Comodo Endpoint Detection and Response (EDR) is now open source!
[QUOTE="Victor M, post: 1060134, member: 96560"]
One thing that Auto Containment does NOT stop is Living off the Land attacks. Auto Containment fires up when there is a new unknown exe or when a rarely used Windows exe runs (for example ROUTE.exe).

A Living off the Land attack uses native Windows exes, and my red team used BitLocker to encrypt my drive image backup partition. So when I booted up the Macrium Rescue DVD, it could not read the backup partition, rendering that backup useless. Of course, I had the image further backed up to my portable HDD, so it wasn't a totally unsalvageable situation. So anyway, this illustrates the Living off the Land attack concept.

@rhythm

You have to go to Assets > Configuration Templates. Clone the template you are using (maybe you are using the default template). Then click on the cloned template name and make it the Default. Then on the same page click on 'Add Profile Section' to add 'Client Access Control'. Modify that client access control and fill in all the passwords, and also checkmark 'Enable local users to override ...' at the bottom of the same client access control. Save the changes. After OpenEDR syncs with your PC, you will be able to uninstall Endpoint Manager when it asks for a password, thus keeping Comodo Internet Security intact on your PC without any links to Xcitium.

My answer to the above Living off the Land attack was to block all instances of the BitLocker exes using WDAC (Windows Defender Application Control). They reside in System32 and subdirectories of WinSxS. You can also do it with SRP.
[/QUOTE]
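The last paragraph of the quoted post blocks the BitLocker executables with WDAC. The script below is an added example, not part of Victor M's post and not Comodo or Microsoft code, showing one way to build that deny policy with the ConfigCI cmdlets. The base-policy path, the output paths and the list of BitLocker binaries are assumptions; the list is what is found in System32 on current builds and is a starting point rather than an exhaustive inventory.

```powershell
# Added example, not from the quoted post: deny the BitLocker executables with a WDAC
# policy built from the ConfigCI cmdlets. Run from an elevated PowerShell on a
# Windows 10/11 host that already has a WDAC base policy.
# Assumptions: $BasePolicy is your existing base policy XML; the executable names
# below are the BitLocker binaries found in System32 on current builds.

$BasePolicy   = 'C:\WDAC\BasePolicy.xml'                 # assumed path
$MergedPolicy = 'C:\WDAC\BasePolicy-DenyBitLocker.xml'   # assumed path
$BinaryOut    = 'C:\WDAC\DenyBitLocker.cip'              # assumed path

# BitLocker binaries in System32. A FilePublisher rule keys on the file's
# OriginalFileName and its signer, so it also covers the identical copies under
# WinSxS, without relying on a path rule that a copied binary would sidestep.
$BitLockerExes = @(
    'manage-bde.exe',          # command-line enable / lock / status
    'repair-bde.exe',
    'BdeHdCfg.exe',
    'BitLockerWizard.exe',
    'BitLockerWizardElev.exe',
    'bdeunlock.exe',
    'fveprompt.exe',
    'fvenotify.exe'
)

function New-BitLockerDenyRules {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Not present on this build, skipping: $path"
            continue
        }
        # -Deny emits a deny rule instead of the default allow rule
        New-CIPolicyRule -Deny -Level FilePublisher -DriverFilePath $path
    }
}

function Get-DenyRuleCount {
    param([string]$PolicyXml)
    [xml]$doc = Get-Content -LiteralPath $PolicyXml -Raw
    # local-name() sidesteps the urn:schemas-microsoft-com:sipolicy namespace
    $denied  = $doc.SelectNodes("//*[local-name()='DeniedSigner']").Count
    $attribs = $doc.SelectNodes("//*[local-name()='FileAttrib']").Count
    [pscustomobject]@{ DeniedSigners = $denied; FileAttribs = $attribs }
}

$DenyRules = @(New-BitLockerDenyRules -Names $BitLockerExes)
if ($DenyRules.Count -eq 0) { throw 'No BitLocker binaries found; nothing to deny.' }

# Deny rules take precedence over allow rules once merged into the base policy.
Merge-CIPolicy -OutputFilePath $MergedPolicy -PolicyPaths $BasePolicy -Rules $DenyRules

# Option 3 = Enabled:Audit Mode. Leave it on first and watch
# Microsoft-Windows-CodeIntegrity/Operational: event 3076 is "would have been
# blocked", 3077 is an enforced block. Remove it (Set-RuleOption -Delete) to enforce.
Set-RuleOption -FilePath $MergedPolicy -Option 3

# Compile to the binary form the kernel loads.
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $BinaryOut

# Sanity check that the merged policy actually carries the deny rules.
Get-DenyRuleCount -PolicyXml $MergedPolicy
```

Before enforcing, open the merged XML and check the MinimumFileVersion/MaximumFileVersion attributes on the generated FileAttrib entries, because they decide which versions of each binary the deny covers. To deploy, use `citool.exe --update-policy C:\WDAC\DenyBitLocker.cip` on Windows 11 22H2 and later, or copy the .cip into `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\` under its policy ID and reboot on older builds. Two caveats a practitioner should keep in mind: denying these executables does not stop the BitLocker WMI provider (Win32_EncryptableVolume) or the BitLocker PowerShell cmdlets such as Enable-BitLocker, which drive the same volume encryption without any of the listed binaries, so a script or WMI path needs its own controls; and the offline copy on a portable HDD that the post mentions is the control that actually survives this class of attack, whatever the application-control policy blocks.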