Microsoft Anti Ransomware bypass (not a vulnerability for Microsoft)


Andy Ful

Okay, so that is more like what I was thinking originally.

So it sounds like default OSA exploit protection is blocking MS Office from executing the most commonly abused Windows processes, and OSA will expand the list of blocked processes if advanced options are enabled.
Yes. It also blocks DDE via the AntiExploitMicrosoftWord rule (tested one hour ago). :)
509322

What about Windows Defender Exploit Guard, or OSA?
Won't they stop Office apps from running python etc in the first place?

I have told you guys, the only way to stop something from smashing a system is not rules, but disabling the process completely. But you guys want the easier, softer way. And the easier, softer way is rules-based. And rules can be bypassed because someone has to constantly be on top of the new ways attacks are crafted and create new rules to block the new attacks.

And that's what's called the 8-Ball Rule.

shmu26

I have told you guys, the only way to stop something from running is not rules, but disabling the process completely.
OSA advanced tab allows total blocking of processes. And whatever is missing from the list can be added manually to the custom block list.
Doesn't that do the job?

shmu26

rules can be bypassed because someone has to constantly be on top of the new ways attacks are crafted and create new rules to block the new attacks.

And that's what's called the 8-Ball Rule.
That is what worries me about OSA. Right now, the dev is working hard on it, and it's a great app, but if and when he turns his energies elsewhere, it could quickly become obsolete. Behavior blocking needs updates.

Andy Ful

That is what worries me about OSA. Right now, the dev is working hard on it, and it's a great app, but if and when he turns his energies elsewhere, it could quickly become obsolete. Behavior blocking needs updates.
That is a problem of any default-allow type of security, based on blacklist rules. Fighting new malware/vulnerabilities requires an updated blacklist. But this solution is usable in open systems (frequent software installations) or for people who are not trained (or do not like) to troubleshoot the Windows events.
Most of the trouble is on the vendor side, so most users like this.

On the contrary, the default-deny type of security is based on whitelist rules. Fighting new malware/vulnerabilities does not require many updates from the vendor side. The user can add entries to the whitelist when that is required by new software installations. It is usable in semi-closed systems or for users who do not have problems with troubleshooting the Windows events.
Most of the trouble is on the user side, so most users do not like this.

Generally speaking, properly adjusted default-deny type security will always be stronger than the default-allow one. Why? If you do not drink alcohol, then you will not suffer from a hangover. :sick::)

Edit
OSArmor is a mixed default-allow and default-deny protection, so it will require updates more frequently than programs based on default-deny SRP, anti-exe or sandboxing.
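To make the blacklist/whitelist contrast above concrete, here is an added Python example (not OSArmor's code or anything posted in this thread) that judges the same constructed Office child-process events under a default-allow policy and a default-deny policy; the process names, rule lists and events are assumptions for illustration only.

```python
# Added example: Office child-process events judged under a default-allow
# (blacklist) policy and a default-deny (whitelist) policy. Process names,
# lists and events are constructed for illustration, not OSArmor's rules.
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Default-allow: block only known-abused children; anything else runs.
BLACKLIST = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "python.exe"}
# Default-deny: allow only known-needed helpers; anything else is blocked.
WHITELIST = {"splwow64.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: which parent started which child."""
    parent: str
    child: str


def default_allow(ev: ProcEvent) -> str:
    """Blacklist rule: block only if an Office parent spawns a listed child."""
    if ev.parent.lower() not in OFFICE_PARENTS:
        return "allow"
    return "block" if ev.child.lower() in BLACKLIST else "allow"


def default_deny(ev: ProcEvent) -> str:
    """Whitelist rule: block unless an Office parent spawns a listed helper."""
    if ev.parent.lower() not in OFFICE_PARENTS:
        return "allow"
    return "allow" if ev.child.lower() in WHITELIST else "block"


# Constructed events: a known-abused child, a legitimate helper, a child the
# blacklist never listed (the MSI-via-OLE case from this thread), and an
# unrelated parent that neither policy should touch.
SAMPLE_EVENTS = [
    ProcEvent("WINWORD.EXE", "powershell.exe"),
    ProcEvent("WINWORD.EXE", "splwow64.exe"),
    ProcEvent("EXCEL.EXE", "msiexec.exe"),
    ProcEvent("explorer.exe", "notepad.exe"),
]


def blacklist_gaps(events=SAMPLE_EVENTS) -> list:
    """Children the blacklist lets through but the whitelist stops; each is a
    rule the default-allow vendor still has to write and ship."""
    return [ev.child for ev in events
            if default_allow(ev) == "allow" and default_deny(ev) == "block"]
```

Every entry returned by `blacklist_gaps()` is an update the default-allow vendor must ship before users are covered, whereas the whitelist needed no change to stop it.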
509322

That is a problem of any default-allow type of security, based on blacklist rules. Fighting new malware/vulnerabilities requires an updated blacklist. But this solution is usable in open systems (frequent software installations) or for people who are not trained (or do not like) to troubleshoot the Windows events.
Most of the trouble is on the vendor side, so most users like this.

On the contrary, the default-deny type of security is based on whitelist rules. Fighting new malware/vulnerabilities does not require many updates from the vendor side. The user can add entries to the whitelist when that is required by new software installations. It is usable in semi-closed systems or for users who do not have problems with troubleshooting the Windows events.
Most of the trouble is on the user side, so most users do not like this.

Generally speaking, properly adjusted default-deny type security will always be stronger than the default-allow one. Why? If you do not drink alcohol, then you will not suffer from a hangover. :sick::)

Security begins with knowledge.
509322

Or you can handle security for Average Joes like Microsoft does... just send down the base features and don't say anything about anything. Because that is exactly how Microsoft handles security on Windows Home.

Whereas Microsoft makes numerous releases regarding security for its Enterprise customers, Home users are left holding the crap bag having to filter out what in those Enterprise releases applies to them - if anything.

Documentation for Windows Home security? Forget it.

Like I keep saying, if you are an Average Joe just needing the usual stuff like a browser and an occasional text editor, then you're absolutely better off using Chromebook.

Andy Ful

Security begins with knowledge.
The computer world goes in the same direction as the car industry. The user is not interested in how something works. He is interested in having something that will work well without troubling the owner. There are so many interesting things around the world. :)

Andy Ful

Or you can handle security for Average Joes like Microsoft does... just send down the base features and don't say anything about anything. Because that is exactly how Microsoft handles security on Windows Home.

Whereas Microsoft makes numerous releases regarding security for its Enterprise customers, Home users are left holding the crap bag having to filter out what in those Enterprise releases applies to them - if anything.

Documentation for Windows Home security? Forget it.

Like I keep saying, if you are an Average Joe just needing the usual stuff like a browser and an occasional text editor, then you're absolutely better off using Chromebook.
(y)(y)(y)
Windows Home would be fully functional and much safer if Microsoft would be so kind as to cut 1/2 of the OS code. :)
Then I would accept even their information politics.
509322

The computer world goes in the same direction as the car industry. The user is not interested in how something works. He is interested in having something that will work well without troubling the owner. There are so many interesting things around the world. :)

(y)(y)(y)
Windows Home would be fully functional and much safer if Microsoft would be so kind as to cut 1/2 of the OS code. :)
Then I would accept even their information politics.

Hey, it is because of Microsoft and all the trouble that it causes that salaries keep increasing. So none of us in the industry can complain too much. :love:
Andy Ful

Hey, it is because of Microsoft and all the trouble that it causes that salaries keep increasing. So none of us in the industry can complain too much. :love:
Do not worry. One-half of many vulnerabilities will still be much trouble for home users. :alien:
Furthermore, there are some other OSes to protect. :)
509322

Do not worry. One-half of many vulnerabilities will still be much trouble for home users. :alien:

They should do anti-nuclear attack drills like we did in grade school. "Duck and cover." It will protect them better because it will keep them off the computer.

Andy Ful

They should do anti-nuclear attack drills like we did in grade school. "Duck and cover." It will protect them better because it will keep them off the computer.
I think that more time off the computer would be healthier for everybody (especially for me). :):coffee:
Deleted member 65228

I think that more time off the computer would be healthier for everybody (especially for me).
I make myself do at least 1-2 hr total of workout on any day I touch a computer now. Took me a while to accept it, but sitting at a computer often is bad.

shmu26

I make myself do at least 1-2 hr total of workout on any day I touch a computer now. Took me a while to accept it, but sitting at a computer often is bad.
So that means you work out 7 hours a week minimum. Wow! In your case, computer use is good for your health.
Andy Ful

OSArmor is very good at blocking vulnerable programs/scripts embedded in MS Office documents opened by MS Office. In fact, I could not bypass OSArmor when all available mitigations were ticked (including Advanced). I tested embedded scripts and embedded OLE, so I cannot say anything about other possibilities like, for example, the popular DDE.
In the default settings, some embedded files can be run; for example, MSI files can be run via OLE (but not EXE files).
If the Office application is not on the Anti-Exploit list in OSArmor (like Softmaker Office), then the protection is not so strong, especially with OLE.
The final version 1.4 will cover all the above issues (most of them are covered already in the last test34 version), so the OSArmor Exploit-Protection feature for popular Office applications (MS Office, Apache OpenOffice, LibreOffice, Kingsoft WPS Office, and Softmaker Office) will be really strong. :)