Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 673542" data-attributes="member: 32260"><p>Some additional notes about malware testing on <strong>Windows 8+ (Windows built-in security).</strong></p>
<p>Hard_Configurator in the Recommended Settings (<Recommended SRP> + <Recommended Restrictions>) allows files to be run in two modes:</p>
<p>1. 'Default Deny' mode</p>
<p>2. 'Install' mode</p>
<p>The first mode is invoked for files which are run by the User, when left-clicking or pressing the Enter key.</p>
<p>The second mode is for bypassing the first mode by the User, when right-clicking and choosing "Run As SmartScreen" from the Explorer context menu. The second mode runs only EXE and MSI files; they are always checked by SmartScreen Application Reputation, and if not blocked, they are run with Administrative Rights.</p>
<p></p>
<p>So, how can this security work for the common malware samples: *.exe, *.scr, *.com, *.doc, *.doc.exe, *.pdf.exe, *.pdf, *.vbs, *.js, *.ps1?</p>
<p></p>
<p><strong>'Default Deny' mode.</strong></p>
<ul> <li data-xf-list-type="ul">The files *.exe, *.scr, *.com, *.doc.exe, *.pdf.exe, *.vbs, *.js, *.ps1 will always be blocked.</li> <li data-xf-list-type="ul">The files *.doc, *.pdf will always be allowed.</li> <li data-xf-list-type="ul">If *.doc, *.pdf files have embedded scripts or are going to use *.vbs, *.js, *.ps1 scripts, they will be blocked.</li> <li data-xf-list-type="ul">PowerShell scripts run filelessly from remote servers will also be blocked (Constrained Language).</li> <li data-xf-list-type="ul">If *.doc, *.pdf files have embedded scripts which try to load from the Internet and run from the disk the malicious *.exe, *.scr, *.com, *.doc.exe, *.pdf.exe, *.vbs, *.js, *.ps1 files, they will also be blocked.</li> <li data-xf-list-type="ul">If *.doc, *.pdf files have embedded scripts which try to activate remote access, they will be blocked.</li> <li data-xf-list-type="ul">If *.doc, *.pdf files have embedded malicious Internet links, then they will be allowed, except if the User has something like Adguard DNS that can block many of them.</li> </ul>
<p>Anyway, there are some other ways to attack the system, so it is generally recommended to use sandboxed applications for opening documents, photos, media files, or anything related to the Internet.</p>
<p></p>
<p><strong>'Install' mode.</strong></p>
<p>In this mode, the User applies "Run As SmartScreen", so all files are blocked except MSI or EXE files which passed the SmartScreen check. This mode is 'user dependent' if the user has the ability to bypass SmartScreen.</p>
<p>In this mode, files with a double extension (like *.doc.exe, *.pdf.exe) should not be tested, because they are prepared to fool the users when left-clicking or pressing the Enter key (covered by 'Default Deny' mode).</p>
<p>If allowed executables are going to use *.vbs, *.js, *.ps1 scripts or activate remote access, they will be mostly blocked.</p>
<p>'Mostly blocked' means that the malware additionally has to change some registry values to unblock the above actions.</p></blockquote><p></p>
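The 'Default Deny' posture described in the post rests on two Windows mechanisms, Software Restriction Policies and PowerShell Constrained Language. The PowerShell audit below is added here and is not part of Andy Ful's post or of Hard_Configurator itself; it reports whether a machine is actually in that state and whether the sample extensions named in the post are among the file types SRP evaluates. It assumes the standard SRP policy key under HKLM and that Constrained Language is enforced through the machine-wide `__PSLockdownPolicy` variable (an assumption, not stated on the page).

```powershell
# Added audit script (not the project's own code). Reads the SRP policy that a
# 'Default Deny' setup relies on and the PowerShell language mode of this host.
$srpKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$sampleExts = 'EXE', 'SCR', 'COM', 'VBS', 'JS', 'PS1'   # extensions named in the post

function Get-SrpPosture {
    if (-not (Test-Path $srpKey)) {
        return [pscustomobject]@{ SrpPresent = $false }
    }
    $p = Get-ItemProperty -Path $srpKey
    $level = switch ($p.DefaultLevel) {
        0       { 'Disallowed (Default Deny)' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { "Unknown ($($p.DefaultLevel))" }
    }
    # ExecutableTypes is the "designated file types" list; SRP only evaluates
    # these extensions. VBS/JS/PS1 are NOT in the Windows default list, so a
    # Default Deny setup that claims to block scripts must have added them.
    $types = @($p.ExecutableTypes | ForEach-Object { $_.ToUpperInvariant() })
    [pscustomobject]@{
        SrpPresent         = $true
        DefaultLevel       = $level
        # 0 = off, 1 = all software except DLLs, 2 = all software including DLLs
        TransparentEnabled = $p.TransparentEnabled
        # 0 = all users, 1 = all users except local administrators
        PolicyScope        = $p.PolicyScope
        CoveredSampleExts  = @($sampleExts | Where-Object { $types -contains $_ })
        MissingSampleExts  = @($sampleExts | Where-Object { $types -notcontains $_ })
    }
}

function Get-PsLanguagePosture {
    [pscustomobject]@{
        # 'ConstrainedLanguage' here matches the post's fileless-script claim
        CurrentSessionMode    = $ExecutionContext.SessionState.LanguageMode
        # Assumption: a machine-wide value of 4 enforces Constrained Language
        MachineLockdownPolicy = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    }
}

Get-SrpPosture        | Format-List
Get-PsLanguagePosture | Format-List
```

A machine in the described state should report DefaultLevel as Disallowed, an empty MissingSampleExts list, and a ConstrainedLanguage session mode; any other result means the blocking behaviour listed in the post cannot be assumed.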