- Jul 1, 2017
- 317
No, because I use Emsisoft AM.
Generally speaking my opinion would be that yes it is helpful. In a situation like a browser exploit then the payload will be trapped within the sandbox environment (this does not mean that can be exploited too though) and on the other side, programs isolated under the sandbox can be protected from exploitation by executing code running outside of the sandbox environment (even though the host would be compromised at a point like this, it is still a side of the story).
So yes I do think it is helpful. That goes without saying that I also think software for SRP would be helpful just as much as a sandbox in the same sense (e.g. restrictions -> now after exploitation the payload can be trapped from being successful due to restrictions in place)
IMO it is effortless to do something like sandbox a browser and use it without issue usually but these exploit attacks which would do something like RCE for malicious code executing under the browser process for ex. is extremely rare and unlikely. I doubt someone would target a 0 day like that at a home user, they would target a business where they know they can do more damage/make more money... also traditional browsers tend to have their own sandbox container in case of an attack like this. Like usage of AppContainer.. (MS Edge, Chrome have their own sandbox, etc)
- Jul 6, 2017
- 2,392
Thank you @Opcode. very useful your answer. Greetings.
- Jul 1, 2017
- 317
We've run into a fair amount of file-less malware in the last year or so (at work), more than usual, much more.. Most of the AV solutions don't seem to deal with it very well but often deal with the 'action' of the malware. So while the malware sits around file-less and isn't dealt with by the security product it's actions are often caught when it does try to do something. We've seen it walk right through Symantec, Trend and ESET in the last year with little effort. Sadly.
With that being said, I agree with Lockdown.. If you can avoid using Windows, then you should. Period. Then you can dispense with most of the security theater and get on with your privacy and security as an accepted part of your change of environment. Aunt Sue should probably be running Mageia or something, not Windows. After all, she doesn't game (real games), she browses, plays solitaire and goes onto Gmail or whatever..
My windows boxes are behind a very extensive, godly security infrastructure (that most people on this forum couldn't fathom to be honest) and I still have zero confidence in Windows even behind such an infrastructure, especially against a savvy and/or well funded/determined hacker (state actor or otherwise) I use every security protocol, best practice and some of the most advanced network/IT security available.. But my adversaries are very patient, always probing, always gathering data, and always formulating their next assault.
I've resolved that even with my infrastructure and practices in place that secured non-Windows based OS's are the only real defense when combined with my infrastructure. Whether that be Magaei, Chromebook, Tails or an undisclosed OS with a unique file system, it's really the only way I am confident near perfect security/privacy is available.. Security theater and musical chairs with Windows Security Apps isn't necessary at all.
I blame Microsoft.
Also, I will admit some sick fascination with Windows and security products for me.. Maybe it's the 'Dang it, I can secure Windows from anyone' ego thing in place.. But the moment I switch to a secured OS I start to get bored! No chatty AV watching me. No 'risk' for the most part. Almost like the fun is removed.
Mageia sure looks gorgeous on my 27" UHD Monitor and I can leave it on 24/7 with no risk of any possible intrusion or compromise and it's a self-security-auditing OS installation anyway. Then I have to switch back to Windows to play this or that game.. <sigh>
Mageia sure looks gorgeous on my 27" UHD Monitor and I can leave it on 24/7 with no risk of any possible intrusion or compromise and it's a self-security-auditing OS installation anyway. Then I have to switch back to Windows to play this or that game.. <sigh>
- Jul 3, 2015
- 8,153
So the thing is even if the source of the fileless infection is the internet, it will try to damage your system by utilizing vulnerable processes such as powershell or cmd.exe.
Protecting these processes is "post-exploit" protection. It doesn't stop your browser or your office app from getting exploited, but it does stop the exploit from working. So that's why anti-exe and HIPS and SRP can protect.
However, as mentioned, we never hear these days about home users getting infected from browser exploits. If you are running an old version of Internet Explorer on Windows XP, and you visit enough bad sites, you might succeed in getting infected, but from what I hear, even that is pretty hard.
There are exploits of Microsoft Office apps that actually take place, but you have to make a series of stupid mistakes in order for the attack to succeed. A mindless secretary might make all possible mistakes, but a member of this forum probably will not.
So for people like us, this fileless malware thing is like protecting yourself from invaders from Mars. Probably more likely you will get zapped by a Martian than by fileless malware.
- Nov 5, 2011
- 5,855
Lockdown wrote (post #17):
"Microsoft puts out advisory after advisory to disable processes to reduce attack surface. It is a recommended best practice. I don't see how that practice should not be used by home users - particularly home users.
Microsoft is to blame for shipping a bunch of vulnerable stuff that is not needed by most users in its general OS."
- Strongly agree with you.
That's why I did this deletion work from the beginning... (have 11 Windows processes)...
_____________________
shmu26 wrote (post #28):
"for people like us, this fileless malware thing is like protecting yourself from invaders from Mars. Probably more likely you will get zapped by a Martian than by fileless malware."
- yes exactly yes..
"Microsoft puts out advisory after advisory to disable processes to reduce attack surface. It is a recommended best practice. I don't see how that practice should not be used by home users - particularly home users.
Microsoft is to blame for shipping a bunch of vulnerable stuff that is not needed by most users in its general OS."
- Strongly agree with you.
That's why I did this deletion work from the beginning... (have 11 Windows processes)...
_____________________
shmu26 wrote (post #28):
"for people like us, this fileless malware thing is like protecting yourself from invaders from Mars. Probably more likely you will get zapped by a Martian than by fileless malware."
- yes exactly yes..
Last edited:
- Jul 3, 2015
- 8,153
It's not so simple that these processes are unneeded. Here are a few examples:
Wscript: Comodo runs a vbs script at installation and uninstallation.
The certificate used by my ISP filtering service is installed by vbs script.
Powershell: Dropbox desktop runs a powershell script at installation.
Mshta: HP printer software uses this process when you want to check your fax history. Teamviewer free version uses mshta when you close it, although I would be happier if it didn't work, because all it does is show their advert.
Cmd.exe: This is used for all sorts of purposes.
Wscript: Comodo runs a vbs script at installation and uninstallation.
The certificate used by my ISP filtering service is installed by vbs script.
Powershell: Dropbox desktop runs a powershell script at installation.
Mshta: HP printer software uses this process when you want to check your fax history. Teamviewer free version uses mshta when you close it, although I would be happier if it didn't work, because all it does is show their advert.
Cmd.exe: This is used for all sorts of purposes.
Needed = needed on a regular or generic basis; cmd.exe is arguably needed (not really)
Unneeded = only needed infrequently - such as during installs or some very specific purpose
What is needed or not needed depends upon what the user has installed on the system
I have a lot of Windows processes and libraries disabled without any ill effect. Then again, I don't have a lot installed on the system I am using at the moment. Allowing unneeded things to run actually substantially increases risk.
There is no reason to allow unneeded things to run.
@shmu26 - you're one of those guys that doesn't like anything legitimate blocked because you think it is breaking Windows or programs in some unknown, hidden way - and that is unfortunate because a block does not cause damage.
Just because it is legitimate does not mean that it is necessary. A lot of people do not get that concept. A legitimate process does not mean it is a secure process. Another concept people fail to understand.
Last edited by a moderator:
- Jul 3, 2015
- 8,153
You are right when it comes to Dropbox installer, and a bunch of other things. No damage done if the script doesn't run.
But Comodo uninstaller leaves behind junk if you don't let it run its script. And HP software simply won't let you see your fax history at all, unless you allow mshta .
If you send a lot of faxes and check your fax history a lot, then you allow mshta.exe permanently.
You should only allow wscript.exe as needed. COMODO still leaves behind a ton of junk - whether you allow that script to run or not. It just leaves less junk when the script runs.
- Mar 24, 2017
- 481
Let just say that some uninstallers are worse than the installers/program thenselves.
- Jul 3, 2015
- 8,153
Comodo uninstalls a lot cleaner than it used to. I don't poke around much in the registry, but the file system comes out pretty clean, if you let the script run.
- Apr 13, 2013
- 3,147
The one thing that should not be lost when discussing infections that use Powershell, wscript, cmd, etc is that these things are not malicious in themselves, but MUST be acted upon somehow to start in the first place, namely by some initial malware vector. It should be the goal of any security application to stop that original vector and thus prevent any malicious cascade that used Powershell, etc. The main issue here is that if that vector is a true zero day the Traditional AV will be defenseless. There are applications (like CF) which will act on that original vector and contain it, so the entire subsequent malware cascade will be isolated and thus will not harm the actual system.
For a couple of examples: first the "fileless" ransomware in the SOREBRECT class- this guy works both through regsvr32 and PS to do its dirty deed. However these things MUST first be called up by something- in this case the vector is a JScript. Under CF, when this script is run it will be isolated, and so will those things the script called up. So both regsvr and PS will also be contained and unable to do anything to the actual system. Another example is a Matrix variant which when activated calls up cmd,exe, attrib, and cacls to work. Once again, isolation of that initial vector will allow these things to run but once again they too will be isolated and left to die in despair.
Those using the traditional AV may have to sweat and shut down Java, PS, wscript, place some sort of preclusion on cmd, and do other arcane and complex things, but this is just to make up for the inadequacy of the traditional AV to stop true zero day malware. Using something more elegant and efficacious makes these steps unnecessary.
Final Point- when reading about Fileless malware in the Press you should be concerned; but don't for a second think that these things are Magic. They are not- they are just malware that operate under a different pathway.
For a couple of examples: first the "fileless" ransomware in the SOREBRECT class- this guy works both through regsvr32 and PS to do its dirty deed. However these things MUST first be called up by something- in this case the vector is a JScript. Under CF, when this script is run it will be isolated, and so will those things the script called up. So both regsvr and PS will also be contained and unable to do anything to the actual system. Another example is a Matrix variant which when activated calls up cmd,exe, attrib, and cacls to work. Once again, isolation of that initial vector will allow these things to run but once again they too will be isolated and left to die in despair.
Those using the traditional AV may have to sweat and shut down Java, PS, wscript, place some sort of preclusion on cmd, and do other arcane and complex things, but this is just to make up for the inadequacy of the traditional AV to stop true zero day malware. Using something more elegant and efficacious makes these steps unnecessary.
Final Point- when reading about Fileless malware in the Press you should be concerned; but don't for a second think that these things are Magic. They are not- they are just malware that operate under a different pathway.
- Apr 13, 2013
- 3,147
Obviously a crack is going to be suspect; many if not all traditional AV's will no doubt flag it as malicious. So taking it out of the sandbox to run would be exactly like ignoring the AV warning that it detected malware. In either case if you run it you are on your own.
About CCleaner533- remember that when this was zero-day it was legitimately signed and was downloaded from the authors site. It was only stumbled upon by someone seeing an overseas connection. Also note that the only thing that this guy did was to connect to Command, and if the victim was from a specific organization payloads would be downloaded. So:
1). If you used CF and hate Outbound connections by applications, the Firewall on Custom Mode would have alerted you to the request.
2). we don't really know about the ultimate payload so I can't make any statements on the End Game.
About CCleaner533- remember that when this was zero-day it was legitimately signed and was downloaded from the authors site. It was only stumbled upon by someone seeing an overseas connection. Also note that the only thing that this guy did was to connect to Command, and if the victim was from a specific organization payloads would be downloaded. So:
1). If you used CF and hate Outbound connections by applications, the Firewall on Custom Mode would have alerted you to the request.
2). we don't really know about the ultimate payload so I can't make any statements on the End Game.
The problem I see is most users probably wouldn't have blocked the outbound connection (unless it was automated) because they'd have assumed the connection was legitimately related to CCleaner itself.
These sort of attacks will usually always surpass your protection. The key is that it was from reputable trusted and signed software.
- Jul 6, 2017
- 2,392
Of course, they not only exceed their protection, but also the user. For example,. If I download the CCleaner and my antivirus warns me, I can think of it as a false positive. And if I don't hear it, I'm infected. But that is not the case with MT users.
We've got secured clients with egress limitations.
What that means is - XYZ corporation has their internal structure. DNS/DHCP/AD environment, maybe 3,4,5 or so Hypers running this or that. On-Prem AV server on one of the Hypers serving local signature updates to security programs. Then additionally, they have egress restrictions in place. 'You can go to these 100 websites only. Period. End of story'. Those 100 websites were ones deemed absolutely necessary for the operation of the day to day business of the secured facility. End of story. Firms that do this aren't going to get infected from any external source under almost all conditions. With further GP's of USB restrictions and/or hotglue shot into the USB ports that vector is now closed. Toss an active APT appliance on the network behind the UTM, RogueAP Suppression unit and you are good to go.
Egress restriction or egress monitoring is the foundation of strong security and security facilities. Any potential attacker is very limited in getting in, but more importantly getting out!
Similar threads
