Bypassing Emsisoft (Video)

Status
Not open for further replies.

Amelith Nargothrond

No, show me where any AV or AV vendor states this? Show me just one.
You can't, because that's misinformation, and you're good at that.
You stick with your AV you will be fine ;) lol

You want me to show you an AV that says: "gee dude, don't click on stuff because that's malware and I can't protect you?"
Is that what you're saying?
 

_CyberGhosT_

No, show me how this quote from you is true:
One other purpose of any AV like software is to the defend the user from its stupidity
It's an opinion, and one not based in the reality of what AVs are designed to do; the fact that you can't figure that out is sad as hell.
 

Amelith Nargothrond

No, show me how this quote from you is true:

It's an opinion, and one not based in the reality of what AVs are designed to do; the fact that you can't figure that out is sad as hell.

Oh, so it's ok that the user opened an attachment and sent his password, got his keys logged, sent his screen captures to third parties without his consent because he was stupid and had an AV installed he bought just to prevent these sorts of things. Got it.

Well, to all AV vendors: please add to your EULA that you do not protect "idiot users" that click and open email attachments. You protect just the smart ones that do not open email attachments. Thanks.
 

_CyberGhosT_

Oh, so it's ok that the user opened an attachment and sent his password, got his keys logged, sent his screen captures to third parties without his consent because he was stupid and had an AV installed he bought just to prevent these sorts of things. Got it.

Well, to all AV vendors: please add to your EULA that you do not protect "idiot users" that click and open email attachments. You protect just the smart ones that do not open email attachments. Thanks.
rofl, if that's what you got out of that post, ok then. Have an awesome day ;)
Some of you that read this can hopefully see right through this.
Don't want to steer this off topic, so I'm done. PeAcE

In summary for those that don't know.
AV and AV-like software are designed with specific protections in mind; while they do protect you from a vast blanket of harmful software and actions, the user will forever be the weak point, the flaw so to speak. That's why here at MT Jack is big on user education.
An educated user knows "not" to click on an attachment from an unknown source,
and without that there is no issue.
 

Amelith Nargothrond

rofl, if that's what you got out of that post, ok then. Have an awesome day ;)
Some of you that read this can hopefully see right through this.
Don't want to steer this off topic, so I'm done. PeAcE

Right.


Have a great day to you too buddy!
 

_CyberGhosT_

In summary for those that don't know.
AV and AV-like software are designed with specific protections in mind; while they do protect you from a vast blanket of harmful software and actions, the user will forever be the weak point, the flaw so to speak. That's why here at MT Jack is big on user education.
An educated user knows "not" to click on an attachment from an unknown source,
and without that there is no issue.
 

Amelith Nargothrond

Nice, I love Emsisoft, but that does not address the "email" attachment issue, which is on par with the OP's post, nor your
statement. Cool redirect though ;)

It doesn't. Probably they know better why (this was an exaggeration for the ones who voted with Trump and misunderstood my irony <- this is also an irony).
But it does state the "unintentional clicking", so they are thinking about the stupid user. No user would be stupid enough to click and open stuff to get infected intentionally, either by clicking on links or opening attachments. But they do get infected. That is why the stupid user buys an AV, to protect him. No AV is perfect, Emsisoft is a great one, top rated, no doubt about it, but in this case, it failed.
But you can't say Emsisoft failed because the user was stupid. The user is in many cases unintentionally stupid, that is why he/she buys an AV, to rely on it. Not the case of the video. End of story.
 

_CyberGhosT_

I would like to see this threat against Voodoshield.
That would run into a situation where the user would have to allow it. VS blocks it
as it should, but now you have the user having to make a decision to run it or leave it blocked,
hence the user being the weak point in nearly all instances.
And that is the point I was trying to make: in the past people could "for the most part"
rely on an AV for protection, but the landscape has changed and users can't or "shouldn't"
do this anymore, it's too dangerous. Any software is an aid in keeping you safe, but
should "not" be relied on for 100% protection, no software can, AV or not.
In today's threat landscape you have to educate yourself or you will continue to fall prey
to savvy malware authors.
 

brod56

That would run into a situation where the user would have to allow it. VS blocks it
as it should, but now you have the user having to make a decision to run it or leave it blocked,
hence the user being the weak point in nearly all instances.

Voodoshield at default would block it without user action required. I guess it would solve the problem even for noob users :cool:
 

Amelith Nargothrond

That would run into a situation where the user would have to allow it. VS blocks it
as it should, but now you have the user having to make a decision to run it or leave it blocked,
hence the user being the weak point in nearly all instances.

It might be interesting to see if it gains access to the PC without Emsisoft installed if the user clicks on allow with VS installed. That would be a marker if it exploited Emsisoft or not.
 

Amelith Nargothrond

Edited my post up there to be more inclusive.

Yep, agreed, the user is almost always the ultimate culprit of his failure. And although the classic AVs struggle to fight with the user's actions, you can't match human error in the end. That's why they invented EULAs, they are very good at protecting themselves.

At the end of the day, the best protection is that you learn to avoid trouble, but have a layer of security if you fail. But if that fails as well, you're on your own. In the end, both failed.

Thing is, I as a sysadmin also rely on the AVs (in some smaller environments) and other methods to protect the user, as I am supposed to protect them as well by providing good enough protection. Now think of it this way: I know the user does things he should not. My "boss" (my client) relies on me to get him and his company the best productive protection. You will imagine that in the end it's not the user he blames if the protection fails... Then, who am I going to blame? Default-deny solutions are very good, but training is needed, beyond the usual office stuff, and that's the point of failure with default-deny solutions. In many cases, it's just not working with some people and companies. So you have to fall back to other stuff like AVs. And then... you have to find other stuff... blame other people, AVs as well because they should've protected the user... and so forth. Endless circle of errors.
 

Amelith Nargothrond

Also worth giving an example from another domain:

Airbus relies on their equipment to avoid pilot error.
Boeing relies on pilots to avoid equipment error.
Flight control relies on both to avoid any error.

Which one is to blame if the plane crashes and does it matter in the end? But they do, rarely, but still, they do, with all the sophisticated and smart equipment, pilot training, or help from the ground.

It's the same in the IT world. Every approach has its cons and pros. Nothing is the best everywhere.
 
509322

He used a confirmed escalation of privilege exploit - more than likely one of the many that are passed-around the pen-tester community. He needed to bypass UAC and elevate the agent so he could run the Mimikatz module which itself needs admin privileges.

He used the Invoke-BypassUAC.ps1 that's in the privsec\bypassmodule. In the command you see him type, "bypassuac EmsiBypass", bypassuac is an alias and EmsiBypass is the listener, which must be specified. The elevated agent is denoted by the * symbol next to it. Next he runs Mimikatz.

He's using the same technique in other videos on his YouTube channel.

Emsisoft itself was not exploited.
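Added example for this thread, not code from the video, from Empire or from Emsisoft: the privilege-escalation step the post above describes only has something to work with when the logged-on user is already a member of the local Administrators group, is running a medium-integrity (non-elevated) token, and UAC is set below "Always notify", because Empire's bypassuac modules rely on Windows' silent auto-elevation of its own binaries. The PowerShell below audits exactly those three conditions on the host it runs on. The function name Get-UacBypassExposure is an assumption of this example; the registry values it reads are the standard UAC policy values.

```powershell
# Added example for this thread; it is not code from the video, from Empire or
# from Emsisoft. It reports whether an interactive Windows session is in the
# state a UAC-bypass module such as Empire's Invoke-BypassUAC needs: local
# Administrators membership, a non-elevated token, and UAC below "Always notify".
# The function name is an assumption of this example; the registry values are
# the standard UAC policy values under Policies\System.

function Get-UacBypassExposure {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $policyKey

    # Current token. On a filtered (non-elevated) admin token the
    # BUILTIN\Administrators SID (S-1-5-32-544) is still listed, marked
    # deny-only, so IsInRole(Administrator) is false while the group is present.
    # That combination is what a bypass module turns into a full admin token.
    $identity    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal   = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $adminMember = [bool]($identity.Groups.Value -contains 'S-1-5-32-544')

    # UAC policy values. ConsentPromptBehaviorAdmin: 2 = "Always notify" (no
    # silent auto-elevation of Windows binaries), 5 = Windows default
    # (auto-elevation on), 0 = never notify. A missing value means the default.
    $enableLua     = if ($null -eq $uac.EnableLUA) { 1 } else { [int]$uac.EnableLUA }
    $consent       = if ($null -eq $uac.ConsentPromptBehaviorAdmin) { 5 } else { [int]$uac.ConsentPromptBehaviorAdmin }
    $secureDesktop = if ($null -eq $uac.PromptOnSecureDesktop) { 1 } else { [int]$uac.PromptOnSecureDesktop }

    $autoElevateOn = ($enableLua -eq 0) -or ($consent -ne 2)
    $exposed = $adminMember -and (-not $elevated) -and $autoElevateOn

    if ($exposed) {
        $advice = 'Set UAC to Always notify (ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1) and do daily work as a standard user.'
    } elseif (-not $adminMember) {
        $advice = 'Standard user: a UAC bypass has nothing to elevate; escalation would need a separate exploit.'
    } elseif ($elevated) {
        $advice = 'Already elevated: no UAC bypass is needed; anything launched here already runs with full admin rights.'
    } else {
        $advice = 'UAC at Always notify: auto-elevation tricks prompt the user instead of silently elevating.'
    }

    [pscustomobject]@{
        User                       = $identity.Name
        LocalAdminMember           = $adminMember
        TokenElevated              = $elevated
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secureDesktop
        UacBypassPossible          = $exposed
        Advice                     = $advice
    }
}

# Run this from the normal (non-elevated) console of the user you care about;
# from an already-elevated console it can only report TokenElevated = True.
Get-UacBypassExposure | Format-List
```

This says nothing about the attachment that started the chain in the video, which is the user-education point argued through the whole thread; it only tells you whether the escalation step in the post above had an open door on a given machine. A standard-user account with UAC at "Always notify" closes that door without any change to the AV.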
 
