App Review: Avast's challenge.

Content created by
Andy Ful

Vitali Ortzi

From my experience with AV vendors and POCs, the new method is not detected/blocked until it becomes prevalent in the wild. So, even if such rare attacks appeared in the wild, the AV vendors added the malware signature without behavioral detection/block of the method.
Currently, the prevalent and well-known method is BYOVD (Bring Your Own Vulnerable Driver). For that method, Avast implemented the vulnerable driver BlockList.

My concern (so far) is not the "AV challenge", but the undetected UAC bypass commonly used in the wild. But, I cannot blame Avast, because even with this possible issue it can compete with top AVs when protecting home users.
Wouldn't a sample first be examined by CyberCapture? (It still doesn't mean Avast doesn't need to fix the bypass, as good multilayer is key to good defense.)
 

Andy Ful

Wouldn't a sample first be examined by CyberCapture? (It still doesn't mean Avast doesn't need to fix the bypass, as good multilayer is key to good defense.)

The attack can skirt around SmartScreen, CyberCapture, and Avast Hardened Mode. It does not mean that they fail; simply, they are not designed to check the file types used in the attack. I used trusted EXEs and a few files that are not checked by those security layers. All files except one EXE are hidden, so they are not visible in Explorer.
 

Andy Ful

Some readers may doubt why Avast's CyberCapture cannot detect the attack in the cloud sandbox. So, let's look at the alternatestreamview.exe process in Process Explorer:


We can see many DLLs loaded by this executable. CyberCapture does not send all those DLLs to the sandbox; only the EXE file can be sent if it is recognized as suspicious. So, even if alternatestreamview.exe were unknown and suspicious, CyberCapture could only examine how this executable behaves in the virtual environment with DLLs native to the sandbox and without the DLL used locally in the attack. This is a well-known limitation, typical of many cloud sandboxes. Otherwise, many files would have to be uploaded to the cloud, causing performance issues, overloading the cloud, etc.

The problem of DLLs can be partially solved by using a file reputation cloud lookup, as in Smart App Control, Norton Download Insight, etc. However, this approach gives many false positive detections. As usual, the requirement of protection usability necessitates a reduction in security.
If Avast decides to check the reputation of DLLs in the future, it will probably be thanks to changes to Hardened Mode.
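As an added example (not code from the thread, from Avast, or from the Hard_Configurator project), here is a PowerShell triage script that enumerates the modules a running process has loaded and flags the ones a cloud sandbox that receives only the EXE would never see: DLLs loaded from the EXE's own directory, unsigned or invalidly signed files, and files carrying the hidden attribute. The process name is an assumed parameter, defaulting to the executable named in the post; run it in an elevated prompt so module lists are readable.

```powershell
# Added triage script: which DLLs does a local process run that a cloud sandbox
# given only the EXE would not have? Parameter and defaults are assumptions.
param([string]$ProcessName = 'alternatestreamview')

# Directories whose DLLs the sandbox has natively; anything else is "local only".
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

function Test-InSystemDir([string]$Path) {
    foreach ($d in $systemDirs) {
        if ($Path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning "No running process named '$ProcessName'"; return }

foreach ($p in $procs) {
    if (-not $p.Path) { continue }              # protected process, no readable path
    $exeDir = Split-Path -Parent $p.Path
    try { $modules = $p.Modules } catch { Write-Warning "Cannot enumerate modules of PID $($p.Id)"; continue }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path -or $path -ieq $p.Path) { continue }   # skip the EXE itself

        # -Force is needed: hidden files are invisible to Get-Item without it,
        # exactly as they are invisible in Explorer.
        $item   = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $hidden = $item -and ($item.Attributes -band [IO.FileAttributes]::Hidden)
        $sig    = (Get-AuthenticodeSignature -LiteralPath $path).Status

        $flags = @()
        if ((Split-Path -Parent $path) -ieq $exeDir) { $flags += 'loaded from EXE directory' }
        if (-not (Test-InSystemDir $path))           { $flags += 'outside Windows system dirs' }
        if ($sig -ne 'Valid')                        { $flags += "signature: $sig" }
        if ($hidden)                                 { $flags += 'hidden attribute set' }

        # A side-by-side, unsigned, hidden DLL is what the machine executes locally
        # but the remote sandbox (EXE only) never loads; surface it for review.
        if ($flags.Count -gt 0) {
            [pscustomobject]@{ PID = $p.Id; Module = $m.ModuleName; Path = $path; Findings = ($flags -join '; ') }
        }
    }
}
```

Third-party DLLs under Program Files will also show up as "outside Windows system dirs"; the combination of findings on one module, not any single flag, is what merits a closer look.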

Vitali Ortzi

Some readers may doubt why Avast's CyberCapture cannot detect the attack in the cloud sandbox. So, let's look at the alternatestreamview.exe process in Process Explorer:

We can see many DLLs loaded by this executable. CyberCapture does not send all those DLLs to the sandbox; only the EXE file can be sent if it is recognized as suspicious. So, even if alternatestreamview.exe were unknown and suspicious, CyberCapture could only examine how this executable behaves in the virtual environment with DLLs native to the sandbox and without the DLL used locally in the attack. This is a well-known limitation, typical of many cloud sandboxes. Otherwise, many files would have to be uploaded to the cloud, causing performance issues, overloading the cloud, etc.

The problem of DLLs can be partially solved by using a file reputation cloud lookup, as in Smart App Control, Norton Download Insight, etc. However, this approach gives many false positive detections. As usual, the requirement of protection usability necessitates a reduction in security.
If Avast decides to check the reputation of DLLs in the future, it will probably be thanks to changes to Hardened Mode.
When I send samples to Symantec, thankfully they check every DLL, but it can take even days until they file back a report in the mail if it's something unknown to them. Not very convenient, but still pretty useful, as it's simpler than debugging and disassembling suspicious files myself. But even they probably only check certain file types and languages, so you could probably bypass it with some gaming-engine-specific scripting language or other simple yet genius methods threat actors use in the wild.

Seems like default deny is the only way to stop all current in-the-wild threats, yet both businesses and consumers usually don't really use default deny, as it basically makes everything unknown a false positive.
Oh, and even with default deny there are all kinds of tricks to bypass many default deny solutions, just like you have shown.


I really hope Windows does something to help users against so many threats, as Windows security by default has many exploit mitigations Linux lacks, and Windows is pushing safe languages into its kernel (forced declaration, compiler memory checks, etc.).
As long as they keep allow-by-default, social engineering will cause people to execute malware as usual, just like happens to many big corporations. Meanwhile the base of Windows technically has more security features than Linux, but who cares when attackers don't need to try to exploit the memory of processes, since with effective, simple social engineering users basically execute malicious software themselves.



Even I can easily get fooled into executing malware on my Windows system, and at least Android and iOS have sandboxes and restricted permissions by default (true security by default), which makes it harder for attackers to get privileged code running, as they have to actually use exploit chains (layers of sandboxing, memory checks, etc. require a chain in most cases).

Andy Ful

Seems like default deny is the only way to stop all current in-the-wild threats, yet both businesses and consumers usually don't really use default deny, as it basically makes everything unknown a false positive.
Oh, and even with default deny there are all kinds of tricks to bypass many default deny solutions, just like you have shown.

Yes, there is no perfect solution. However, applying a higher security level than the attacker expected really matters. The "predator and prey" model is valid even if the prey can fly high and run fast. The average or weakened target is never safe. It does not mean that everyone has to use the default deny approach. For example, many readers can be safer just by reading the posts on MT about attack methods and developing safer habits. One can make a security solution less strict and more usable if this is covered by knowledge and safe habits.

People can have very different demands about security. I like solutions that can easily switch between a few security levels, similar to changing clothes according to the weather. :)

Vitali Ortzi

Yes, there is no perfect solution. However, applying a higher security level than the attacker expected really matters. The "predator and prey" model is valid even if the prey can fly high and run fast. The average or weakened target is never safe. It does not mean that everyone has to use the default deny approach. For example, many readers can be safer just by reading the posts on MT about attack methods and developing safer habits. One can make a security solution less strict and more usable if this is covered by knowledge and safe habits.

People can have very different demands about security. I like solutions that can easily switch between a few security levels, similar to changing clothes according to the weather. :)
Definitely
The good behavior practices taught here and recommendations of either a configured Defender or a good third-party solution help a lot.
Btw, people here recommend DNS with good intelligence (Quad9) and extensions (users usually recommend Traffic Light here, but I personally recommend the Check Point + Symantec extension combo, which had excellent results in my tests),
which can help a lot to avoid malicious links, from phishing to malware, in the first place.

So good behavior and layers (ASR rules, etc.) can definitely help keep most people safe, and I'm sure most of the people in this forum who use good practices are safe from that alone, no matter what OS they use
(assuming we aren't all already infected by a state-sponsored actor at a low level, in firmware from controllers to baseband, etc., with sleeping malware waiting for an event).