Advice Request Why are we even messing with anything other than WD these days?


roger_m

Level 42
Verified
Top Poster
Content Creator
Dec 4, 2014
3,129
Once I was finished installing software, it was time to lock the system down, so I installed VS. WLC immediately found an infection, and it turned out to be a particularly difficult infection to remove (it took me a couple of hours to figure it out).
How did you get infected so quickly? I use my main computer for 12+ hours a day with only an antivirus to protect it and don't ever get infected. I visit countless websites every day and never even encounter any malware. The only time I get an alert from my antivirus is for occasional false positives. One exception to that is on very rare occasions, when I download an installer and it turns out to be a repackaged installer rather than the original one. But it's important to note that not only does my antivirus detect and automatically quarantine these, but even if the installer did contain or would download malware, I would of course have to actually launch the installer to get infected.

You may ask, how am I sure that my system is clean, as maybe I am infected by a threat that my AV doesn't detect. I know my system is clean, as multiple second opinion scanners find no malware.
 
F

ForgottenSeer 72227

I had already spent around 15 or so hours installing software and configuring my system, and I had it "just right". The last thing I wanted to do was to reformat again.
Just for curiosity's sake, do you typically make system images for your computers? I guess you could always do a clean install, and once it's configured the way you want it, just make a system image of that. If something happens, just restore that image, pretty much bringing you back to that point without having to spend another 15h configuring it.

PS: I know you are very technically adept :) I'm just curious if you take system images, or just back up your data?
 

bayasdev

Level 19
Verified
Top Poster
Well-known
Sep 10, 2015
901
How did you get infected so quickly? I use my main computer for 12+ hours a day with only an antivirus to protect it and don't ever get infected. I visit countless websites every day and never even encounter any malware. The only time I get an alert from my antivirus is for occasional false positives. One exception to that is on very rare occasions, when I download an installer and it turns out to be a repackaged installer rather than the original one. But it's important to note that not only does my antivirus detect and automatically quarantine these, but even if the installer did contain or would download malware, I would of course have to actually launch the installer to get infected.

You may ask, how am I sure that my system is clean, as maybe I am infected by a threat that my AV doesn't detect. I know my system is clean, as multiple second opinion scanners find no malware.
I've never got infected using Windows the last 3-4 years, and I often run unknown software without taking any security measure aside from the AV itself.
Well that was in the past, now I'm an "enlightened" Linux user 🤣
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
The worst thing that ever made its way onto my PC with WD was mild adware, and that was 6-7 years ago when it was MSE on Win7. So I guess WD never failed me. I don't download a lot of esoteric files or anything. Just a boring user, which WD (or rather MD) is good for.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Yes, I do not have any license. It would be easier for me to have one (instead of installing a trial several times). You know my email. Thank you.:)(y)
...

Enterprises have many more vectors of attack as compared to home users.
Nowadays, most attacks start from emails with phishing links. The second initial vector is related to email attachments. Both vectors often use documents as payloads. One popular method uses the old MS Office equation editor exploit. But there are several other exploitation possibilities too, because many enterprises do not update MS Office properly.

But it seems that exploits in enterprises are especially popular in successful attacks on servers. Here is the useful report (not new):
Such malware is not used to attack home users. Servers use different Windows editions (often a different OS too, like Linux servers) and different software as compared to home users. Furthermore, the attacks are often targeted at enterprise servers and not home users. Here is a useful reference for Windows Server 2008:

The cybercriminals are not stupid. Using well-known (not new) exploits is the simplest way to bypass enterprise security and obtain persistence, so they are often used in attacks. The popularity of the WannaCry ransomware family is the simplest example of it.
Cool, I will email you, I checked and have a couple of different options that might work for you.

I agree with pretty much this entire post. I am just saying that we do not have the luxury of choosing the attack vector that is going to nail us... the attacker gets to choose that. So instead of guessing and ending up in tears, it is best to cover all vectors. I have read several places that approximately 20% of all enterprise attacks spill over into consumer land. Whether this is true or not, I have no idea. And 20% is not a huge number, but it is significant.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
How did you get infected so quickly? I use my main computer for 12+ hours a day with only an antivirus to protect it and don't ever get infected. I visit countless websites every day and never even encounter any malware. The only time I get an alert from my antivirus is for occasional false positives. One exception to that is on very rare occasions, when I download an installer and it turns out to be a repackaged installer rather than the original one. But it's important to note that not only does my antivirus detect and automatically quarantine these, but even if the installer did contain or would download malware, I would of course have to actually launch the installer to get infected.

You may ask, how am I sure that my system is clean, as maybe I am infected by a threat that my AV doesn't detect. I know my system is clean, as multiple second opinion scanners find no malware.
Yeah, I was surprised it happened so quickly as well... otherwise I would have taken stronger precautions.

In all fairness, you are scanning with a blacklist scanner, and it is going to miss a lot more than WLC ever would (especially with a dwell time of 150-800 days). While reading your post, I just now realized that I did not start noticing this issue until several months ago when WLC was released. Remember, this all just came up recently and I am just now putting two and two together.

Anyway, you might try scanning your computer with WLC and see what it finds. If it detects any items as Not Safe, it would be wise to investigate. If all of the items are detected as Safe, there is a great chance your computer is perfectly clean.

If you are interested, here is a link... it uninstalls perfectly too.


So instead of scanning your system for malicious files, WLC scans your system for safe files. The reason whitelist scanners are not used to scan the drive is that if you were to scan the entire drive with a whitelist scanner, there would be tons of false positives. But a year ago or so I realized, well, we can at least scan the running processes with a whitelist scanner, and maybe even eventually a smart scan that scans the running processes and common malware locations.

Anyway, if you or anyone else scans their computer with WLC, please let us know! You might be surprised what it finds.
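The "scan the running processes, not the whole drive" idea from the post above, as an added example that is not WLC's code or from its author: every running process's image is hashed and checked against a constructed allowlist, then its Authenticode signature is inspected, and anything that is neither allowlisted nor validly signed is reported for review rather than acted on. The `$KnownGood` table and its single placeholder hash are assumptions for the demonstration.

```powershell
# Added example, not WLC code: allowlist-style check of running processes.
# $KnownGood is a constructed allowlist of SHA256 hashes; the one entry is a
# placeholder and should be replaced with hashes you have verified yourself.
$KnownGood = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'placeholder.exe'
}

function Get-ProcessTrust {
    [CmdletBinding()]
    param()

    # Processes whose image path is unreadable (protected/system processes) are
    # skipped; each distinct image file is examined once.
    Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
        $path = $_.Path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue

        # Verdict order: explicit allowlist first, then a valid code signature,
        # otherwise "unknown". A valid signature only tells you who signed it,
        # so the publisher still deserves a look.
        $verdict = if ($hash -and $KnownGood.ContainsKey($hash)) {
            'Safe (allowlisted)'
        } elseif ($sig -and $sig.Status -eq 'Valid') {
            'Signed (review publisher)'
        } else {
            'Not Safe (unknown)'
        }

        [pscustomobject]@{
            Name      = $_.ProcessName
            Path      = $path
            SHA256    = $hash
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SigStatus = if ($sig) { $sig.Status } else { 'None' }
            Verdict   = $verdict
        }
    }
}

# Show only what is not already on the allowlist; nothing is quarantined or deleted.
Get-ProcessTrust | Where-Object { $_.Verdict -ne 'Safe (allowlisted)' } | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that the image paths of services and other elevated processes are readable; a short list of unknowns on a freshly built machine is the point where manual investigation starts.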
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Just for curiosity's sake, do you typically make system images for your computers? I guess you could always do a clean install, and once it's configured the way you want it, just make a system image of that. If something happens, just restore that image, pretty much bringing you back to that point without having to spend another 15h configuring it.

PS: I know you are very technically adept :) I'm just curious if you take system images, or just back up your data?
Yeah, exactly, I spent all of that time creating a "golden image" so I could create an image with EaseUS Todo Backup, which I did. Before Windows 7 I used to reimage my box every 2-3 months with Norton Ghost (it was amazing). But since Windows 7, pretty much every install has lasted the life of the computer. My previous image was a Windows 8.1 image that lasted almost 4 years. And actually I have been reading that there have been issues with cloning and SSDs, and that clean installs are recommended for SSDs (directly from Samsung). So I have a golden image that will get me by in a pinch, but if anything happens I will ultimately reformat the drive anyway.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
The worst thing that ever made its way onto my PC with WD was mild adware, and that was 6-7 years ago when it was MSE on Windows 7. So I guess WD never failed me. I don't download a lot of esoteric files or anything. Just a boring user, which WD (or rather MD) is good for.
Yeah, the only other infection I ever had was a PUA codec scam. This recent infection was not terrible, but it was persistent and well hidden.

Infections in general are not all that common, but when they happen to you they can be devastating. Believe me, I have seen how shocked people are and how violated they feel after being infected. It is the same way with car wrecks. Most likely you are not going to be involved in a car wreck anytime soon... but car wrecks can be devastating, so it is wise to take the appropriate precautions just in case.

On a side note... although my personal real-life experiences with malware have been extremely limited, every week or two I have terrible nightmares that my computer was infected and I lost all of my data... source code and everything.
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Yeah, I was surprised it happened so quickly as well... otherwise I would have taken stronger precautions.

In all fairness, you are scanning with a blacklist scanner, and it is going to miss a lot more than WLC ever would (especially with a dwell time of 150-800 days). While reading your post, I just now realized that I did not start noticing this issue until several months ago when WLC was released. Remember, this all just came up recently and I am just now putting two and two together.

Anyway, you might try scanning your computer with WLC and see what it finds. If it detects any items as Not Safe, it would be wise to investigate. If all of the items are detected as Safe, there is a great chance your computer is perfectly clean.

If you are interested, here is a link... it uninstalls perfectly too.


So instead of scanning your system for malicious files, WLC scans your system for safe files. The reason whitelist scanners are not used to scan the drive is that if you were to scan the entire drive with a whitelist scanner, there would be tons of false positives. But a year ago or so I realized, well, we can at least scan the running processes with a whitelist scanner, and maybe even eventually a smart scan that scans the running processes and common malware locations.

Anyway, if you or anyone else scans their computer with WLC, please let us know! You might be surprised what it finds.
Malwarebytes blocks the 'suspicious download' :ROFLMAO: :ROFLMAO: :ROFLMAO:
Everybody is flagging everything as unsafe these days.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
It's running a scan now. It's been over an hour so far. I'll post again when it's finished.
It must have hung on something; the scans are usually really quick. You might want to exit WLC and open it again. If the problem persists, there is a log in C:\ProgramData\WhitelistCloud\DeveloperLog.log that we can look at. I thought I updated the stand-alone version to work with the new webserver and to accept files above 100 MB, but I should double check.

Malwarebytes blocks the 'suspicious download' :ROFLMAO: :ROFLMAO: :ROFLMAO:
Everybody is flagging everything as unsafe these days.
Thank you for letting me know! Yeah, we are moving toward zero trust and we do not even realize it ;).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Back to the topic.:)
As one could see from my discussion with @danb, WD free (default settings with BAFS + SmartScreen) cannot be especially effective in enterprises. They have a much bigger attack area due to exploits and local network vulnerabilities. Several effective solutions are known, which include among others:
  1. Software/system updates (can be painful due to backward compatibility and costly because of software licenses).
  2. Using strong security with ATP and Network Intrusion Detection including behavioral analytics (deep packet inspection).
  3. Data encryption and backup.
  4. Applying the principle of least privilege (or more restrictive strategies like 0-tolerance policy).
  5. Security training courses for staff.
  6. etc.
See for example how Microsoft Threat Protection can fight the attacks on the servers:
 
Last edited:
May 14, 2020
62
WD is very nice for default protection, but I find that the Windows Security application is very buggy. Just today I was installing COMODO Firewall as a supplement to WD, and it detected PUA:Win32/FusionCore. I knew what it was: the installer bundles a bunch of crap nobody needs, but the installer won't work without the two DLLs that WD detected, so I ignored them. After installing CF, I didn't really like it and I got rid of it. I decided to quarantine the two DLLs that WD detected, but apparently the files are gone from my AppData\Local\Temp folder, yet WD still detects them. The worst thing is that when I tell WD to "Start Actions", it just goes into a loop where it tells me to run a quick scan, finds the same nonexistent threat, I press Start Actions and it does this all over again. I even used the repair upgrade option with the Media Creation Tool, and it still does the same thing. I really want to like Windows Defender, but I just can't, not with all these bugs.

TL;DR: WD keeps detecting the same nonexistent threat, even after a repair upgrade.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
WD is very nice for default protection, but I find that the Windows Security application is very buggy. Just today I was installing COMODO Firewall as a supplement to WD, and it detected PUA:Win32/FusionCore. I knew what it was: the installer bundles a bunch of crap nobody needs, but the installer won't work without the two DLLs that WD detected, so I ignored them. After installing CF, I didn't really like it and I got rid of it. I decided to quarantine the two DLLs that WD detected, but apparently the files are gone from my AppData\Local\Temp folder, yet WD still detects them. The worst thing is that when I tell WD to "Start Actions", it just goes into a loop where it tells me to run a quick scan, finds the same nonexistent threat, I press Start Actions and it does this all over again. I even used the repair upgrade option with the Media Creation Tool, and it still does the same thing. I really want to like Windows Defender, but I just can't, not with all these bugs.

TL;DR: WD keeps detecting the same nonexistent threat, even after a repair upgrade.
It can be a bug, but for DLLs in the Temp directory it can be a true detection if some background process constantly tries to drop a DLL there. Is this issue present after the reboot? The issue can also be related to a conflict between WD and CF when they both try to remediate the detected DLL (CF can put this DLL in the sandbox or block it via HIPS). Generally, such problems are common when one uses two security solutions.
 
Last edited:
May 14, 2020
62
It can be a bug, but for DLLs in the Temp directory it can be a true detection if some background process constantly tries to drop a DLL there. Is this issue present after the reboot? The issue can also be related to a conflict between WD and CF when they both try to remediate the detected DLL (CF can put this DLL in the sandbox or block it via HIPS). Generally, such problems are common when one uses two security solutions.
The two DLLs detected by WD were a part of the CF installer; if CF detects a PUA in its own installer and tries to sandbox it, well, that would be counterintuitive... And even after uninstalling, deleting the installer, rebooting and doing a repair upgrade with the Media Creation Tool, WD still detects the DLL files. The funny thing is that when I run a custom scan and choose anywhere besides my AppData\Local\Temp folder, it still detects the two nonexistent threats. The only way I got rid of the issue was just setting the detection as an allowed threat.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
The two DLLs detected by WD were a part of the CF installer; if CF detects a PUA in its own installer and tries to sandbox it, well, that would be counterintuitive... And even after uninstalling, deleting the installer, rebooting and doing a repair upgrade with the Media Creation Tool, WD still detects the DLL files. The funny thing is that when I run a custom scan and choose anywhere besides my AppData\Local\Temp folder, it still detects the two nonexistent threats. The only way I got rid of the issue was just setting the detection as an allowed threat.
Interesting. Could you post here the link to the installer? I will try to test it on my machine.
 
May 14, 2020
62
Interesting. Could you post here the link to the installer? I will try to test it on my machine.
http://download.comodo.com/cis/download/installs/2000/partners/cmd_fw_installer.exe taken directly from here. Steps to reproduce the problem: when I ran the installer for the first time, WD sent a notification that a PUA was detected. I ignored it, because when I tell WD to remove the threat, the installer breaks, as in it gets to a black box with "Please wait" and then the installer just seemingly terminates itself. After installing CF and playing around with it, I went back to WD and told it to remove the threat, and it goes into the loop that I described in my original comment. I uninstalled CF, same thing, and basically from here I did everything I did in my original comment and still haven't found a solution besides adding it as an allowed threat. Maybe I'm doing something wrong...
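For the "phantom detection" loop described in this exchange, an added example (not from either poster) of how a defender would check what Windows Defender is actually holding in its detection history before allowing anything: it lists each detection with the path it points to and whether that file still exists on disk. It uses the Defender cmdlets `Get-MpThreat` and `Get-MpThreatDetection`; the assumption that resource strings carry a `file:_` prefix is based on how the cmdlets report file resources, and the `$ThreatNameFilter` value is taken from the post.

```powershell
# Added example: cross-check Defender's detection history against the disk.
# $ThreatNameFilter is the name quoted in the thread; change it to inspect
# other detections, or set it to '*' to list everything.
$ThreatNameFilter = 'PUA:Win32/FusionCore'

function Get-DefenderDetectionStatus {
    [CmdletBinding()]
    param([string]$ThreatName = $ThreatNameFilter)

    # Map ThreatID -> ThreatName so detection records can be labelled.
    $names = @{}
    Get-MpThreat -ErrorAction SilentlyContinue | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $names[$_.ThreatID] -like $ThreatName } |
        ForEach-Object {
            $det = $_
            foreach ($res in $det.Resources) {
                # Assumption: file resources are reported as "file:_<path>";
                # other resource kinds (registry, process) are shown unchanged.
                $path = if ($res -like 'file:_*') { $res.Substring(6) } else { $null }
                [pscustomobject]@{
                    Detected     = $det.InitialDetectionTime
                    Threat       = $names[$det.ThreatID]
                    Resource     = $res
                    StillOnDisk  = if ($path) { Test-Path -LiteralPath $path } else { 'n/a' }
                    LastAction   = $det.ActionSuccess
                    Process      = $det.ProcessName
                }
            }
        }
}

# A detection whose every file resource reports StillOnDisk = False is a stale
# history entry; one that keeps reappearing with StillOnDisk = True means
# something is still writing the file and deserves a closer look before it is allowed.
Get-DefenderDetectionStatus | Sort-Object Detected | Format-Table -AutoSize
```

Run from an elevated PowerShell session, since the Defender cmdlets need administrator rights to read the detection history.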
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
...
I have read several places that approximately 20% of all enterprise attacks spill over into consumer land. Whether this is true or not, I have no idea. And 20% is not a huge number, but it is significant.
It is probable. But such attacks have a much lower impact on home users, except those who use unsupported Windows versions or an unpatched system/software (especially MS Office, Java, Adobe). Anyway, it does not mean that one could ignore such malware. There are many "spray and pray" spam campaigns that can hit home users even on updated Windows 10.(y)
 
