Hard Target: Fileless Malware

Discussion in 'malware problems & news' started by itman, Apr 25, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://threatpost.com/hard-target-fileless-malware/125054/
     
  2. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Wow another PowerShell attack vector. That is where Appguard comes in handy.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Interestingly, one of Kaspersky's mitigation recommendations was to start monitoring outbound firewall connections for processes that normally do not do Internet activity such as notepad.exe and calc.exe. Guess they also have "thrown in the towel" as to preventing all fileless malware.
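The monitoring idea mentioned above (alerting when a process that normally has no Internet activity, such as notepad.exe or calc.exe, opens an outbound connection) can be expressed as a small baseline check. The following is an added example, not code from the thread or from Kaspersky: it parses constructed connection-log lines in a made-up format, ignores LAN and loopback destinations so that a notepad.exe opening a file on a network share does not fire, and flags only external destinations from processes on the network-silent list. The process list, log format and sample addresses (RFC 5737 documentation ranges standing in for Internet hosts) are all assumptions.

```python
"""Flag outbound connections from processes that should never talk to the Internet.

Added example for the thread's discussion of monitoring network-silent
processes; the log format and baseline below are assumptions, not a real
firewall's output.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Processes that, on a typical workstation, never originate Internet traffic.
# Assumed baseline; tune per environment (a lot of LOLBins belong here too).
NETWORK_SILENT = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}

# Destinations treated as local: RFC 1918, loopback, link-local.  Checked
# explicitly rather than via ipaddress.is_private so that the RFC 5737
# documentation ranges used in the sample can stand in for Internet hosts.
LOCAL_RANGES = [
    ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed log line format: "<date> <time> <process> pid=<n> OUT <ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) pid=(?P<pid>\d+) OUT "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    process: str
    pid: int
    remote_ip: str
    remote_port: int


def parse_line(line: str) -> Optional[Connection]:
    """Return a Connection for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Connection(m["ts"], m["proc"].lower(), int(m["pid"]),
                      m["ip"], int(m["port"]))


def is_local(ip: str) -> bool:
    """True for LAN, loopback and link-local destinations."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_RANGES)


def is_suspicious(conn: Connection, baseline=NETWORK_SILENT) -> bool:
    """A network-silent process reaching an external address is the alert condition."""
    if conn.process not in baseline:
        return False
    return not is_local(conn.remote_ip)


def find_alerts(lines: Iterable[str]) -> List[Connection]:
    """Run the baseline check over log lines, skipping malformed ones."""
    alerts = []
    for line in lines:
        conn = parse_line(line)
        if conn is not None and is_suspicious(conn):
            alerts.append(conn)
    return alerts


# Constructed sample log: one benign browser connection, one notepad.exe
# connection to a LAN file server (benign), two external connections from
# network-silent processes (alerts), and one malformed line.
SAMPLE_LOG = """\
2017-04-25 09:12:03 chrome.exe pid=4120 OUT 203.0.113.5:443
2017-04-25 09:12:10 notepad.exe pid=5100 OUT 192.168.1.20:445
2017-04-25 09:13:44 notepad.exe pid=5100 OUT 198.51.100.7:443
2017-04-25 09:14:01 calc.exe pid=6002 OUT 203.0.113.9:8080
garbage line that does not parse
"""

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit.ts} {hit.process} (pid {hit.pid}) -> "
              f"{hit.remote_ip}:{hit.remote_port}")
```

Run as a script it prints the two alerts for notepad.exe and calc.exe. The local-range exclusion is the caveat worth keeping: without it, ordinary SMB traffic from document viewers opening files on a share produces constant noise, which is what makes this kind of rule get switched off in practice.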
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Appguard and ERP's vulnerable apps. Absolutely essential these days.
     
  5. guest

    guest Guest

    +1
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    AppGuard does not block "fileless" or in-memory-only malware; AppGuard prevents persistence mechanisms, blocks tampering with protected areas of the registry, and works to block any payload.

    Technically, "fileless" malware is a misnomer. They just mean no files dropped to the hard drive. However, the system has to be altered in some fashion to obtain persistence - whether it is creating persistence via the registry or by some other means.

    First, there has to be a successful exploit of a targeted vulnerable program - like a browser - or the user has to run a malicious program.

    As far as PowerShell, it doesn't matter how it is run - whether via the Shell, a *.dll, or an executable, and whatever language mode - it will run Guarded and so will children. The execution of scripts is blocked.

    So the deck is stacked in favor of the AppGuard user against fileless malware.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Or you could use VoodooShield:

    https://www.wilderssecurity.com/threads/voodooshield.313706/page-630#post-2670410
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I assume that is equally true if it's not a guarded app, but it is in the user list set to yes?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Not all fileless malware needs to maintain persistence. A recent example is fileless ransomware. Once it encrypts your files, its job is done.
     
  10. guest

    guest Guest

    Regarding AppGuard:
    Guarded Applications have write-access to the User Space and can delete files from the user.
    The access to the registry was blocked, persistence mechanisms were blocked, access to C:\Windows & C:\Program Files\ was blocked, but the files from the user are gone or encrypted...
    The user should not forget to make use of the "Protected/Private"-folder feature of AppGuard. Now important files can't be modified from Guarded Applications.
     
  11. guest

    guest Guest

    Anyway, every decent AG user should be in Lockdown Mode and shouldn't mistake Guarded Apps for a sandbox; it just restricts the apps from reaching some areas.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    +2
     
  13. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    It's been months... I can't remember precisely what I did, but when I tested it, it worked as expected. It's something I have to revisit at some point.
     
  14. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Not too long ago, someone posted an 'expanded' ERP vulnerable process list. Where can I find that?
     
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    @Peter2150

    I reviewed what I did.

    An un-convoluted answer that does not cover all the permutations in detail = "Yes."
     
  16. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    What about anti-exploits? Does MBAE and Hitman Pro Alert protect against those attacks?
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    ROFL. So instead of a "straightforward" answer, this is a curved answer. Anyway, thanks for confirming.
     
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    ~ Removed Off Topic Remarks ~

    In this case "Yes" is a lazy answer to save me from typing out a long, convoluted reply that covers all the low-down, nitty-gritty.
     
    Last edited by a moderator: Apr 29, 2017
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    http://www.securityweek.com/evolution-and-escalation-two-key-cyber-threat-trends
     