Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 839048" data-attributes="member: 32260"><p><strong>Bypassing SmartScreen.</strong></p><p></p><p>It is worth knowing that the SmartScreen Application Reputation check can be bypassed by DLL hijacking. Simply, the checked executable could be a legal (vulnerable) program with a malicious DLL located in the same folder. This DLL will be loaded by the program after the SmartScreen check, and the DLL will not be checked by SmartScreen.</p><p>Such a method is often used via infected USB drives. Both "Run As SmartScreen" and "Run By SmartScreen" can prevent DLL hijacking when used on executables located on USB drives.</p><p></p><p>Attackers can also use packed spam attachments (ZIP, ARJ, 7-ZIP, etc. downloaded to hard disk), which can contain the legal EXE file alongside the malicious DLL to apply DLL hijacking. Usually, the attack starts from a script or shortcut that drops the malicious DLL and runs the EXE file - this method is prevented by H_C settings.</p><p>But in theory, the attacker could also use social engineering to convince the user to run the EXE file directly - this would bypass SmartScreen even if the unpacked files had MOTW.</p><p></p><p>I will try to prevent the above in the next H_C version. :giggle:</p></blockquote><p></p>
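For the ZIP attachment case described in the post, a triage check can flag archive folders that hold an EXE next to a DLL before anything is unpacked. This is an added example, not code from the post or from Hard_Configurator; the function names and sample file names are hypothetical, and it goes slightly beyond the text by classifying members from their PE headers instead of their file extensions.

```python
import io
import posixpath
import struct
import zipfile
from collections import defaultdict

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


def pe_kind(data: bytes):
    """Return 'dll', 'exe' or None, judged from PE headers rather than the file name."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew: offset of "PE\0\0"
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None  # also covers a PE header lying beyond the bytes we were given
    (characteristics,) = struct.unpack_from("<H", data, pe_off + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def colocated_exe_dll(zip_bytes: bytes, head: int = 4096):
    """Map each archive folder holding both an EXE and a DLL to those members."""
    folders = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                kind = pe_kind(fh.read(head))  # headers only, never the whole member
            if kind:
                folders[posixpath.dirname(info.filename)][kind].append(info.filename)
    return {d: m for d, m in folders.items() if m["exe"] and m["dll"]}


def _fake_pe(is_dll: bool) -> bytes:
    """Constructed sample: the smallest header pe_kind() accepts, not a loadable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x2002 if is_dll else 0x0002)
    return dos + b"PE\0\0" + coff


def sample_archive() -> bytes:
    """Constructed attachment: one folder pairs an EXE with a DLL, the other does not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice/viewer.exe", _fake_pe(False))
        zf.writestr("invoice/helper.dat", _fake_pe(True))  # DLL under a non-DLL name
        zf.writestr("tools/setup.exe", _fake_pe(False))
        zf.writestr("tools/readme.txt", "plain text")
    return buf.getvalue()
```

Calling `colocated_exe_dll(sample_archive())` reports only the `invoice` folder. A hit is a prompt for review, not a verdict, since many legitimate portable applications also ship an EXE with its DLLs.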