NVT to Protect against Flash Infection

[AtlBo]

Have the elements of Flash all listed in the Whitelisted processes in NVT 3.1.0.0. This is because I chose to allow it during installation along with Windows processes. Once the installation was complete, I unchecked "Allow Windows system protected processes" in settings and "Allow all software from the Programs Files folder". I've been over the list of allowed that were allowed during the installation, and I am fairly confident the setup is malware free.

I would rather not block Flash player, as I have Firefox set up to show a pop up for me, so that I can choose to run the player on demand. That mentioned, is there anything that I need to do with NVT to protect against possible Flash drive by attacks? I also have all the elements of Flash being monitored in EMET.

One last question. What should I be wary of when looking at NVT pop ups for a Flash type of attack, should the attack get by EMET? Would it typically be a temp folder thing or more likely something from Windows in the form of a command line? Never seen the details of one of these types of attacks before. NVT is great, but the pop ups can begin to look amazingly alike, so I am trying to understand as much as I can about what to look for from malware attacks.

 

[shmu26]

this is what your vulnerable processes list is for. Keep it up to date (after cumulative windows update, refresh it, because the hashes might have changed)
you can add to it, too

 

[shmu26]

don't think of it as a flash "attack", it is more properly called a flash "exploit".
That means that the malcoders find a little hole in flash, by which to enter the file system of the computer. Once they are in, in order to get their job done, they need to find a process that can be bent to their will. This is called a "vulnerable" process. They use it to:
1 download the payload
2 load dlls
3 make registry changes and add startup entries and disable AV
4 ???

 

[AtlBo]

Thanks shmu26. Two questions about the Whitelist in NVT. If I set a process as vulnerable, will I always get an alert even if the process is in the Whitelist Safe Applications (as long as the command line is not WLed)? Do I need to double check this? Also, does the Whitelist Safe Applications mean that specific command lines aren't alerted for a process? I want to see all command line activity that I haven't WLed as a command line.

 

[shmu26]

Thanks shmu26. Two questions about the Whitelist in NVT. If I set a process as vulnerable, will I always get an alert even if the process is in the Whitelist Safe Applications (as long as the command line is not WLed)? Do I need to double check this? Also, does the Whitelist Safe Applications mean that specific command lines aren't alerted for a process? I want to see all command line activity that I haven't WLed as a command line.

Hi, the vulnerable process list overrides the whitelist, so yes, you will get a prompt, even if you whitelisted that process. You can check it out if you want, but I have found it to be very reliable.

if you whitelist an application, this means that it can be executed without producing a prompt. But if your nice, friendly whitelisted app then goes and tries to execute a different app, you will get a prompt for that, and you will have to whitelist the command line.

 

[AtlBo]

You know I think I was thrown off by being unable to choose both. That was maybe a couple of days after I started using NVT ERP. I really appreciate you helping out with this shmu26. Great.