NVT to Protect against Flash Infection

Discussion in 'NoVirusThanks' started by AtlBo, Dec 15, 2016.

  1. AtlBo

    I have all the elements of Flash listed in the Whitelisted processes in NVT 3.1.0.0. This is because I chose to allow it during installation along with Windows processes. Once the installation was complete, I unchecked "Allow Windows system protected processes" in settings and "Allow all software from the Programs Files folder". I've been over the list of processes that were allowed during the installation, and I am fairly confident the setup is malware free.

    I would rather not block Flash player, as I have Firefox set up to show a pop up for me, so that I can choose to run the player on demand. That mentioned, is there anything that I need to do with NVT to protect against possible Flash drive by attacks? I also have all the elements of Flash being monitored in EMET.

    One last question. What should I be wary of when looking at NVT pop ups for a Flash type of attack, should the attack get by EMET? Would it typically be a temp folder thing or more likely something from Windows in the form of a command line? Never seen the details of one of these types of attacks before. NVT is great, but the pop ups can begin to look amazingly alike, so I am trying to understand as much as I can about what to look for from malware attacks.
     
  2. shmu26

    This is what your vulnerable processes list is for. Keep it up to date (after a cumulative Windows update, refresh it, because the hashes might have changed).
    You can add to it, too.
     
    AtlBo likes this.
  3. shmu26

    Don't think of it as a Flash "attack"; it is more properly called a Flash "exploit".
    That means that the malcoders find a little hole in Flash by which to enter the file system of the computer. Once they are in, in order to get their job done, they need to find a process that can be bent to their will. This is called a "vulnerable" process. They use it to:
    1. download the payload
    2. load DLLs
    3. make registry changes, add startup entries and disable AV
    4. ???
     
    AtlBo likes this.
  4. AtlBo

    Thanks shmu26. Two questions about the Whitelist in NVT. If I set a process as vulnerable, will I always get an alert even if the process is in the Whitelist Safe Applications (as long as the command line is not WLed)? Do I need to double check this? Also, does the Whitelist Safe Applications mean that specific command lines aren't alerted for a process? I want to see all command line activity that I haven't WLed as a command line.
     
  5. shmu26

    Hi, the vulnerable process list overrides the whitelist, so yes, you will get a prompt, even if you whitelisted that process. You can check it out if you want, but I have found it to be very reliable.

    If you whitelist an application, this means that it can be executed without producing a prompt. But if your nice, friendly whitelisted app then goes and tries to execute a different app, you will get a prompt for that, and you will have to whitelist the command line.
     
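To make the two rules shmu26 describes concrete, here is an added Python model of the prompt/allow decision. It is not NoVirusThanks' code and does not reproduce ERP's actual implementation: it assumes a vulnerable-process list keyed by file path and the hash recorded when the entry was added (so a binary replaced by a cumulative Windows update, as post 2 warns, leaves a stale entry), a whitelist of application paths, and a whitelist of exact command lines. Every path, hash and command line below is constructed for the illustration.

```python
"""Toy model of the anti-executable rules described in this thread (added example).

Assumptions (not taken from NVT ERP itself):
  * vulnerable-process entries are matched by path and recorded hash;
  * the vulnerable list overrides the application whitelist;
  * a whitelisted app may start silently, but a program it launches is
    allowed only when that exact command line is whitelisted.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed paths for the demo (the Flash and updater paths are placeholders).
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
FLASH = r"C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
UPDATER = r"C:\Program Files\Mozilla Firefox\updater.exe"


def fake_hash(label: str) -> str:
    """Stand-in for hashing the on-disk binary; hashes a constructed label."""
    return hashlib.sha256(label.encode()).hexdigest()


@dataclass(frozen=True)
class Event:
    image: str                    # program being launched
    image_hash: str               # hash of that binary as found on disk now
    cmdline: str                  # full command line of the launch
    parent: Optional[str] = None  # launching process, None for a user launch


@dataclass
class Policy:
    whitelisted_apps: set = field(default_factory=set)      # paths
    whitelisted_cmdlines: set = field(default_factory=set)  # exact command lines
    vulnerable: dict = field(default_factory=dict)          # path -> recorded hash


def decide(policy: Policy, ev: Event) -> str:
    """Return 'allow', 'prompt', or 'prompt-stale' for a launch event."""
    # Rule 1: a vulnerable process always prompts, whitelisted or not.
    # A hash that no longer matches means the list entry is out of date.
    if ev.image in policy.vulnerable:
        if policy.vulnerable[ev.image] != ev.image_hash:
            return "prompt-stale"
        return "prompt"
    # Rule 2: a child started by a whitelisted app is judged on its command line.
    if ev.parent is not None and ev.parent in policy.whitelisted_apps:
        return "allow" if ev.cmdline in policy.whitelisted_cmdlines else "prompt"
    # Otherwise the application whitelist decides.
    return "allow" if ev.image in policy.whitelisted_apps else "prompt"


def refresh_vulnerable(policy: Policy, current_hashes: dict) -> list:
    """Re-record the hash of each vulnerable entry; return the paths that changed."""
    changed = []
    for path, recorded in policy.vulnerable.items():
        current = current_hashes.get(path, recorded)
        if current != recorded:
            changed.append(path)
            policy.vulnerable[path] = current
    return changed


def build_policy() -> Policy:
    p = Policy()
    p.whitelisted_apps.update({FIREFOX, FLASH, UPDATER})
    p.whitelisted_cmdlines.add(f'"{UPDATER}" --check')
    p.vulnerable[FLASH] = fake_hash("flash-build-1")
    p.vulnerable[POWERSHELL] = fake_hash("powershell-before-update")  # pre-update hash
    return p


def run_demo():
    """Evaluate constructed events before and after refreshing the vulnerable list."""
    p = build_policy()
    events = {
        "user_starts_firefox": Event(FIREFOX, fake_hash("firefox"), f'"{FIREFOX}"'),
        # Flash is whitelisted AND on the vulnerable list: the vulnerable rule wins.
        "firefox_loads_flash": Event(FLASH, fake_hash("flash-build-1"), f'"{FLASH}"', FIREFOX),
        # The binary on disk changed after an update; the recorded hash is stale.
        "firefox_spawns_powershell": Event(POWERSHELL, fake_hash("powershell-after-update"),
                                           f'"{POWERSHELL}" -NoProfile -File C:\\Users\\Public\\s.ps1', FIREFOX),
        "firefox_runs_whitelisted_cmdline": Event(UPDATER, fake_hash("updater"), f'"{UPDATER}" --check', FIREFOX),
        "firefox_runs_unlisted_cmdline": Event(UPDATER, fake_hash("updater"), f'"{UPDATER}" --install-from C:\\Users\\Public\\x', FIREFOX),
    }
    before = {name: decide(p, ev) for name, ev in events.items()}
    changed = refresh_vulnerable(p, {POWERSHELL: fake_hash("powershell-after-update")})
    after = {name: decide(p, ev) for name, ev in events.items()}
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = run_demo()
    for name in before:
        print(f"{name:34} before={before[name]:13} after={after[name]}")
    print("refreshed:", changed)
```

Running it shows the points made in posts 2 and 5: the user launch of the whitelisted browser is silent, the whitelisted Flash plugin still prompts because it is on the vulnerable list, the child with a whitelisted command line is allowed while the same program with a different command line prompts, and the PowerShell entry whose binary changed is reported as stale until the list is refreshed.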
  6. AtlBo

    You know, I think I was thrown off by being unable to choose both. That was maybe a couple of days after I started using NVT ERP. I really appreciate you helping out with this, shmu26. Great. :)
     
    shmu26 likes this.