Microsoft Anti Ransomware bypass (not a vulnerability for Microsoft)

Andy Ful · Feb 6, 2018

shmu26 said:
Okay, so that is more like what I was thinking originally.

So it sounds like default OSA exploit protection is blocking MS Office from executing the most commonly abused Windows processes, and OSA will expand the list of blocked processes if advanced options are enabled.

Yes. It also blocks DDE via AntiExploitMicrosoftWord rule (tested one hour ago).

509322 · Feb 6, 2018

shmu26 said:
What about Windows Defender Exploit Guard, or OSA?
Won't they stop Office apps from running python etc in the first place?

I have told you guys, the only way to stop something from smashing a system is not rules, but disabling the process completely. But you guys want the easier, softer way. And the easier, softer way is rules-based. And rules can be bypassed because someone has to constantly be on top of the new ways attacks are crafted and create new rules to block the new attacks.

And that's what's called the 8-Ball Rule.

shmu26 · Feb 7, 2018

Lockdown said:
I have told you guys, the only way to stop something from running is not rules, but disabling the process completely.

OSA advanced tab allows total blocking of processes. And whatever is missing from the list can be added manually to the custom block list.
Doesn't that do the job?

509322 · Feb 7, 2018

shmu26 said:
OSA advanced tab allows total blocking of processes. And whatever is missing from the list can be added manually to the custom block list.
Doesn't that do the job?

You might as well just use NVT ERP or SRP then, if you start adding processes to that list.

shmu26 · Feb 7, 2018

Lockdown said:
rules can be bypassed because someone has to constantly be on top of the new ways attacks are crafted and create new rules to block the new attacks.

And that's what's called the 8-Ball Rule.

That is what worries me about OSA. Right now, the dev is working hard on it, and it's a great app, but if and when he turns his energies elsewhere, it could quickly become obsolete. Behavior blocking needs updates.

Andy Ful · Feb 7, 2018

shmu26 said:
That is what worries me about OSA. Right now, the dev is working hard on it, and it's a great app, but if and when he turns his energies elsewhere, it could quickly become obsolete. Behavior blocking needs updates.

That is a problem of any default-allow type security, based on blacklist rules. Fighting the new malware/vulnerabilities requires the updated blacklist. But, this solution is usable in open systems (frequent software installations) or for people who are not trained (or do not like) to troubleshoot the Windows events.
The most of the trouble is on the vendor side, so most users like this.
.
On the contrary, the default-deny type security is based on the whitelist rules. Fighting the new malware/vulnerabilities does not require many updates from the vendor side. The user can add entries to the whitelist when that is required by new software installations. It is usable in semi-closed systems or for the users who do not have problems with troubleshooting the Windows events.
The most of the trouble is on the user side, so most users do not like this.
.
Generally speaking, the properly adjusted default-deny type security will be always stronger than default-allow one. Why? If you do not drink alcohol, then you will not suffer from the hangover.
.
Edit
OSArmor is a mixed default-allow and default-deny protection, so it will require updates more frequently than the programs based on default-deny SRP, anti-exe or sandboxing.

509322 · Feb 7, 2018

Andy Ful said:
That is a problem of any default-allow type security, based on blacklist rules. Fighting the new malware/vulnerabilities requires the updated blacklist. But, this solution is usable in open systems (frequent software installations) or for people who are not trained (or do not like) to troubleshoot the Windows events.
The most of the trouble is on the vendor side, so most users like this.
.
On the contrary, the default-deny type security is based on the whitelist rules. Fighting the new malware/vulnerabilities does not require many updates from the vendor side. The user can add entries to the whitelist when that is required by new software installations. It is usable in semi-closed systems or for the users who do not have problems with troubleshooting the Windows events.
The most of the trouble is on the user side, so most users do not like this.
.
Generally speaking, the properly adjusted default-deny type security will be always stronger than default-allow one. Why? If you do not drink alcohol, then you will not suffer from having the hangover.

Security begins with knowledge.

509322 · Feb 7, 2018

Or you can handle security for Average Joes like Microsoft does... just send down the base features and don't say anything about anything. Because that is exactly how Microsoft handles security on Windows Home.

Whereas Microsoft makes numerous releases regarding security for its Enterprise customers, Home users are left holding the crap bag having to filter out what in those Enterprise releases applies to them - if anything.

Documentation for Windows Home security ? Forget it.

Like I keep saying, if you are an Average Joe just needing the usual stuff like a browser and an occasional text editor, then you're absolutely better off using Chromebook.

Andy Ful · Feb 7, 2018

Lockdown said:
Security begins with knowledge.

The computer world goes in the same direction as the car industry. The user is not interested how something works. He is interested to have something that will work well without troubling the owner. There are so many interesting things around the world.

Andy Ful · Feb 7, 2018

Lockdown said:
Or you can handle security for Average Joes like Microsoft does... just send down the base features and don't say anything about anything. Because that is exactly how Microsoft handles security on Windows Home.

Whereas Microsoft makes numerous releases regarding security for its Enterprise customers, Home users are left holding the crap bag having to filter out what in those Enterprise releases applies to them - if anything.

Documentation for Windows Home security ? Forget it.

Like I keep saying, if you are an Average Joe just needing the usual stuff like a browser and an occasional text editor, then you're absolutely better off using Chromebook.

Windows Home would be fully functional and much safer if Microsoft would be so kind to cut 1/2 of the OS code.

Then I would accept even their information politics.

509322 · Feb 7, 2018

Andy Ful said:
The computer world goes in the same direction as the car industry. The user is not interested how something works. He is interested to have something that will work well without troubling the owner. There are so many interesting things around the world.

Andy Ful said:
Windows Home would be fully functional and much safer if Microsoft would be so kind to cut 1/2 of the OS code.
Then I would accept even their information politics.

Hey, it is because of Microsoft and all the trouble that it causes that salaries keep increasing. So none of us in the industry can complain too much.

Andy Ful · Feb 7, 2018

Lockdown said:
Hey, it is because of Microsoft and all the trouble that it causes that salaries keep increasing. So none of us in the industry can complain too much.

Do not worry. One-half of many vulnerabilities will be still much trouble for home users.

Furthermore, there are some other OS-es to protect.

509322 · Feb 7, 2018

Andy Ful said:
Do not worry. One-half of many vulnerabilities will be still much trouble for home users.

They should do anti-nuclear attack drills like we did in grade school. "Duck and cover." It will protect them better because it will keep them off the computer.

Andy Ful · Feb 7, 2018

Lockdown said:
They should do anti-nuclear attack drills like we did in grade school. "Duck and cover." It will protect them better because it will keep them off the computer.

I think that more time off the computer would be healthier for everybody (especially for me).

Deleted member 65228 · Feb 7, 2018

Andy Ful said:
I think that more time off the computer would be healthier for everybody (especially for me).

I make myself do at least 1-2hr total of workout on any day I touch a computer now. Took me awhile to accept it but sitting at a computer often is bad

shmu26 · Feb 7, 2018

Opcode said:
I make myself do at least 1-2hr total of workout on any day I touch a computer now. Took me awhile to accept it but sitting at a computer often is bad

So that means you work out 7 hours a week minimum. Wow! In your case, computer use is good for your health.

Andy Ful · Feb 8, 2018

Andy Ful said:
OSArmor is very good at blocking vulnerable programs/scripts embedded in MS Office documents opened by MS Office. In fact, I could not bypass OSArmor when all available mitigations were ticked (including Advanced). I tested embedded scripts and embedded OLE, so I cannot say anything about other possibilities like, for example, the popular DDE.
In the default settings, some embedded files can be run, for example, MSI files can be run via OLE (but not EXE files).
If the Office application is not on the Anti-Exploit list in OSArmor (like Softmaker Office), then the protection is not so strong, especially with OLE.

The final version 1.4 will cover all the above issues (most of them are covered already in the last test34 version), so OSArmor Exploit-Protection feature for popular Office applications (MS Office, Apache OpenOffice, LibreOffice, Kingsoft WPS Office, and Softmaker Office) will be really strong.

Search

Microsoft Anti Ransomware bypass (not a vulnerability for Microsoft)

Andy Ful

From Hard_Configurator Tools

509322

shmu26

Level 85

509322

shmu26

Level 85

Andy Ful

From Hard_Configurator Tools

509322

509322

Andy Ful

From Hard_Configurator Tools

Andy Ful

From Hard_Configurator Tools

509322

Andy Ful

From Hard_Configurator Tools

509322

Andy Ful

From Hard_Configurator Tools

Deleted member 65228

shmu26

Level 85

Andy Ful

From Hard_Configurator Tools

Similar threads