- Jul 29, 2018
- 566
VoodooShield vs. Re:HIPS vs. RansomOff vs. OSArmor
- Thread starter imuade
- Start date
- Jul 3, 2015
- 8,153
Does syshardener at max settings disable all the common script interpreters?
- May 29, 2018
- 2,608
hmm script hosts + powershell hardening also file type associatons like i have disabled .reg completely
Im just newbie, so theres alot stuff i dont probably understand right and its hard to say what OSA has that syshardener doesnt and wich syshardener have over OSA
I just went with evjl rainds recommendations and decided to block all after since im not programmer and i dont have reason to edit registry or run anything throught powershell anyways
From what i know evjl has told that avast is weak against scripts, so syshardener covers that side
But maybe someone can answer right way, havent you ever tried syshardener?
- Jul 3, 2015
- 8,153
I have used it, but I don't have it installed right now. I don't remember all the options there, it's a long list.
What I do remember is that syshardener does a great job at dissociating file types, and makes some smart Windows firewall rules, and it disables windows script host and powershell, as well as putting powershell in constrained language.
- Jul 3, 2015
- 8,153
It's true that ERP has stronger vulnerable process protection than ReHIPS. It monitors more processes, it is more aggressive, and has better fine-grained control.
If the user finds that ERP works reliably and smoothly, without impairing system performance, it is the better choice.
1. Despite some AV\IS doing well in specific script tests, the fact of the matter is that they are all weak against scripts.
1.1. Users place too much emphasis upon on-disk scripts while they ignore the threat of post-exploit in-memory only code (this is the "Gotcha").
2. The current prevention methodology is to report malicious scripts to the vendors. To make that prevention work, they have to "collect it all to know it all" - and that is just ludicrous, if not insane. The current state of malicious script prevention has taken years of gathering malicious reports and identifying patterns and making signatures or behavioral algorithms.
3. Interfacing with AMSI is not a straight-forward thing. It is not correct to think that vendor A who uses AMSI and vendor B who uses AMSI will perform the same against malicious scripts. A lot of discrepancies with handling malicious scripts between multiple vendors using AMSI has to do with Microsoft withholding or just not publishing every last bit of AMSI nitty-gritty. Ask @Eddie Morra .
4. The only way to decisively deal with malicious scripts on disk and especially in-memory is to disable the interpreter or sponsor - which is more less what OSA and SysHardener do. That means disabling them in both the Admin and Standard User Accounts. It makes no sense to enable interpreters in the Admin account full-time. In the worst case scenario, it sets up a Grand Slam home-run for the malc0der.
- Jul 3, 2015
- 8,153
What do you say about the ReHIPS approach, which is to enable interpreters for SYSTEM?
Exploit. Smashed.
SYSTEM does not need any of the vulnerable programs and sponsors on the extended VP list to function correctly.
Windows might need one or two depending upon the Windows version. For example, csc.exe on W8.1 or earlier builds of W10.
Last edited by a moderator:
- Jul 3, 2015
- 8,153
I wish to correct this claim. I did some more testing this morning, and ReHIPS did not alert for new command line strings when in Permissive mode. It will only block that which already has an express block rule. In short, Permissive mode is not a replacement for OSArmor, unless you edit the default rules and set them to block script interpreters. :emoji_disappointed:
Similar threads
-
- Locked
