Hard_Configurator - Windows Hardening Configurator
Andy Ful wrote (post 848708):

AppData and ProgramData are hidden folders, so the average user cannot run executables directly from these folders. But AppData is commonly used by exploits to drop/run scripts and then EXE or DLL payloads. This can be done with standard rights (no elevation required)!

Whitelisting AppData and ProgramData for all files would not invalidate the H_C default-deny protection on the pre-execution stage, but there would be close to 0 protection on the post-exploitation stage. For example, when you open a weaponized document and click an embedded malicious OLE (usually a script or scriptlet), the malicious file is copied to AppData\Local\Temp and executed from there. A similar thing happens when executing something from archives (without unpacking it). The UAC setting Validate Admin Signatures is pretty much useless on the post-exploitation stage due to UAC bypasses (an easy task for scripts). It can be useful only on the pre-execution stage to prevent users from running & elevating unsigned malicious applications that pretend to be legal applications.

So, if you would like to whitelist AppData for all files, then you would have to block scripts by Windows Policies or block scripting interpreters by SRP, neither of which allows whitelisting. The biggest problem would probably be with Command Prompt (cmd.exe and BAT, CMD scripts).
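The post's reasoning can be turned into an audit of the SRP policy that Hard_Configurator writes under the Safer key. The script below is an added example, not code from the post or from Hard_Configurator; it assumes the standard SRP registry layout (level subkeys 0/131072/262144 with Paths\{GUID}\ItemData rules and the ExecutableTypes list), and the interpreter and extension lists are my own choices.

```powershell
# Added audit script (not from the post or Hard_Configurator). Reads the SRP
# policy under the Safer key and reports the gaps the post warns about.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }
# Interpreters that need a Disallowed rule once AppData is whitelisted (my list).
$interpreters = 'cmd.exe','wscript.exe','cscript.exe','powershell.exe','mshta.exe'
# Script extensions that must be in ExecutableTypes for SRP to see them (my list).
$scriptTypes  = 'BAT','CMD','VBS','VBE','JS','JSE','WSF','WSH','HTA','PS1'

function Get-SrpPathRules {
    foreach ($lvl in $levels.Keys) {
        $pathsKey = Join-Path $base "$lvl\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            $data = (Get-ItemProperty $rule.PSPath).ItemData
            if ($data) {
                [pscustomobject]@{
                    Level = $levels[$lvl]
                    Path  = [Environment]::ExpandEnvironmentVariables([string]$data)
                }
            }
        }
    }
}

if (-not (Test-Path $base)) { Write-Warning 'No SRP policy found'; return }
$cfg   = Get-ItemProperty $base
$rules = @(Get-SrpPathRules)

# 1. Pre-execution default-deny means DefaultLevel = Disallowed (0).
$default = $levels[[string]$cfg.DefaultLevel]
Write-Host "Default level: $default"

# 2. Unrestricted rules on AppData/ProgramData reopen the post-exploitation stage.
$rules | Where-Object { $_.Level -eq 'Unrestricted' -and $_.Path -match '\\AppData\\|ProgramData' } |
    ForEach-Object { Write-Warning "Unrestricted user-writable path: $($_.Path)" }

# 3. If such rules exist, the post says scripts or their interpreters must be blocked instead.
$blocked = $rules | Where-Object Level -eq 'Disallowed' | ForEach-Object { Split-Path $_.Path -Leaf }
foreach ($exe in $interpreters) {
    $state = if ($blocked -contains $exe) { 'blocked' } else { 'NOT blocked' }
    Write-Host ("{0,-16} {1}" -f $exe, $state)
}
$missing = $scriptTypes | Where-Object { $cfg.ExecutableTypes -notcontains $_ }
if ($missing) { Write-Warning "Script extensions not covered by SRP: $($missing -join ', ')" }
```

Run it from an elevated PowerShell on the hardened machine; a whitelisted AppData path together with any "NOT blocked" interpreter is exactly the configuration the post describes as close to zero post-exploitation protection.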