"Bypassing" NoVirusThanks EXE Radar Pro
<blockquote data-quote="509322" data-source="post: 619911"><p>Check the COMODO HIPS settings that he used\shows in the COMODO video. HIPS is set to Paranoid mode, but he sets HIPS alerts to OFF and to Allow Requests. Also, he enabled Create Rules for Safe Files.</p><p></p><p>Those settings ensure that cmd.exe and powershell.exe will be allowed to execute without any alerts because both are rated as Safe by COMODO. With those settings he effectively neutered HIPS Paranoid mode for the demonstration.</p><p></p><p>From CIS documentation...</p><ul> <li data-xf-list-type="ul"><strong>Do NOT show popup alerts</strong> - Configure whether or not you want to be notified when the HIPS encounters a malware. Choosing 'Do NOT show popup alerts' will minimize disturbances but at some loss of user awareness. (<em><strong>Default = Disabled</strong></em>). If you choose not to show alerts then you have a choice of default responses that CIS should automatically take – either 'Block Requests' or 'Allow Requests'.</li> <li data-xf-list-type="ul"><strong>Create rules for safe applications - </strong>Automatically creates rules for safe applications in HIPS Ruleset <em><strong>(Default = Disabled).</strong></em></li> </ul><p>In short, he is using settings\configurations in all the videos that I actually bothered to watch to ensure cmd and powershell are whitelisted or not monitored. I didn't watch every single video. He is using PowerShell Empire in some, Metasploit in others, and whatever else.</p><p></p><p>PowerShell Empire takes advantage of the fact that cmd and powershell are whitelisted by the vast majority of antivirus\internet security suites.</p><p></p><p>At least some of those tested softs can be tweaked by the user to alert upon initiation and during the "demonstration." Don't ask me how; research it and figure it out so it is permanently written on the inside of your skull.</p><p></p><p>[USER=178]@Umbra[/USER] asked him to show ALL settings, rules, etc. for each video. Do you think the guy is actually going to honor that request and explain why he is using the specific settings\configuration that he uses?</p></blockquote><p></p>