Serious Discussion Inside Microsoft's plan to kill PPLFault

danb

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,771
Andy Ful said:
WDAC + ISG is smart deny-by-default in a similar meaning to CyberLock. It is not zero-trust, but it can be a part of Zero Trust Model in the meaning promoted by Microsoft:

Zero Trust Strategy & Architecture | Microsoft Security

Discover how a Zero Trust model enhances security against ransomware by minimizing access. Discover Zero Trust architecture today with Microsoft Security.
www.microsoft.com
Click to expand...
Hehehe, Andy, that is the EXACT verbiage that drives me absolutely insane ;).

WDAC + ISG is quite similar to CyberLock when it is OFF or on AutoPilot, and none of these configurations can possibly be part of a zero trust model, unless the model includes another blocking mechanism / layer that does not auto allow new, non-whitelisted items. ISG, WLC and VoodooAi are all highly effective, but they are not perfect.

ISG or WLC / VoodooAi are likely sufficient when the user is not engaging in risky activities, like browsing the web or checking email. But when the user is engaging in risky activities, auto allowing anything new is dangerous.
 
  • Like
  • +Reputation
Reactions: simmerskool and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,817
I think that ISG or WLC / VoodooAi are sufficient when the home users browse the web or check email.
Such activities are well-tested by AV_Test, AV_Comparatives, and SE Labs.

For example, Microsoft Defender on default settings can miss approximately one malware per 250 samples.
When you add WDAC (ISG), WLC / VoodooAi, or even SAC, the chances are probably one infection per several thousand samples. Most users can see (at maximum) a few malware per year, so they should not worry about the infection, except when one would like to be Matuzalem. :)

A different situation is in enterprises when the machine can likely work in a compromised environment, and the attacker can know the details of the implemented security. WDAC can be configured with Hypervisor-protected Code Integrity, and the policies can be signed. Such protection is much more resistant to attacks via kernel compared to any security based on kernel driver.
 
Last edited:
  • Like
Reactions: kylprq, vtqhtr413 and simmerskool

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Hundred Points
Serious Discussion Machine Learning for Malware Detection (KasperskyLab)
Replies
4
Views
780
General Security Discussions
Andy Ful
Andy Ful
Victor M
    • Like
  • Poll
Serious Discussion Malware or Hacking ?
Replies
0
Views
570
General Security Discussions
Victor M
Victor M
Trident
    • Like
    • Applause
    • +Reputation
  • Poll
Serious Discussion Pre-execution vs post-execution protections explained
Replies
6
Views
1,492
General Security Discussions
Trident
Trident

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top