Using AG, ERP, SBIE to protect against in-memory fileless, C#/C++ DLLs, .NET/Powershell malware

Discussion in 'malware problems & news' started by Mr.X, Dec 1, 2015.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    After reading these topics I found quite a bit disturbing knowing I could be exposed to an advanced threat like those exposed there:
    In memory fileless malwar detection ..... any antimalware software?
    C# DLLs are different from C++ DLLs. Bouncer and SOB can actually block C++ DLLs.
    The rise of .NET and Powershell malware

    But how can I mitigate damage to some extent using AppGuard, Exe Radar Pro and Sandboxie?
    Is it even possible?
    I don't want anything related to Bouncer cause I do not pretend to use it.
    SOB, perhaps in the near future till it gets fixed for Win8.1 and stays free.

    With this thread I wish to centralize all possible knowledge using these three programs.

    Thanks in advance for your contribution.
     
    Last edited: Dec 1, 2015
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If you read thru that whole thread there is a bottom line. Almost all the time the malware is delivered in emails with attachments that only the lamest should fall for. I am running all three security programs you mentioned plus HMPA. You are well protected.

    SBIE, protects your system, but also your data. But I wouldn't rely on it alone

    Appguard protects your system and your data with privacy settings.

    ERP, stops new applications, but also scripts as it prevents WSscript from running without you knowledge.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    IMO you shouldn't worry to much. Those infection scenarios are very unlikely for regular users. You are more likely to accidently run something that you shouldn't and get infected that way. All three could help you at preventing that.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thanks guys I was coming to same conclusion but I still believe there's need to add some configuration to ERP and AG.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Like already has been said, you're best bet is stop malicious apps/payloads from running in the first place. AG, ERP, but also HMPA and MBAE can all block exploits. SBIE can also do it with a little bit of extra configuration, but why bother if you're already using ERP. But only HMPA and MBAE can block in-memory exploits.

    And if malware manages to run (via exploit), it can't infect the rest of the system, because it's contained by SBIE. If by mistake you run or install malware yourself, it gets a bit trickier, you then have to rely on HIPS to interfere, but you also need knowledge about what's normal behavior and what's not, it all depends on the nature of the app.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I don't use either of those so can't give you any configuration tips. If you are using SBIE you can prevent malware from running (same as with ERP or SRP that I'm using). Fileless malware will have problem with persistence since it won't be able to write to registry. So after closing SBIE and ending all sandboxed processes you should be fine. Also any malware should exploit browser and at the same time break out of sandbox. The same goes for DLL loading and .NET/Powershell malware.
    IMO very unlikely if you're not under targeted attck.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Thank you both. Yes I have SBIE configured to prevent any program from running in the first place, except those I allow per sandbox. Still feel I need some extra tweaks to ERP and AppGuard. Going to study those two again, LOL, in the next few days.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    ERP is fairly easy. Basically I've whitelisted everything on my system as I trust it. I do take advantage of the advanced tab for the higher risk stuff. Also I run in alert mode so I know what is going on.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.