NVT to Protect against Flash Infection


AtlBo

Dec 29, 2014
Have the elements of Flash all listed in the whitelisted processes in NVT 3.1.0.0. This is because I chose to allow it during installation along with Windows processes. Once the installation was complete, I unchecked "Allow Windows system protected processes" in settings and "Allow all software from the Program Files folder". I've been over the list of processes that were allowed during the installation, and I am fairly confident the setup is malware free.

I would rather not block Flash Player, as I have Firefox set up to show a pop-up for me, so that I can choose to run the player on demand. That mentioned, is there anything that I need to do with NVT to protect against possible Flash drive-by attacks? I also have all the elements of Flash being monitored in EMET.

One last question. What should I be wary of when looking at NVT pop ups for a Flash type of attack, should the attack get by EMET? Would it typically be a temp folder thing or more likely something from Windows in the form of a command line? Never seen the details of one of these types of attacks before. NVT is great, but the pop ups can begin to look amazingly alike, so I am trying to understand as much as I can about what to look for from malware attacks.
 

shmu26

Jul 3, 2015
This is what your vulnerable processes list is for. Keep it up to date (after a cumulative Windows update, refresh it, because the hashes might have changed).
You can add to it, too.
 

shmu26

Jul 3, 2015
Don't think of it as a Flash "attack"; it is more properly called a Flash "exploit".
That means that the malcoders find a little hole in Flash by which to enter the file system of the computer. Once they are in, in order to get their job done, they need to find a process that can be bent to their will. This is called a "vulnerable" process. They use it to:
1. Download the payload
2. Load DLLs
3. Make registry changes, add startup entries and disable AV
4. ???
 

AtlBo

Dec 29, 2014
Thanks shmu26. Two questions about the Whitelist in NVT. If I set a process as vulnerable, will I always get an alert even if the process is in the Whitelist Safe Applications (as long as the command line is not WLed)? Do I need to double check this? Also, does the Whitelist Safe Applications mean that specific command lines aren't alerted for a process? I want to see all command line activity that I haven't WLed as a command line.
 

shmu26

Jul 3, 2015
> Thanks shmu26. Two questions about the Whitelist in NVT. If I set a process as vulnerable, will I always get an alert even if the process is in the Whitelist Safe Applications (as long as the command line is not WLed)? Do I need to double check this? Also, does the Whitelist Safe Applications mean that specific command lines aren't alerted for a process? I want to see all command line activity that I haven't WLed as a command line.
Hi, the vulnerable process list overrides the whitelist, so yes, you will get a prompt, even if you whitelisted that process. You can check it out if you want, but I have found it to be very reliable.

If you whitelist an application, this means that it can be executed without producing a prompt. But if your nice, friendly whitelisted app then goes and tries to execute a different app, you will get a prompt for that, and you will have to whitelist the command line.
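The exploit chain shmu26 sketches a few posts up (a hole in Flash, then a "vulnerable" Windows process used to fetch the payload and persist) and the precedence rules in the reply just above (vulnerable list beats whitelist; a whitelisted app's children are prompted unless their exact command line is whitelisted; the list is hash-based, so refresh it after an update) can be modelled in a few lines. This is an added example, not code from the thread or from NVT ERP, and it does not read real policy files; the process names, the list of command-line tools, the paths and the byte strings standing in for executables are all constructed for the demo.

```python
# Added example: a toy model of an anti-executable policy, not NVT ERP's own logic.
# It encodes the three interactions described in the thread:
#   (1) a process on the vulnerable list prompts even if it is whitelisted,
#   (2) a whitelisted app runs silently, but whatever it launches is prompted
#       unless that exact command line has been whitelisted,
#   (3) vulnerable-list entries are matched by file hash, so a binary changed by a
#       Windows update silently falls out of the list until the list is refreshed.
# Every path, event and "file content" below is constructed; nothing is read from disk.
import hashlib
from dataclasses import dataclass

# Assumed names: the browser and plug-in host processes a Flash exploit would run in,
# and Windows command-line tools an exploit commonly borrows for its next stage.
BROWSER_PARENTS = {"firefox.exe", "plugin-container.exe", "flashplayerplugin.exe"}
CMDLINE_TOOLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                 "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ProcEvent:
    image: str          # executable being started
    parent: str         # process that started it
    cmdline: str        # full command line
    image_bytes: bytes  # stand-in for the on-disk file, so it can be hashed offline


@dataclass
class Policy:
    vulnerable: dict    # lower-cased image path -> sha256 recorded at last refresh
    safe_apps: set      # whitelisted image paths (lower-cased)
    safe_cmdlines: set  # whitelisted exact command lines

    def refresh_vulnerable(self, files: dict) -> None:
        """Re-hash every listed binary, e.g. after a cumulative update."""
        for path in list(self.vulnerable):
            if path in files:
                self.vulnerable[path] = sha256_hex(files[path])


def hints(ev: ProcEvent) -> list:
    """What to look for in a prompt: the two patterns AtlBo asks about."""
    out = []
    img, parent, low = basename(ev.image), basename(ev.parent), ev.image.lower()
    if "\\appdata\\local\\temp\\" in low or "\\windows\\temp\\" in low:
        out.append("image lives in a temp folder (dropped payload?)")
    if img in CMDLINE_TOOLS and parent in BROWSER_PARENTS:
        out.append(f"{img} spawned by {parent}: Windows command-line tool launched from the browser/plugin")
    if img in CMDLINE_TOOLS and ("http" in ev.cmdline.lower() or "-enc" in ev.cmdline.lower()):
        out.append("command line downloads something or carries encoded content")
    return out


def decide(policy: Policy, ev: ProcEvent):
    """Return ('ALLOW' | 'PROMPT', reasons) in the precedence order from the thread."""
    image, reasons = ev.image.lower(), []
    if image in policy.vulnerable:                       # (1) vulnerable list first
        if policy.vulnerable[image] == sha256_hex(ev.image_bytes):
            return "PROMPT", ["vulnerable process (overrides whitelist)"] + hints(ev)
        reasons.append("hash differs from vulnerable-list entry (list is stale)")  # (3)
    if ev.cmdline in policy.safe_cmdlines:               # (2) exact command line
        return "ALLOW", reasons + ["command line whitelisted"]
    if image in policy.safe_apps:                        # (2) whitelisted application
        return "ALLOW", reasons + ["whitelisted application"]
    return "PROMPT", reasons + ["not whitelisted"] + hints(ev)


def run_demo() -> dict:
    rundll = r"c:\windows\system32\rundll32.exe"
    old, new = b"rundll32 build 1", b"rundll32 build 2"   # constructed stand-ins for file contents
    policy = Policy(vulnerable={rundll: sha256_hex(old)},
                    safe_apps={rundll, r"c:\program files\mozilla firefox\firefox.exe"},
                    safe_cmdlines={r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'})
    firefox = ProcEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                        r"C:\Windows\explorer.exe", "firefox.exe", b"ff")
    chain = ProcEvent(r"C:\Windows\System32\rundll32.exe",
                      r"C:\Program Files\Mozilla Firefox\plugin-container.exe",
                      r"rundll32.exe C:\Users\user\AppData\Local\Temp\x.dll,Run", old)
    results = {"browser": decide(policy, firefox)[0],
               "vulnerable_beats_whitelist": decide(policy, chain)[0]}
    updated = ProcEvent(chain.image, chain.parent, chain.cmdline, new)  # after a Windows update
    results["stale_after_update"] = decide(policy, updated)[0]           # silently allowed
    policy.refresh_vulnerable({rundll: new})
    results["after_refresh"] = decide(policy, updated)[0]                # prompts again
    dropped = ProcEvent(r"C:\Users\user\AppData\Local\Temp\upd.exe",
                        r"C:\Windows\System32\rundll32.exe", "upd.exe", b"payload")
    results["temp_payload"] = decide(policy, dropped)
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The interesting row is `stale_after_update`: once the update changes `rundll32.exe`, the hash on the vulnerable list no longer matches, the entry is ignored, and the process falls through to the whitelist and runs silently, which is exactly why shmu26 says to refresh the list after cumulative updates. The `hints` function is only a reading aid for the prompt: a temp-folder image or a command-line tool parented by the browser is the shape a Flash-exploit follow-on usually takes, but a prompt with none of those hints is not automatically safe.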
 

AtlBo

Dec 29, 2014
You know I think I was thrown off by being unable to choose both. That was maybe a couple of days after I started using NVT ERP. I really appreciate you helping out with this shmu26. Great. :)
 
