AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Yes, it can't stop the injection, but it does stop the install of the backdoor. That is all I need to know and understand.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    WannaCry used both EB and DoublePulsar exploits. DP remotely injected a .dll into lsass.exe. Game over.
    Ref.: https://www.exploit-db.com/docs/41896.pdf Note that this article was written on 4/17/2017, a month prior to WannaCry being deployed.
     
    Last edited: Jun 5, 2017
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Perhaps you can try to explain this to boredog. :D
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I would rather not, and instead respect Dan's and Lockdown's wish not to keep this a never-ending discussion. I am pretty sure they have plenty else to do. I tried staying out of it, but it finally started to bug me. Both asked to stop.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I agree, it was just a joke. :D
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    At this point, not funny!!
     
  7. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    The entire matter has reached a level that defies common sense or any semblance of propriety - among other things. It's very unfortunate. Despite the whole affair, AppGuard LLC remains focused on well-established industry best practices, current projects, and the continued development of a multiple award-winning software restriction policy product.
     
  8. guest

    guest Guest

    YES! Someone finally understood what I keep saying!
    Those videos focused on the already compromised network. So of course the exploit does its job easily on AG, since AG Consumer isn't designed to stop those kinds of exploits.
    All those videos voluntarily ignore the first step of the infection (aka how the malware managed to enter and compromise the network from outside) because they focus on the EB-DP SMB propagation and injection part.

    Yes, the goal is to block lsass.exe from being injected, and there aren't hundreds of ways to do it:
    1- Stop the initial container sent from the attacker (who is normally outside the network) so it can't deploy EB-DP on a system in the network and propagate (most anti-malware like HIPS/BB/anti-exe/SRP should react at this stage).
    - "Someone tried to shoot at you with a gun; you are trying to disarm him."

    2- If point 1 failed, you have to stop the already released and propagating EB-DP from injecting lsass.exe (anti-exploit or suites with similar features can do it). If this point also fails, it will be game over.
    - "You failed to disarm him, he managed to shoot at you and you are trying to dodge the bullet; if you fail, you are hit."

    3- If point 2 failed, EB-DP is now injected into lsass.exe; it creates the backdoor and a reverse connection (via a rundll32 function) made for the attacker to do what he wants, like loading a keylogger or whatever... this is game over.
    What you can do now is try to block rundll32.exe from creating the reverse connection.
    - "You failed to avoid being hit by the bullet; you try to stop the bleeding; if you fail, you will die..."
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, I had to think about it before I understood what you meant, but the initial attack vector still isn't clear. And if you can block DP from running any payload, then it's clearly not game over. If you reboot the machine, then DP should be gone since it's in-memory only, if I understood correctly.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Read the entire exploit-db.com article which clearly explains how the attack was deployed.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Will do so, and I'm also planning to do some more reading about fileless and in-memory malware, because this exploit made me realize that I still don't understand all of the details. Also, this type of malware (combined with ransomware) is currently the hottest subject in IT security. But I've read that a lot of "next gen AV" products fail to protect against these threats, so WannaCry was definitely a so-called eye-opener.
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    IT MAKES YOU WONDER IF ALL THE LEAKED DOCS WERE LEAKED ON PURPOSE.
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    In AppGuard, rundll32 and cmd are on the default Guarded Apps list. Those that know what they're doing on their systems and fully understand that nothing is permanently broken can add both to the User Space list and set to YES and also untick them in the Guarded Apps list.

    Anyhow, it makes no sense to be fixated on exploits that Microsoft patched months ago. Applying the Microsoft security patches or upgrading to Windows 10 1703 is the recommended best practice. Also, Microsoft has put out repeated advisories over the years not to use SMBv1. Even if you're running unpatched Windows, the system is not at-risk to the very specific exploits unless it is using SMBv1.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Here was a recent SMBv3 exploit against Win 10: http://thehackernews.com/2017/02/windows-smb-0day.html . There have been other past ones against SMBv2 also.
     
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    That's why I said "the system is not at-risk to the very specific exploits." Meaning the exploits associated specifically with EternalBlue and DoublePulsar.

    The vast majority of home users have no idea what SMB is - let alone use any version of SMB. This is not a position that is unique to AppGuard, but instead an industry-wide one.

    This whole exploit debate appears from time to time. We recommend that users educate themselves about what exploits are, what they are not, learn what PoCs are, what the recommended best practices for exploit mitigation are, and so forth.
     
    Last edited: Jun 6, 2017
  16. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    Always, a "Rhyme or Reason!" Eh, Lockdown.:thumb:

    Johari Window.

    Robert
     
    Last edited: Jun 7, 2017
  17. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It's just clarification. Nothing else.
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    SMB advisories have been issued for over a decade - repeatedly.

    Here is one issued by US CERT and reinterpreted in practical, easily understood language by Emsisoft in 2015 with an easy mitigation:

    http://blog.emsisoft.com/2015/04/15...rability-puts-user-login-credentials-at-risk/

    Only block ports 139 and 445!, you say. Oh no, no, no... I need nuclear meltdown protection! The IT security sages tell me that I am not paranoid enough.

    Probably since 2004 or earlier and I have never had a single problem:

    [Attachment: Capture.PNG]
     
    Last edited: Jun 7, 2017
  19. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Here is another practical, easy-to-understand explanation of WannaCry and EternalBlue from Emsisoft:

    http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/

    Excerpt of the required conditions to be at-risk to EternalBlue - and through it - susceptibility to DoublePulsar:

    ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol, allowing an attacker to take control over systems which:
    1. have the SMBv1 protocol enabled
    2. are accessible from the internet and
    3. have not been patched by the MS17-010 fix released back in March 2017
    The importance of not running on unpatched Windows (excerpted):
    • ...,make sure to have the latest security updates installed on your Windows computers and servers.
    • Making sure to install critical windows updates is also a very important step in protecting a system, as WCry only seems to be spreading via the SMBv1 exploit currently, which has been patched for 2 months already.
    Just as in the previous post, blocking port 445 is a protection in the same manner.

    Unless you have set up port forwarding, a system behind a NAT router is protected since the hacker is only going to see your router IP address.

    * * * * *

    Please learn the facts.
     
    Last edited: Jun 7, 2017
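    The three at-risk conditions quoted above (SMBv1 enabled, reachable on the SMB ports, MS17-010 not installed) can be checked on a single Windows host with the built-in cmdlets. The script below is an added example written for this thread; it is not code from the thread, from Emsisoft or from AppGuard. It reports which conditions hold and, only when run with -Remediate, applies the mitigations the posts recommend: turning SMBv1 off and adding an inbound block for TCP 139/445. Reachability from the internet cannot be judged from inside the host, so only the local half of condition 2 (listeners and firewall rules) is checked. The -RequiredKb parameter is a placeholder, because the MS17-010 KB number differs per Windows version and is not given in the thread.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from the thread or from AppGuard): checks the EternalBlue
  preconditions quoted in the Emsisoft excerpt as far as they can be checked
  locally and, with -Remediate, applies the mitigations the thread recommends.
  -RequiredKb is a placeholder; the MS17-010 KB differs per Windows version.
#>
param(
    [switch]$Remediate,
    [string]$RequiredKb = 'KBxxxxxxx'   # placeholder, fill in the MS17-010 KB for this OS
)

$findings = @()

# Condition 1: is the SMBv1 server protocol enabled?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is ENABLED'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# The SMB1 optional feature (client and server components) is tracked separately
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
    if ($Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Condition 2 (local part): is anything listening on 139/445, and is there an inbound block rule?
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 }
foreach ($l in $listening) {
    $findings += "Listening on TCP $($l.LocalPort) ($($l.LocalAddress))"
}

$ruleName  = 'Block inbound SMB (139,445)'   # rule name chosen for this example
$blockRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $blockRule) {
    $findings += 'No inbound block rule for TCP 139/445'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
    }
}

# Condition 3: is the MS17-010 update installed? Skipped while the KB is still the placeholder.
if ($RequiredKb -notlike 'KBx*') {
    if (-not (Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)) {
        $findings += "Update $RequiredKb not found"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No EternalBlue preconditions found on this host.'
} else {
    Write-Output 'Findings:'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

    Run it without switches first to see the findings; the remediation is deliberately opt-in because disabling SMBv1 and blocking 445 will break file sharing with any legacy devices that still depend on it, which is exactly the trade-off the posts above argue most home users never face.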
  20. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    ...and Inbound, too. That's why I need not configure In access with my firewall. Except System or svchost. And NetBIOS, TCP/UDP inbound local ports, just in case.

    Robert
     
    Last edited: Jun 7, 2017
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Knock on wood, but I have never had any infection I'm aware of, none that could be detected anyway. I think education goes a long way.
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Those firewall rules are not even necessary since I never have used SMB on any of my systems. You have to have SMB configured and use it in order to be susceptible to the long-reported risks with SMB. Those firewall rules are a secondary just-in-case protection.

    The fact that the vast majority of home users never use SMB is probably the reason that most of the vendors did not go to extraordinary lengths to protect against SMB in their home products. Today, after WannaCry, vendors are protecting against it because users are screaming for it without any real understanding - because the usual mantra is "The technicals do not matter, any security product must protect against everything and anything - even if our demands and expectations are not grounded in reality nor practicality."
     
  23. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    For anyone concerned about the recently reported CertLock malware that blocks the execution of security softs via disabled certificates, AppGuard prevents it from disallowing certificates - that is if the user allows it to run Guarded in the first place. Since most of you run in Locked Down mode, you do not need to concern yourself over CertLock even being installed on the system. If you run in Protected mode, then a digitally signed CertLock will launch, but will be blocked by AppGuard from tampering with certificates.

    CertLock is installed as bundled software; most of you already treat unknown installers like smallpox carriers and prevent bundle installs with your sharp eye.
     
    Last edited: Jun 8, 2017
  24. guest

    guest Guest

    CertLock malware is modifying registry keys in the tree: HKLM\SOFTWARE\Microsoft\SystemCertificates\
    AG is preventing Guarded Apps from making these changes.
     
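    A simple way to notice the kind of tampering described in the two posts above, whether or not a policy product blocks it, is to watch the machine-wide Disallowed certificate store, which lives under the HKLM\SOFTWARE\Microsoft\SystemCertificates\ tree quoted by guest. The script below is an added example written for this thread, not code from the thread or from AppGuard. Run once with -SaveBaseline on a known-good system, it records the thumbprints of every certificate currently in the Disallowed store; run later without the switch, it reports any thumbprint that has since appeared, with the certificate subject where the Cert: provider can read it. The baseline file location is an assumption.

```powershell
<#
  Added example, not from the thread or from AppGuard: enumerates the
  machine-wide Disallowed certificate store (registry tree
  HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed) and reports any
  thumbprint not present in a previously saved baseline.
  The baseline path is an assumption made for this example.
#>
param(
    [string]$BaselinePath = "$env:ProgramData\disallowed-baseline.txt",  # assumed location
    [switch]$SaveBaseline
)

# Registry view: one subkey per disallowed certificate, named by its SHA-1 thumbprint
$regPath   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'
$regThumbs = @()
if (Test-Path $regPath) {
    $regThumbs = @(Get-ChildItem $regPath | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

# Certificate-provider view of the same store, which also gives us readable subjects
$storeCerts  = @(Get-ChildItem Cert:\LocalMachine\Disallowed -ErrorAction SilentlyContinue)
$storeThumbs = @($storeCerts | ForEach-Object { $_.Thumbprint.ToUpperInvariant() })

$current = @($regThumbs + $storeThumbs | Sort-Object -Unique)

if ($SaveBaseline) {
    $current | Set-Content -Path $BaselinePath
    Write-Output "Baseline of $($current.Count) disallowed certificate(s) written to $BaselinePath"
    return
}

if (-not (Test-Path $BaselinePath)) {
    Write-Warning "No baseline at $BaselinePath; run with -SaveBaseline on a known-good system first."
    return
}

$baseline = @(Get-Content $BaselinePath)
$added = @(Compare-Object -ReferenceObject $baseline -DifferenceObject $current |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject)

if ($added.Count -eq 0) {
    Write-Output 'Disallowed store matches baseline.'
} else {
    Write-Output "$($added.Count) certificate(s) added to the Disallowed store since baseline:"
    foreach ($t in $added) {
        $cert    = $storeCerts | Where-Object { $_.Thumbprint -eq $t }
        $subject = if ($cert) { $cert.Subject } else { '(subject not readable via Cert: provider)' }
        Write-Output " - $t  $subject"
    }
}
```

    Windows itself ships a small number of entries in this store, so the baseline will not be empty; what matters is the difference. A new entry whose subject is a security vendor's signing certificate is the symptom the posts above describe.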
  25. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    610
    Location:
    US
    'Verve and Panache!'

    Robert
     