App Review A Fileless Malware Primer

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
5

509322

Simply beautiful! Excellent video (and music).

The part where the Anti Malware's display Your system is clean? LoL :eek:

Security solutions do not scan Scheduled Tasks. Once a task is created, they do not know if it is safe or malicious.

This attack is called fileless, but technically it is not. There are scheduled tasks created and the files that are executed by the tasks are created in c:\users\<user>.
 
Last edited by a moderator:
5

509322

ThumbsUp.

I suppose I should have also mentioned there are certainly others which would/could do the same but ERP was the first anti-exe that came to mind.
  • Anti-executables that monitor cmd\powershell\wscript
  • SRP in which a user has manually created deny policies for cmd\powershell\schtasks\wscript (e.g. AppGuard > User Space - YES)
  • Emsisoft's behavior blocker (when WinWord.exe attempts to access cmd.exe (launch of unprotected document), the exploit protection will terminate WinWord.exe)
  • A security soft in which a user has manually created deny or restricted policies for cmd\powershell\schtasks\wscript (e.g. Kaspersky's Application Control > Untrusted)
  • Run such documents sandboxed\virtualized
  • HIPS - do not create permanent rules for interpreters; the HIPS will alert when an interpreter is launched; a user might have to move interpreters to certain file groups in certain products to generate alerts for their launch - for example Unrecognized in COMODO or low\high restricted in Kaspersky
Most typical AppGuard users would know that if it blocks an interpreter launch while opening and working with a document that something is not right and investigate.
 
Last edited by a moderator:

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
With so many different vectors, those secondary components like HIPS, BB and even Anti-exe should be more aggressive on possible exploit holes.

Powershell and other common programs that known for security holes must act seriously from the business enterprise, cause it will just kill the system easily.

Today's security strategy should not rely on one tool only.
 

EASTER

Level 4
Verified
Well-known
May 9, 2017
145
With so many different vectors, those secondary components like HIPS, BB and even Anti-exe should be more aggressive on possible exploit holes.

Powershell and other common programs that known for security holes must act seriously from the business enterprise, cause it will just kill the system easily.

Today's security strategy should not rely on one tool only.

It's almost dizzying the multiple curves that Microsoft continues to cram into each new release when most folks haven't finished quite yet charting the previous ones all the way.

It's a cover the basics strategy for most users. Anti-Malware along with a dedicated AV or vice versa/together etc.

This video is yet another example of just what CAN and DOES happen and without much of a peep for most.

With so much and so many ways to disrupt your good machine you have to admonish the efforts of Cruelsister in showcasing Comodo FW for those many people who just want a safer way to get around the block (so to speak) without running into time wasting "easy avenue malwares" coming at them.

Anxiously awaiting that next follow-up to this.
 
5

509322

It's almost dizzying the multiple curves that Microsoft continues to cram into each new release when most folks haven't finished quite yet charting the previous ones all the way.

It's a cover the basics strategy for most users. Anti-Malware along with a dedicated AV or vice versa/together etc.

This video is yet another example of just what CAN and DOES happen and without much of a peep for most.

With so much and so many ways to disrupt your good machine you have to admonish the efforts of Cruelsister in showcasing Comodo FW for those many people who just want a safer way to get around the block (so to speak) without running into time wasting "easy avenue malwares" coming at them.

Anxiously awaiting that next follow-up to this.

Attacks are fundamentally the same. Protecting a system against an attack is not that difficult. For home use protection scenarios, the real limitation - or hindrance if you will - is the user - on so many levels.
 

EASTER

Level 4
Verified
Well-known
May 9, 2017
145
Attacks are fundamentally the same. Protecting a system against an attack is not that difficult. For home use protection scenarios, the real limitation - or hindrance if you will - is the user - on so many levels.

Almost always so, which begs for a little push in the right direction which can go a long way in a short amount of time in reducing the limitations.

And to that end, and specifically geared to the newest of people/users not anywhere near having a handle on their systems yet, the results of CS's ComodoFW videos (per CS settings) seems a really reasonable and immensely helpful starting point for any of them.

Let's hope some of them catch on soon enough and then gain that confidence to look over all the other available programs and prevention methods they can see clearer in which to choose from.
 
5

509322

Almost always so, which begs for a little push in the right direction which can go a long way in a short amount of time in reducing the limitations.

And to that end, and specifically geared to the newest of people/users not anywhere near having a handle on their systems yet, the results of CS's ComodoFW videos (per CS settings) seems a really reasonable and immensely helpful starting point for any of them.

Let's hope some of them catch on soon enough and then gain that confidence to look over all the other available programs and prevention methods they can see clearer in which to choose from.

Even if you paid some people to protect their systems, they still would not do it.
 
5

509322

It would be interesting to know if the same scanners would detect something with real-time active protection.

Kaspersky and a few others detect menu.rtf upon extraction from the archive or upon opening the document, while others detect it only during a scan.

menu.rtf has been around for a while so there are signatures for it.

If it were newly released within the past hour, then you would need something that blocks it from executing wscript.exe, which in turn attempts to launch cmd.exe. Prevent WinWord.exe from launching wscript.exe and the infection run is broken.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top