Xcitium Endpoint Security was obliterated by an exploit!
<blockquote data-quote="Adrian Ścibor" data-source="post: 1106596" data-attributes="member: 71496">
<p>Hello Vitao,</p>
<p>Interesting...</p>
<p>Let me ask you about some cases:</p>
<p>1. To the best of my knowledge, Xcitium is using the new 2023 security policy - "Windows Security Profile 8.1". I ask because I didn't notice that you showed the configuration of the agent, OR I missed something. It was previously a 2016 configuration, so very old and not adapted to the new versions of the Xcitium Endpoint agent. In this configuration HIPS is enabled by default, so please let me know about that:</p>
<p>[ATTACH=full alt="Zrzut ekranu 2024-10-31 o 13.41.03.png"]286057[/ATTACH]</p>
<p>2. In our tests we always use "BLOCK REQUESTS" for the HIPS rules configuration because this setting is recommended by the vendor. I do not know why the default configuration has "allow request". Perhaps this is something that requires contacting technical support.</p>
<p>I wonder about the effectiveness of the exploit when HIPS is changed to Block all Requests...</p>
<p>[ATTACH=full alt="Zrzut ekranu 2024-10-31 o 13.53.04.png"]286058[/ATTACH]</p>
<p>3. As for the EDR feature and logging in the admin dashboard: I know from experience that it takes 20-60 minutes for logs and technical information to show up here, so you have to wait with the VM enabled to see anything new in the dashboard. In particular, browse the EDR Search Query tab to find interesting Indicators of Compromise:</p>
<p>[ATTACH=full alt="Zrzut ekranu 2024-10-31 o 14.02.28.png"]286059[/ATTACH]</p>
<p>4. EDITED - added:</p>
<p>You didn't show the malware delivery vector - based on my experience, delivering malware to the VM by "drag and drop" falsifies the results because the protocol is not real, so the file also loses its Mark-of-the-Web metadata. Without this mark you can bypass the Microsoft SmartScreen alert like this:</p>
<p>[ATTACH=full]286060[/ATTACH]</p>
<p>You can check the MOTW with the command:</p>
<p>dir file.extension /R</p>
<p>example:</p>
<p>dir file.exe /R</p>
<p>[ATTACH=full]286061[/ATTACH]</p>
<p>Which doesn't exclude your good work...</p>
<p>But I wanted to ask about these details only.</p>
</blockquote>
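The post's point 4 is that a sample copied into the VM by drag and drop has no Mark-of-the-Web, so SmartScreen and the EDR never see a "downloaded from the Internet" file and the test result is not representative. The following is an added example, not code from the post or from Xcitium, that reads the same `Zone.Identifier` alternate data stream `dir /R` lists and tells you whether a lab sample still carries the mark before you judge any product's reaction to it. It assumes the stream uses the usual INI form (`[ZoneTransfer]`, `ZoneId=`, `ReferrerUrl=`, `HostUrl=`); the `SAMPLE_STREAM` contents and the file paths are constructed for illustration.

```python
"""Check whether a lab sample carries the Mark-of-the-Web (MOTW).

Added example for the forum discussion above; not the post's or the
vendor's code. On NTFS the MOTW lives in the alternate data stream
"<file>:Zone.Identifier" (shown by "dir <file> /R"), whose contents look
like an INI file. A file copied into a VM by drag and drop usually has no
such stream at all, which is the situation the post describes.
"""
import sys
from typing import Dict, Optional

# Name of the NTFS stream that carries the mark.
MOTW_STREAM = "Zone.Identifier"

# URLMON security zone ids as written in the ZoneId= line.
ZONE_NAMES: Dict[int, str] = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what a browser-downloaded file's stream contains.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.invalid/\r\n"
    "HostUrl=https://downloads.example.invalid/tool.exe\r\n"
)


def parse_zone_identifier(text: str) -> Dict[str, object]:
    """Parse the INI-style contents of a Zone.Identifier stream.

    Only keys inside the [ZoneTransfer] section count; ZoneId is mandatory,
    the URL fields are optional (older writers omit them).
    """
    in_section = False
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        raise ValueError("Zone.Identifier stream has no ZoneId entry")
    zone_id = int(fields["zoneid"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown zone %d" % zone_id),
        "referrer_url": fields.get("referrerurl"),
        "host_url": fields.get("hosturl"),
    }


def read_motw(path: str) -> Optional[str]:
    """Return the raw Zone.Identifier stream of a file, or None if absent.

    Windows exposes the stream through the "path:stream" open() syntax;
    on other platforms (or for a file with no mark) the open() fails and
    the file is reported as unmarked.
    """
    try:
        with open(f"{path}:{MOTW_STREAM}", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def classify_motw(stream: Optional[str]) -> str:
    """Summarise what the mark means for a test sample.

    "missing"   - no stream: SmartScreen/Office/EDR get no origin info,
                  which is what drag-and-drop delivery produces.
    "untrusted" - ZoneId 3 (Internet) or 4 (Restricted): the download
                  checks apply, as they would for a real victim.
    "trusted"   - ZoneId 0-2: treated as a local or intranet file.
    """
    if stream is None:
        return "missing"
    info = parse_zone_identifier(stream)
    return "untrusted" if int(info["zone_id"]) >= 3 else "trusted"


def main(argv) -> int:
    # With no paths given, show the parser on the constructed sample.
    if len(argv) < 2:
        print("sample stream ->", classify_motw(SAMPLE_STREAM),
              parse_zone_identifier(SAMPLE_STREAM))
        return 0
    for path in argv[1:]:
        stream = read_motw(path)
        verdict = classify_motw(stream)
        detail = parse_zone_identifier(stream) if stream else {}
        print(f"{path}: MOTW {verdict} {detail}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the sample inside the VM (`python motw_check.py C:\path\to\sample.exe`) right after delivery: a `missing` verdict means the file would never have triggered SmartScreen on a real endpoint, so the test should be repeated with the sample delivered over a real channel (browser download, mail client) that writes the stream.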