NoVirusThanks OSArmor: An Additional Layer of Defense

Terminology used in OSA is marketing shortcut to make things simpler for the masses.
Same as using the term "anti-virus" instead of "anti-malware" (which is what AV became, they aren't just AV anymore)

Easier to describe "anti-exploit" than "post-exploitation tool"

 

I get it I'd just prefer a more technical explanation rather than the condom concept. Cerber uses process hollowing, but Osa or ERP would stop it. Wasn't talking about fileless although Nvt wouldn't be completely useless, imagine a new process being sprawned as a result of the attack, nvt products can see it, you can see it being blocked and noticed something unusual happens, so you take it from there. Its post factum, but it doesn't make osa useless. Also protecting registry settings you get rid of fileless mimikatz thanks to appropriate Policy rules, locked down by Nvt?

 

@guest can you give us a typical malware example to illustrate your point, rather than speaking in allegories?
For instance, a weaponized Word document tells Winword.exe to spawn svchost.exe (not blocked by NVT EXE Radar Pro) and then tells svchost to load a malicious dll.
Or a weaponized Word document tells Winword.exe to spawn explorer.exe (not blocked by NVT EXE Radar Pro) and then injects malicious code into explorer.
I don't know how realistic these examples are, but maybe you can give us a real example from real malware, to demonstrate your point?

 

@shmu26

malicious DLL loaded using API instead of rundll32.exe.

Good enough for you?

 

Thanks guest, this is an interesting case

 

You are welcome.

 

I can see Autoit is used to load .dll , when I can sit on my computer I will check it, I am not a hacker just a hobbyst

 

In any case, malware needs an entry point. An updated OS with secure software and a good anti-exe will, in most cases, deny an entry point to malware of all types.

 

He is talking all the time about fileless ,ie some external attack from the browser or live hacking? I was referencing drive based exe with process hollowing capabilities like cerber ransom, which I thought you should be safe from. Turns out I have to study some more on it. let me get this straight, you execute the exe, which has threads suspended but it injects code (or HIV despite this ?@guest

 

1 Fileless attacks via browser are almost non-existent nowadays, except for targeted attacks via Internet Explorer.

2 There are 2 main attack vectors nowadays: weaponized docs and executable files. If you have an updated OS with secure software and a good anti-exe, you are protected from both.
Even if you use vulnerable software like MS Office or Adobe Reader, a good anti-exe will stop typical, common attacks.

 

yes but he is talking as if OS armor or ERP was indeed a defective condom, against process hollowing that is, despite Andreas telling me the inmemory still must be executed on drive (we are not discussing fileless attacks scenario now, at all) as if the malicious code still injects even if the threads are in suspended state (in other words you execute the exe which is stopped but its still injects?), I need to study this since I am extremely confused right now and guest is gone

 

If the exe file is prevented from starting up, it cannot inject or do anything else good or bad. This is exactly the point I was harping on. Malware needs a starting point: either an executable file or a weaponized doc/media file.

 

then I don't know what this discussion originated from, anyway i appreciate the hint from guest (missing sources which would help me understand, but I found new interesting books thanks to him)

 

I think that guest objected to the way the concepts were stated. I am speaking from a more practical perspective: malware needs an entry point. If you deny an entry point, you are secure.

The example guest gave was calling into an API in order to load a dll. If a malicious exe was blocked from starting up, it cannot call an API.

 

so something like man-driven attack with live connection (hacking) or some sort of autorun from remote locations like a webserver (is that it?), you can see this is getting complicated very fast

 

There are sophisticated network attacks, but they mainly affect a corporate environment, they are not so relevant to home users.

 

Exactly, i didn't said OSA was a weak soft, if it was i won't use it right now.
I simply objected the way @lucd described the mechanic, it is because people are doing quick amalgams that forums are polluted by erroneous infos that become "truth" for the non-initiated.
Sure a Volvo (anti-exe) and a formula 1 (anti-exploit) are both cars (anti-malware), but they have different purposes,

you also have embedded malicious code, metasploit stagers using ReflectiveDll (delivered by browser exploit) embarking their own meterpreters without needing the ones in the system, etc... you can Google all this.

of course, Average Joe probably won't cross such type of attacks, but im not here to talk about Average Joe-targeted malware which performs on-disk.

 

Embedded malicious code needs an entry point. The user must execute a file, or load a malicious doc/media file in an exploitable program. Do you know another way, besides browser exploits, which are extremely rare?

 

I don't see where I made an error, you are stuck on nuances, we both agreed on what shmu26 said at the end. I did my research, I was discussing file execution from drive being stopped, thus preventing some malware escaping VMs that have inmemory attack model to do that (but executed from drive), and to be honest I was 100% quoting Andreas because I asked him directly about exes with process hollowing and what can I do to protect my VM, you were discussing network attacks. But maybe you like to bash a little bit from time to time and quote condoms. I don't mind since I learned something from you (thats better than nice people that know nothing) but lets move on.

 

what i only said is : Anti-exes aren't anti-exploits, LOLbins aren't exploits, is it so complicated to understand this?

 

yes I got that at about 7.13 AM, we were talking about two completely different topics right from the start. to me this is a all very simple, if you are a target of a hacker you're doomed at any rate, it doesn't matter what you have its only a matter of time, thats why discussing "passive" malware on disk (what home user need to be worried about), no live connections with metasploit, no anything of the sort, for that you need an Incident Response Team CSIRT/Security Operation Centers SOC, I was discussing flu but you started with HIV

an anti-exploit then like Excubits Mem protect then+firewall+prey God+luck

 

if you dont grasp what i said, then there is nothing i can do, sorry.

so any default-deny solutions is enough, i dont even bother wasting my time for that, i talked about serious stuff that classic solutions may fail to protect, not basic ransomware and other "click-to-be-infected" files.

My intervention was about the words used, i saw the wrong ones used to qualify/describe something totally different.

 

@guest I think that your attempt to correct what you perceived as a misunderstanding has generated mega misunderstanding

 

guest I already thanked you for that information, and I think I grasped the concepts. You were discussing serious and important matter.Please tell me more about it. I bought some books on it. Try to give sources of information (so ppl can learn but ofc only if you have time) instead of bashing forum noobs. You claim then OSA is always useless for these scenarios? Best regards

 

@lucd google: stagers, reflectiveDll, powerpick, download cradle, powershell empire, etc...

Also, research about exploitation VS post-exploitation, LOLbins, etc..

Most of all, don't correct/state unless you got the facts straight, then you will avoid the bashing.