Advice Request Kaspersky interactive mode and MS Word

Please provide comments and solutions that are helpful to the author of this topic.
Status
Not open for further replies.
5

509322

shmu26 said:
While on the subject of configuring Application Control: it is best not to modify it any more than necessary, but I do think it's good to move the 4 powershell processes to Untrusted. That way, even if they get launched via dll or other tricks, they still will not be able to do anything.
Click to expand...

The .dll is self-contained and does not rely upon the powershell shell being enabled. In other words, moving them to untrusted is not going to stop powershell from running on the system. Depending upon the type of attack, it could be in-memory only or malware can supply its own self-contained version of powershell that does not require anything that is shipped on the system.

Plus, there is a toggle switch so there is no need to move to Untrusted.
 
Last edited by a moderator:
  • Like
Reactions: shmu26, Venustus and mlnevese
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Lockdown said:
The .dll is self-contained and does not rely upon the powershell shell being enabled. In other words, moving them to untrusted is not going to stop powershell from running on the system.
Click to expand...
Now that is interesting. Thanks for clarification. Is there any easy fix the user can do to protect against that dll?
 
5

509322

shmu26 said:
Now that is interesting. Thanks for clarification. Is there any easy fix the user can do to protect against that dll?
Click to expand...

Block the .dll from loading. Don't enable Office macros, block malware from running in User Space, keep system patched,... the usual stuff.

Malware can even copy Windows files in System Space, paste them in User Space and then execute them. That's one of the reasons I recommend Locked Down mode... it disables the Trusted Publisher List and will block the copy-pasted files from executing.

Is that much of a risk ? - no, it isn't.
 
  • Like
Reactions: mlnevese, harlan4096 and shmu26
shmu26

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Lockdown said:
Malware can even copy Windows files in System Space, paste them in User Space and then execute them. That's one of the reasons I recommend Locked Down mode... it disables the Trusted Publisher List and will block the copy-pasted files from executing.

Is that much of a risk ? - no, it isn't.
Click to expand...
Fortunately, powershell and other common script interpreters are not digitally signed, so the Trusted Publisher List shouldn't allow them or their clones to run from user space.
 
Status
Not open for further replies.

Similar threads

Captain Holly
    • Like
Advice Request Unwanted app removal when using Revo?
Replies
6
Views
587
System utilities
TairikuOkami
TairikuOkami
J
    • Love
    • Applause
Opera launches Opera One R2 – the best Opera Browser to date
Replies
7
Views
745
Opera
Gandalf_The_Grey
Gandalf_The_Grey
oldschool
    • Wow
    • Like
Security News Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany
Replies
1
Views
408
Security News
oldschool
oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top