Exploit blocking 101

shmu26

Most of us already know that we should use common sense, and keep our OS and software updated. Most also know they need to watch out for malicious exe files. Even something as simple as AVAST hardened mode/aggressive will help with this.

Slightly harder is to protect from malicious scripts. For this, you also need to monitor (or block) wscript.exe, which is the default Windows process for opening JavaScript files.
EDIT: do the same with cscript.exe

Most default/deny apps do this.

Now let's get to the trickier stuff. This category includes exploits that operate only in memory, and DLL attacks.

For these, the common attack methods utilize powershell, powershell ISE, or cmd.exe. So these processes should be monitored/blocked, too. (Although rogue dlls can be loaded by various Windows processes, they first have to get downloaded, which typically means running a script or command.)

Question: what else needs to be done, to protect from exploits?
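The OP's list of processes to watch (wscript.exe, cscript.exe, powershell.exe, powershell_ise.exe, cmd.exe) can be turned into a simple monitoring rule. The script below is an added example, not code from the thread or from any of the products mentioned: it reads constructed process-creation records (tab-separated timestamp, image path, parent image path, command line, a format assumed for the demo) and flags one of the watched interpreters when its parent is a document or browser application, when it was spawned by another script host, when its command line carries a download-or-decode indicator, or when it is given a script from a user-writable folder. The parent and argument lists are assumptions to tune for your own environment, and the base64 blob in the sample is a placeholder.

```python
"""Detection example: flag script and command interpreters launched in ways that
look like a download-and-run chain. Added example; records are constructed."""
import ntpath
import re
from dataclasses import dataclass, field

# Interpreters named in the thread (OP post plus the cscript.exe edit).
WATCHED_IMAGES = {"wscript.exe", "cscript.exe", "powershell.exe",
                  "powershell_ise.exe", "cmd.exe"}

# Parents that rarely have a legitimate reason to spawn an interpreter on a
# workstation. Assumed list for this demo; tune it to your environment.
RISKY_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "chrome.exe", "firefox.exe", "iexplore.exe", "acrord32.exe"}

# Command-line fragments typical of "fetch or decode, then execute" (assumed list).
SUSPICIOUS_ARGS = ("-encodedcommand", "-enc ", "downloadstring", "downloadfile",
                   "invoke-expression", "iex ", "frombase64string",
                   "http://", "https://")

# Folders a standard user can write to; scripts run from here deserve a look.
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.IGNORECASE)


@dataclass
class Alert:
    line_no: int
    image: str
    parent: str
    reasons: list = field(default_factory=list)


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def assess(image_path, parent_path, cmdline):
    """Return the reasons a record is suspicious; an empty list means benign."""
    image = basename(image_path)
    if image not in WATCHED_IMAGES:
        return []
    parent = basename(parent_path)
    low = cmdline.lower()
    reasons = []
    if parent in RISKY_PARENTS:
        reasons.append("launched by document or browser parent")
    if parent in WATCHED_IMAGES:
        reasons.append("launched by another script host")
    if any(fragment in low for fragment in SUSPICIOUS_ARGS):
        reasons.append("download or decode indicator on command line")
    if USER_WRITABLE.search(cmdline):
        reasons.append("script or argument in user-writable location")
    return reasons


def detect(log_text):
    """Parse tab-separated records and collect an Alert for each suspicious one."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # malformed record: skip it rather than crash the monitor
        _ts, image_path, parent_path, cmdline = fields
        reasons = assess(image_path, parent_path, cmdline)
        if reasons:
            alerts.append(Alert(line_no, basename(image_path),
                                basename(parent_path), reasons))
    return alerts


# Constructed sample records (timestamp, image, parent, command line).
SAMPLE_RECORDS = [
    ("2016-02-01T09:14:02Z", r"C:\Windows\System32\wscript.exe",
     r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     r"wscript.exe //E:JScript C:\Users\bob\AppData\Local\Temp\invoice.js"),
    ("2016-02-01T09:14:05Z",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\wscript.exe",
     "powershell.exe -NoP -W Hidden -EncodedCommand PLACEHOLDER_BASE64=="),
    ("2016-02-01T09:20:11Z", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
    ("2016-02-01T09:21:30Z", r"C:\Windows\System32\cscript.exe",
     r"C:\Windows\System32\svchost.exe",
     r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"),
    ("2016-02-01T09:25:44Z", r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Windows\explorer.exe", "firefox.exe"),
]
SAMPLE_LOG = "\n".join("\t".join(rec) for rec in SAMPLE_RECORDS) + "\n"

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.parent} -> {a.image}: {'; '.join(a.reasons)}")
```

Only the first two records fire: wscript.exe started by Word with a script in the user's Temp folder, and powershell.exe started by that wscript.exe with an encoded command. The cmd.exe and cscript.exe records run from ordinary parents with ordinary arguments and stay quiet, which is the point of scoring on parent and command line rather than on the interpreter name alone.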

Wave

what else needs to be done, to protect from exploits?
Don't visit suspicious non-trusted websites, don't download and run programs you are unsure of, don't handle attachments from e-mails which are not from a trusted sender (and make sure it wasn't spoofed; depending on the circumstance you can check with the person to make sure they actually sent you the e-mail), and don't just plug in a USB you found or one from someone else's system unless you know it's clean.

You can work with anti-exploit software such as HitmanPro.Alert (it can protect from more sophisticated exploits like BadUSB, and can alert you when your browser has become compromised by hooks which may be from a banking trojan such as Zeus or Carberp for example) on your host system, you can isolate your web-browser like @SHvFl suggested or you can use a Virtual Machine for browsing and testing of new programs and keep only the essentials on your host (and once the VM becomes infected you can simply revert back via a snapshot, simple) - or use a mix of those ideas.

That being said, always keep your software up-to-date and get rid of any software you no longer use, because the more software you have installed on your system, the more holes there are to be exploited by an attacker.

Truth is, there is nothing you can do to fully protect yourself from exploits. This is because zero-day exploits will be unknown to the vendor and typically found and then utilised for malicious intent by the attacker. This is the reason why zero-day vulnerabilities which work on the latest versions of Windows for things like privilege escalation and such sell for such a high price on the black market (and believe it or not, real security vendors buy them from time to time so they can get their hands on it before another attacker does and make custom patch code for their security software to block it).

Good luck. :)
 

shukla44

Very nice thread & info's here. Thanks for creating this for novices like me.

I have done all the things mentioned here except for (I have cscript.exe monitored as well, not mentioned by OP, just an FYI) -

Isolate your browser.. The end.

What is this? How can I isolate my browser? My primary browser is Firefox (32-bit) which I use with addons ABP & NoScript. Is it not secure enough?

Wave

What is this? How can I isolate my browser? My primary browser is Firefox (32-bit) which I use with addons ABP & NoScript. Is it not secure enough?
You can isolate your browser through Sandboxie (free version is available) or by using a Virtual Machine (e.g. VirtualBox). Using the Sandbox is much easier than using a Virtual Machine, since to use a VM you will need to set it up, which will require finding the OS ISO and then installing the OS within the VM, etc.

That being said, a Virtual Machine is the most secure option; however, both are very good and a majority of people who use a sandbox do not find it to become exploited.
 

shukla44

You can isolate your browser through Sandboxie (free version is available) or by using a Virtual Machine (e.g. VirtualBox). Using the Sandbox is much easier than using a Virtual Machine, since to use a VM you will need to set it up, which will require finding the OS ISO and then installing the OS within the VM, etc.

That being said, a Virtual Machine is the most secure option; however, both are very good and a majority of people who use a sandbox do not find it to become exploited.

Thanks a lot for your quick & descriptive response.

I understand about Virtual machines. I use VMware Workstation, myself. I don't want to use Sandboxie because of the whole incompatibility issue with Kaspersky. So I guess I am stuck with virtualization.

Is Kaspersky Safe Money enough of a sandbox? I mean for exploits & all. Usually I use Safe Money for banking & other financial transactions.

Wave

Is Kaspersky Safe Money enough of a sandbox? I mean for exploits & all. Usually I use Safe Money for banking & other financial transactions.
It's safe to use and a good piece of software, but I cannot tell you it is exploit-proof because that would be lying, since nothing is foolproof; exploits are designed to use a weakness as an advantage (e.g. for malicious intent), therefore everything can be exploited one way or another somehow.

That being said, since nothing is foolproof you may as well stick with it because it is decent and should do the job just fine - switching elsewhere won't necessarily reduce the chance of infection through an exploit, but may increase it instead.
 

SHvFl

Very nice thread & info's here. Thanks for creating this for novices like me.

I have done all the things mentioned here except for (I have cscript.exe monitored as well, not mentioned by OP, just an FYI) -



What is this? How can I isolate my browser? My primary browser is Firefox (32-bit) which I use with addons ABP & NoScript. Is it not secure enough?
Many programs do it. A few off the top of my mind:
Rehips - Paid (free version has a limit of 10 processes isolated at a time, good for anything other than Chrome)
Comodo Cloud Antivirus - Free
Comodo Firewall - Free
Shade Sandbox - Free
Sandboxie - Free with a nag screen when you launch something sandboxed
 

shukla44

since nothing is foolproof you may as well stick with it because it is decent and should do the job just fine - switching elsewhere won't necessarily reduce the chance of infection through an exploit, but may increase it instead.

I guess so. I just want to know I won't be exploited by the common & known exploits with these methods used.
I mean using an Anti-Exploit app doesn't really guarantee anything as well. FYI, Kaspersky already has AEP (Anti-Exploit Protection). I don't know how effective it is when compared to dedicated programs like HMP.A, SpyShelter, etc.

Many programs do it. A few off the top of my mind:
Rehips - Paid (free version has a limit of 10 processes isolated at a time, good for anything other than Chrome)
Comodo Cloud Antivirus - Free
Comodo Firewall - Free
Shade Sandbox - Free
Sandboxie - Free with a nag screen when you launch something sandboxed

Can't use these. I already have KTS + VS. But thanks anyway.
 

SHvFl

I guess so. I just want to know I won't be exploited by the common & known exploits with these methods used.
I mean using an Anti-Exploit app doesn't really guarantee anything as well. FYI, Kaspersky already has AEP (Anti-Exploit Protection). I don't know how effective it is when compared to dedicated programs like HMP.A or SpyShelter or anything else.



Can't use these. I already have KTS + VS. But thanks anyway.
Some of those will work for sure with KTS and VS. It's just a matter of you deciding if you really need them.
 

shmu26

Is Kaspersky Safe Money enough of a sandbox? I mean for exploits & all. Usually I use Safe Money for banking & other financial transactions.

The Kaspersky Safe Money is primarily for sandboxing the browser from any hidden malware that might be lurking on your own computer. It does not provide real sandbox protection for threats that originate from the outside, although it does have certain security features that verify a secure and certified connection.
 

AtlBo

Slightly harder is to protect from malicious scripts. For this, you also need to monitor (or block) wscript.exe, which is the default Windows process for opening JavaScript files.
Most default/deny apps do this.

Excellent thread. Anyone know what happens system-wide if cscript.exe or wscript.exe are sandboxed? No detection with this, but if this would confine damage to the sandbox, I guess this would be something to start with anyway.

Thinking of a strategy to sandbox cmd, powershell, and powershell ISE and some others. No idea if this would be of any benefit or maybe there could be bad side effects such as if the sandbox had to be emptied or other?
 

SHvFl

Excellent thread. Anyone know what happens system-wide if cscript.exe or wscript.exe are sandboxed? No detection with this, but if this would confine damage to the sandbox, I guess this would be something to start with anyway.

Thinking of a strategy to sandbox cmd, powershell, and powershell ISE and some others. No idea if this would be of any benefit or maybe there could be bad side effects such as if the sandbox had to be emptied or other?
Depends on what program you use to sandbox. Each does it differently; they don't act exactly the same.

Wave

Thinking of a strategy to sandbox cmd, powershell, and powershell ISE and some others. No idea if this would be of any benefit or maybe there could be bad side effects such as if the sandbox had to be emptied or other?
Well, if they are sandboxed then they probably won't be able to function correctly when executing the commands, so it could just be useless and you may as well just disable them in that case.
 

shukla44

Some of those will work for sure with KTS and VS. It's just a matter of you deciding if you really need them.

I guess Shade & Rehips will work with my combo. But sorry to be so blunt, I don't need more security software on my already slow system. I just wanted to know more about what can be done besides installing many layered security apps, I mean little tricks like those mentioned by OP in the first post. I have already done all those. So I guess I am protected from exploits, I mean not from fileless or any other sophisticated ones but the common ones which use DLLs or script or batch files, as I have VS & its exploit protection as well.
 

SHvFl

I guess Shade & Rehips will work with my combo. But sorry to be so blunt, I don't need more security software on my already slow system. I just wanted to know more about what can be done besides installing many layered security apps, I mean little tricks like those mentioned by OP in the first post. I have already done all those. So I guess I am protected from exploits, I mean not from fileless or any other sophisticated ones but the common ones which use DLLs or script or batch files, as I have VS & its exploit protection as well.
Yeah, that's why I told you this. Each person's comfort level is different and there's nothing bad about that.
Some of those will work for sure with KTS and VS. It's just a matter of you deciding if you really need them.
 

AtlBo

Well, if they are sandboxed then they probably won't be able to function correctly when executing the commands, so it could just be useless and you may as well just disable them in that case.

The cmd app is blocked from opening in the sandbox as you suspected, Wave. I can see the end of trying to accomplish this with the 360 sandbox. Think it's a privileges thing, because I have to run in an Admin account until I can figure out how to get some apps to work in a limited-rights one. cmd is going to be trying to start with higher privileges than the sandbox allows.

Blocking non-browser scripts is going to take an app like VoodooShield I guess, although it won't work for me at present. Scripts I have cause ceaseless pop ups that occur every so often.
 
