Easy security for anti-exploit & anti-ransomware

Discussion in 'other anti-malware software' started by Windows_Security, Apr 5, 2015.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    @markloman
Thank you for the explanation, I didn't know they were using these techniques.
I guess that with no-execution set, ransomware wouldn't be able to start, but once it runs "read only" wouldn't protect your data.
There is a possibility to deny explorer.exe from making changes to your data folders and only use 3rd party managers (Total Commander...) to change data in those folders.
     
  2. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Moral of the story, just run HitmanPro.Alert 3 with CryptoGuard to prevent ransomware.
     
  3. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Hi markloman - may I ask if these first require files to be dropped and executed, or do they run from memory like the Angler exploit kit?
     
  4. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Hi kees, many thanks for taking the time to give an overview to your approach to using Secure Folders. I've had it for a few weeks, still trying to think of convenient ways to add to my current setup without just duplicating SSRP.

    Could you please provide a link or more detail on this?
     
  5. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
I haven't added explorer.exe and kmplayer.exe to the trusted apps yet, but in a folder with no execution I am able to run kmplayer by clicking a video file.
Is this normal?
     
  6. Yes kmplayer only reads files, so it is allowed to execute.
     
  7. See post 6: http://www.sevenforums.com/tutorials/87750-run-command-enable-disable.html
     
Updated OP post #3, thanks Mark Loman
     
CTB Locker copies itself to CSIDL_COMMON_APPDATA and the TEMP folder, so this should be blocked by SecureFolders
CryptoWall3: svchost.exe is not on the trusted list, so this should be blocked by SecureFolders
VaultCrypt: with the Windows 7 tweak, access to cmd is blocked
TeslaCrypt: the process is not on the trusted list, so this should be blocked by SecureFolders
CryptoFortress: the process is not on the trusted list, so this should be blocked by SecureFolders
     
    Last edited by a moderator: Apr 6, 2015
See answer in post #34; most ransomware executes something from the TEMP or AppData folder during the process.

    I thought HMPA 3 did not provide encryption protection anymore? Is the moral of the story that HMPA 3 is finally out of beta? Great news :thumb:
     
    Last edited by a moderator: Apr 6, 2015
  11. As an additional measure one could add svchost and explorer to EMET, see answer in post #34
     
  12. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    CryptoGuard is still a feature of HMP.Alert afaik. Although you need a license.
     
Sorry, I meant the free version. CryptoGuard is free in V2 but afaik not anymore in V3. Is HMP Alert 3 out of beta? Has it improved a lot over the beta version which was tested (and did not do so well on exploit protection)?
     
  14. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    thank you
edit: is it safe to remove explorer.exe?
     
  15. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
1. Alert is still in beta (RC)
    2. CG 3 in HMPA 3 is better than CG 2 in HMPA 2 according to mark and erik
    3. The exploit protection offered by HMPA should be at least as good as MBAE.
     
No, you need a file manager. Only when you use an alternative file manager and you trust this alternative file manager in SecureFolders (as Minimalist suggested) can you remove explorer from the trusted list. Alternatively, I have added explorer.exe to EMET.
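The folder policy that posts #9 and #16 describe (no execution from staging folders such as CSIDL_COMMON_APPDATA and TEMP, data folders writable only by trusted apps, explorer.exe left off the trusted list), modelled as an added example that is not part of the thread or of SecureFolders itself; the folder paths, image names and sample events are constructed assumptions:

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed policy (not a real SecureFolders config): staging folders get
# no-execution, the Documents folder is writable only by the trusted apps.
NO_EXECUTE_FOLDERS = [r"C:\ProgramData", r"C:\Users\kees\AppData\Local\Temp"]
DATA_FOLDERS = {
    r"C:\Users\kees\Documents": {"totalcmd.exe"},  # explorer.exe deliberately not trusted
}

@dataclass(frozen=True)
class Event:
    process: str   # image name of the acting process
    action: str    # "execute" or "write"
    target: str    # file path acted on

def _under(path: str, folder: str) -> bool:
    p, f = PureWindowsPath(path.lower()), PureWindowsPath(folder.lower())
    return f == p or f in p.parents

def evaluate(ev: Event) -> str:
    if ev.action == "execute":
        if any(_under(ev.target, f) for f in NO_EXECUTE_FOLDERS):
            return "blocked: execution from no-execution folder"
        return "allowed"
    if ev.action == "write":
        for folder, trusted in DATA_FOLDERS.items():
            if _under(ev.target, folder):
                if ev.process.lower() in trusted:
                    return "allowed"
                return f"blocked: {ev.process} not trusted for {folder}"
        return "allowed"
    raise ValueError(f"unknown action {ev.action!r}")

# Constructed events mirroring the behaviours listed in post #9.
SAMPLE_EVENTS = [
    Event("ctblocker.exe", "execute", r"C:\ProgramData\ctblocker.exe"),
    Event("svchost.exe", "write", r"C:\Users\kees\Documents\report.docx"),
    Event("totalcmd.exe", "write", r"C:\Users\kees\Documents\report.docx"),
    Event("explorer.exe", "write", r"C:\Users\kees\Documents\notes.txt"),
    Event("kmplayer.exe", "execute", r"C:\Program Files\KMPlayer\KMPlayer.exe"),
]

def run_samples() -> list[str]:
    return [evaluate(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{ev.process:14} {ev.action:8} {ev.target} -> {verdict}")
```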
     
1. OK, so you're advising beta software over released and tested software?
    2. Fine, but it is not free anymore as I understood, is that correct?
    3. That is a truly remarkable statement, did the Loman brothers reverse engineer MBAE? (how can they know/claim this)?
     
  18. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    1. That's not what I'm saying. It's up to you to decide whether you run beta versions of software
    2. No longer free, but with a good reason --> https://www.wilderssecurity.com/thre...iscussion-thread.324841/page-164#post-2460905
    3. My opinion with regard to the exploit protection offered by HMPA/MBAE/EMET is not based on claims made by other people. I like to verify things myself before making a statement. Hint: WinDbg
     
So you reverse engineered the code using a debugger, disassembled the code and painstakingly interpreted every command and register, while checking other parts of the memory depending on the use-case/test-case exploit you were running? How many test exploits did you need to assess both HMPA and MBAE? How many hours did you spend?

    I am deeply impressed. We got another pro on the forum with skills comparable to "malware don't need coffee", you should get your qualification upgraded from registered member to malware specialist
     
    Last edited by a moderator: Apr 7, 2015
  20. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Sure, but how many acronyms follow his name?
     
  21. 142395

    142395 Guest

Thank you Kees, it's brilliant! Though I won't do exactly the same, I partly borrowed your idea, especially about EMET ASR and the NoRun tweak.

As to ransomware, it's not something I fear (at least currently)... I disabled CryptoGuard in HMPA, as I have redundant backups and they are (legitimately) encrypted by VeraCrypt etc., so I really don't care about ransom at all.
The worst possible damage is that I may lose at most half a day of work, but that's all.
     
  22. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    No, I did not perform any reverse engineering. All my testing was based on behavioral analysis using POC code. Reverse engineering the libraries of MBAE and HMPA without symbols would just take me too much time and is not worth it.

    I am not an expert in the field of IT Security, I just like to fiddle with some stuff in my spare time. (If I can find some)
     
Well, I also like to have a physical copy. That is why I have a quick backup on X and have my NAS disconnected from the network (using a simple electric socket plug-in timer, the NAS is switched online/offline; its automatic background backup kicks into action during the night).
     
  24. 142395

    142395 Guest

Oh, that's a smart way!:thumb:
     
  25. Behold Eck

    Behold Eck Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    574
    Location:
    The Outer Limits
That's the kind of test I meant.:thumb:

    Regards Eck:)
     