Hot Take 3 Reasons Why Experienced Users Are Getting Infected!

  • Thread starter Thread starter ForgottenSeer 69673
  • Start date Start date
The way we should protect our devices is by hardening them, preventing the malware from doing its damage in the first place by preventing an important step in their execution, process injection, or collection. An example being Firewall Hardeniing to block LOLbins, which by itself make info-stealers such as Redline (that abuse .NET framework files for evasion), useless.
 
  • Like
Reactions: Victor M, DDE_Server, zkSnark and 7 others
Whether it's supply chain attack, social engineering, or someone having physical access to your device there is always a way to compromise your PC, router, enterprise firewall, laptop or mobile if you are a bad and big enough target. All it takes is enough time, skill and money and exploits/bugs in software will fall like XMAS presents from the tree.

Criminal malware is one part but that is usually high volume and eventually is detectable by most security software. Not a huge worry.

But would experienced users even notice they were infected if the adversary is the NSA's Equation group or some other advanced APT? I mean how would you determine if your hard drives firmware has been hacked? Or your laptop's BIOS/UEFI firmware is backdoored? Or your device has a sophisticated implant installed?

Answer is in 99.9% of cases you wouldn't know. But we still keep trying to protect ourselves, everything evolves and improves over time. We strive for 100% protection in our security setup but in reality, you get no such guarantees.
 
  • Like
Reactions: Brie, Victor M, DDE_Server and 8 others
ticklemefeet said:
The reason experienced users get infected and do not reboot is because.

1. they don't use App guard
2. they don't use shadow defender
3. they don't use a whitelisting firewall.
Click to expand...

Simple answer, just try being even more careful, that does usually help to avoid getting infected.
Any security software doesn't prevent even experienced users from making same mistake like careless beginners...

For me personally as home user, AppGuard is too expensive.
Shadow Defender haven't received any update since a few years, so might risky to use it.
 
  • Like
  • +Reputation
  • Applause
Reactions: DDE_Server, Nevi, roger_m and 6 others
the majority of the users don't get infected, and the majority of the users are not "experienced" users so.....

1. humans are prone to mistakes and even you are experienced, it depends on what hits you
2.the experienced users are not experienced enough for that situation
3. given enough resources, every system can be compromised, it does not matter the experience level
 
  • Like
  • Applause
  • +Reputation
Reactions: DDE_Server, Nevi, roger_m and 4 others
ticklemefeet said:
The reason experienced users get infected and do not reboot is because.

1. they don't use App guard
2. they don't use shadow defender
3. they don't use a whitelisting firewall.
Click to expand...
Nahh, you only have one reason half right :) :) :) these are the real three reasons why over confident (I would not call them experienced) users get infected
1. They run out dated/end of life OS-ses
2. They run admin instead of standard user
3. They don't use a whitelist/default deny approach for user space
 
Last edited by a moderator:
  • Like
Reactions: DDE_Server, Nevi, piquiteco and 3 others
silversurfer said:
Simple answer, just try being even more careful, that does usually help to avoid getting infected.
Any security software doesn't prevent even experienced users from making same mistake like careless beginners...

For me personally as home user, AppGuard is too expensive.
Shadow Defender haven't received any update since a few years, so might risky to use it.
Click to expand...
I got AG for $39/year to see if I'm comfortable using it (still learning). I think VS free is gone and now $29/yr. It's all relative, and Avast, eg, is protecting for free near 100% protection at AV-C.
 
  • Like
Reactions: DDE_Server, Nevi, Sandbox Breaker - DFIR and 5 others
With WDAC having such an easy wizard Windows Defender Application Control Wizard I would buy a Windows Pro version. You can use the WDAC in audit mode and use the event messages to create rules. WDAC also has an option to fallback to AUDIT mode when critical software does not start. So when you are willing to dive into WDAC, it is the cheapest whitelist option available.

I have three whitelists:
1. For all users in all folders: Windows Defender on MAX (cloud whitelist)
2. For all user in user folders: WDAC only allowing Microsoft Signed and Syncback Free
3. For Standard user in user folders: SRP default deny

And yes I am running SUA all the time (Windows and Office update without asking for elevation).
 
Last edited by a moderator:
  • Like
  • Thanks
  • +Reputation
Reactions: Nevi, piquiteco, simmerskool and 1 other person
silversurfer said:
Simple answer, just try being even more careful, that does usually help to avoid getting infected.
Any security software doesn't prevent even experienced users from making same mistake like careless beginners...

For me personally as home user, AppGuard is too expensive.
Shadow Defender haven't received any update since a few years, so might risky to use it.
Click to expand...
appguard is only 39 dollars for superb protection if one is not afraid to use it.
shadow defender needs no updates. still works just fine on my windows 11 enterprise.
so, what if you get infected? With shadow defender a simple reboot works to fix the problem and if you are able to configure a whitelist firewall, no info will be stolen.
I hope you don't think i have not used every bit of security software out there. Believe me, I have.
two of the less resource hogs created are appguard and shadow defender.

unless you get targeted with a hardware bug that can stay resident even after a reboot. I guess it would be sludge hammer time then.
 
  • Like
Reactions: Nevi, piquiteco, silversurfer and 1 other person
ticklemefeet said:
shadow defender needs no updates. still works just fine on my windows 11 enterprise.
Click to expand...
How do we or you know for sure there are no security flaws in Shadow Defender? The developer was always a mystery, he replied back sometimes via email.

In general, any security related software what doesn't receive regularly updates anymore, everyone can use it but that shouldn't be recommendable to other people.
Anyway, we don't need to agree about all points ;)

ticklemefeet said:
I hope you don't think i have not used every bit of security software out there. Believe me, I have.
two of the less resource hogs created are appguard and shadow defender.
Click to expand...
I believe that you tried all possible security software, I did the same or partially still do even for different purpose as just for fun...
I have purchased a license of Shadow Defender and been using it for around 5 years, but I don't use it anymore since the release of Windows 11.
 
  • Like
  • +Reputation
  • Applause
Reactions: Nevi, brambedkar59, roger_m and 3 others
ScandinavianFish said:
The way we should protect our devices is by hardening them, preventing the malware from doing its damage in the first place by preventing an important step in their execution, process injection, or collection. An example being Firewall Hardeniing to block LOLbins, which by itself make info-stealers such as Redline (that abuse .NET framework files for evasion), useless.
Click to expand...
this is the protection model developed by the nsa, nist, and industry leaders such as microsoft and various linux groups
there are various standards such as iso 27001 and nist 800-53 that require attack surface reduction, disabling of unused services and lolbins, application of srp such as selinux
any organization that conducts any form of business with the federal government must implement nist 800-53 and other cybersecurity frameworks
to obtain cybersecurity insurance many underwriters also require the applicant to implement one of the stringent cybersecurity standards
there is a standard above the commerce cybersecurity standards, they are called national security cybersecuity standards and mandate such thing as systems and phones that are stripped of only essential functionality
for unregulated businesses, they can do whatever they want, and they do - and get breached
 
  • Like
Reactions: Nevi, piquiteco, Zero Knowledge and 1 other person
Andrezj said:
this is the protection model developed by the nsa, nist, and industry leaders such as microsoft and various linux groups
there are various standards such as iso 27001 and nist 800-53 that require attack surface reduction, disabling of unused services and lolbins, application of srp such as selinux
any organization that conducts any form of business with the federal government must implement nist 800-53 and other cybersecurity frameworks
to obtain cybersecurity insurance many underwriters also require the applicant to implement one of the stringent cybersecurity standards
there is a standard above the commerce cybersecurity standards, they are called national security cybersecuity standards and mandate such thing as systems and phones that are stripped of only essential functionality
for unregulated businesses, they can do whatever they want, and they do - and get breached
Click to expand...
I don't know the details, but my wife worked in a US Congressional local office a few years ago, and when they had a computer issue, they flew in 2 techs from some well-known government contractor (don't recall the name) and they were serious dudes in black suits. I just happened to be there that day and I was scary-impressed.
 
  • Like
Reactions: Azure, Nevi and Zero Knowledge
simmerskool said:
I don't know the details, but my wife worked in a US Congressional local office a few years ago, and when they had a computer issue, they flew in 2 techs from some well-known government contractor (don't recall the name) and they were serious dudes in black suits. I just happened to be there that day and I was scary-impressed.
Click to expand...
ex special operations with the mib issued suit
objective: re-issue password
 
  • HaHa
  • Like
Reactions: Nevi, piquiteco and zkSnark
Threat model or risk assessment > Design and implement security solutions > Review, revaluate and adjust controls

Minimalist said:
Main reason anybody gets infected IMO is that:
- they run (execute) malware.
Click to expand...

This takes care of the low hanging fruit, it will stop common criminal malware like trojans, backdoors and ransomware.

But I don't sit awake at night worrying about criminal malware, it's high volume and easily detectable through spam, YouTube downloads cracks or keygens.

But for professionally designed and implemented attacks then it's game on and any device can be compromised with enough time and skill.
 
  • Like
Reactions: Nevi, oldschool and piquiteco
ScandinavianFish said:
An example being Firewall Hardeniing to block LOLbins, which by itself make info-stealers such as Redline (that abuse .NET framework files for evasion), useless.
Click to expand...
Is there any tutorial instructions available to set this up for home user on Windows 11?
 
zkSnark said:
Is there any tutorial instructions available to set this up for home user on Windows 11?
Click to expand...
Just use Andy Ful's Firewall Hardening blocklist. Download Hard_Configurator, SRP doesn't work on Windows 11 but the Firewall rules should work, so just click on Firewall Rules and add LOLbins and recommended rules.
 
  • Like
Reactions: Nevi, oldschool, zkSnark and 2 others

You may also like...