Do we actually need so many security programs?

Local Host

Local Host

Level 22
Verified
Eddie Morra said:
Let me guess... you then changed the password after the notifications/news and any other necessary account information, and it didn't put any of your other accounts for other services in danger, because you don't re-use the same password across services?

If only more people bothered to do these things... e-mail accounts wouldn't still be getting compromised because of credential dumps from service breaches that happened 3 years ago! But... here we are.
Click to expand...
Pretty much, even then none of the accounts had suspicious logins, in most cases the passwords go encrypted, and they aren't going to bother to decrypt a 64-bit password.
Umbra said:
Safe habits is just one part of a proper security strategy, like a good driver in a well maintained car is less prone to create accidents.

A post-exploitation soft will probably save the poor user, but if properly configured.
Sadly many people add tons of redundant apps/extensions left at default settings, instead of just using one or two ideally configured.

I kept saying here to stop stockpiling but instead learn how to configure and use what you have.

I see some guys being proud about wasting lot of money on dozen apps when just one properly configured would suffice.
Click to expand...
Taking 15 min. to go through all the settings carefully is a good ritual, this in all the software (not only security software), who knows what you might find.
 
  • Like
Reactions: mlnevese, Raiden, Moonhorse and 1 other person
Raiden

Raiden

Level 18
Verified
Content Creator
128BPM said:
I wonder if the safe habits argument is a myth, do you remember the ccleaner case?
Click to expand...

It's definitely not a myth. Part of the problem is that (especially on security forums) there is so much fear that is generated (at times) people think that the more programs/extensions they have the more protected they will be. Also, people tend to create bad habits becuase they think that their security program(s)/setup will protect them 100%, which is not true and will never be true as no product/setup is 100% fool proof. You have to have a good balance between your security program(s) and good habits in order to be truly safe online IMHO.

Umbra said:
Safe habits is just one part of a proper security strategy, like a good driver in a well maintained car is less prone to create accidents.

A post-exploitation soft will probably save the poor user, but if properly configured.
Sadly many people add tons of redundant apps/extensions left at default settings, instead of just using one or two ideally configured.

I kept saying here to stop stockpiling but instead learn how to configure and use what you have.

I see some guys being proud about wasting lot of money on dozen apps when just one properly configured would suffice.
Click to expand...

I agree with this 100%

Having safe habits is very important to any security setup. Adding more and more programs/extensions isn't going to make you safer, all it does is potentially create more stability issues and if they conflict with one another, actually make you less safer. Also the vast majority of security "suites" are more then enough by themselves. As you said, one needs to take the time to learn what it can and cannot do, and fill in the gaps from there if there are any.
 
  • Like
Reactions: Moonhorse, Eddie Morra, mlnevese and 3 others
5

509322

shmu26 said:
But Appguard at default settings would let it do its thing, right? Just for the record...
Click to expand...

Yes. Because that .vbs resides in System Space and wscript is not blocked by default. However, scripts in User Space are blocked by default.

The very first thing that should be done with SRP policy is to permanently disable PoSh, PoSh_ISE, wscript, and cscript. Along with the User Space file type blocking by AppGuard, right there are at least 98 % of the usual risks. If you want to get that last few percent, then you disable all the stuff in the extended list as post-exploit protection.
 
  • Like
Reactions: Eddie Morra and shmu26
shmu26

shmu26

Level 85
Verified
Trusted
Content Creator
ReHIPS has a demo version, which has a limit of 10 isolated processes per session. That means you can pretty much use it like the paid version, with the exception of Chrome. You cannot run Chrome in isolation with your usual number of extensions and open tabs. You will need to modify the rule for Chrome, so it will be unisolated, but still have post-exploit protection.
 
  • Like
Reactions: outlawxtorn and oldschool
Andy Ful

Andy Ful

Level 63
Verified
Trusted
Content Creator
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

mks_vir Internet Secutity (MKSV)
MKSV on default settings blocked all samples, except those which used Bitsadmin. Yet, most PowerShell samples were blocked only via the Firewall rule (blocked outbound connections). The VBScript samples which used WMI were also blocked by the Firewall rule for wscript.exe (blocked outbound connections).
Most VBScript samples were blocked by heuristics (static detection) and it can be compared to BitDefender static detection.
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.
 
Last edited:
  • Like
Reactions: Raiden, ChemicalB, silversurfer and 8 others
shmu26

shmu26

Level 85
Verified
Trusted
Content Creator
Andy Ful said:
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

mks_vir Internet Secutity (MKSV)
MKSV on default settings blocked all samples, except those which used Bitsadmin. Yet, most PowerShell samples were blocked only via the Firewall rule (blocked outbound connections). The VBScript samples which used WMI were also blocked by the Firewall rule for wscript.exe (blocked outbound connections).
Most VBScript samples were blocked by heuristics (static detection) and it can be compared to BitDefender static detection.
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.
Click to expand...
So at default settings, MKS is the winner, so far?
Funny, I never even heard of MKS.
 
  • Like
Reactions: Raiden, oldschool, Andy Ful and 3 others
ichito

ichito

Level 9
Verified
Content Creator
Andy Ful said:
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.
Click to expand...
Now we'll waitnig for KIS "army" :)
Fine test @andy and good results for MKSV...thanks :emoji_beer:
 
  • Like
Reactions: oldschool, Andy Ful, KonradPL and 1 other person
KonradPL

KonradPL

Level 4
Somewhere I read that malware likes to hide in these processes. Personally, I do not use any synchronization in windows 10, I am running the onedrive and everything works well, or at least I think so :)
 
  • Like
Reactions: oldschool and shmu26
shmu26

shmu26

Level 85
Verified
Trusted
Content Creator
KonradPL said:
Somewhere I read that malware likes to hide in these processes. Personally, I do not use any synchronization in windows 10, I am running the onedrive and everything works well, or at least I think so :)
Click to expand...
Yes, svchost can be exploited for process hollowing. But it is a very basic windows process, it serves very many functions, so you can't just block it or things won't work.
 
  • Like
Reactions: oldschool, Andy Ful, harlan4096 and 1 other person
Andy Ful

Andy Ful

Level 63
Verified
Trusted
Content Creator
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

Malwarebytes Premium (MBP) - 0 blocked samples.
MBP has a good anti-exploit module. Among others, it has anti-script protection for Browsers and MS Office (Application Behavior Protection), but does not provide the system-wide anti-script protection (can only detect by signatures).
 
  • Like
Reactions: Raiden, erreale, silversurfer and 7 others

Similar threads

jetman
Q&A VPN ownership- what do we know and can we really trust them ?
    • Like
    • +Reputation
Replies
17
Views
731
Privacy & VPN
show-Zi
show-Zi
Chipicao
Q&A We need something like this (X-Ray v2.0)
    • Like
Replies
13
Views
669
General Security Discussions
Andrew3000
Andrew3000
SFox
  • Poll
Q&A "Hardening" - the pros and cons?
    • Like
Replies
29
Views
1,366
General Security Discussions
blackice
blackice
Top