- Feb 7, 2023
- 1,742
Scripts are emulated as well. Even without restriction, everything will be OK.
Can Anti-Viruses stop RATS that have their connection established?
- Thread starter Xeno1234
- Start date
Blocking risky file extension execution is a simpler and far more effective approach than a script emulator for home users. Because people pay for advanced protection they like to believe they don't need Windows build in protections. It is like saying, I don't need to run as standard user, because my security is so advanced I can run as Admin.
The risk surface for home use can be easily reduced by taking a few measures, for instance running SUA, blocking risky file extensions in user folders (Simple Windows Hardening) and allowing only known good (white listed) executables to execute (Configure Defender on MAX). Alternatively you could switch to a more restrictieve OS which does not allow the user to weaken security.
In the corporate environment the endpoint protection is not the problem, it is the user who is using that endpoint. Best in class security provides automated analysis of events on endpoints and provides signals when users are sloppy or fall into tricks. In these use cases a script emulator is a watch guard which provides valuable insights for the EDR-system.
The risk surface for home use can be easily reduced by taking a few measures, for instance running SUA, blocking risky file extensions in user folders (Simple Windows Hardening) and allowing only known good (white listed) executables to execute (Configure Defender on MAX). Alternatively you could switch to a more restrictieve OS which does not allow the user to weaken security.
In the corporate environment the endpoint protection is not the problem, it is the user who is using that endpoint. Best in class security provides automated analysis of events on endpoints and provides signals when users are sloppy or fall into tricks. In these use cases a script emulator is a watch guard which provides valuable insights for the EDR-system.
Last edited by a moderator:
- Feb 7, 2023
- 1,742
In the case of Harmony which was previously discussed, there is script emulator, you can block the download of certain files (whatever extensions you want), you can block LOLBins from connecting, terminate them upon attempt to connect or completely block their launch.
@Trident yes I edited my post, to make clear I that I agree with you for corporate market
- Jun 24, 2016
- 2,400
Aforementioned, antiviruses have different "capes" of protection to ensure your safety. If it failed to protect you via signature (static detection), and it also failed at file launch (dynamic detection), then there's still ways it can detect it afterwards. Let me give you an example:
Imaginate you executed a malware file that wasn't on the antivirus database. At first, the malware will be active and working. If it doesn't behave suspicious at all, chances are it remains undetected. Now the "issue" begins when it starts behaving like a virus, since antivirus monitor files and their actions in look for weird behaviour.
About half a year ago, I wasn't careful and got infected out of stupidy. But the scenario was similar to what I'm describing. Here's the post on my infection: How I got infected last time thread
You will see that the file was detected due to the internet connections the file established with the host. These connections were blocked by Norton's Firewall, so no information was stolen... but the main executable creating this connections wasn't quarantined nor blocked, so it was an endless loop of blocked connections that kept repeating, until I had to find another way to delete the payload.
Imaginate you executed a malware file that wasn't on the antivirus database. At first, the malware will be active and working. If it doesn't behave suspicious at all, chances are it remains undetected. Now the "issue" begins when it starts behaving like a virus, since antivirus monitor files and their actions in look for weird behaviour.
- If this malicious file starts screen recording or capturing keys, this will trigger an alert in the antivirus, which will probably check the file for a signature or hash that matches with a screen capturing software, or else possibly flag it as malicious.
- If this malicious file starts calling back home constantly, sending information from here to there, this will probably trigger the antivirus, whom's firewall will have detected the destination host or IP as malicious.
About half a year ago, I wasn't careful and got infected out of stupidy. But the scenario was similar to what I'm describing. Here's the post on my infection: How I got infected last time thread
You will see that the file was detected due to the internet connections the file established with the host. These connections were blocked by Norton's Firewall, so no information was stolen... but the main executable creating this connections wasn't quarantined nor blocked, so it was an endless loop of blocked connections that kept repeating, until I had to find another way to delete the payload.
- Jun 12, 2023
- 699
Screen recording cant really be triggered as a malicious action since other applications do it, such as legitimate screen recorders.
Also, what about taking files from your PC, like Remote Access? The Anti-Virus should detect it, right?
- Feb 7, 2023
- 1,742
It’s not all as simple as
if (appInspect().screenshotCapability() == 1) {
if (appInspect().checkLegitProcess() == 0) {isMalware =1}
}
There is a ton of other stuff to it.
if (appInspect().screenshotCapability() == 1) {
if (appInspect().checkLegitProcess() == 0) {isMalware =1}
}
There is a ton of other stuff to it.
- Apr 13, 2013
- 3,149
It’s not all as simple as
Also a Smart anti-malware application must be able to differentiate between a benign Keyboard Event API for windows apps versus a keylogging python Hook like:
OnKeyboardEvent(event): global numchars, keys.
Also it helps when a difference is noted between when a browser is opened versus when a malware stealer using Import Socket connects out to the nasties.
Tru dat!
Also a Smart anti-malware application must be able to differentiate between a benign Keyboard Event API for windows apps versus a keylogging python Hook like:
OnKeyboardEvent(event): global numchars, keys.
Also it helps when a difference is noted between when a browser is opened versus when a malware stealer using Import Socket connects out to the nasties.
- Feb 7, 2023
- 1,742
And finally, all observations are processed through various machine learning techniques like decision trees and others. Both locally and on the cloud.
But firstly, majority of AVs normally complement dynamic and static analysis with behavioural blocking. By the time all these observations have started, the executable is pre-analysed and some verdict is already produced. It is all extremely complex, jam packed with variables and as such, it opens doors for more sophisticated attackers to wiggle around.
- Jun 12, 2023
- 699
Does Kaspersky utilize KSN for deep learning/ML in general?
- Feb 7, 2023
- 1,742
Deep learning analysis performed locally on a Windows Machine is not too common. Majority of vendors perform “bagging” where IoCs and various other observations are collected locally, transmitted online and the cloud quickly issues a verdict.
Microsoft wants SAC to be for Windows what the Gatekeeper is to MacOS.
As I discovered, even disabled, you cannot run unsigned = by definition, untrusted apps on your Mac.
As I discovered, even disabled, you cannot run unsigned = by definition, untrusted apps on your Mac.
- Feb 7, 2023
- 1,742
You can run unsigned apps on Mac by right clicking on the app and then on open.
They show up as damaged when you double click them to run.
- Feb 7, 2023
- 1,742
From the launcher. You need to use Finder and do the steps above (right click -> open).
- Mar 13, 2022
- 599
I assume, therefore, that the DevKit(?) for MacOS apps includes the ability to create an in-house signature to avoid these problems while testing?
- Jun 12, 2023
- 699
For SWH, since im using Harmony, I dont really need or want it. if I reset windows, does its settings get reset? I had to for technical issues.SWH = Simple Windows Hardening:
SAC is Windows 11 only
New Update - Simple Windows Hardening
Post updated in July 2023. SWH ver. 2.1.1.1 - July 2023 (added support for Windows 11 ver. 22H2) https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip SWH ver. 2.0.0.1 - August 2022 (no support for Windows 11 ver. 22H2)...malwaretips.com
What is Smart App Control? - Microsoft Support
Smart App Control is a feature of Windows 11 that helps to block malicious, untrusted, or potentially unwanted apps from running on your device.support.microsoft.com
- Apr 24, 2016
- 6,613
You can reset the settings to default from the menu of SWH.
If you reset Windows the settings will also be reset to default.
cartaphilus
Level 5
- Mar 17, 2023
- 202
I see that my SAC is disabled. There is no way to reenable it unless I reset the PC. I gave a home build PC so I don't know if SAC would even reset after I reset windows. Is that the only way?
- Aug 22, 2013
- 828
Yes, it's the only way apart from reinstalling. SAC is half backed product which is still in a nascent stage of its development, so don't waste your time on it. It's not worth it. The switching off can be triggered by installation of any kind of software, it's highly unpredictable. I have seen it getting switched off by installation of revo uninstaller pro, which is a digitally signed legitimate software.
You can stop the auto triggering of SAC by manually changing it from "evaluation" mode to "on" state after resetting/reinstall, before installing any 3rd party software. But keep in mind that SAC will prevent installation of software it doesn't like and there is no option to add an "exception" to it. So to me Smart App Control is anything but smart.
Last edited:
Similar threads
