Advice Request Adaptive Defence 360


Status
Not open for further replies.

Rodney74

Well, today I thought I'd try something with a whitelist / cloud, something with signatures, a 2-way firewall, and Zemana to cover the rear...

So I installed G Data Total Security (it has a 2-way firewall), Immunet (it has cloud/whitelist), and Zemana Anti Malware.

Runs very fast on my i7-4820K with 32 GB RAM and an SSD.


Wow... Sounds interesting. Would like to see it in action against a new nasty zero-day virus :) ;)

I don't have access to malicious files like you do; test it, all three programs listed have trial versions.

Maybe make a very short video and post your findings???
 

Emmanuellws

Level 3
Verified
Mar 11, 2017
132
Here I do not have access yet to the malware files... Need to post more to get access. However, I have another 2 websites that have lots of samples and are updated every minute or even every few seconds: Hybrid-analysis.com and malwr.com. I always bump into malware on malwr.com that no AV has a signature for yet; VirusTotal shows the message "file not found", so you have to manually download and upload it to VirusTotal to analyze.
 

Emmanuellws

I found out that with Panda Adaptive Defense, I am unable to install keyloggers on my own machine without allowing them in from the cloud. If the keylogger is flagged as malware by Panda, then there would be no way for me to allow the keylogger to be installed in the first place, even if I am the administrator of the computer. Even if I manage to allow it, Panda will eventually flag that keylogger as malware. So now direct hacking and spying attacks won't work, thanks to the app whitelisting feature plus AV and EDR capability.
 

Emmanuellws

Hi there y'all. Check this out... this can also affect all whitelisting-based security products... including AppGuard, Windows SRPs, Intercept X, Kaspersky TAM, VoodooShield or whatever you call it... as long as it is based on the MD5 hash... it is vulnerable. This blog, however, targets specifically Panda Adaptive Defense 360. I am sure by now... there is a public release of the patch already for PAD360. Please notify and check with your respective product vendor whether this is already patched or not. This is the only method a malware can use that can actually bypass an MD5-based whitelisting security product.

Check out the timeline of the blogger at the end of this article.

Taken from SilentSignal's blog.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

An update on MD5 poisoning
November 28, 2016 | Uncategorized | Tags: antivirus, bypass, evasion, md5, panda, whitelisting


Last year we published a proof-of-concept tool to demonstrate bypasses against security products that still rely on the obsolete MD5 cryptographic hash function.

Summary: The method allows bypassing malicious executable detection and whitelists by creating two executables with colliding MD5 hashes. One of the executables (“sheep”) is harmless and can even perform some useful task and is expected to be categorized as goodware by the victim. After the sheep is accepted by the victim, the colliding malicious version (“wolf”) is sent. Because affected products rely solely on the MD5 fingerprints to identify known good executables, wolf is already whitelisted and can run.

Although the reception of the research was generally positive, some were skeptical about the extent and even the validity of the issue. Although in the meantime we received information about more affected products, NDAs prevented us from further demonstrating that the problem indeed exists and affects multiple vendors.

Today we are able to share a demonstration of the problem affecting Panda Adaptive Defense 360. The issue is demonstrated against the stricter “Lock mode” of the product meaning that the Panda agent only allows known good executables to run (application whitelisting). For the sake of this video we manually unblock the harmless executable version (sheep4.exe) to speed up the process, as otherwise the analysis could take several hours to complete (it was confirmed that the “sheep” executables aren’t detected as malicious by the cloud scanner in case they are not manually unblocked):

[Embedded demonstration video]

(You can skip 01:00-01:55 if you are not interested in the policy update)

We notified Panda Security about this issue through their Hungarian partner (see the timeline at the end of this post). Panda responded that this is a known issue that is expected to be fixed in the next major version, but no ETA was provided. Panda stated that MD5 was used because of performance reasons. We informed Panda that the BLAKE2 hash function can provide a higher level of security at better performance than MD5 (thanks to Tony Arcieri for this update!).

We’d like to stress that this research is not about individual vendors but about bad practices prevalent in the security industry. We now know of at least four vendors affected by the above problem and several others still provide MD5 fingerprints only in their tools and public reports. It is shameful that while hard work is put into phasing out SHA-1, in the security industry it is still generally accepted to use MD5, even after it was exploited in a real-world incident. We understand that there are more straightforward ways for evasion, but think that this issue is a good indicator of how security product development is often approached.

We should do better than this!

Timeline
2016.08.30: Sending technical information to vendor.
2016.09.05: Vendor requests more information, including PCOPInfo logs collected during retest.
2016.09.06: Sending demo video and identification information about product instance. Requesting more information about PCOPInfo usage.
2016.09.06: Vendor responds with instructions about PCOPInfo.
2016.09.08: Sending PCOPInfo logs to vendor.
2016.09.19: Vendor responds that this is a known issue, replacement algorithm is expected to be implemented in the next version.
2016.09.27: Requesting negotiation about issue publication date.
2016.10.12: Requesting negotiation about issue publication date. Including notification about 90-day disclosure deadline in case no agreement would be achieved.
2016.10.19: Vendor responds, internal discussion is still in progress.
2016.11.16: Requesting information about acceptance of publication date.
2016.11.28: Public release.
 
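As an added illustration of the sheep/wolf issue described in the quoted SilentSignal post (this is editorial example code, not SilentSignal's proof-of-concept tool and not Panda's implementation), the following Python sketches an executable allowlist keyed on a configurable digest. It shows the digest lookup the bypass relies on, an audit that flags allowlist entries carrying only an MD5 fingerprint, and the replacement digest the post recommends (BLAKE2b, via Python's `hashlib`). The `SHEEP` and `WOLF` byte strings are constructed placeholders, not real PE files and not a real MD5 collision pair, so every algorithm here distinguishes them; a genuine colliding pair would match on the md5 entry only, which is exactly why an allowlist keyed on md5 would let the wolf through.

```python
"""Hash-keyed executable allowlist: why the digest algorithm matters.

Added example (not from the forum thread or the SilentSignal post).
"""
import hashlib

WEAK_ALGOS = {"md5", "sha1"}          # practical collision attacks exist
STRONG_ALGOS = {"sha256", "blake2b"}  # no known collisions


def fingerprints(data: bytes) -> dict:
    """Compute all digests an allowlist entry should carry for one file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        # 32-byte BLAKE2b: the function the post recommends instead of MD5
        "blake2b": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


class Allowlist:
    """Lock-mode style allowlist: only files whose digest is known may run."""

    def __init__(self, key_algo: str = "blake2b"):
        if key_algo not in WEAK_ALGOS | STRONG_ALGOS:
            raise ValueError(f"unsupported digest: {key_algo}")
        self.key_algo = key_algo
        self._entries: dict[str, str] = {}  # digest -> label of approved file

    def approve(self, label: str, data: bytes) -> str:
        """Record a file as known good (the 'sheep' being accepted)."""
        digest = fingerprints(data)[self.key_algo]
        self._entries[digest] = label
        return digest

    def decide(self, data: bytes) -> str:
        """'allow' if the file's digest matches an approved entry, else 'block'.
        With key_algo='md5', any file colliding with an approved one is allowed."""
        digest = fingerprints(data)[self.key_algo]
        return "allow" if digest in self._entries else "block"


def same_identity(a: bytes, b: bytes, algo: str) -> bool:
    """Would an allowlist keyed on `algo` treat a and b as the same file?"""
    return fingerprints(a)[algo] == fingerprints(b)[algo]


def audit_entries(entries: list) -> list:
    """Return labels of allowlist entries whose only stored digests are weak.

    Each entry is a dict with a 'label' key plus one key per digest algorithm.
    These are the entries a colliding executable could impersonate."""
    weak_only = []
    for entry in entries:
        algos = {k for k in entry if k != "label"}
        if algos and algos <= WEAK_ALGOS:
            weak_only.append(entry["label"])
    return weak_only


# Constructed sample "executables": placeholders, not a real collision pair.
SHEEP = b"MZ\x90\x00 harmless sheep4 : prints hello"
WOLF = b"MZ\x90\x00 wolf : malicious twin"

if __name__ == "__main__":
    al = Allowlist("blake2b")
    al.approve("sheep4.exe", SHEEP)
    print("sheep:", al.decide(SHEEP), "| wolf:", al.decide(WOLF))
    # A legacy export that stored only MD5 for sheep4.exe is flagged.
    legacy = [
        {"label": "sheep4.exe", "md5": fingerprints(SHEEP)["md5"]},
        {"label": "tool.exe", **fingerprints(b"tool")},
    ]
    print("entries relying on a weak digest only:", audit_entries(legacy))
```

The practical takeaway for anyone maintaining an allowlist export or a set of IoCs is the `audit_entries` step: an entry that carries only an MD5 value is the one a colliding file could impersonate, so store and require a SHA-256 or BLAKE2b digest alongside (or instead of) it.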

509322

Hi there y'all. Check this out... this can also affect all whitelisting-based security products... including AppGuard

AppGuard is not susceptible to this type of bypass. The user would have to disable AppGuard protections, "accept the 'sheep' [file]," and execute it. That is not a bypass. It is a user error.

Also, the concept does not apply due to other factors.
 

Emmanuellws

AppGuard is not susceptible to this type of bypass. The user would have to disable AppGuard protections, "accept the 'sheep' [file]," and execute it. That is not a bypass. It is a user error.

Also, the concept does not apply due to other factors.
oic... so AppGuard can allow users to make some errors? Or can it be controlled and policy-enforced from a command center? Blocking and unblocking for Panda cannot be done by a normal user because they are the weakest link in security endpoints. Whatever is blocked needs to be analyzed using their AI machine learning or Big Data, then it will be classified as goodware, malware or PUP... then the command center database is updated to either block or allow the execution and all endpoint databases are updated... PAD360 endpoints from other parts of the world do not need to worry about it already. I think it is dangerous to allow end users to decide, to have that room for errors to disable protections, because not all end users are tech security savvy. Not to forget, with all this Advanced Protection... it is still running with its Panda Antivirus... so there's double protection for you. So does AppGuard have its own antivirus or not, and can it run with any antivirus? Like VoodooShield... I like VoodooShield... so powerful... but it can be more powerful when installed along with a light antivirus.
 

509322

oic... so AppGuard can allow users to make some errors? Or can it be controlled and policy-enforced from a command center? Blocking and unblocking for Panda cannot be done by a normal user because they are the weakest link in security endpoints. Whatever is blocked needs to be analyzed using their AI machine learning, classified... then the command center database is updated to either block or allow the execution... PAD360 endpoints from other parts of the world do not need to worry about it already. I think it is dangerous to allow end users to decide because not all end users are tech security savvy.

AppGuard utilizes "strict blocking." The user can set it to high security or system lock down as they see fit. Some flexibility in the product is provided such that a user can adjust the product and make it work as they wish for them personally on their specific system. We are not going to force system lock down on consumers by default. Different levels of system lock down are provided in the product and it is up to the end user to decide for themselves which level they wish to enforce.

What happens on the system always remains the user's responsibility no matter what security software is utilized. It's in every EULA - including Panda Adaptive Defense 360.
 

Emmanuellws

AppGuard utilizes "strict blocking." The user can set it to high security or system lock down as they see fit. Some flexibility in the product is provided such that a user can adjust the product and make it work as they wish for them personally on their specific system. We are not going to force system lock down on consumers by default. Different levels of system lock down are provided in the product and it is up to the end user to decide for themselves which level they wish to enforce.

What happens on the system always remains the user's responsibility no matter what security software is utilized. It's in every EULA - including Panda Adaptive Defense 360.
Yes, I agree. Panda has Audit, Hardening and Lock Mode too... but in all the modes... the UI for end users gives them NO OPTION to reduce or to increase it... it's controlled by the IT Admin from the cloud console through policy. It can deploy device security as well, Exchange server protection as well, and web security including web filtering, which can deny or allow users access to certain websites anytime or by schedule. The UI at the endpoints is so simple... not many buttons except for seeing what is blocked, quarantined, deleted... and the network intrusion detection report if the Panda firewall is enabled. That's all. Because I believe end users are the weakest link in the last line of defense, Panda lets the Admin have full control and not the user. Well, I respect AppGuard's decision to allow users to set whatever settings they want... I still have some Kaspersky users... and they have full control of it... again... they reduce the security so they can run conventional software... and again, 6 of them got infected with ransomware. Oh my, I don't believe in letting users decide the level of protection by themselves from that point. Oh, and Panda can also prevent sabotage of the computer system or data from happening... even if my users have full Administrator access on that machine... they won't be able to uninstall Panda, delete Panda-related folders... they won't be able to install any trojans, or deliberately execute ransomware, or install keyloggers... they won't be able to do anything without us noticing the illegal stuff that they are trying to do. If I allow my users to be able to reduce the protection of a computer, it's also a chance for users to sabotage or do data extortion. And that is what gives Panda an advantage for its customers, in line with Europe's GDPR law which will be enforced next year.
 

509322

Yes, I agree. Panda has Audit, Hardening and Lock Mode too... but in all the modes... the UI for end users gives them NO OPTION to reduce or to increase it... it's controlled by the IT Admin from the cloud console through policy. It can deploy device security as well, Exchange server protection as well, and web security including web filtering, which can deny or allow users access to certain websites anytime or by schedule. The UI at the endpoints is so simple... not many buttons except for seeing what is blocked, quarantined, deleted... and the network intrusion detection report if the Panda firewall is enabled. That's all. Because I believe end users are the weakest link in the last line of defense, Panda lets the Admin have full control and not the user. Well, I respect AppGuard's decision to allow users to set whatever settings they want... I still have some Kaspersky users... and they have full control of it... again... they reduce the security so they can run conventional software... and again, 6 of them got infected with ransomware. Oh my, I don't believe in letting users decide the level of protection by themselves from that point. Oh, and Panda can also prevent sabotage of the computer system or data from happening... even if my users have full Administrator access on that machine... they won't be able to uninstall Panda, delete Panda-related folders... they won't be able to install any trojans, or deliberately execute ransomware, or install keyloggers... they won't be able to do anything without us noticing the illegal stuff that they are trying to do. If I allow my users to be able to reduce the protection of a computer, it's also a chance for users to sabotage or do data extortion. And that is what gives Panda an advantage for its customers, in line with Europe's GDPR law which will be enforced next year.

It's unfortunate, but people shoot themselves in the foot every day - even Admins with many years of experience, a strong working knowledge of security, a generous IT budget with competent staff, high attention to detail and hard-core, military-grade discipline. All it takes is one innocent moment of inattention. And I speak knowledgeably based wholly upon my own mistakes.

The wider security soft industry can "foolproof" security software only to a certain point. After that the responsibility is on the end user to combine products with knowledge, experience and enforce best practices - which you and I both know is the fundamental problem.

That's why it makes sense to not rely completely upon a single product, but instead to make combinations that add a degree of "user anti-screw-up."
 

Deleted member 178

oic... so AppGuard can allow users to make some errors? Or can it be controlled and policy-enforced from a command center? Blocking and unblocking for Panda cannot be done by a normal user because they are the weakest link in security endpoints.
This is the AppGuard Consumer (aka Home User version)... Don't mix discussion about corporate products and Home user ones...
The Enterprise version is managed only by the Admin (alone or in collaboration with the BRN team, because for BRN even Admins can't be trusted either).
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
This is the AppGuard Consumer (aka Home User version)... Don't mix discussion about corporate products and Home user ones...
The Enterprise version is managed only by the Admin (alone or in collaboration with the BRN team, because for BRN even Admins can't be trusted either).
This. :D

AppGuard Enterprise obviously is tailored to the enterprise environment, and therefore has a management console just like Panda's Adaptive Defense. :) AppGuard Personal/Professional doesn't have this because it's for home users. :)
 

Emmanuellws

This is the AppGuard Consumer (aka Home User version)... Don't mix discussion about corporate products and Home user ones...
The Enterprise version is managed only by the Admin (alone or in collaboration with the BRN team, because for BRN even Admins can't be trusted either).
Thanks for pointing this out, because I also had a mixed feeling about whether we are talking about the same grade of product - home consumer? Corporate? Thanks Umbra. I am sure AppGuard has all the features that Panda Adaptive Defense 360 has too.
 

Emmanuellws

This. :D

AppGuard Enterprise obviously is tailored to the enterprise environment, and therefore has a management console just like Panda's Adaptive Defense. :) AppGuard Personal/Professional doesn't have this because it's for home users. :)

Exactly, I was thinking just now: why wouldn't AppGuard have some controls from a management console, from my understanding based on the posts? I was expecting answers related to Enterprise Grade... but got responses related to home consumers... so I got it all wrong. Anyway, Panda Adaptive Defense 360 is for Enterprise or Corporate... I wouldn't be here if I were using Panda Antivirus or their Internet Protection only. Don't get me wrong, all my posts are related to PAD360 on my company's servers, desktops and laptops... and not on my computer at home or my personal laptop. (I use VoodooShield and AVG at home... hehehe)
 

Emmanuellws

It's unfortunate, but people shoot themselves in the foot every day - even Admins with many years of experience, a strong working knowledge of security, a generous IT budget with competent staff, high attention to detail and hard-core, military-grade discipline. All it takes is one innocent moment of inattention. And I speak knowledgeably based wholly upon my own mistakes.

The wider security soft industry can "foolproof" security software only to a certain point. After that the responsibility is on the end user to combine products with knowledge, experience and enforce best practices - which you and I both know is the fundamental problem.

That's why it makes sense to not rely completely upon a single product, but instead to make combinations that add a degree of "user anti-screw-up."
This one I really agree with. I am with you on this :)
 

Deleted member 178

I was expecting answers related to Enterprise Grade... but got responses related to home consumers... so I got it all wrong. Anyway, Panda Adaptive Defense 360 is for Enterprise or Corporate... I wouldn't be here if I were using Panda Antivirus or their Internet Protection only. Don't get me wrong, all my posts are related to PAD360 on my company's servers, desktops and laptops... and not on my computer at home or my personal laptop. (I use VoodooShield and AVG at home... hehehe)
But we are in a home user forum, not a corporate one, so PAD360 will not be interesting to anyone here (hence very few cared as you can see), the home user version isn't worth mentioning; better solutions are available for home users.
 

Emmanuellws

But we are in a home user forum, not a corporate one, so PAD360 will not be interesting to anyone here (hence nobody cared as you can see), the home user version isn't worth mentioning; better solutions are available for home users.
Home User Forum? Show me pleaseeeeee... Perhaps I came to the place full of home products... geeee... but we are in the thread with the subject "Adaptive Defence 360" - enterprise and corporate level? Yes, no one is interested, but to get 2k views for such a small Panda... is a thing hehehehe
 
