Advice Request Adaptive Defence 360

[Deleted member 178]

Home User Forum? Show me pleaseeeeee...Perhaps I came to the place full of home products....geeee...

Yes it is a home user forum, doesn't mean we can't talk about some corporate products but you will have few people interested; hence why we are on this thread.

Do you see many threads about Sophos UTM, Symantec EP, Palo Alto, Crowdstrike, hardware Firewall, Honeypots , IDS/IPS, etc...? No, so you get the picture.
People come here to know about Home User products , not endpoint ones, those they can buy or use for free, however some members like us work or worked as corporate admins so we are also interested by endpoints products, but 99%% of the other members here aren't.

and honestly views means nothing, my 2016 security setup thread had 63k views lol.

 

[Emmanuellws]

Yes it is a home user forum, doesn't mean we can't talk about some corporate products but you will have few people interested; hence why we are on this thread.

Do you see many threads about Sophos UTM, Symantec EP, Palo Alto, Crowdstrike, hardware Firewall, Honeypots , IDS/IPS, etc...? No, so you get the picture.
People come here to know about Home User products , not endpoint ones, those they can buy or use for free, however some members like us work or worked as corporate admins so we are also interested by endpoints products, but 99%% of the other members here aren't.

and honestly views means nothing, my 2016 security setup thread had 63k views lol.

yes thanks for explaining that to everyone here - questions raised from your previous statement about this forum is for home products only 63k is a lot.Job well done. Are we gonna get anything from thousands of views...if yes...I need to do something about it...hahahah kidding man.

 

[Emmanuellws]

Mr Umbra, Since you are one of the moderator here..probably just as a suggestion..maybe you can open a new categories for business and corporate users to post related questions..then you can actually pull in lots of business users which is good for malwaretips.com as well. Business Products and vendors can use this place as place to promote their product as well...you know like Barracuda....Sangfor.....Fortinet that stuff. Just a suggestion.

 

[Deleted member 178]

Mr Umbra, Since you are one of the moderator here..probably just as a suggestion..maybe you can open a new categories for business and corporate users to post related questions..then you can actually pull in lots of business users which is good for malwaretips.com as well. Business Products and vendors can use this place as place to promote their product as well...you know like Barracuda....Sangfor.....Fortinet that stuff. Just a suggestion.

Not worth it, i can count less than 10 members who are seriously interested by corporate solutions. If people want talk about corporate solutions, just open a classic thread, but i can already guess few will comment on them.

I am the one here that mostly open those threads lol.

 

[Emmanuellws]

Guys, check out Black Cipher Security channel in YouTube bypassing Antivirus and NextGen AV using penetration testing tools such as Metasploit and other malware and exploit generators..Panda Adaptive Defense 360 is in progress as requested... Black Cipher Security, contact them directly to test your favorite product security. They can do all sorts of attack including fileless or memory based attack. Stay tuned for Panda Adaptive Defense 360 video of it being bypassed.

 

[Amelith Nargothrond]

Wondering where did the software vendor and thread creator @owk688 disappear... This thread transformed into a Panda commercial.

 

[Emmanuellws]

It's ok.

 

[Emmanuellws]

Finally, after waiting...Black Cipher Security managed to bypass PAD360 and had to use the most sophisticated attack - Powershell through memory/RAM under hardening mode (Medium protection) although I suspect they rigged the test by allowing the uploaded backdoored application to "unblock" in the Cloud Console...still they need to use 3 tools combination namely, Powershell Empire, Metasploit and Veil-Evasion....and also they bypassed all other AV / Next GenAV from EmiSoft, Symantec, TrendMicro, F-Secure, Webroot, Avast, Sophos including its Intercept X, McAffee...upcoming..they are trying more including Cylance.....in fact, the only technology that can prevent their attack is Carbon Black with their own so called "Streaming Prevention" protection mechanism - apparently that is the product that they will introduce to corporate company or government. So all PAD360 users, please use Lock mode as Black Cipher said it blocked their backdoored application, hackers won't get far if they use this sophisticated attack. Apart from that, you are totally safe and secure under Lock mode. Oh by the way, apart from the 12 minutes bypass demo after their 6 days test and research....all other brand mentioned just now only took them between 5-7 minutes for a complete attack...and with only one tool Powershell Empire or just Metasploit. Powershell Fileless Attack is the real deal that all AV need to look out for. It won't leave any traces because it will not leave any files on the disk, it will not use any malware signature as it will uses existing Windows OS system apps like powershell and WMI to do hijacking, to steal data or to infect with ransomware through your PC RAM/memory. Stay safe everyone no matter what is your AV and ensure you have application whitelisting running with your AV so hackers cannot advanced further. Setup a log instances of powershell activity. Get notification and detect and take action. Last but not least, disable powershell if you dont use it, but still disabling won't prevent them from running their own powershell instances directly from their tool as the .NET dlls still running in your computer.

 

[Emmanuellws]

and the final summary is, Panda Adaptive Defense 360 - Workstation Policy is the best security configuration. Confirmed that they used the "Server Policy" which will allow powershell to execute and Windows 7 VM running Powershell 1.0/2.0 makes it is easier (See the videos comment section). No wonder it takes them 6 days to publish a 12 minute bypass demo video since my request made - the longest among all bypassed product so far bcoz there is no way and not much for them to customize the policy on the endpoint. So PAD360 users, don't worry, you are protected 100% no matter what powershell attack on the "Advanced Protection Workstation Policy". For Policy using servers, recommended to run minimum Windows Server 2016 to reduce the attack vector. If your servers are running Windows server 2016 with PAD360 Server Policy, and your endpoints are on PAD360 Workstation Policy, you are secured. All malware attack started from endpoints and will go to servers since endpoints are the ones that download and executes email attachment. Black Cipher Security did a good job of pointing out a weakness in the Server Policy since they could not exploit the workstation policy. I as a PAD360 users, accept the weakness but it won't happen bcoz we dont use servers to donwload email and open attachment directly. all in all...PAD360 is a good choice for enterprise endpoint security. Hmm...now I am off to check on LogRhythm or CyberShark features for visibility on network attacks and integrity. Chiaooo!

 

[jamescv7]

Powershell Fileless Attack is the real deal that all AV need to look out for. It won't leave any traces because it will not leave any files on the disk, it will not use any malware signature as it will uses existing Windows OS system apps like powershell and WMI to do hijacking, to steal data or to infect with ransomware through your PC RAM/memory.

Yes you are correct, a reason why it should integrate properly the Anti-exe concept or whitelisting technology since the purpose is to monitor the current programs which may provide different behavior so that the user can check and analyze the information.

Fileless is already been notified by some AV however the information must be prioritized by research.

 

[Deleted member 178]

If a software can't protect the memory, it has no uses to me.

 

[Emmanuellws]

If a software can't protect the memory, it has no uses to me.

Well, I agree on this statement.

 

[Emmanuellws]

Finally, BCS admitted they unblocked the backdoored putty.exe manually which allows the attack to leveraged to another level and allow full takeover.

My explanation to them is - Well it stopped that exe, yes because it is unknown...if the original putty.exe was untouched it would have been allowed, but since if anyone modifies the integrity of a file, it will be unknown, and sooner it will be flagged as malware after completed analysis and found out it creates an unwanted connection right after launching it. That's the feature of PAD360, it should blocked all zero day or unclassified programs, which will greatly reduce of a new attack. They said it will cause some productivity issue, I said hell no, because they easily allow unblock and allow their attack to progress further. By now, the backdoored putty.exe is already flagged as malware.

For all other Av products that they bypassed, I believe they did some unblock too and allow their attack to run which we viewers didn't see in which they admitted in this video.

 

[Deleted member 178]

@Emmanuellws they are Cylance reseller, and Cylance used to do "arranged" videos as they did in their demonstration "tours" ; so no surprises to me...

 

[Emmanuellws]

@Emmanuellws they are Cylance reseller, and Cylance used to do "arranged" videos as they did in their demonstration "tours" ; so no surprises to me...

Yes, Cylance and Carbon Black Defense. Well, even if it is unfair I managed to get them to admit that they rigged the test so there is an explanation behind all other AV products that they bypassed as well. So, don't worry, love and trust your own AV or security product, master it, and check your configuration. Oh well, at least they proved that if we mis-configured or reduced the security of a product, we sure get the attack to work flawlessly.

 

[Deleted member 178]

View attachment 147299
Oh well, at least they proved that if we mis-configured or reduced the security of a product, we sure get the attack to work flawlessly.

i don't need rigged tests to know that

 

[Emmanuellws]

i don't need rigged tests to know that

well not everyone is as good as you...so this serve as a reminder to others including myself. hehehe

 

[Deleted member 178]

What i don't like is the way they hide the important informations during the video.
- In Panda the unblocked a file,
- in ERP video they do't show the vulnerable processes;
- in Comodo , they put paranoid mode but enabled safe mode and allow trusted processes;

and when i asked them to show all settings next time , they don't replied. that is shady...

 

[Emmanuellws]

What i don't like is the way they hide the important informations during the video.
- In Panda the unblocked a file,
- in ERP video they do't show the vulnerable processes;
- in Comodo , they put paranoid mode but enabled safe mode and allow trusted processes;

and when i asked them to show all settings next time , they don't replied. that is shady...

I agree with you buddy. In the end, its all for their marketing purposes because it was not done by a real hacker or security hobbyist that do not earn profits. IF the bypassed demo videos were done fairly without tuning down the product's true capability, it would have been a different story. Let's sum up this way about their videos: They failed to show the weaknesses of those bypassed AV/Security products, instead, they showed their own weaknesses - by cheating.

 

[Emmanuellws]

@Umbra, Finally, Black Cipher Security plays it fair but they turned OFF some protections ->Application Control, Powershell and Active Scripts Protection.