Do we actually need so many security programs?

[notabot]

My test was about anti-script capabilities. Sophos could detect the final payload via other modules. But, as we can see from the wild, the payloads are often 0-day malware files, so many of them will succeed.


ASR rules are also dynamical. For example, some ASR rules monitor what the scripts do. If the script has downloaded the payload and next tries to run it, then the payload will be blocked. Also, ASR rules have nothing to do with SRP.

I tested only Sophos exploit protection of MS Office against the weaponized documents. It was not bad, but WD + ASR rules are stronger for that.

You can keep Sophos Premium, just use something else for anti-script protection. You can start with SysHardener. Furthermore, do not use MS Office and Adobe Acrobat Reader.[/QUOTE]

SRP and ASR are different but both are policy tools - so to the extent SRP didn’t clash with Sophos, it’s likely ASR will not clash as well.

MS Office I.e. is not a security choice, to the extent online suites and OpenOffice are behind, work with spreadsheets & 40-50 page writeups is done in Microsoft Office . Acrobat reader can be replaced easily by online viewers these days.

 

[show-Zi]

Several security programs seem to be needed to heat the debate .Even a program with poor grades may gain popularity as a target of contribution.

 

[Andy Ful]

...
SRP and ASR are different but both are policy tools - so to the extent SRP didn’t clash with Sophos, it’s likely ASR will not clash as well.
...

If SRP is an example of the policy tool (whatever it means), then ASR is not even close to that.
But, this is not the right thread for showing the differences between SRP, WD ASR, and Sophos exploit protection. My tests were were done to see if Sophos Premium would benefit after adopting SysHardener or Hard_Configurator, because you were interested. You know the results and my opinion.
Be safe.

 

[notabot]

If SRP is an example of the policy tool (whatever it means), then ASR is not even close to that.
But, this is not the right thread for showing the differences between SRP, WD ASR, and Sophos exploit protection. My tests were were done to see if Sophos Premium would benefit after adopting SysHardener or Hard_Configurator, because you were interested. You know the results and my opinion.
Be safe.

Thanks for your testing, much appreciated - tests indeed show it’s possible to have both and they seem to complement each other.

 

[509322]

Thanks for your testing, much appreciated - tests indeed show it’s possible to have both and they seem to complement each other.

The entire basis of SRP is to allow or block processes and file types; it is generic protection. This type of protection is robust and reliable.

ASR is all rules based and specific to certain Microsoft programs; it is not generic protection. Rules based protections are neither robust nor reliable in the long term.

The smartest protection is simply not to use Microsoft Office and other targeted Microsoft products. Then you will never have any need for ASR.

 

[shmu26]

Thanks for your testing, much appreciated - tests indeed show it’s possible to have both and they seem to complement each other.

I don't know how you will implement ASR alongside with Sophos, because ASR is only available when Windows Defender is the active AV.
But SRP is independent. It can be implemented with any AV, or with none.

 

[notabot]

I looked it up, what you say it’s correct, ASR is tightly bound to defender, so probably no go. Shame that the two are strongly coupled

 

[Andy Ful]

MS Office introduces so many vectors of attack that it is not worthy for the home users, and they can try Libre Office, WPS Office or SoftMaker Office. The real problem may affect the users who have to use MS Office, because of compatibility issues. That can happen, especially with Excel documents, and the user cannot usually disable VBA macros, OLE, AciveX, etc., without breaking advanced Excel features. The Anti-Exploit AV modules are not well tested against weaponized documents (like in the case of Sophos).
I had such problem, because I had to share the documents with many people in work and I had to manage documents also in home.
Generally, there is no easy way to solve the MS Office problem. There are some uneasy solutions for the home users:

1. Sandboxed MS Office.
2. MS Office in the Virtual Machine.
3. SRP + WD ASR (real-time WD required).
4. Anti-Exe with not whitelisted system processes but whitelisted command lines with system processes.

There are probably some other like Comodo Firewall (autosandbox), KIS or BIS which have ATP like modules. Some people would choose also HitmanPro Alert. But, such solutions can cause some problems with system stability & compatibility on Windows 10.

 

[Andy Ful]

I have just tested another possibility. The user can create the special, restricted SUA account for MS Office only:

1. MS Office on SUA.
2. Local SRP high restrictions.

SRP can apply high restrictions similar to Hard_Configurator max restrictions with blocked sponsors, but only on that special account. Other accounts will not be restricted by SRP at all. The local restrictions are applied via local policies, so the malware ran as standard user cannot change them. The SUA accounts can be also forced to not elevate processes, so any malware (also digitally signed) cannot elevate on such restricted SUA.
I could make such restricted account in 5 minutes by transferring the registry keys from HKLM Hive (made by H_C) to HKU Hive created by SUA.

 

[notabot]

I have just tested another possibility. The user can create the special, restricted SUA account for MS Office only:

1. MS Office on SUA.
2. Local SRP high restrictions.

SRP can apply high restrictions similar to Hard_Configurator max restrictions with blocked sponsors, but only on that special account. Other accounts will not be restricted by SRP at all. The local restrictions are applied via local policies, so the malware ran as standard user cannot change them. The SUA accounts can be also forced to not elevate processes, so any malware (also digitally signed) cannot elevate on such restricted SUA.
I could make such restricted account in 5 minutes by transferring the registry keys from HKLM Hive (made by H_C) to HKU Hive created by SUA.

What does SUA stand for ?

 

[Moonhorse]

What does SUA stand for ?

Standard user account

 

[Andy Ful]

I repeated the test with script trojan-downloaders against Kaspersky Free AV (KFA) set to maximum protection. The scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.
KFA detected only one method of downloading files (via Bitsadmin) and one method of executing files (via WScript.Shell.Run). The scripts were detected by Kaspersky heuristics and quarantined.
This is slightly better as compared to Sophos Premium, but not exciting result anyway.
So, KFA will also benefit from adopting an additional application for script blocking.

 

[509322]

I repeated the test with script trojan-downloaders against Kaspersky Free AV (KFA) set to maximum protection. The scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.
KFA detected only one method of downloading files (via Bitsadmin) and one method of executing files (via WScript.Shell.Run). The scripts were detected by Kaspersky heuristics and quarantined.
This is slightly better as compared to Sophos Premium, but not exciting result anyway.
So, KFA will also benefit from adopting an additional application for script blocking.

The only way to ensure protection against malicious scripts and post-exploit code execution is to disable the interpreters and sponsors in both the Admin and Guest accounts. They aren't needed. And I have test proof that over two plus years, almost no problems occurred because of disabling them. What was blocked could be ignored or the fix was trivial.

Children and grandmas do it. So it is mind boggling that people here cannot do it.

 

[gery79]

all i use is ZoneAlarm Extreme and OSArmor

 

[Deleted Member 3a5v73x]

So it is mind boggling that people here cannot do it.

 

[509322]

 

[Andy Ful]

View attachment 200749

The bitter taste of reality.

 

[509322]

The bitter taste of reality.

At least he bounces. We don't. We just go "thud."

 

[Andy Ful]

I repeated the test with script trojan-downloaders against BitDefender Free AV (BDF). The scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.
BDF detected 4 methods of downloading files and 4 methods of executing files. The detected scripts were quarantined. The files were detected on access (static detection, probably by heuristics).
This is much better as compared to Sophos Premium and KFA, but far from perfect.
Also BDF will benefit from adopting an additional application for script blocking.

 

[Deleted member 178]

expecting AVs to prevent scripts and sponsors abuses is a lost cause, the only way is SRPs or Anti-exe.