Serious Discussion Inside Microsoft's plan to kill PPLFault

danb

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,662
Andy Ful said:
WDAC + ISG is smart deny-by-default in a similar meaning to CyberLock. It is not zero-trust, but it can be a part of Zero Trust Model in the meaning promoted by Microsoft:

Zero Trust Model - Modern Security Architecture | Microsoft Security

A Zero Trust model provides security against ransomware and cybersecurity threats by assigning the least required access needed to perform specific tasks.
www.microsoft.com
Click to expand...
Hehehe, Andy, that is the EXACT verbiage that drives me absolutely insane ;).

WDAC + ISG is quite similar to CyberLock when it is OFF or on AutoPilot, and none of these configurations can possibly be part of a zero trust model, unless the model includes another blocking mechanism / layer that does not auto allow new, non-whitelisted items. ISG, WLC and VoodooAi are all highly effective, but they are not perfect.

ISG or WLC / VoodooAi are likely sufficient when the user is not engaging in risky activities, like browsing the web or checking email. But when the user is engaging in risky activities, auto allowing anything new is dangerous.
 
  • Like
  • +Reputation
Reactions: simmerskool and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,142
I think that ISG or WLC / VoodooAi are sufficient when the home users browse the web or check email.
Such activities are well-tested by AV_Test, AV_Comparatives, and SE Labs.

For example, Microsoft Defender on default settings can miss approximately one malware per 250 samples.
When you add WDAC (ISG), WLC / VoodooAi, or even SAC, the chances are probably one infection per several thousand samples. Most users can see (at maximum) a few malware per year, so they should not worry about the infection, except when one would like to be Matuzalem. :)

A different situation is in enterprises when the machine can likely work in a compromised environment, and the attacker can know the details of the implemented security. WDAC can be configured with Hypervisor-protected Code Integrity, and the policies can be signed. Such protection is much more resistant to attacks via kernel compared to any security based on kernel driver.
 
Last edited:
  • Like
Reactions: vtqhtr413 and simmerskool

Similar threads

bjm_
    • Like
New Update Sandboxie-Plus 1.13.0 + 1.13.1 (Experimental) + 1.13.2
Replies
9
Views
870
Sandboxie
bjm_
bjm_
Gandalf_The_Grey
    • Like
Mozi malware botnet goes dark after mysterious use of kill-switch
Replies
1
Views
541
News Archive
ForgottenSeer 97327
F
Ink
    • Like
    • +Reputation
New Update DashLane Free plan users will be limited to 25 passwords
Replies
1
Views
562
Passwords and passkeys
entropism
E

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top