MRG Effitas 360 Degree Assessment & Certification Q4 2016

Discussion in 'other anti-virus software' started by itman, Feb 20, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    From the Kaspersky article:
    The only browser that does this by default is Edge. In IE11, advanced EPM has to be enabled. In Chrome, the applicable option for the same has to be enabled. I don't know if Firefox supports AppContainer at all. Additionally, in IE11 only the spawned child instance is running in AppContainer; the parent process is not.

    I will also state this. If you are using Edge as your browser, I strongly advise you run as a SUA.
     
  2. guest

    guest Guest

    Some malware can run on SUA, but only those which don't require elevation; those which need access to specific folders and the registry are hampered to a certain extent.

    AppContainer runs at an Integrity Level below "untrusted", which is the deepest IL a 3rd party sandbox can attain. On top of that, Metro Apps have limited access to the system (only to areas needed for their function); it is what makes AppContainer efficient.
    AFAIK, FF doesn't use AppContainer; Chrome can because its sandbox uses Windows security mechanisms. FF was always behind in terms of security; their latest new features are more about privacy than security.
    That is why I ditched it long ago. If you like FF, you need a 3rd party sandbox.

    I will add that you need to use SUA as the default account for daily tasks. When you go to the hospital, they don't do surgery in the lobby :p
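    The two posts above make claims that a reader can check on their own machine: which browser processes actually run inside an AppContainer, and at what integrity level each process runs. The following script is an added example for that check, not something posted in this thread; it uses the documented Win32 token APIs (OpenProcessToken, GetTokenInformation with TokenIntegrityLevel and TokenIsAppContainer) via Add-Type. Processes the current account cannot open are reported as "n/a"; run from an elevated prompt to see all of them.

```powershell
# Added example (not from the thread): list the integrity level and
# AppContainer status of every running process, so you can verify which
# browser processes really run in an AppContainer (AppContainer tokens are
# also at Low integrity). Assumes Windows 8 or later and Windows PowerShell.

$tokenQuerySource = @'
using System;
using System.Runtime.InteropServices;

public static class TokenQuery
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);

    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr pSid, uint nSubAuthority);

    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr pSid);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr hObject);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS values
    const int TokenIsAppContainer = 29;

    // Returns the integrity RID (0x1000 low, 0x2000 medium, 0x3000 high,
    // 0x4000 system) and whether the process token is an AppContainer token.
    public static bool Query(IntPtr process, out uint integrityRid, out bool isAppContainer)
    {
        integrityRid = 0; isAppContainer = false;
        IntPtr token;
        if (!OpenProcessToken(process, TOKEN_QUERY, out token)) return false;
        try
        {
            int len;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out len);
            IntPtr buf = Marshal.AllocHGlobal(len);
            try
            {
                if (!GetTokenInformation(token, TokenIntegrityLevel, buf, len, out len)) return false;
                // TOKEN_MANDATORY_LABEL starts with a PSID; its last sub-authority is the IL RID
                IntPtr sid = Marshal.ReadIntPtr(buf);
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                integrityRid = (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            }
            finally { Marshal.FreeHGlobal(buf); }

            IntPtr flag = Marshal.AllocHGlobal(4);
            try
            {
                if (GetTokenInformation(token, TokenIsAppContainer, flag, 4, out len))
                    isAppContainer = Marshal.ReadInt32(flag) != 0;
            }
            finally { Marshal.FreeHGlobal(flag); }
            return true;
        }
        finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $tokenQuerySource

function Get-IntegrityName([uint32]$rid) {
    switch ($rid) {
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { ('0x{0:X}' -f $rid) }
    }
}

Get-Process | ForEach-Object {
    $rid = [uint32]0; $ac = $false; $ok = $false
    # $_.Handle throws for processes this account cannot open; report those as n/a
    try { $ok = [TokenQuery]::Query($_.Handle, [ref]$rid, [ref]$ac) } catch { $ok = $false }
    [pscustomobject]@{
        Pid          = $_.Id
        Name         = $_.ProcessName
        Integrity    = if ($ok) { Get-IntegrityName $rid } else { 'n/a' }
        AppContainer = if ($ok) { $ac } else { 'n/a' }
    }
} | Sort-Object Name | Format-Table -AutoSize
```

    Filter the output by process name (for example the browser you are testing) to see whether only the child renderer processes or also the parent process carry an AppContainer token; a process shown as High or System integrity is one that UAC or a standard user account has not constrained.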
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes exactly, it paints the wrong picture. If malware can still steal/encrypt data and money and invade privacy (key/screen logger) inside SUA, then I wouldn't call it true mitigation. It's also bad marketing, I would focus much more on the sandboxing and white-listing capabilities, since that will actually stop malware from doing any serious damage.

    To be honest, I didn't fully understand that article. Is he saying that most of the monitored malware needs or tries to get admin access, or was the malware capable of actually getting admin rights?
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Most malware was running at high or system integrity level. Since they are testing all kinds of malware they probably don't employ SUA and UAC protections when they test run it. Would malware also run with limited rights? Maybe some. But since it was designed to run with full rights I assume that a lot of it wouldn't run correctly under limited rights.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The last sentence in the article sums up things nicely:
     
  6. guest

    guest Guest

    Most advanced malware needs to run at high IL to do its nasty stuff; those running at low IL are mostly worms and some ransomware, etc., and can be taken care of by any basic AV.
     
  7. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    I see that since I last read this thread last Sunday, it has descended into fear mongering nonsense FUD.
    It's so sad. :(

    In post#115 a user posted a link and worded the post so it sounded like his link was a "how-to-do" checklist on bypassing SUA.

    I posted a correction in post #116.

    Since then, I now see that the same user has posted in post #117 and this time, even more clearly than in post #115, claimed that the list in the link is a list of weaknesses that can elevate from any given user.

    That is not correct.

    The list in that link is a list of possibilities IF an attacker can find privileges and permissions to access those.
    On SUA an attacker will not have that, unless Admin grants privilege or Admin has made a mess of ACLs.

    Furthermore, the list that is linked to in post #115 is in some parts a historic view of what was once possible, since a number of the items are not even possible on non-SUA accounts when you follow the evolution from Win7->Win8.x->Win10->Win10 latest insider.
     
  8. guest

    guest Guest

    There are 4 kinds of users:

    1- The noob, with no clue about his OS and security.

    2- The Security Newcomer, a bit better than the Noob, but his only skill is knowing how to use some security apps; however he can't manage to use and secure his OS without 3rd party security apps. This kind is often the one stockpiling dozens of security apps at the same time, or the fanboy believing his favorite app will save the world from malware.

    3- The Paranoid Security Geek, knows his OS and security well enough but believes that all hackers and malware are targeting him, hence he can't trust/believe the native security features of his OS (and sometimes even his 3rd party security apps too); and fuels his paranoia with bypass/vulnerability/PoC articles showing cases that will surely never apply to him.

    4- The Wise Security Geek, knows his OS and security as well as the Paranoid, but has learned/experienced with time that safe behaviors are the basic principles of security, hence he will surely never encounter malware. This one doesn't especially need any 3rd party security apps (however he may like to use some) but rather tightens/tweaks his OS native security to remove potential vulnerabilities/attack vectors.

    You can see those kinds of users in any security forum, and types 3 & 4 often argue over and over about the same topics.
     
    Last edited by a moderator: Mar 4, 2017
  9. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    https://blog.avast.com/a-cybersecurity-primer
     
    Last edited: Mar 4, 2017
  10. waters

    waters Registered Member

    Joined:
    Nov 8, 2004
    Posts:
    958
    I think there are many 3s on here.
     
  11. guest

    guest Guest

    yes way too many :D
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That is what wasn't clear to me, did they collect data from malware that they executed themselves in a testing environment, or did they collect data from other users?

    I wouldn't call people who choose to rely on SUA or "UAC on Max" (thinking only this will keep them safe) "wise", in fact I would call them "very paranoid" LOL.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    It seems that data was collected from KSN - so from other users using their software. They also used statistics from Windows Vista to Windows 10.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes correct, but AVs might miss certain malware, and here are some examples of malware that can work inside SUA, see links. The good news is that without any admin rights, they are quite easy to get rid of; the bad news is that they can still do some nasty stuff like file encryption and browser hijacking.

    http://www.tidos-group.com/blog/201...ophisticated-trojan-in-2008-reinvents-itself/
    https://kiandra.com.au/cryptolocker-time-to-take-notice/
     
  15. guest

    guest Guest

    Yes, if the user can access his data, the malware which is running with the same rights has access to it too:
     
  16. guest

    guest Guest

    Hahaha this is another point of view. ;)

    By "wise" I meant that your first line of defense is your knowledge, safe habits and what the OS offers you, not any security apps; however they can use those apps as a fail-safe (if they feel the need) but they don't primarily rely on them.

    IMO, security apps are assistants; they complement your skills & habits, they are here to fill the leftover attack vectors you may be exposed to.
    For example someone who only visits the same sites, downloads only safe and reputed programs from trusted sources (by checking the checksum); this user won't need 3rd party apps (on Win10, I don't care about previous obsolete versions); unlike the one visiting the dark web, downloading and installing unknown programs from torrents, using cracks, etc...

    To me the user is the first line of defense, security software comes after. This is my actual view of computer security, after being ultra-paranoid for years. :)
     
  17. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    Really?

    ----------------------
    i.e. =
     
    Last edited: Mar 4, 2017
  18. guest

    guest Guest

    Yes really, why? Is it so surprising? Reality is different from reading an article.

    Did you personally encounter and suffer this kind of attack? Me? Not at all; and:

    1- I have surfed for 20+ years and never got any; ah yes, I don't go to fancy obscure sites...
    2- I use up-to-date safe browsers with built-in sandboxing abilities (Chrome or Edge), not crappy-weak FF.

    Chances to suffer those attacks? 0.001%

    Possible other mitigation:
    OS tweaks, website checkers, etc...
    3rd party prevention: isolation/virtualization via sandboxing apps

    Chances to suffer these attacks: 0.0000000000000000000000000000000000001%

    Remediation: system restoration, takes 1 min to 30 min depending on the software used.

    Chances of issue solved: 100%

    thanks :D
     
    Last edited by a moderator: Mar 5, 2017
  19. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,629
    The only time I've ever been infected when using a computer with the latest Windows and software updates installed is when I have manually opened an infected file. Typically I've been using Windows as an administrator, with UAC disabled. I only use Windows firewall and usually an antivirus for protection, and do absolutely nothing to harden or secure the system further. I've even visited plenty of websites that either my browser or Google have warned me not to visit because they are dangerous.

    That's not to say that drive by downloads don't exist, and I'm not saying that I will never get infected by one. But, I haven't been infected from visiting thousands of websites.
     
  20. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    8,005
    Whatever.......
     
  21. guest

    guest Guest

    Indeed your example is the "real world" but some people in security forums like distributing FUD even if the probability of becoming a victim is minimal; they mix Proof of Concept and Prevalence.

    For common users, it doesn't matter much what malware abc.exe can or cannot do; what matters is to avoid being in its path.

    Take the example of banking malware: people worry soooooooooooo much about it, setting up dozens of tools to prevent being infected by it.
    But guess what? The banks' network (or other payment system networks) security is so weak that any hacker can get all the info they need on you without even breaching your system...
     
    Last edited by a moderator: Mar 5, 2017
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I am probably 2.something, but will hopefully get to 4, skipping 3 :D.

    Edit: And a configuration similar to yours.
     
    Last edited: Mar 6, 2017
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I just wanted to say a bit about FUD.

    Those of you that have been using computers long enough (and I know a bunch here that have) will remember a few things that most on forums thought were FUD.
    Let's go with rootkits first. I was one of the FUD people during those times. Then along came Russ R from Sysinternals, who created a program called RootkitRevealer, I think it was. Bear with me, my memory is not as good as it used to be, so I can't give approx. years for this. Most up till this point thought normal users would never get a rootkit. Voila!!!! Russ's new program discovered Sony was using a rootkit on its music CDs. Of course I had to run right out and buy one. I can't remember now, but there was a marking on the infected CDs. We all know how rootkits bloomed after that. Norton was using one for its recycle bin and the list goes on.

    Now let's move on to malware that infects hardware, which not many still talk about. You could read about it on various sites such as rootkit dot com.
    Anyway, all you old timers I am sure remember this. A bunch of PoCs showed up. Everything from video cards to hypervisors. The main one you all know is Stuxnet. I think that was first identified in 2010.
    An example person some of you may remember? https://en.wikipedia.org/wiki/Joanna_Rutkowska

    Anyway I just wanted to say not all what some consider FUD today is going to be FUD tomorrow.
     
    Last edited: Mar 6, 2017
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I couldn't agree more.
    Something that is "advanced" today will be normal tomorrow.
     
  25. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @boredog :
    The two of us are definitely not talking about the same problem.
    When I posted in post #132 that this thread had descended into fear mongering nonsense FUD, it was for a very specific reason.

    Wilders, like so many other forums, suffers from the problem that a tiny subset of users with nothing better to do, will repeatedly fill up threads with fear mongering nonsense FUD.

    It diminishes the readability of the threads, because anyone entering the forum will first have to read through parts of a thread to find out which members and their posts can definitely not be trusted, then reread the thread from the beginning while leaving out all that irrelevant junk.
    Two-thirds of practically every single thread can be deleted without losing any meaningful information.

    Everybody can by accident post something not entirely correct, someone else will correct it and then the original poster can say "oops, glad it got corrected".

    But as you can see in this thread and in the majority of other threads, there's a handful of members that have it as a hobby to post incorrect claims.
    It's the same people that repeatedly post incorrect claims.
    Every single time you see the same pattern.
    - A problematic member will post an incorrect claim.
    - Others will post that it's not correct and link to the correct explanation.
    - The problematic member will completely ignore it and instead just post a new incorrect claim.
    - Others will post that it's not correct and link to the correct explanation.
    - The problematic member will completely ignore it and instead just post a new incorrect claim.
    - Again and again and again.

    For 5-10-30 pages every single time, making threads painful to read when you have to constantly scroll past all that incorrect nonsense.
     