CyberLock is able to read the MOTW feature, but it is my opinion that MOTW is a much better fit with allow-by-default products, as opposed to deny-by-default products.
The idea is not to allow scripts or files that do not have MOTW but be stricter for scripts or files that have it.
But CyberLock is going to block it either way if it is not explicitly whitelisted / previously allowed. So we really do not care where the script came from, we are going to block it either way.
We could add a similar capability, but I kind of like the way CyberLock already blocks drivers from even being installed in the first place. It would be very difficult to install a driver without CyberLock blocking the install.
malwaretips.com
The question for me is what's better to block high privilege sophisticated attacks using exploitation or Vulnerable drivers. Does a kernel mode driver like Cyberlock block as effectively as WDAC. Assuming the attack have admin and above privileges.We could add a similar capability, but I kind of like the way CyberLock already blocks drivers from even being installed in the first place. It would be very difficult to install a driver without CyberLock blocking the install.
Then again, we might be adding a WDAC mode to CyberLock, and if that is the case, it would be easy to include the WDAC drivers option. I am just waiting to see if people think it is a good idea or not to add a WDAC mode to CyberLock. Or we could have a separate WDAC version of CyberLock. Or maybe even add WDAC to DefenderUI, along with other Microsoft Defender components.
Reply to thread
Isn't everything lost already if the attacker has admin and above privileges? As an admin can't you just stop/install/whitelist whatever you please?
The latest stable version is on the hompage CyberLock™ - The User-Friendly Toggling Computer Lock.. The versions posted here I would consider prerelease/test versions for people interesting to try new features earlier. Like the MS insider program.
Magika could help identify file types without the file extension at the end of file.
You could argue either way on this topic, but one thing is for certain, a kernel mode driver like CyberLock's has tons of advantages over WDAC, and very few, if any, disadvantages. Don't get me wrong, WDAC is pretty cool and it has its place, but in terms of properly protecting a computer, there is simply no comparison.
I would suggest that everything is lost already if an attacker can execute any code on your machine
.
This is probably the best place, or we can add you to the beta test group if you like, that way you will receive updates.
CyberLock is not a security suite, so KTS has a lot more components that a full security suite would have. Whereas CyberLock's zero-trust / application whitelisting component is much more advanced, automated and user-friendly.
Thank you for the suggestion, we will probably do this soon.
Thank you, we looked into this, and while it is a very cool project, it does not cover most of the file types that we are interested in.
