That is the whole point of blocking this dll, so malware with embedded powershell won't run.Some malware can use PowerShell while not using PS executables, except when you block System.Management.Automation DLLs.
Now you see me: Exposing fileless malware
- Thread starter Bot
- Start date
- Status
- Jul 3, 2015
- 8,153
Thanks. I somehow thought it was patched, I guess I confused this exploit with another one that was patched.You forgot about DDE in MS Office.
But it's really cat and mouse, because the bad actors will just keep on finding new ways. So protection is needed, otherwise you end up behind the eight-ball, as Lockdown says.
- Jul 3, 2015
- 8,153
If you are skilled enough to switch to linux, you are surely skilled enough to stay safe and sound on windows...
- Mar 14, 2017
- 273
It's funny because my brother in law (falsely) believes his beloved Apple is super secure compared to Windows and that he can't get infected with anything. Ironically they replaced it with a Windows 10 PC so I have now set them up with an SUA account and a PIN to login with.
I keep saying to people that say the above to me with the following: If you use the built in security features of Windows you're 90% to staying secure. The other 10% is using common sense and maybe purchasing some security software.
- Jul 3, 2015
- 8,153
What happens if you block only the dll, not powershell.exe?
It looks to me like it is behaving similar to when powershell runs as a guarded app. (Appguard)
It looks to me like it is behaving similar to when powershell runs as a guarded app. (Appguard)
- Mar 14, 2017
- 273
Thats a good question. I have the following set in Guarded Apps but I can't remember why:
- Apr 1, 2017
- 1,760
Hi,
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on Script Execution(Execution Policy: Allow only signed scripts)
What is signed script?Should I enable this policy for better protection?
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on Script Execution(Execution Policy: Allow only signed scripts)
What is signed script?Should I enable this policy for better protection?
That is why I recommend blocking *system.management.automation* because I have no idea of what mess Microsoft has gotten us into and at the same time I do not have the time nor inclination to go on a web expedition to discover what other bypasses are possible. "Security begins with knowledge" is true - and I am all for knowledge - but amassing a 1000 page notebook of bypasses is a bit much. In fact that thought annoys even me.
Last edited by a moderator:
I did not say it (see the red fragment). I said that SRP with DLL checking breaks Edge.
If you know how to disable this DLL using Windows features I would be grateful.
I also did not say that blocking it will break Windows. Personally, I like the blocking idea.
Anyone can see PROS and CONS from my previous post and decide which to choose.
I misunderstood.
- Dec 23, 2014
- 8,119
I am not surprised, it is always very probable because of my Polish-English.
I am not surprised, it is always very probable because of my Polish-English.
It's not your English. Your English is very good.
It is these online communications. When I read online posts, I can read them 5 times and each time they can be interpreted 5 different ways.
So I have to figure out what I think the person making the post meant. That is the HUGE problem with online communications - they are not normal human conversations.
- Jul 3, 2015
- 8,153
So let me guess: you have powershell and cmd in the user space list, and you want them blocked.
So that's why you unticked them in guarded apps. Because guarded apps overrides the user space restrictions. So you needed to untick them, otherwise they will run as guarded apps (as per default appguard settings)
- Jul 3, 2015
- 8,153
Just like there are signed exe files, so there are signed scripts.
- Apr 1, 2017
- 1,760
Yes but I think its a bit different with that digital sign.
Andy Ful don't you want to tell me what is this policy?and will it block all kind of PowerShell attacks or no?
Andy Ful don't you want to tell me what is this policy?and will it block all kind of PowerShell attacks or no?
- Jul 3, 2015
- 8,153
I think that policy only applies to running actual PS script files. It will not block embedded code.
- Dec 23, 2014
- 8,119
Yes, I usually have the same problem.It's not your English. Your English is very good.
It is these online communications. When I read online posts, I can read them 5 times and each time they can be interpreted 5 different ways.
- Dec 23, 2014
- 8,119
We can talk about it, but not here.
- Mar 14, 2017
- 273
You hit the nail on the head, thanks!
I'm curious, is it a good idea to block flash.ocx (Adobe Flash) in AppGuard since this runs in system space?
A good idea would be to uninstall Adobe Flash altogether.
An even better idea would be to uninstall Adobe Flash, and if you have it, uninstall it.
I had use Java for a few months but apart from that period I had neither installed on my system for many, many years... without any issues. As for Adobe Flash, it's all about HTML5 now; Adobe Flash was replaced in the modern world with something faster, a lot more efficient and safer - this is why malware authors stopped targeting Adobe Flash like they were before, because it was starting to become more and more less prevalent due to HTML5.
- Status
Similar threads
