Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 944303" data-attributes="member: 32260"><p>I tried to find the difference between using the enforcement for 'All users' and the default H_C enforcement (All users except Administrators). I examined the tests on MH made by [USER=64646]@askalan[/USER]. The tests were made with the H_C Strict_Recommended_Settings (<strong>with antivirus disabled</strong>), but the results would be the same in the Real-World Scenario with the H_C Basic_Recommended_Settings + SmartScreen (although they could be different for malware from USB drives).</p><p>After several months of testing, there was only one malware that could infect the system. <strong>This malware did not directly bypass the SRP restrictions, but it could infect the system when the user was tricked into installing the malware as an application (the malware had the ability to bypass SmartScreen, <strong>and the user had to allow the malware elevation via the UAC prompt)</strong>.</strong></p><p>[URL unfurl="true"]https://malwaretips.com/threads/buhtrap-ransomware-signed-07-02-2019.90379/post-797052[/URL]</p><p>The infection chain could be broken with <strong>'All users' enforcement</strong> because the malware dropped/executed a script that would be blocked by SRP with this enforcement even when the malware used high privileges. In the test with the default H_C enforcement, the malware was allowed to run with high privileges, so the SRP restrictions for Windows Script Host did not apply.</p><p>I suspect that this difference would be only theoretical, because most users would think that a file allowed by SmartScreen is most probably clean. Furthermore, such malware is used mostly in targeted attacks on enterprises, organizations, etc. Rarely, the targets can be home users, as in the case of the IOBit malware (this one was blocked via anti-DLL-hijacking protection when InstallBySmartScreen or RunBySmartScreen was used).</p><p>Sometimes such malware can be <strong>reused</strong> in widespread attacks, but then most AVs will detect it as malware.</p></blockquote>
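The post's distinction between 'All users' and 'All users except Administrators' is the SRP policy scope. The following PowerShell audit is an added example, not code from the post or from Hard_Configurator: it reads the SRP policy that Windows stores under the Safer\CodeIdentifiers key and reports whether a process running with high privileges would be exempt from the script restrictions the post describes (the wording of the summary lines is this example's own).

```powershell
# Added example (not from Andy Ful's post or the Hard_Configurator project).
# Reads the Software Restriction Policies scope and reports whether elevated
# (administrator) processes are exempt, which is the difference the post discusses.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpScopeReport {
    if (-not (Test-Path $saferKey)) {
        return [pscustomobject]@{ Configured = $false; Summary = 'No SRP policy found in the registry' }
    }
    $ci = Get-ItemProperty -Path $saferKey

    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
    $level = switch ($ci.DefaultLevel) {
        0       { 'Disallowed' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { "Unknown ($($ci.DefaultLevel))" }
    }

    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    # With 1, a script dropped by an elevated process is never checked by SRP.
    $adminsExempt = ($ci.PolicyScope -eq 1)

    # ExecutableTypes is the extension list SRP treats as executable; script
    # types such as VBS/JS must be present for Windows Script Host files to be restricted.
    $scriptTypes = @($ci.ExecutableTypes) |
        Where-Object { $_ -in 'VBS','VBE','JS','JSE','WSF','WSH','PS1','BAT','CMD' }

    $summary = if ($adminsExempt) {
        'Administrators exempt: scripts run by an elevated process bypass the SRP check'
    } else {
        'All users enforced: SRP applies even to processes running with high privileges'
    }

    [pscustomobject]@{
        Configured        = $true
        DefaultLevel      = $level
        AdminsExempt      = $adminsExempt
        ScriptTypesListed = ($scriptTypes -join ',')
        Summary           = $summary
    }
}

Get-SrpScopeReport | Format-List
```

Run it from an elevated PowerShell prompt on the machine whose H_C profile you want to verify; an empty ScriptTypesListed field means the policy does not cover script files at all, regardless of scope.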