After reading these topics I found it quite disturbing to know I could be exposed to an advanced threat like those described there:

In memory fileless malwar detection ..... any antimalware software?
C# DLLs are different from C++ DLLs. Bouncer and SOB can actually block C++ DLLs.
The rise of .NET and Powershell malware

But how can I mitigate the damage to some extent using AppGuard, Exe Radar Pro and Sandboxie? Is it even possible? I don't want anything related to Bouncer because I do not intend to use it. SOB, perhaps in the near future, once it gets fixed for Win8.1 and as long as it stays free. With this thread I wish to centralize all possible knowledge about using these three programs. Thanks in advance for your contribution.
If you read through that whole thread there is a bottom line. Almost all the time the malware is delivered in emails with attachments that only the lamest should fall for. I am running all three security programs you mentioned plus HMPA. You are well protected. SBIE protects your system, but also your data, though I wouldn't rely on it alone. AppGuard protects your system and your data with its privacy settings. ERP stops new applications, but also scripts, as it prevents WScript from running without your knowledge.
IMO you shouldn't worry too much. Those infection scenarios are very unlikely for regular users. You are more likely to accidentally run something that you shouldn't and get infected that way. All three could help you prevent that.
Thanks guys, I was coming to the same conclusion, but I still believe there's a need to add some configuration to ERP and AG.
As has already been said, your best bet is to stop malicious apps/payloads from running in the first place. AG and ERP, but also HMPA and MBAE, can all block exploits. SBIE can also do it with a little bit of extra configuration, but why bother if you're already using ERP. But only HMPA and MBAE can block in-memory exploits. And if malware manages to run (via exploit), it can't infect the rest of the system, because it's contained by SBIE. If by mistake you run or install malware yourself, it gets a bit trickier: you then have to rely on HIPS to interfere, but you also need knowledge about what's normal behavior and what's not; it all depends on the nature of the app.
I don't use either of those, so I can't give you any configuration tips. If you are using SBIE you can prevent malware from running (same as with ERP or the SRP that I'm using). Fileless malware will have problems with persistence since it won't be able to write to the registry. So after closing SBIE and ending all sandboxed processes you should be fine. Also, any malware would have to exploit the browser and at the same time break out of the sandbox. The same goes for DLL loading and .NET/PowerShell malware. IMO very unlikely if you're not under a targeted attack.
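The script-blocking effect described in this thread (ERP stopping WScript, or the SRP rules the post above mentions) can also be reproduced with a plain Software Restriction Policy path rule. The PowerShell below is an added example and is not from any of the posts or from the vendors of ERP, AppGuard or Sandboxie. It writes a Disallowed SRP path rule for the Windows Script Host interpreters; the registry layout is my reading of what secpol.msc writes for SRP and is an assumption you should compare against a rule created through the GUI on your own machine before relying on it.

```powershell
# Added example, not from the thread: block wscript.exe / cscript.exe with an
# SRP "Disallowed" path rule. Run from an elevated PowerShell.
# ASSUMPTION: the Safer\CodeIdentifiers layout below mirrors what the Local
# Security Policy snap-in writes; verify against a GUI-created rule.

$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $saferRoot '0\Paths'   # security level 0 = Disallowed

# Base policy: keep the default level Unrestricted (0x40000) so that only the
# explicit rules added below take effect, and enforce for all users.
if (-not (Test-Path $saferRoot)) { New-Item -Path $saferRoot -Force | Out-Null }
Set-ItemProperty -Path $saferRoot -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $saferRoot -Name TransparentEnabled -Value 1       -Type DWord
Set-ItemProperty -Path $saferRoot -Name PolicyScope        -Value 0       -Type DWord

# Both 64-bit and 32-bit copies of the script hosts; a rule that names only
# System32 still leaves the SysWOW64 interpreter runnable.
$targets = @(
    '%SystemRoot%\System32\wscript.exe',
    '%SystemRoot%\System32\cscript.exe',
    '%SystemRoot%\SysWOW64\wscript.exe',
    '%SystemRoot%\SysWOW64\cscript.exe'
)

foreach ($path in $targets) {
    # Each rule lives under its own GUID-named subkey of Paths
    $ruleKey = Join-Path $disallowed ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ so %SystemRoot% is expanded when evaluated
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0     -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value 'Block Windows Script Host' -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTime()) -Type QWord
}

# Show what was written so the rule set can be reviewed before logging off
Get-ChildItem $disallowed | ForEach-Object {
    [pscustomobject]@{ Rule = $_.PSChildName; Path = (Get-ItemProperty $_.PSPath).ItemData }
}
```

SRP is evaluated at process creation, so the rule applies to new processes after a `gpupdate /force` or a logoff/logon. Two caveats a practitioner would want: blocking the interpreters breaks legitimate `.vbs`/`.js` logon or admin scripts, so stage it on one machine first; and it does nothing for PowerShell or .NET payloads, which is exactly why the thread treats those as a separate problem.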
Thank you both. Yes, I have SBIE configured to prevent any program from running in the first place, except those I allow per sandbox. I still feel I need some extra tweaks to ERP and AppGuard. Going to study those two again, LOL, in the next few days.
ERP is fairly easy. Basically I've whitelisted everything on my system, as I trust it. I do take advantage of the Advanced tab for the higher-risk stuff. Also, I run in alert mode so I know what is going on.