Battle VoodooShield vs. Re:HIPS vs. RansomOff vs. OSArmor

imuade (thread author)
Jul 29, 2018
Hi there, what's your opinion about these SWs which can run alongside a traditional AV?
If you wanna add any other app, please do it. But please, just add FREE SW (for example, SecureAPlus is not an option since it's free for 1 year only).

Moonhorse
May 29, 2018
> ...common script interpreters
Hmm, script hosts + PowerShell hardening, also file type associations, like I have disabled .reg completely.

I'm just a newbie, so there's a lot of stuff I probably don't understand right, and it's hard to say what OSA has that SysHardener doesn't and which SysHardener has over OSA.

I just went with Evjl's Rain's recommendations and decided to block all afterwards, since I'm not a programmer and I don't have a reason to edit the registry or run anything through PowerShell anyway.

From what I know, Evjl has said that Avast is weak against scripts, so SysHardener covers that side.

But maybe someone can answer the right way; haven't you ever tried SysHardener?
 

shmu26
Jul 3, 2015
> Hmm, script hosts + PowerShell hardening, also file type associations, like I have disabled .reg completely.
>
> I'm just a newbie, so there's a lot of stuff I probably don't understand right, and it's hard to say what OSA has that SysHardener doesn't and which SysHardener has over OSA.
>
> I just went with Evjl's Rain's recommendations and decided to block all afterwards, since I'm not a programmer and I don't have a reason to edit the registry or run anything through PowerShell anyway.
>
> From what I know, Evjl has said that Avast is weak against scripts, so SysHardener covers that side.
>
> But maybe someone can answer the right way; haven't you ever tried SysHardener?

I have used it, but I don't have it installed right now. I don't remember all the options there; it's a long list.
What I do remember is that SysHardener does a great job at dissociating file types, and makes some smart Windows firewall rules, and it disables Windows Script Host and PowerShell, as well as putting PowerShell in Constrained Language mode.
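The settings shmu26 lists above (disable Windows Script Host, dissociate script file types, force PowerShell into Constrained Language mode, add outbound firewall rules for interpreters) can all be applied by hand with documented Windows knobs. The script below is an added example written for this page; it is not SysHardener's code and does not reproduce its exact rule set. The extension list, the list of programs given outbound-block rules, and the removal of the PowerShell v2 engine are my own choices, marked as assumptions in the comments. Run it elevated on a test machine first: blocking powershell.exe outbound will break any management tooling that relies on it.

```powershell
# Added example for this thread (not SysHardener's own code). Applies the
# hardening steps described in the post above using documented Windows settings.
# Items marked "assumed" are this script's choices, not a vendor's rule set.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# 1. Disable Windows Script Host for all users (HKLM) and the current user (HKCU).
#    With Enabled = 0, wscript.exe / cscript.exe refuse to run .js/.vbs/.wsf files.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled -Type DWord -Value 0
}

# 2. Dissociate script file types so a double-click opens Notepad (txtfile)
#    instead of an interpreter. Convenience guard only: "wscript.exe foo.js"
#    still runs unless step 1 is in place, and a per-user UserChoice entry under
#    HKCU\...\Explorer\FileExts can override the machine-wide handler.
$scriptExts = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.reg'   # assumed list
foreach ($ext in $scriptExts) {
    $extKey = "HKLM:\SOFTWARE\Classes\$ext"
    New-Item -Path $extKey -Force | Out-Null
    Set-ItemProperty -Path $extKey -Name '(default)' -Value 'txtfile'
}

# 3. Constrained Language mode for every new PowerShell session via the
#    __PSLockdownPolicy machine environment variable (4 = ConstrainedLanguage).
#    Caveat: this is a hardening tweak, not a security boundary; an attacker who
#    can edit environment variables can clear it. WDAC/AppLocker policy is the
#    supported way to enforce CLM.
[Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

# 4. (assumed, not in the post) Remove the PowerShell v2 engine so that
#    "powershell -Version 2" cannot downgrade out of CLM, AMSI and script block
#    logging. Requires the DISM module that ships with Windows 8/10.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# 5. Outbound firewall rules for interpreters that rarely need the network
#    (the "smart Windows firewall rules" idea). Program list is assumed.
$noNetwork = @(
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)
foreach ($exe in $noNetwork) {
    $name = 'Block outbound: ' + (Split-Path $exe -Leaf) + " ($exe)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any | Out-Null
    }
}

Write-Host 'Done. Open a NEW PowerShell window and check:'
Write-Host '  $ExecutionContext.SessionState.LanguageMode   # expect ConstrainedLanguage'
```

Two things to keep in mind when reading the result. The WSH switch is the only step here that actually stops the interpreter; the file-type change only affects what Explorer does on double-click. And step 3 is exactly the kind of "PowerShell hardening" that a later post in this thread argues is not enough on its own, because it does nothing about code that is already running in memory.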
 

shmu26
Jul 3, 2015
> I don't see the point of using ReHIPS without its sandboxing... ReHIPS is first a sandbox...
>
> If you just use the Application Control module, better go with OSA or ERP.

It's true that ERP has stronger vulnerable process protection than ReHIPS. It monitors more processes, it is more aggressive, and has better fine-grained control.
If the user finds that ERP works reliably and smoothly, without impairing system performance, it is the better choice.

509322

> From what I know, Evjl has said that Avast is weak against scripts, so SysHardener covers that

1. Despite some AV\IS doing well in specific script tests, the fact of the matter is that they are all weak against scripts.

1.1. Users place too much emphasis upon on-disk scripts while they ignore the threat of post-exploit in-memory-only code (this is the "Gotcha").

2. The current prevention methodology is to report malicious scripts to the vendors. To make that prevention work, they have to "collect it all to know it all", and that is just ludicrous, if not insane. The current state of malicious script prevention has taken years of gathering malicious reports, identifying patterns, and making signatures or behavioral algorithms.

3. Interfacing with AMSI is not a straightforward thing. It is not correct to think that vendor A who uses AMSI and vendor B who uses AMSI will perform the same against malicious scripts. A lot of the discrepancies in handling malicious scripts between multiple vendors using AMSI have to do with Microsoft withholding, or just not publishing, every last bit of AMSI nitty-gritty. Ask @Eddie Morra.

4. The only way to decisively deal with malicious scripts on disk, and especially in memory, is to disable the interpreter or sponsor, which is more or less what OSA and SysHardener do. That means disabling them in both the Admin and Standard User accounts. It makes no sense to enable interpreters in the Admin account full-time. In the worst-case scenario, it sets up a Grand Slam home run for the malc0der.
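The post above makes three points a practitioner will want to check on a real box rather than take on faith: whether the interpreter switches are set for the machine and for the user account actually in use (point 4), whether the session can still run code purely in memory (point 1.1), and which AMSI providers are registered at all (point 3). The read-only audit script below is an added example written for this page, not code from 509322, OSArmor, SysHardener or any AV vendor. It reads only documented registry locations and PowerShell/DISM cmdlets; the probe class name AmsiProbe and the output layout are my own. Run it once as a Standard user and once elevated, since the two can differ.

```powershell
# Added example for this thread (read-only audit; not from any vendor or poster).
# Reports the state of script interpreters for the machine and current user,
# whether this session can run in-memory .NET code, and which AMSI providers
# are registered. Run as the user you want to check, then again elevated.

function Get-RegValue([string]$Path, [string]$Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

$findings = [ordered]@{}

# Windows Script Host: HKLM is the machine-wide switch (covers Admin and
# Standard accounts); HKCU can re-enable WSH for one user, so check both.
foreach ($hive in 'HKLM', 'HKCU') {
    $v = Get-RegValue "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings" 'Enabled'
    $findings["WSH Enabled ($hive)"] = if ($null -eq $v) { 'not set (WSH runs by default)' } else { $v }
}

# PowerShell: language mode of this session and the machine-wide lockdown variable.
$findings['PowerShell LanguageMode']     = $ExecutionContext.SessionState.LanguageMode
$findings['__PSLockdownPolicy (Machine)'] = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')

# PowerShell v2 engine: "powershell -Version 2" has no Constrained Language,
# no AMSI and no script block logging, so its presence undoes the checks above.
try {
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop
    $findings['PowerShell v2 engine'] = $v2.State
} catch {
    $findings['PowerShell v2 engine'] = 'unknown (query needs elevation)'
}

# AMSI providers are registered as CLSID subkeys; the friendly name is the
# default value of the matching HKCR\CLSID entry. Having *a* provider says
# nothing about how well it handles a given script (point 3 above).
$provKey   = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
$providers = Get-ChildItem -Path $provKey -ErrorAction SilentlyContinue | ForEach-Object {
    (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.PSChildName)" `
        -ErrorAction SilentlyContinue).'(default)'
}
$findings['AMSI providers'] = if ($providers) { $providers -join '; ' } else { 'none found' }

# In-memory probe (point 1.1): in FullLanguage, Add-Type compiles and loads a
# .NET type without anything touching disk; in ConstrainedLanguage it is refused.
# The type is harmless; the class name AmsiProbe is an arbitrary choice.
try {
    Add-Type -TypeDefinition 'public static class AmsiProbe { public static int One() { return 1; } }' -ErrorAction Stop
    $findings['In-memory Add-Type'] = 'ALLOWED (FullLanguage: in-memory .NET payloads possible)'
} catch {
    $findings['In-memory Add-Type'] = 'blocked: ' + $_.Exception.Message.Split("`n")[0]
}

$findings.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

The interesting line is the last one: on a box where WSH is disabled and __PSLockdownPolicy is set but the v2 engine is still installed, the audit will still show "ALLOWED" as soon as someone starts PowerShell with -Version 2, which is the on-disk-versus-in-memory gap the post is describing.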

509322

> What do you say about the ReHIPS approach, which is to enable interpreters for SYSTEM?

Exploit. Smashed.

SYSTEM does not need any of the vulnerable programs and sponsors on the extended VP list to function correctly.

Windows might need one or two depending upon the Windows version. For example, csc.exe on W8.1 or earlier builds of W10.

shmu26
Jul 3, 2015
> You can run ReHIPS in Permissive mode, if you want it to function like OSArmor

I wish to correct this claim. I did some more testing this morning, and ReHIPS did not alert for new command line strings when in Permissive mode. It will only block that which already has an express block rule. In short, Permissive mode is not a replacement for OSArmor, unless you edit the default rules and set them to block script interpreters.
 
