Serious Discussion Any replacements for Microsoft Defender Exploit Protection?

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
424
Hi @Rita, that was an interesting video. Thanks.

However, it shows the Kaspersky for Server edition. I have heard different things about protections offered by different editions of a product. Some say that the same protection is available in all editions. Some say you have to specifically buy a certain edition to get a certain protection feature. I tend to believe the latter. What does everybody have to say about that?

In my case, I have Kaspersky Premium.

Anyways, the red team test their tools against common AVs before deploying them. So the chances are great that Kaspersky will fail.
 

Sandbox Breaker

Level 9
Well-known
Jan 6, 2022
436
You need more layers and to be holistic. You can't teach that.

I've set up Windows XP laptops for fun and still red teams were rage quitting 😅

Their words were, "It's unfair as we cannot even communicate with the targets." I said, "Find a way." Little do they know that Windows Firewall kicked their butts due to my policies. They couldn't even get to execution or exploitation.
 

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
424
Hi @Sandbox Breaker,
> I've set up Windows XP laptops for fun and still red teams were rage quitting
It's great to be in your shoes.

Unfortunately my red team don't know the word 'quit'.

Since we are talking about firewalls, what do you think of this config: Setup Idea - Default Deny Windows Firewall setup How To

There are other layers in my defenses. But the whole point of this test is to test the abilities of OpenEDR and its included Comodo Internet Security. I don't like Comodo's firewall policy and have replaced it with the above and added Malwarebytes' Anti-Exploit. But I have kept their other protections. And their salesperson is pitching me to upgrade to their 'advanced' package. I queried their support about the ability to detect and stop Metasploit's shell Meterpreter on Friday; they have kicked the query to the advanced team, but they haven't responded yet.
 

Sandbox Breaker

Level 9
Well-known
Jan 6, 2022
436
> Hi @Sandbox Breaker,
>
> It's great to be in your shoes.
>
> Unfortunately my red team don't know the word 'quit'.
>
> Since we are talking about firewalls, what do you think of this config: Setup Idea - Default Deny Windows Firewall setup How To
>
> There are other layers in my defenses. But the whole point of this test is to test the abilities of OpenEDR and its included Comodo Internet Security. I don't like Comodo's firewall policy and have replaced it with the above and added Malwarebytes' Anti-Exploit. But I have kept their other protections. And their salesperson is pitching me to upgrade to their 'advanced' package. I queried their support about the ability to detect and stop Metasploit's shell Meterpreter on Friday; they have kicked the query to the advanced team, but they haven't responded yet.

Advice isn't free. I hope you succeed in your project.
 

Victor M

Level 9
Thread author
Verified
Well-known
Oct 3, 2022
424
> Advice isn't free

Well, I look at it this way - at my age, if you don't teach, you are going to take it to your grave, or forget half of it after you retire. You just take walks with your dog and watch TV. Unless you plan to go back to school and get that Master's degree to keep your mind young. That should not be taken to mean that my advice is always the best approach.
 

Sandbox Breaker

Level 9
Well-known
Jan 6, 2022
436
> Well, I look at it this way - at my age, if you don't teach, you are going to take it to your grave, or forget half of it after you retire. You just take walks with your dog and watch TV. Unless you plan to go back to school and get that Master's degree to keep your mind young. That should not be taken to mean that my advice is always the best approach.

I don't know your age. :ROFLMAO: I'm sure others will help.
 

Xeno1234

Level 14
Jun 12, 2023
684
> Hi @Rita, that was an interesting video. Thanks.
>
> However, it shows the Kaspersky for Server edition. I have heard different things about protections offered by different editions of a product. Some say that the same protection is available in all editions. Some say you have to specifically buy a certain edition to get a certain protection feature. I tend to believe the latter. What does everybody have to say about that?
>
> In my case, I have Kaspersky Premium.
>
> Anyways, the red team test their tools against common AVs before deploying them. So the chances are great that Kaspersky will fail.

Business protection (besides Adaptive Anomaly Control) doesn't differ from the home protection, according to someone I talked to who understands K a lot.
 

ForgottenSeer 93475

> Hi @Rita, that was an interesting video. Thanks.
>
> However, it shows the Kaspersky for Server edition. I have heard different things about protections offered by different editions of a product. Some say that the same protection is available in all editions. Some say you have to specifically buy a certain edition to get a certain protection feature. I tend to believe the latter. What does everybody have to say about that?
>
> In my case, I have Kaspersky Premium.
>
> Anyways, the red team test their tools against common AVs before deploying them. So the chances are great that Kaspersky will fail.

Hi @Victor M
It's present equally in all Kaspersky products. Enterprise versions may have additional controls, but the basic protection is the same.
 

ForgottenSeer 93475

Also, any program, no matter how powerful, may fail because there is no complete protection, but I do not think it is a good idea to assume a high failure rate for either Kaspersky or other protection programs before testing.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,698
> Hi @SpyNetGirl,
>
> We meet again. My other layers of protection currently on that box are some hardened/disabled services, SRP, and some group policy items. The main defenses are Comodo's Internet Security, which is packaged and free from OpenEDR, and Cyber Lock. This configuration is deployed because I want to test out the recommended configuration of OpenEDR. The Cyber Lock piece is a protection that I always deploy so I left it on.
>
> I tried to deploy MS Security Baseline also but it conflicts with Comodo - system won't boot. I think it is due to one group policy item which disallows turning off Windows Defender. I will try again tomorrow and disable that item and see if that works.
>
> Does it take a long time to understand how to use your hardening?

You probably already know this, but please make sure you disable the option "Automatically deactivate after 10 minutes of system idle" in CyberLock Settings / Basic tab prior to the red team testing. CyberLock is designed to protect the endpoint while the user is engaging in risky activities, so we left this option on by default. We should probably automatically disable this option after 2-4 weeks, or prompt the user to see if they would like to disable this option at that time. Also, please remember when testing CyberLock, to reset the whitelist when retesting a certain attack.

I would also like to mention that locking the endpoint down to the point where it is completely unusable is actually the easy part. The difficult part is to lock the endpoint down as tightly as possible, WHILE making it user-friendly enough to actually be able to use. For example, could you imagine if a military department was at war and they were unable to execute software necessary to complete their mission?

A wise woman once asked me a simple question with an analogy while trying to make a point about security in general. Her question was, "What is the best exercise equipment (e.g. Bowflex, Peloton)?" Her answer was simply, "It is the one that you use."
 
