- Mar 19, 2017
- 69
Hello, the forum. Is Voodooshield stopping malware without files?
I believe he meant: is Voodooshield stopping fileless malware?
I don't know though.
Voodooshield also uses all VirusTotal scanners on each new file. The sensitivity can be changed, so that if VT is set to, say, 2, it is most likely a false positive.
> A truly file-less attack

What does that mean? Where does that malware come from if there is no file? How can I protect myself from such malware?
What do you recommend we set this to? I know on VT a lot of innocent things get hit by a couple of the scanners. What's a good number?
> What does that mean? Where does that malware come from if there is no file? How can I protect myself from such malware?

It means no file exists at all. No initial file to be executed in-memory (e.g. a Portable Executable) and no files being dropped to disk by the payload - this is my definition of a "true" file-less attack, however there are different meanings. An example of such an attack would be exploiting a web browser via malicious JavaScript, as an attempt to execute native shell-code in the address space of the web browser process responsible for processing the web page (in which local files such as HTML and JS are downloaded locally for the browser to interpret the files' contents -> JavaScript executes for web page functionality, but it's on the local side, not server-side like PHP). In that example, no file exists in the sense that the user had to download and execute a binary - the JavaScript file containing the malicious JavaScript code still existed, though, but it's a different context. The malicious shell-code now runs under an existing process, instead of under its own process, without requiring independent code execution on the local system to inject the shell-code into the vulnerable process.
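The post above describes shell-code that lives only inside the address space of an existing process, so there is no file on disk for a file-based scanner to check. What a defender can look at instead is the process's memory map: code that was injected at run time usually sits in memory that is executable but not backed by any file, and very often writable as well (the classic RWX region). The script below is an added example, not code from the original thread or from the Voodooshield product; it assumes the Linux /proc/<pid>/maps format and runs against a constructed sample map (not taken from a real machine) so it works offline. The sample includes a file-backed browser binary, the heap and stack, the kernel-provided [vdso] page, and two anonymous executable regions of the kind the post is describing.

```python
"""Flag executable memory regions that are not backed by a file.

Added example for the discussion of in-memory ("file-less") shell-code.
Assumes the Linux /proc/<pid>/maps line format:
  start-end perms offset dev inode [path]
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of /proc/<pid>/maps output (not captured from a real system).
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a8c000 r-xp 00000000 08:01 131 /usr/lib/firefox/firefox
55d0c3a8c000-55d0c3a90000 r--p 0008c000 08:01 131 /usr/lib/firefox/firefox
7f2a40000000-7f2a40021000 rw-p 00000000 00:00 0 [heap]
7f2a41000000-7f2a41100000 rwxp 00000000 00:00 0
7f2a42000000-7f2a42200000 r-xp 00000000 00:00 0
7f2a43000000-7f2a43001000 r-xp 00000000 08:01 9 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]
7ffd1e1f0000-7ffd1e1f2000 r-xp 00000000 00:00 0 [vdso]
"""

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str  # "rwx" (writable and executable) or "anon-exec" (executable, no backing file)

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Dict[str, str]]:
    """Parse maps lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def suspicious_mappings(maps_text: str) -> List[Finding]:
    """Return executable regions with no file behind them, in map order.

    Kernel pseudo-mappings such as [vdso] have inode 0 but are expected, so
    they are excluded from the anonymous check; a writable+executable region
    is flagged regardless of what backs it.
    """
    findings = []
    for row in parse_maps(maps_text):
        perms = row["perms"]
        if "x" not in perms:
            continue  # only executable memory can host running shell-code
        path = row["path"].strip()
        anonymous = row["inode"] == "0" and not path.startswith("[")
        if "w" in perms:
            reason = "rwx"
        elif anonymous:
            reason = "anon-exec"
        else:
            continue  # ordinary file-backed code (binary or shared library)
        findings.append(Finding(int(row["start"], 16), int(row["end"], 16),
                                perms, path or "<anonymous>", reason))
    return findings


def scan_pid(pid: int) -> List[Finding]:
    """Scan a live process on Linux by reading /proc/<pid>/maps."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return suspicious_mappings(fh.read())


if __name__ == "__main__":
    # With a PID argument scan a live process; otherwise use the constructed sample.
    results = scan_pid(int(sys.argv[1])) if len(sys.argv) > 1 else suspicious_mappings(SAMPLE_MAPS)
    for f in results:
        print(f"{f.start:#x}-{f.end:#x} {f.perms} {f.size:>8} bytes {f.reason:<9} {f.path}")
```

On the sample this reports the two anonymous executable regions and nothing else. One caveat a practitioner needs: modern browsers JIT-compile JavaScript into anonymous executable pages as part of normal operation, so on a real browser process "anon-exec" hits are expected and this is a triage signal to combine with other evidence (the region's contents, who created it, and whether it is both writable and executable), not a verdict on its own.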
> What if I sandbox the browser?! Will those attacks only come from the browser? Can malware magically get to my PC if I don't run anything and sandbox the browser?

Well, no, because 99.9% of the time user interaction is always required. How did the exploit deploy in the first place? In the example of a malicious web page which deploys a zero-day exploit, you still navigated to that malicious web page, or another web page which redirected you there. A different example would be software you're using which connects to somewhere, but the destination has been compromised, and this may possibly be abused as an attack vector to gain control of the victim's machine if it can be done by the attacker - we saw something similar to this with the initial spread of Petya. It didn't deploy a "file-less" attack; however, the company providing banking software was compromised and this led to a rogue update which contained malicious software. Even though that isn't a "file-less" attack, it might help you understand better.