Fileless attacks

Discussion in 'other anti-malware software' started by lunarlander, May 6, 2017.

  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Search the Malware section of Wilders. Numerous postings on the subject there.
     
  3. guest

    guest Guest

    and especially from @itman :p
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,418
    Location:
    Slovakia
I have disabled WSH and removed PowerShell; that should take care of it. SmadAV has got the same idea. :cool:
     

  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
VooDooShield would prevent PowerShell from running, and Comodo would run it virtualized, since the parent process is unknown.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Overall, I will say this about fileless malware. There are two phases to it.

    Phase 1 is the payload download and its resulting execution in memory. The payload download can be accomplished through any of the multiple ways malware currently uses. The current preferred method by this malware is through use of phishing e-mails or exploiting an existing OS or app software vulnerability. Almost all the e-mail attacks require the user to open an attachment, click on an infected embedded link, etc. Also, many of these e-mail attacks require the target to disable existing e-mail protections, such as opening a Word or .pdf document outside of protected mode, enabling macro or VBA script execution, etc. Exploit prevention can be had, first, by keeping all OS and app software up to date with all available patches applied and, second, by employing anti-exploit security software. Additional protections are sandboxing Internet-facing apps such as browsers, pdf readers, etc.

    Phase 2 is the persistence phase, where the malware runs at each subsequent machine startup. This phase does require the malware to store data on the OS installation medium. At the minimum, OS registry modification is required. Although conventional security software should be able to detect this activity, the problem is that the malware by this time is well entrenched in the system. As such, it can employ an arsenal of attack strategies to avoid disk activity detection, such as using legit Windows OS processes to perform the activity.

    You want to stop fileless malware prior to payload execution. Once the payload successfully runs, it is a downhill losing battle thereafter.

    -EDIT- As far as fileless malware protection goes, a large percentage of fileless malware employs scripts. Short of outright blocking/monitoring of PowerShell, Java, and Windows scripts as many Wilders members do, your best protection is to upgrade to Win 10 if you have not already done so.

    Win 10 employs the Antimalware Scan Interface, i.e. AMSI, to monitor the execution of packed and obfuscated malware scripts. Windows Defender on Win 10 uses AMSI by default. If you use a third-party AV solution, ensure it also deploys AMSI.

    Additionally, the third-party AV solution should employ advanced memory scanning, i.e. AMS, features that allow it to monitor process execution. Since AMS is post-execution monitoring, there is always a chance of partial malware infection, but the degree of this will be limited in scope and can usually be easily remedied after malware termination by the AV solution.
     
    Last edited: May 7, 2017
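As an added example (not code from the thread, from Microsoft, or from any AV product mentioned here), the following PowerShell lists the AMSI providers registered on the machine, which is the practical way to verify the advice above that a third-party AV "deploys AMSI". It assumes Windows 10 and read access to HKLM; the two registry locations used are the standard AMSI provider registration key and the COM CLSID registration that names the owning DLL.

```powershell
# Added example: enumerate registered AMSI providers so you can confirm
# that your AV actually hooks the Antimalware Scan Interface.
# Assumes Windows 10; needs only read access to HKLM.

$providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'

function Get-AmsiProvider {
    if (-not (Test-Path $providersKey)) {
        Write-Warning 'No AMSI provider key found; AMSI is not available on this build.'
        return
    }
    Get-ChildItem $providersKey | ForEach-Object {
        $clsid = $_.PSChildName            # provider COM class id, e.g. {xxxxxxxx-...}
        $name  = $null
        $dll   = $null
        # The CLSID's COM registration tells us which product owns the provider.
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        if (Test-Path $clsidKey) {
            $name = (Get-ItemProperty -Path $clsidKey).'(default)'
            $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" `
                        -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll }
    }
}

# Usage: one row per provider; an empty list means no scanner will see
# script content handed to AMSI by PowerShell, WSH, Office VBA, etc.
Get-AmsiProvider | Format-Table -AutoSize
```

If the only row belongs to Windows Defender while a third-party AV is installed, that AV is not registered as an AMSI provider and scripts run through the engines itman names are not being inspected by it at execution time.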
  7. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi,

    I think I'll block script engines like others do.

    powershell.exe
    powershell_ise.exe
    wscript.exe
    cscript.exe
    mshta.exe
    ScriptRunner.exe (only on Win 10 Pro)
     
    Last edited: May 10, 2017
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    How are you blocking them and are you blocking both 32bit and 64?
     
  9. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    326
    Hi boredog,

    I block them using Software Restriction Policy on Win 10 Pro, and Simple Software Restriction Policy on Win 10 Home (SSRP is a free application). By just stating the EXE name, and not a path, you block both 32-bit and 64-bit wherever they reside.
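As an added example (not code from the thread and not part of SRP, SSRP or any tool mentioned here), the following PowerShell writes the same kind of rule lunarlander describes: Software Restriction Policy "Disallowed" path rules keyed on the bare executable name, so one rule covers the copy in System32 and the copy in SysWOW64 alike. It assumes an elevated session on Windows 10 and writes to the registry keys the SRP engine reads; the list of executables defaults to the six names from the earlier post, and `-WhatIf` previews the changes without applying them.

```powershell
# Added example: create SRP "Disallowed" path rules for script hosts,
# matching by bare file name so every copy (32-bit and 64-bit) is covered.
# Assumes an elevated PowerShell session on Windows 10. Save as a .ps1 and run
# it with -WhatIf first to see what would be written.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ScriptHosts = @('powershell.exe', 'powershell_ise.exe', 'wscript.exe',
                               'cscript.exe', 'mshta.exe', 'ScriptRunner.exe')
)

$safer    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallow = "$safer\0\Paths"      # security level 0 = Disallowed

# Base policy: default level Unrestricted (0x40000), applies to all users
# (PolicyScope 0; set 1 to exempt local administrators), default file types.
if ($PSCmdlet.ShouldProcess($safer, 'create SRP base keys')) {
    New-Item -Path $disallow -Force | Out-Null
    Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord
    Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord
    Set-ItemProperty -Path $safer -Name ExecutableTypes -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
        'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
        'PIF','REG','SCR','SHS','URL','VB','WSC')
}

foreach ($exe in $ScriptHosts) {
    # Skip names that already have a rule, so re-running is harmless.
    $existing = Get-ChildItem -Path $disallow -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $exe }
    if ($existing) { Write-Verbose "rule for $exe already present"; continue }

    # Each rule lives in its own {GUID} subkey; ItemData holds the path pattern.
    $ruleKey = "$disallow\{$([guid]::NewGuid().ToString().ToUpper())}"
    if ($PSCmdlet.ShouldProcess($exe, 'add Disallowed path rule')) {
        New-Item -Path $ruleKey -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name ItemData    -Value $exe -PropertyType ExpandString | Out-Null
        New-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0    -PropertyType DWord        | Out-Null
        New-ItemProperty -Path $ruleKey -Name Description -PropertyType String `
            -Value 'Block script host (fileless malware mitigation)' | Out-Null
    }
}
```

Sign out and back in (or reboot) to be sure the new rules are enforced for every process. With `PolicyScope` left at 0 the rules apply to administrators too, including the console you used to create them, so keep a way to edit the registry (or remove the `{GUID}` subkeys) that does not depend on powershell.exe. The rules key only on the executable name, so keep an AMSI-aware AV active alongside them rather than treating the list as complete protection.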
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    What is this? Does it cover both the sys32 folder and the syswow64 folder for the same exe's?

    Currently I use Appguard for these exe's.
     
    Last edited: May 10, 2017
  11. guest

    guest Guest

    "Simple Software-Restriction Policy - A security enhancement for Windows XP, 7, 8, 10 (Home or Pro)"
    http://iwrconsultancy.co.uk/softwarepolicy

    https://www.wilderssecurity.com/thr...-policies-on-any-windows-edition-free.359155/
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    mood, I know you use Appguard also, but do you use this tool also?
     
  13. tonino

    tonino Registered Member

    Joined:
    Jan 2, 2017
    Posts:
    62
    Location:
    somewhere
  14. guest

    guest Guest

    No, I don't use this tool :)
     
  15. guest

    guest Guest

    SSRP or Hard Configurator isn't needed when you use Appguard; Appguard does the same but simpler and has additional strong features like Memory Guard.
     