ConfigureDefender utility for Windows 10/11
<blockquote data-quote="Andy Ful" data-source="post: 834160" data-attributes="member: 32260">
<p><strong>ConfigureDefender and the fileless malware.</strong></p>
<p>I would like to share some information about WD ASR rules in the context of <strong><span style="color: rgb(184, 49, 47)">fileless attacks</span></strong>. A fileless attack (by the common definition) is an attack during which no portable executable (PE) file is written to and executed from disk.</p>
<p>The below ASR rules are strictly related to the protection of MS software:</p>
<ul>
<li data-xf-list-type="ul"><em>Block executable content from email client and webmail</em> (Outlook or Outlook.com).<br /> It blocks the following file types: EXE, SCR, DLL, <span style="color: rgb(184, 49, 47)"><strong>PS, JS, VBS,</strong></span> etc. when these files are launched from Outlook or Outlook.com (and probably some other popular webmail providers).</li>
<li data-xf-list-type="ul"><em>Block Office applications from creating child processes</em> - also blocks the <span style="color: rgb(184, 49, 47)"><strong>execution of script engines and other LOLBins</strong></span> by Office exploits.</li>
<li data-xf-list-type="ul"><em>Block Office applications from injecting into other processes</em> - prevents Office exploits from <strong><span style="color: rgb(184, 49, 47)">injecting malicious code into other processes</span></strong>.</li>
<li data-xf-list-type="ul"><em>Block Win32 imports from Macro code in Office</em> - <strong><span style="color: rgb(184, 49, 47)">restricts VBA macros when they try to use Win32 API calls</span></strong>.</li>
<li data-xf-list-type="ul"><em>Block only Office communication applications from creating child processes</em> - prevents Outlook exploits from creating child processes, including <span style="color: rgb(184, 49, 47)"><strong>script engines and other LOLBins</strong></span>.</li>
</ul>
<p><strong>The below ASR rules can generally protect the system:</strong></p>
<ul>
<li data-xf-list-type="ul"><em>Use advanced protection against ransomware</em> - also includes remediation of <span style="color: rgb(184, 49, 47)"><strong>PowerShell trojan-downloaders</strong></span>.</li>
<li data-xf-list-type="ul"><em>Impede JavaScript and VBScript to launch executables</em> - blocks common <span style="color: rgb(184, 49, 47)"><strong>JavaScript and VBScript trojan-downloaders</strong></span>.</li>
<li data-xf-list-type="ul"><em>Block credential stealing from the Windows local security authority subsystem (lsass.exe)</em> - protects <span style="color: rgb(184, 49, 47)"><strong>passwords and credentials</strong></span>.</li>
<li data-xf-list-type="ul"><em>Block process creations originating from PSExec and WMI commands</em> - prevents <span style="color: rgb(184, 49, 47)"><strong>spying</strong></span>, blocks <span style="color: rgb(184, 49, 47)"><strong>wmic.exe</strong></span>, prevents <span style="color: rgb(184, 49, 47)"><strong>remote code execution</strong></span>.</li>
<li data-xf-list-type="ul"><em>Block Adobe Reader from creating child processes</em> - also blocks the <strong><span style="color: rgb(184, 49, 47)">execution of script engines, Office applications, and other LOLBins</span></strong> by Adobe Reader exploits.</li>
<li data-xf-list-type="ul"><em>Block execution of potentially obfuscated scripts</em> - blocks some <strong><span style="color: rgb(184, 49, 47)">obfuscated JS, VBS, PS, VBA code</span></strong>.</li>
<li data-xf-list-type="ul"><em>Block persistence through WMI event subscription</em> - prevents threats that abuse WMI to <strong><span style="color: rgb(184, 49, 47)">persist and stay hidden in the WMI repository</span></strong>.</li>
</ul>
<p>See also:</p>
<p><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction">https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction</a></p>
<p>As can be seen from the above points, WD ASR rules do not prevent attacks performed via Python scripts or Java files (.jar files), which are sometimes used by malc0ders too. But such attacks require installing Python or Java engines.</p>
</blockquote>
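As an added example (not ConfigureDefender's own code and not part of the post above), the twelve rules the post lists mapped to their ASR rule GUIDs, rolled out in Audit mode first with Set-MpPreference, followed by a query over Defender's 1121/1122 operational events so you can see which rule blocked, or would have blocked, what before enforcing. The GUIDs are the public values from Microsoft's ASR reference (linked in the post) and should be cross-checked there for your Defender version; the function names are mine.

```powershell
# Added example (not ConfigureDefender's own code). Rule GUIDs are the public values from
# Microsoft's ASR reference; cross-check them against the linked docs before relying on them.
# Run from an elevated PowerShell session on Windows 10/11 with Microsoft Defender Antivirus.

$AsrRules = [ordered]@{
    'Block executable content from email client and webmail'                     = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block Office applications from creating child processes'                    = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from injecting into other processes'              = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 imports from Macro code in Office'                               = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block only Office communication applications from creating child processes' = '26190899-1602-49E8-8B27-EB1D0A1CE869'
    'Use advanced protection against ransomware'                                 = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
    'Impede JavaScript and VBScript to launch executables'                       = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block credential stealing from lsass.exe'                                   = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block process creations originating from PSExec and WMI commands'           = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Block Adobe Reader from creating child processes'                           = '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
    'Block execution of potentially obfuscated scripts'                          = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block persistence through WMI event subscription'                           = 'E6DB77E5-3DF2-4CF1-B95A-636979351E5B'
}

function Set-AsrRuleMode {
    # Apply one action to every rule above. Start with AuditMode so legitimate software
    # that a rule would break shows up as 1122 events before anything is enforced.
    param([ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action = 'AuditMode')
    $ids     = @($AsrRules.Values)
    $actions = @($ids | ForEach-Object { $Action })   # one action per rule id, same order
    Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrRuleName([string]$Guid) {
    # Translate a rule GUID back to the name the post uses; unknown GUIDs are returned as-is.
    $hit = $AsrRules.GetEnumerator() | Where-Object { $_.Value -eq $Guid.ToUpper() }
    if ($hit) { $hit.Key } else { $Guid }
}

function Get-AsrEvents([int]$Hours = 24) {
    # Event 1121 = a rule blocked an operation; 1122 = a rule in audit mode would have blocked it.
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'
                 Id = 1121, 1122; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The rule GUID is embedded in the event message text ("ID: <guid>"), so pull it out by pattern.
        $guid = [regex]::Match([string]$_.Message, '[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}').Value
        [pscustomobject]@{
            Time = $_.TimeCreated
            Mode = $(if ($_.Id -eq 1121) { 'Blocked' } else { 'Audit' })
            Rule = Get-AsrRuleName $guid
        }
    }
}

Set-AsrRuleMode -Action AuditMode                 # re-run with -Action Enabled once the audit log is clean
Get-AsrEvents -Hours 24 | Format-Table -AutoSize
```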