Do we actually need so many security programs?

notabot

Level 15
Verified
Oct 31, 2018
703
My test was about anti-script capabilities. Sophos could detect the final payload via other modules. But, as we can see from the wild, the payloads are often 0-day malware files, so many of them will succeed.


ASR rules are also dynamical. For example, some ASR rules monitor what the scripts do. If the script has downloaded the payload and next tries to run it, then the payload will be blocked. Also, ASR rules have nothing to do with SRP.

I tested only Sophos exploit protection of MS Office against the weaponized documents. It was not bad, but WD + ASR rules are stronger for that.
You can keep Sophos Premium, just use something else for anti-script protection. You can start with SysHardener. Furthermore, do not use MS Office and Adobe Acrobat Reader.[/QUOTE]

SRP and ASR are different but both are policy tools - so to the extent SRP didn’t clash with Sophos, it’s likely ASR will not clash as well.

MS Office I.e. is not a security choice, to the extent online suites and OpenOffice are behind, work with spreadsheets & 40-50 page writeups is done in Microsoft Office . Acrobat reader can be replaced easily by online viewers these days.
 
Last edited:
  • Like
Reactions: shmu26 and bribon77

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
SRP and ASR are different but both are policy tools - so to the extent SRP didn’t clash with Sophos, it’s likely ASR will not clash as well.
...
If SRP is an example of the policy tool (whatever it means), then ASR is not even close to that.
But, this is not the right thread for showing the differences between SRP, WD ASR, and Sophos exploit protection. My tests were were done to see if Sophos Premium would benefit after adopting SysHardener or Hard_Configurator, because you were interested. You know the results and my opinion.
Be safe.(y)
 

notabot

Level 15
Verified
Oct 31, 2018
703
If SRP is an example of the policy tool (whatever it means), then ASR is not even close to that.
But, this is not the right thread for showing the differences between SRP, WD ASR, and Sophos exploit protection. My tests were were done to see if Sophos Premium would benefit after adopting SysHardener or Hard_Configurator, because you were interested. You know the results and my opinion.
Be safe.(y)

Thanks for your testing, much appreciated - tests indeed show it’s possible to have both and they seem to complement each other.
 
5

509322

Thanks for your testing, much appreciated - tests indeed show it’s possible to have both and they seem to complement each other.

The entire basis of SRP is to allow or block processes and file types; it is generic protection. This type of protection is robust and reliable.

ASR is all rules based and specific to certain Microsoft programs; it is not generic protection. Rules based protections are neither robust nor reliable in the long term.

The smartest protection is simply not to use Microsoft Office and other targeted Microsoft products. Then you will never have any need for ASR.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Thanks for your testing, much appreciated - tests indeed show it’s possible to have both and they seem to complement each other.
I don't know how you will implement ASR alongside with Sophos, because ASR is only available when Windows Defender is the active AV.
But SRP is independent. It can be implemented with any AV, or with none.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
MS Office introduces so many vectors of attack that it is not worthy for the home users, and they can try Libre Office, WPS Office or SoftMaker Office. The real problem may affect the users who have to use MS Office, because of compatibility issues. That can happen, especially with Excel documents, and the user cannot usually disable VBA macros, OLE, AciveX, etc., without breaking advanced Excel features. The Anti-Exploit AV modules are not well tested against weaponized documents (like in the case of Sophos).
I had such problem, because I had to share the documents with many people in work and I had to manage documents also in home.
Generally, there is no easy way to solve the MS Office problem. There are some uneasy solutions for the home users:
  1. Sandboxed MS Office.
  2. MS Office in the Virtual Machine.
  3. SRP + WD ASR (real-time WD required).
  4. Anti-Exe with not whitelisted system processes but whitelisted command lines with system processes.
There are probably some other like Comodo Firewall (autosandbox), KIS or BIS which have ATP like modules. Some people would choose also HitmanPro Alert. But, such solutions can cause some problems with system stability & compatibility on Windows 10.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I have just tested another possibility. The user can create the special, restricted SUA account for MS Office only:
  1. MS Office on SUA.
  2. Local SRP high restrictions.
SRP can apply high restrictions similar to Hard_Configurator max restrictions with blocked sponsors, but only on that special account. Other accounts will not be restricted by SRP at all. The local restrictions are applied via local policies, so the malware ran as standard user cannot change them. The SUA accounts can be also forced to not elevate processes, so any malware (also digitally signed) cannot elevate on such restricted SUA.
I could make such restricted account in 5 minutes by transferring the registry keys from HKLM Hive (made by H_C) to HKU Hive created by SUA.
 
Last edited:

notabot

Level 15
Verified
Oct 31, 2018
703
I have just tested another possibility. The user can create the special, restricted SUA account for MS Office only:
  1. MS Office on SUA.
  2. Local SRP high restrictions.
SRP can apply high restrictions similar to Hard_Configurator max restrictions with blocked sponsors, but only on that special account. Other accounts will not be restricted by SRP at all. The local restrictions are applied via local policies, so the malware ran as standard user cannot change them. The SUA accounts can be also forced to not elevate processes, so any malware (also digitally signed) cannot elevate on such restricted SUA.
I could make such restricted account in 5 minutes by transferring the registry keys from HKLM Hive (made by H_C) to HKU Hive created by SUA.

What does SUA stand for ?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I repeated the test with script trojan-downloaders against Kaspersky Free AV (KFA) set to maximum protection. The scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.
KFA detected only one method of downloading files (via Bitsadmin) and one method of executing files (via WScript.Shell.Run). The scripts were detected by Kaspersky heuristics and quarantined.
This is slightly better as compared to Sophos Premium, but not exciting result anyway.
So, KFA will also benefit from adopting an additional application for script blocking.
 
5

509322

I repeated the test with script trojan-downloaders against Kaspersky Free AV (KFA) set to maximum protection. The scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.
KFA detected only one method of downloading files (via Bitsadmin) and one method of executing files (via WScript.Shell.Run). The scripts were detected by Kaspersky heuristics and quarantined.
This is slightly better as compared to Sophos Premium, but not exciting result anyway.
So, KFA will also benefit from adopting an additional application for script blocking.

The only way to ensure protection against malicious scripts and post-exploit code execution is to disable the interpreters and sponsors in both the Admin and Guest accounts. They aren't needed. And I have test proof that over two plus years, almost no problems occurred because of disabling them. What was blocked could be ignored or the fix was trivial.

Children and grandmas do it. So it is mind boggling that people here cannot do it.
 
Last edited by a moderator:
D

Deleted Member 3a5v73x

So it is mind boggling that people here cannot do it.
giphy.gif
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I repeated the test with script trojan-downloaders against BitDefender Free AV (BDF). The scripts adopted 7 different methods of downloading files and 8 different methods of executing files from scripts. I used VBScript and PowerShell.
BDF detected 4 methods of downloading files and 4 methods of executing files. The detected scripts were quarantined. The files were detected on access (static detection, probably by heuristics).
This is much better as compared to Sophos Premium and KFA, but far from perfect.
Also BDF will benefit from adopting an additional application for script blocking.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top