Advice Request: File-less attacks through browser


shmu26
Thread author
If you have a decent anti-executable, you don't have to worry so much about malicious files running on your system.
So the next main concern would be attacks carried out solely through memory.
If you also have an ad-blocker, what other common vectors still need to be covered, to protect from file-less attacks?
 
If you also have an ad-blocker, what other common vectors still need to be covered, to protect from file-less attacks?

Regarding browsers, just use Chrome/Opera/Edge (and Firefox, once sandboxing has been implemented) and keep them updated. They are designed to contain file-less attacks. Though as a home user, with a modern and updated browser, you will not see file-less attacks, regardless of what vendors tell you.

If you really feel the need to mitigate legacy applications, my first choice would be HitmanPro.Alert 3. Alert stops things at the earliest possible stage and has no competition right now, at least when serious alternatives are concerned. If that's not an option, then Sandboxie OR AppGuard. Neither stops file-less attacks from happening, but they contain them (just like the browsers' built-in sandboxes would, so they have no benefit regarding modern browsers).

In the meantime, I am still waiting for the first exploit to happen on my computer at all. It will not happen, of course, but I have hope.
 

An anti-executable by itself will not prevent fileless infection. The browser and its child processes have to be run with limited privileges and limited file-system and registry access rights.

The only security soft that I know of that generically (signature-less) prevents fileless infections like Poweliks, Kovter, Phasebot, etc - is AppGuard.

Fileless infections use an exploit - so if you have an updated browser it should be fine. That's not to say that current browsers cannot be exploited - because they most certainly can.
 
Okay, but how do you get hit by this kind of exploit? I mean, if you block ads, how does it get triggered in the real world?
 
Okay, but how do you get hit by this kind of exploit? I mean, if you block ads, how does it get triggered in the real world?

Ad and URL blockers can't keep you away from every single exploit page.

There are exploit webpages, re-directs to exploit webpages (exploit kits), etc. There are also Poweliks executables. So any number of means.

Anyhow, your risk of ending up:

1. on an exploit webpage

2. with an exploitable browser

is quite low.

So low that you need not fret about it.

I shouldn't worry about it...

If you are a paranoid user, and these sorts of things really bother you, then you should be using AppGuard or Excubits products.
 
If you aren't worried, then neither am I!
 
Fileless infections use an exploit

The exploit needs to be very advanced and zero-day to do any damage on a modern browser. For example, Chrome sub-processes (that are the ones which have the chance of being exploited) have no file-system and registry access (not even read) and they cannot access the memory of other processes because of their integrity level / user-sid / alternate desktop etc.
 
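An added check (not from any poster in this thread) that illustrates the point above about sandboxed browser child processes: it audits a constructed, Process Explorer-style listing of chrome.exe processes and flags any child process (one launched with a --type= argument) that is running at Medium integrity or higher, or that was started with --no-sandbox. The column layout and the sample rows are assumptions of this example, not data from a real system.

```python
import re

# Windows mandatory integrity levels, least to most privileged. AppContainer
# processes run at Low, so this check treats them the same (an assumption).
RANK = {"untrusted": 0, "appcontainer": 1, "low": 1, "medium": 2, "high": 3, "system": 4}

# Constructed sample shaped like a tab-separated Process Explorer export
# (PID, integrity level, command line). Not real system data.
CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'
SAMPLE = "\n".join([
    "PID\tIntegrity\tCommand Line",
    f"4120\tMedium\t{CHROME}",
    f"4188\tLow\t{CHROME} --type=gpu-process",
    f"4230\tUntrusted\t{CHROME} --type=renderer",
    f"4301\tMedium\t{CHROME} --type=renderer --no-sandbox",
    "5555\tHigh\tC:\\Windows\\System32\\svchost.exe -k netsvcs",
])

def parse_listing(text):
    """Yield (pid, integrity, cmdline) per row, skipping the header."""
    for line in text.splitlines()[1:]:
        pid, integ, cmd = line.split("\t", 2)
        yield int(pid), integ.strip(), cmd

def chrome_type(cmd):
    """'browser' for the main (broker) process, otherwise the --type= value."""
    m = re.search(r"--type=([\w-]+)", cmd)
    return m.group(1) if m else "browser"

def audit(text):
    """Return (pid, type, integrity, reason) for chrome.exe child processes
    that are not below Medium integrity or were started with --no-sandbox.
    The broker process is skipped: it legitimately runs at Medium."""
    findings = []
    for pid, integ, cmd in parse_listing(text):
        if "chrome.exe" not in cmd.lower():
            continue
        ptype = chrome_type(cmd)
        if ptype == "browser":
            continue
        level = RANK.get(integ.lower(), RANK["medium"])  # unknown label: assume Medium
        if level >= RANK["medium"]:
            findings.append((pid, ptype, integ, "child process not at reduced integrity"))
        elif "--no-sandbox" in cmd:
            findings.append((pid, ptype, integ, "launched with --no-sandbox"))
    return findings

for finding in audit(SAMPLE):
    print("PID %d (%s, %s): %s" % finding)
```

On a real machine the same function can be pointed at an exported process listing with those three columns; a renderer showing up at Medium is the condition the post above says should never occur.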

How about EMET, HMPA or MBAE? Are they effective against fileless infection?
 
The exploit needs to be very advanced and zero-day to do any damage on a modern browser. For example, Chrome sub-processes (that are the ones which have the chance of being exploited) have no file-system and registry access (not even read) and they cannot access the memory of other processes because of their integrity level / user-sid / alternate desktop etc.

Indeed, very remote.
How about EMET, HMPA or MBAE? Are they effective against fileless infection?

Anti-exploits stop the escalation of privileges that lead to fileless infections. So yes...

However, as @FleischmannTV points out, you only need to worry about an exploit in an older browser. Current browsers can be exploited - but it would need to be a zero-day.

Quite honestly, I think anti-exploit softs are just-in-case security softs.
 
Honestly, anti-exploit software is only needed if you have outdated software; the chances of getting attacked by a zero-day are pretty slim. An ad blocker can be helpful on porn/crack sites, but other than those it's pretty much hurting the other, innocent sites.
 
I think it should be accompanied by the use of HIPS, since a fileless attack must invoke processes; any that do not meet the rules' criteria should require approval first.
 