Sandboxes against a simple API exploit
<blockquote data-quote="hjlbx" data-source="post: 420078"><p>[USER=2913]@yesnoo[/USER] </p><p></p><p>What follows is an explanation - not for you since you are fully aware of the issue - but for others...</p><p></p><p>You are absolutely correct. This is because even when a Trusted file is updated (just by the process of updating legitimately and automatically) it is now "modified." How CIS handles the updating (modification) of Trusted files is problematic. </p><p></p><p>Once a Trusted file has updated (been modified), CIS changes the file rating from Trusted to Unrecognized. The consequence of this File Rating change is that - depending upon CIS settings - the Trusted file (which has now been re-rated as Unrecognized by the act of updating) will generate alerts (HIPS, Firewall) and be auto-sandboxed. </p><p></p><p>Remember - the core functionality of CIS is such that only Unrecognized files generate alerts and auto-sandboxing.</p><p></p><p>On the one hand, this CIS behavior increases security by protecting against malicious file changes - even to Trusted files. On the other hand, the vast majority of CIS users do not know this is how CIS works. So when a bunch of Microsoft files (after Windows update for example) are modified, the user doesn't understand why CIS is now treating Trusted files as Unrecognized.</p><p></p><p>There's no direct, easy solution to this issue. Since CIS monitors all executable file types, if it were to shoot an alert to the user every time a legitimate file is updated, it would mean a huge number of alerts. So, in the current CIS alert system, that isn't going to work.</p><p></p><p>The current solution is for the user to manage file changes by CIS manually...</p><p></p><p>My solution is to periodically add the entire Windows and Program directories to the Trusted File List. </p><p></p><p>NOTE: Any malware installed to those directories can be white-listed if you are not paying attention !!!</p></blockquote><p></p>
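The rating lifecycle hjlbx describes, as an added illustrative model rather than CIS's own code: a hash-keyed rating store demotes a Trusted file to Unrecognized the moment its bytes change, and the "re-trust the whole directory" workaround shows why any unknown file already in that tree gets whitelisted along with the legitimately updated ones. `RatingStore`, `simulate` and the file paths and contents are constructed for the example.

```python
import hashlib

TRUSTED, UNRECOGNIZED = "Trusted", "Unrecognized"


class RatingStore:
    """Path -> (rating, sha256 of the bytes that earned it). Hypothetical model, not CIS code."""

    def __init__(self) -> None:
        self.ratings: dict[str, tuple[str, str]] = {}

    def trust(self, path: str, content: bytes) -> None:
        self.ratings[path] = (TRUSTED, hashlib.sha256(content).hexdigest())

    def rate(self, path: str, content: bytes) -> str:
        """Effective rating of the file as it exists now. A file never seen, or
        whose bytes no longer match the digest it was trusted with, is
        Unrecognized, the only rating that produces alerts/auto-sandboxing."""
        entry = self.ratings.get(path)
        digest = hashlib.sha256(content).hexdigest()
        if entry is None or entry[1] != digest:
            self.ratings[path] = (UNRECOGNIZED, digest)
            return UNRECOGNIZED
        return entry[0]

    def trust_directory(self, prefix: str, disk: dict[str, bytes]) -> list[str]:
        """The post's workaround: re-trust everything under prefix. Returns the
        paths that were Unrecognized and are now Trusted so they can be reviewed;
        an attacker's file already sitting in that tree would be on this list."""
        newly_trusted = []
        for path, content in disk.items():
            if path.startswith(prefix) and self.rate(path, content) != TRUSTED:
                self.trust(path, content)
                newly_trusted.append(path)
        return newly_trusted


def simulate() -> dict:
    """Walk the lifecycle the post describes over constructed sample files."""
    app, dropped = "C:/Windows/System32/app.exe", "C:/Windows/System32/dropped.exe"
    disk = {app: b"app v1"}                    # constructed on-disk contents
    store = RatingStore()
    store.trust(app, disk[app])
    before = store.rate(app, disk[app])        # Trusted
    disk[app] = b"app v2"                      # legitimate automatic update
    after_update = store.rate(app, disk[app])  # demoted to Unrecognized
    disk[dropped] = b"unknown binary"          # unknown file already in the tree
    newly = store.trust_directory("C:/Windows/", disk)
    return {"before": before, "after_update": after_update,
            "newly_trusted": newly, "dropped": store.rate(dropped, disk[dropped])}
```

Reviewing the list returned by `trust_directory` before accepting it is the check the post's NOTE is asking for.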