Protecting processes from injection via SetWindowsHookEx() ?
[QUOTE="Deleted member 65228, post: 730819"]
You can also check the Entry Point for the PE and attempt to find anomalies in it, as well as checking the Imports, Strings, and info in the PE Header to help determine whether it is packed. Don't forget about entropy level.

Based on the algorithm conclusion, you can then intercept operations at the start of execution and then decide when to stop the interception and apply the generic signature scanning in-memory.

Even if you prevent DSEFix.exe through cutting the legs off with blocking VBoxDrv.sys installation (the vulnerable driver version) coming from an unknown process not from VirtualBox, I'd still recommend looking into memory scanning as it can be beneficial for your real-time protection component.

You will want at least a memory scanner in 2018. Especially once 2019 hits. Standard thing now really IMO.
[/QUOTE]
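The static packer checks the post lists (entry point location and section rights, section entropy, import and string counts) as one worked example. This is added example code, not the poster's own tool: it walks the PE headers with `struct`, scores the indicators, and runs against two small PE32 images constructed inline (a plain one and a UPX-style one with an empty RWX `UPX0` and a high-entropy `UPX1`). The thresholds (7.0 bits/byte, 5 imports, 20 strings), the `sample_clean()`/`sample_packed()` images and the PE32-only builder are assumptions for the demonstration, not values from the post.

```python
"""Static packer heuristics over a PE image: entry-point section, section
entropy, import and string counts. Added example; thresholds and the two
constructed sample images are assumptions, not data from the thread."""
import hashlib, math, re, struct

SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000
SECT_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data):
    """Bits per byte (0.0..8.0); packed or encrypted sections sit close to 8."""
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def parse_pe(image):
    """Minimal PE32/PE32+ header walk (assumes well-formed headers)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", image, 0x3C)[0]
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, nt + 4)
    opt = nt + 24
    plus = struct.unpack_from("<H", image, opt)[0] == 0x20B            # PE32+ magic
    entry = struct.unpack_from("<I", image, opt + 16)[0]               # AddressOfEntryPoint
    import_rva = struct.unpack_from("<I", image, opt + (112 if plus else 96) + 8)[0]  # DataDirectory[1]
    sections = []
    for i in range(nsec):
        name, vsize, rva, rawsz, rawptr, *_, chars = struct.unpack_from(SECT_FMT, image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": rva, "vsize": vsize,
                         "rawptr": rawptr, "raw": image[rawptr:rawptr + rawsz] if rawsz else b"", "chars": chars})
    return {"entry": entry, "pe32plus": plus, "import_rva": import_rva, "sections": sections}


def section_for_rva(pe, rva):
    return next((s for s in pe["sections"] if s["rva"] <= rva < s["rva"] + max(s["vsize"], len(s["raw"]))), None)


def rva_to_offset(pe, rva):
    s = section_for_rva(pe, rva)
    return s["rawptr"] + rva - s["rva"] if s and rva - s["rva"] < len(s["raw"]) else None


def count_imports(image, pe):
    """(DLLs, functions) from the import directory; packers typically leave only LoadLibrary/GetProcAddress."""
    dlls = funcs = 0
    off = rva_to_offset(pe, pe["import_rva"]) if pe["import_rva"] else None
    tfmt, tlen = ("<Q", 8) if pe["pe32plus"] else ("<I", 4)
    while off is not None and off + 20 <= len(image):
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, off)   # IMAGE_IMPORT_DESCRIPTOR
        if not name_rva:
            break
        dlls += 1
        toff = rva_to_offset(pe, oft or ft)
        while toff is not None and toff + tlen <= len(image) and struct.unpack_from(tfmt, image, toff)[0]:
            funcs, toff = funcs + 1, toff + tlen
        off += 20
    return dlls, funcs


def count_strings(data, min_len=5):
    return len(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))


def analyze(image, entropy_limit=7.0, min_imports=5, min_strings=20):
    """Collect packer indicators; the thresholds are assumptions to tune on a real corpus."""
    pe, hits = parse_pe(image), []
    ep = section_for_rva(pe, pe["entry"])
    if ep is None:
        hits.append("entry point outside every section")
    else:
        if ep["name"] not in (".text", "CODE"):
            hits.append(f"entry point in non-standard section {ep['name']!r}")
        if len(pe["sections"]) > 1 and ep is pe["sections"][-1]:
            hits.append("entry point in the last section")
        if ep["chars"] & SCN_WRITE and ep["chars"] & SCN_EXECUTE:
            hits.append("entry section is writable and executable")
    for s in pe["sections"]:
        if s["raw"] and shannon_entropy(s["raw"]) > entropy_limit:
            hits.append(f"section {s['name']!r} entropy {shannon_entropy(s['raw']):.2f} > {entropy_limit}")
        if not s["raw"] and s["vsize"] >= 0x1000 and s["chars"] & SCN_EXECUTE:
            hits.append(f"executable section {s['name']!r} has no raw data (unpack target)")
    dlls, funcs = count_imports(image, pe)
    if funcs < min_imports:
        hits.append(f"only {funcs} imported function(s) from {dlls} DLL(s)")
    if count_strings(image) < min_strings:
        hits.append("few printable strings")
    return {"likely_packed": len(hits) >= 3, "indicators": hits}


# --- constructed sample images (assumptions, not real files) ---
def make_import_blob(base_rva, dlls):
    """PE32 import descriptors, thunks and hint/name entries laid out from base_rva."""
    descs, body = bytearray(), bytearray()
    body_rva = base_rva + 20 * (len(dlls) + 1)
    for dll, funcs in dlls:
        name_rvas = []
        for f in funcs:
            name_rvas.append(body_rva + len(body))
            body += b"\0\0" + f.encode() + b"\0" + bytes((len(f) + 1) % 2)   # hint, name, NUL, even-aligned
        dll_rva = body_rva + len(body)
        body += dll.encode() + b"\0"
        body += bytes(-len(body) % 4)
        thunk_rva = body_rva + len(body)
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + bytes(4)
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, dll_rva, thunk_rva)
    return bytes(descs + bytes(20) + body)


def build_image(sections, entry_rva, import_rva, import_size):
    """sections: (name, rva, vsize, raw bytes, characteristics); PE32, 0x200 file alignment."""
    A = 0x200
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, A)        # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, import_rva, import_size)    # DataDirectory[IMPORT]
    table, raw, ptr = bytearray(), bytearray(), A
    for name, rva, vsize, data, chars in sections:
        data += bytes(-len(data) % A)
        table += struct.pack(SECT_FMT, name.encode(), vsize, rva, len(data), ptr if data else 0, 0, 0, 0, 0, chars)
        raw += data; ptr += len(data)
    hdr = dos + b"PE\0\0" + coff + opt + table
    return bytes(hdr + bytes(A - len(hdr)) + raw)


def sample_clean():
    imports = make_import_blob(0x1000, [("KERNEL32.dll", ["CreateFileA", "ReadFile", "WriteFile",
                                                         "CloseHandle", "GetLastError", "ExitProcess"]),
                                        ("USER32.dll", ["MessageBoxA"])])
    code = b"\x55\x8b\xec" + b"\x90" * 100 + b"\x33\xc0\xc3"          # push ebp; mov ebp,esp; nops; xor eax,eax; ret
    data = b"".join(b"config entry %d\0" % i for i in range(16))
    return build_image([(".text", 0x1000, 0x1000, imports + code, 0x60000020),
                        (".data", 0x2000, 0x1000, data, 0xC0000040)], 0x1000 + len(imports), 0x1000, len(imports))


def sample_packed():
    """UPX-style layout: empty RWX UPX0, stub plus high-entropy payload in UPX1, two imports."""
    imports = make_import_blob(0x9000, [("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"])])
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(48))   # deterministic, ~8 bits/byte
    payload = noise[:0x600 - len(imports)]        # fill the section exactly so file padding does not dilute entropy
    return build_image([("UPX0", 0x1000, 0x8000, b"", 0xE0000080),
                        ("UPX1", 0x9000, 0x1000, imports + payload, 0xE0000040)], 0x9000 + len(imports), 0x9000, len(imports))


if __name__ == "__main__":
    for label, img in (("clean", sample_clean()), ("packed", sample_packed())):
        print(label, analyze(img))
```

Each indicator alone is weak (legitimate installers ship high-entropy resources, and .NET or Delphi binaries put the entry point in unusual places), which is why the example only calls an image "likely packed" when several line up; in a real engine the verdict feeds the "intercept at start of execution, then scan memory" step the post describes rather than blocking on its own.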