<blockquote data-quote="Andy Ful" data-source="post: 955903" data-attributes="member: 32260"><p><strong><span style="font-size: 18px">Simple Windows Hardening vs. advanced attacks.</span></strong></p><p></p><p>In another thread, I posted the article about testing EDRs. The attack vectors were as follows:</p><p></p><p></p><p>Although such attacks are prevented by H_C in the Recommended Settings, SWH alone can block only some of them. The malicious CPL and HTA files will be blocked by SWH. But EXE and DLL files will be blocked only when the user tries to open the file from an email client or archiving application (supported by SWH).</p><p></p><p>Anyway, in the Home environment, the execution of EXE files will be detected/blocked in most cases by the AV, because never-seen malware is rarely used in widespread attacks. Even if the malware is a never-seen one, it will often be blocked by SmartScreen Application Reputation (files downloaded from the Internet).</p><p>If one uses Defender with ConfigureDefender settings, then the EXE malware will also be prevented while using USB drives. With ConfigureDefender MAX settings the (malicious) EXE file will be blocked by the ASR prevalence rule.</p><p></p><p>The only problem can be with the attack based on a legitimate EXE file vulnerable to DLL side-loading. This attack can be prevented only by running suspicious EXE files via <strong>RunBySmartScreen </strong>(as suggested in the SWH manual). Unfortunately, standard AVs will often allow such an attack. Fortunately, this attack vector is rare (so far) in widespread attacks.</p></blockquote><p></p>
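The post leans on two mechanisms for EXE malware that a reader can verify on their own machine: SmartScreen Application Reputation, which only evaluates files that still carry the Mark-of-the-Web (the Zone.Identifier alternate data stream), and the Defender ASR rules that ConfigureDefender turns on (the email/webmail rule, the USB rule, and the prevalence/age/trusted-list rule). The following PowerShell is an added example written for this page; it is not code from the original post, from Hard_Configurator or from SWH. The rule GUIDs and action values are the ones Microsoft documents for Defender ASR; the file path is an assumed sample and should be replaced.

```powershell
# Added example (not from Andy Ful's post or the H_C / SWH project).
# Reports MOTW on a downloaded file and the state of the three ASR rules
# the post mentions, so a reader can see which of those layers is active.

$File = "$env:USERPROFILE\Downloads\setup.exe"   # assumed sample path, replace it

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # SmartScreen Application Reputation is only consulted for files that carry
    # the Zone.Identifier stream (ZoneId=3 Internet, ZoneId=4 Restricted).
    if (-not (Test-Path -LiteralPath $Path)) { return 'file-not-found' }
    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) {
        # Typical for files extracted by an archiver that strips MOTW, or copied
        # from a USB drive: SmartScreen will not see such a file at launch.
        return 'no-motw'
    }
    $zoneLine = Get-Content -LiteralPath $Path -Stream Zone.Identifier |
                Where-Object { $_ -like 'ZoneId=*' } |
                Select-Object -First 1
    if ($zoneLine) { return $zoneLine } else { return 'motw-without-zoneid' }
}

# ASR rule GUIDs as documented by Microsoft for Defender.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files unless they meet prevalence, age or trusted-list criteria'
}
# Action codes returned by Get-MpPreference: 0 Disabled, 1 Block, 2 Audit, 6 Warn.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Reading preferences does not need elevation; changing them does.
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $AsrRules.Keys) {
        $state = 'Not configured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $guid) {
                $code = [int]$acts[$i]
                $state = if ($ActionName.ContainsKey($code)) { $ActionName[$code] } else { "Unknown($code)" }
                break
            }
        }
        [pscustomobject]@{ Rule = $AsrRules[$guid]; Guid = $guid; State = $state }
    }
}

"MOTW on ${File}: $(Get-MotwZone -Path $File)"
Get-AsrRuleState | Format-Table -AutoSize

# To switch the prevalence rule to block mode yourself (run elevated), which is
# one of the things ConfigureDefender MAX does:
# Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 `
#                  -AttackSurfaceReductionRules_Actions Enabled
```

A file that reports `no-motw` is exactly the case the post describes for USB drives and for archivers that drop the stream: SmartScreen cannot help there, which is why the USB and prevalence ASR rules (or running the file through RunBySmartScreen, which applies the SmartScreen check on demand) matter. A rule showing `Audit` logs but does not stop the launch; only `Block` prevents it.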