Local Host

Level 18
Verified
Let me guess... you then changed the password after the notifications/news and any other necessary account information, and it didn't put any of your other accounts for other services in danger, because you don't re-use the same password across services?

If only more people bothered to do these things... e-mail accounts wouldn't still be getting compromised because of credential dumps from service breaches that happened 3 years ago! But... here we are.
Pretty much, even then none of the accounts had suspicious logins, in most cases the passwords go encrypted, and they aren't going to bother to decrypt a 64-bit password.
Safe habits are just one part of a proper security strategy, like a good driver in a well maintained car is less prone to create accidents.

A post-exploitation soft will probably save the poor user, but only if properly configured.
Sadly many people add tons of redundant apps/extensions left at default settings, instead of just using one or two ideally configured.

I kept saying here to stop stockpiling but instead learn how to configure and use what you have.

I see some guys being proud about wasting a lot of money on a dozen apps when just one properly configured would suffice.
Taking 15 min. to go through all the settings carefully is a good ritual, and this goes for all software (not only security software); who knows what you might find.
 

Raiden

Level 13
Verified
Content Creator
I wonder if the safe habits argument is a myth, do you remember the ccleaner case?
It's definitely not a myth. Part of the problem is that (especially on security forums) there is so much fear generated (at times) that people think the more programs/extensions they have, the more protected they will be. Also, people tend to create bad habits because they think that their security program(s)/setup will protect them 100%, which is not true and will never be true, as no product/setup is 100% foolproof. You have to have a good balance between your security program(s) and good habits in order to be truly safe online, IMHO.

Safe habits are just one part of a proper security strategy, like a good driver in a well maintained car is less prone to create accidents.

A post-exploitation soft will probably save the poor user, but only if properly configured.
Sadly many people add tons of redundant apps/extensions left at default settings, instead of just using one or two ideally configured.

I kept saying here to stop stockpiling but instead learn how to configure and use what you have.

I see some guys being proud about wasting a lot of money on a dozen apps when just one properly configured would suffice.
I agree with this 100%

Having safe habits is very important to any security setup. Adding more and more programs/extensions isn't going to make you safer; all it does is potentially create more stability issues and, if they conflict with one another, actually make you less safe. Also, the vast majority of security "suites" are more than enough by themselves. As you said, one needs to take the time to learn what it can and cannot do, and fill in the gaps from there if there are any.
 

509322

But Appguard at default settings would let it do its thing, right? Just for the record...
Yes. Because that .vbs resides in System Space and wscript is not blocked by default. However, scripts in User Space are blocked by default.

The very first thing that should be done with SRP policy is to permanently disable PoSh, PoSh_ISE, wscript, and cscript. Along with the User Space file type blocking by AppGuard, right there are at least 98 % of the usual risks. If you want to get that last few percent, then you disable all the stuff in the extended list as post-exploit protection.
 

shmu26

Level 83
Verified
Trusted
Content Creator
ReHIPS has a demo version, which has a limit of 10 isolated processes per session. That means you can pretty much use it like the paid version, with the exception of Chrome. You cannot run Chrome in isolation with your usual number of extensions and open tabs. You will need to modify the rule for Chrome, so it will be unisolated, but still have post-exploit protection.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

mks_vir Internet Security (MKSV)
MKSV on default settings blocked all samples, except those which used Bitsadmin. Yet, most PowerShell samples were blocked only via the Firewall rule (blocked outbound connections). The VBScript samples which used WMI were also blocked by the Firewall rule for wscript.exe (blocked outbound connections).
Most VBScript samples were blocked by heuristics (static detection) and it can be compared to BitDefender static detection.
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.
 
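Two defensive configurations come up in this thread: the SRP advice earlier (permanently disable PowerShell, PowerShell ISE, wscript and cscript) and, in the MKSV results above, the firewall rule that blocks outbound connections from wscript.exe and powershell.exe so that a trojan-downloader script never reaches its payload. The PowerShell below is an added example, not code from the thread or from any of the products discussed, showing the firewall half of that on Windows 10 with the built-in NetSecurity cmdlets. It assumes an elevated session and the standard System32/SysWOW64 install paths; the rule group name is my own choice.

```powershell
# Added example (not from the thread): per-program outbound block rules for the
# Windows script hosts, using the NetSecurity module that ships with Windows 10.
# Assumes an elevated PowerShell session. Paths are the standard system locations;
# any path that does not exist on this build is skipped.
#Requires -RunAsAdministrator

# Assumed group name; it tags every rule we create so they can be listed/removed together.
$ScriptHostRuleGroup = 'Block script host outbound (example)'

# Both 64-bit and WOW64 copies of each interpreter, so a 32-bit launch is covered too.
$ScriptHostPaths = @(
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\SysWOW64\wscript.exe",
    "$env:SystemRoot\SysWOW64\cscript.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
)

function Add-ScriptHostBlockRules {
    param(
        [string[]]$Programs = $ScriptHostPaths,
        [string]$Group = $ScriptHostRuleGroup
    )
    foreach ($exe in $Programs) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }   # not present on this build
        $name = "Block outbound - $exe"
        # Idempotent: re-running the script must not create duplicate rules.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Group $Group `
            -Direction Outbound -Program $exe -Action Block `
            -Profile Any -Enabled True | Out-Null
    }
}

function Get-ScriptHostBlockRules {
    # Returns one object per rule with the program it applies to, for verification.
    param([string]$Group = $ScriptHostRuleGroup)
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = $app.Program
            Action  = $_.Action
            Enabled = $_.Enabled
        }
    }
}

function Remove-ScriptHostBlockRules {
    # Roll back everything this example created.
    param([string]$Group = $ScriptHostRuleGroup)
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

Add-ScriptHostBlockRules
Get-ScriptHostBlockRules | Format-Table -AutoSize
```

As the MKSV results show, a rule on the interpreter only covers downloads the script performs itself: the samples that handed the transfer to bitsadmin were not stopped, and an outbound block does nothing about a payload that is already on disk. Treat this as one layer alongside static detection of the script and SRP/AppGuard-style blocking of the interpreters, not as a replacement for them.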

shmu26

Level 83
Verified
Trusted
Content Creator
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

mks_vir Internet Security (MKSV)
MKSV on default settings blocked all samples, except those which used Bitsadmin. Yet, most PowerShell samples were blocked only via the Firewall rule (blocked outbound connections). The VBScript samples which used WMI were also blocked by the Firewall rule for wscript.exe (blocked outbound connections).
Most VBScript samples were blocked by heuristics (static detection) and it can be compared to BitDefender static detection.
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.
So at default settings, MKS is the winner, so far?
Funny, I never even heard of MKS.
 

ichito

Level 6
Verified
Content Creator
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.
Now we'll be waiting for the KIS "army" :)
Fine test, @andy, and good results for MKSV... thanks :emoji_beer:
 

KonradPL

Level 3
Somewhere I read that malware likes to hide in these processes. Personally, I do not use any synchronization in Windows 10; I am running OneDrive and everything works well, or at least I think so :)
 

shmu26

Level 83
Verified
Trusted
Content Creator
Somewhere I read that malware likes to hide in these processes. Personally, I do not use any synchronization in Windows 10; I am running OneDrive and everything works well, or at least I think so :)
Yes, svchost can be exploited for process hollowing. But it is a very basic Windows process; it serves very many functions, so you can't just block it or things won't work.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

Malwarebytes Premium (MBP) - 0 blocked samples.
MBP has a good anti-exploit module. Among others, it has anti-script protection for Browsers and MS Office (Application Behavior Protection), but does not provide the system-wide anti-script protection (can only detect by signatures).