Do we actually need so many security programs?

Local Host · Nov 5, 2018

Eddie Morra said:
Let me guess... you then changed the password after the notifications/news and any other necessary account information, and it didn't put any of your other accounts for other services in danger, because you don't re-use the same password across services?

If only more people bothered to do these things... e-mail accounts wouldn't still be getting compromised because of credential dumps from service breaches that happened 3 years ago! But... here we are.

Pretty much, even then none of the accounts had suspicious logins, in most cases the passwords go encrypted, and they aren't going to bother to decrypt a 64-bit password.

Umbra said:
Safe habits is just one part of a proper security strategy, like a good driver in a well maintained car is less prone to create accidents.

A post-exploitation soft will probably save the poor user, but if properly configured.
Sadly many people add tons of redundant apps/extensions left at default settings, instead of just using one or two ideally configured.

I kept saying here to stop stockpiling but instead learn how to configure and use what you have.

I see some guys being proud about wasting lot of money on dozen apps when just one properly configured would suffice.

Taking 15 min. to go through all the settings carefully is a good ritual, this in all the software (not only security software), who knows what you might find.

Raiden · Nov 5, 2018

128BPM said:
I wonder if the safe habits argument is a myth, do you remember the ccleaner case?

It's definitely not a myth. Part of the problem is that (especially on security forums) there is so much fear that is generated (at times) people think that the more programs/extensions they have the more protected they will be. Also, people tend to create bad habits becuase they think that their security program(s)/setup will protect them 100%, which is not true and will never be true as no product/setup is 100% fool proof. You have to have a good balance between your security program(s) and good habits in order to be truly safe online IMHO.

Umbra said:
Safe habits is just one part of a proper security strategy, like a good driver in a well maintained car is less prone to create accidents.

A post-exploitation soft will probably save the poor user, but if properly configured.
Sadly many people add tons of redundant apps/extensions left at default settings, instead of just using one or two ideally configured.

I kept saying here to stop stockpiling but instead learn how to configure and use what you have.

I see some guys being proud about wasting lot of money on dozen apps when just one properly configured would suffice.

I agree with this 100%

Having safe habits is very important to any security setup. Adding more and more programs/extensions isn't going to make you safer, all it does is potentially create more stability issues and if they conflict with one another, actually make you less safer. Also the vast majority of security "suites" are more then enough by themselves. As you said, one needs to take the time to learn what it can and cannot do, and fill in the gaps from there if there are any.

509322 · Nov 5, 2018

shmu26 said:
But Appguard at default settings would let it do its thing, right? Just for the record...

Yes. Because that .vbs resides in System Space and wscript is not blocked by default. However, scripts in User Space are blocked by default.

The very first thing that should be done with SRP policy is to permanently disable PoSh, PoSh_ISE, wscript, and cscript. Along with the User Space file type blocking by AppGuard, right there are at least 98 % of the usual risks. If you want to get that last few percent, then you disable all the stuff in the extended list as post-exploit protection.

outlawxtorn · Nov 5, 2018

@Umbra Do you know if ReHips has some kind of trial?

shmu26 · Nov 5, 2018

ReHIPS has a demo version, which has a limit of 10 isolated processes per session. That means you can pretty much use it like the paid version, with the exception of Chrome. You cannot run Chrome in isolation with your usual number of extensions and open tabs. You will need to modify the rule for Chrome, so it will be unisolated, but still have post-exploit protection.

outlawxtorn · Nov 6, 2018

Thanks @shmu26. I really like this so far.

Andy Ful · Nov 6, 2018

Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

mks_vir Internet Secutity (MKSV)
MKSV on default settings blocked all samples, except those which used Bitsadmin. Yet, most PowerShell samples were blocked only via the Firewall rule (blocked outbound connections). The VBScript samples which used WMI were also blocked by the Firewall rule for wscript.exe (blocked outbound connections).
Most VBScript samples were blocked by heuristics (static detection) and it can be compared to BitDefender static detection.
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.

shmu26 · Nov 6, 2018

Andy Ful said:
Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

mks_vir Internet Secutity (MKSV)
MKSV on default settings blocked all samples, except those which used Bitsadmin. Yet, most PowerShell samples were blocked only via the Firewall rule (blocked outbound connections). The VBScript samples which used WMI were also blocked by the Firewall rule for wscript.exe (blocked outbound connections).
Most VBScript samples were blocked by heuristics (static detection) and it can be compared to BitDefender static detection.
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.

So at default settings, MKS is the winner, so far?
Funny, I never even heard of MKS.

KonradPL · Nov 6, 2018

Andy Thank you, I am grateful

KonradPL · Nov 6, 2018

And what about svhosts processes etc, is it worth blocking access to the network?

Deleted member 178 · Nov 6, 2018

KonradPL said:
And what about svhosts processes etc, is it worth blocking access to the network?

Each sessions is linked to a definite windows service/functionality, some can be blocked others shouldn't.

ichito · Nov 6, 2018

Andy Ful said:
MKSV has a very good protection against script trojan-downloaders. Yet, it is not perfect (can be bypassed, for example, by CHM scriptlets).
It is hard to compare MKSV to KIS, because KIS on default settings is not as good as MKSV, but KIS tweaked can also block all testing samples and additionally can detect/block other types of malicious scripts by AMSI or by blocking script interpreters.

Now we'll waitnig for KIS "army"

Fine test @andy and good results for MKSV...thanks

KonradPL · Nov 6, 2018

Somewhere I read that malware likes to hide in these processes. Personally, I do not use any synchronization in windows 10, I am running the onedrive and everything works well, or at least I think so

shmu26 · Nov 6, 2018

KonradPL said:
Somewhere I read that malware likes to hide in these processes. Personally, I do not use any synchronization in windows 10, I am running the onedrive and everything works well, or at least I think so

Yes, svchost can be exploited for process hollowing. But it is a very basic windows process, it serves very many functions, so you can't just block it or things won't work.

KonradPL · Nov 6, 2018

Okay thanks it is good to know

KonradPL · Nov 6, 2018

Andy maybe test script trojan-downloaders and F-Secure Safe?

Andy Ful · Nov 6, 2018

Test continuation with script trojan-downloaders.
The testing scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.

Malwarebytes Premium (MBP) - 0 blocked samples.
MBP has a good anti-exploit module. Among others, it has anti-script protection for Browsers and MS Office (Application Behavior Protection), but does not provide the system-wide anti-script protection (can only detect by signatures).

509322 · Nov 6, 2018

shmu26 said:
So at default settings, MKS is the winner, so far?
Funny, I never even heard of MKS.

It is Polish. Small user-base.

shmu26 · Nov 6, 2018

Lockdown said:
It is Polish. Small user-base.

You Poles are too good!

509322 · Nov 6, 2018

shmu26 said:
You Poles are too good!

If only Poland could stop others from invading its territory...

Search

Do we actually need so many security programs?

Local Host

Level 25

Raiden

Level 19

509322

outlawxtorn

Level 5

shmu26

Level 85

outlawxtorn

Level 5

Andy Ful

Level 75

shmu26

Level 85

KonradPL

Level 5

KonradPL

Level 5

Deleted member 178

ichito

Level 10

KonradPL

Level 5

shmu26

Level 85

KonradPL

Level 5

KonradPL

Level 5

Andy Ful

Level 75

509322

shmu26

Level 85

509322

Similar threads