer issue, they flew in 2 techs from some well-known government contractor (don't recall the name) and they were serious dudes in black suits. I just happened to be there that day and I was scary-impressed.
 

Andrezj

Level 6
Nov 21, 2022
248
I don't know the details, but my wife worked in a US Congressional local office a few years ago, and when they had a computer issue, they flew in 2 techs from some well-known government contractor (don't recall the name) and they were serious dudes in black suits. I just happened to be there that day and I was scary-impressed.
ex special operations with the mib issued suit
objective: re-issue password
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Threat model or risk assessment > Design and implement security solutions > Review, revaluate and adjust controls

Main reason anybody gets infected IMO is that:
- they run (execute) malware.

This takes care of the low hanging fruit, it will stop common criminal malware like trojans, backdoors and ransomware.

But I don't sit awake at night worrying about criminal malware; it's high volume and easily detectable, spread through spam, YouTube downloads, cracks or keygens.

But for professionally designed and implemented attacks then it's game on and any device can be compromised with enough time and skill.
 

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
203
An example being Firewall Hardening to block LOLbins, which by itself makes info-stealers such as Redline (that abuse .NET framework files for evasion) useless.
Are there any tutorial instructions available to set this up for a home user on Windows 11?
 
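One way to do the firewall hardening that the first post describes and that the question above asks about, using only the Windows Firewall cmdlets built into Windows 11. This is an added example, not code from the thread, from any forum member or from a third-party "Firewall Hardening" tool; the LOLbin list is my own selection (a commonly abused subset of signed Windows and .NET Framework binaries) and is an assumption, the rule group name is arbitrary, and the bypass-check commands at the end are a quick way to confirm the rules actually fire.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell on Windows 11.
# Idea: these signed Windows binaries have legitimate local uses but almost never need outbound
# network access on a home PC, so an explicit outbound Block rule per binary removes them as
# download/exfiltration stages. Block rules win over Allow rules in Windows Firewall.
$Group = 'Hardening - LOLBin outbound block'   # assumed name, used for listing and removal

# Assumption: which binaries to cover. Review this against what you actually use
# (e.g. remove certutil.exe if a tool you rely on fetches CRLs through it).
$Names = @(
    'mshta.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe', 'rundll32.exe',
    'certutil.exe', 'bitsadmin.exe', 'msiexec.exe', 'cmstp.exe'
)
$DotNetNames = @('InstallUtil.exe', 'RegAsm.exe', 'RegSvcs.exe', 'MSBuild.exe', 'csc.exe')

# Both the 64-bit and the 32-bit copies exist on a 64-bit Windows; cover both.
$Paths = foreach ($n in $Names) {
    Join-Path $env:SystemRoot "System32\$n"
    Join-Path $env:SystemRoot "SysWOW64\$n"
}
$Paths += foreach ($n in $DotNetNames) {
    Join-Path $env:SystemRoot "Microsoft.NET\Framework64\v4.0.30319\$n"
    Join-Path $env:SystemRoot "Microsoft.NET\Framework\v4.0.30319\$n"
}

foreach ($Path in $Paths) {
    if (-not (Test-Path -LiteralPath $Path)) { continue }          # skip binaries not present on this build
    $DisplayName = "Block outbound: $Path"
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) { continue }  # idempotent
    New-NetFirewallRule -DisplayName $DisplayName -Group $Group `
        -Direction Outbound -Action Block -Program $Path -Profile Any -Enabled True | Out-Null
}

# Log dropped connections so a blocked LOLbin shows up in
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log (useful when debugging a "broken" app).
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True

# Review what was created and which program each rule is bound to.
Get-NetFirewallRule -Group $Group |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program

# Check the rules actually fire. Both commands should fail with a network error now;
# run them again after removing the rules and they succeed.
#   certutil.exe -urlcache -split -f https://www.microsoft.com/ $env:TEMP\ms.html
#   bitsadmin.exe /transfer t https://www.microsoft.com/ $env:TEMP\ms2.html

# Undo everything this script did:
#   Remove-NetFirewallRule -Group $Group
```

The rules key on the program path, so they do not stop an attacker who copies the binary elsewhere and runs it from there; that gap is what the default-deny/WDAC approach discussed earlier in the thread closes. The two layers complement each other: WDAC stops unknown code from starting, the firewall stops the known, trusted binaries from being used as the network stage.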
