OSX/Proton spreading again through supply-chain attack

Discussion in 'malware problems & news' started by Minimalist, Oct 20, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, this is really becoming scary, that's why behavior blockers are so important.
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,814
    Location:
    .
    Yes, for those who know how to use it, and I'm still skeptical if they can really save you from a bad decision. Else, the vast majority won't touch a behavior blocker in their lives, much less know about their existence.

    The point here is what to do with supply chain attacks. More creative ways of protecting the supply chain and end users have to be invented.

    TBH, relying on behavior blockers is not the solution.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, you're right about that. But that's out of my hands. Keep in mind, most AV's nowadays already make use of behavior blockers that make decisions on their own. But apparently none of them could spot the recent "rogue CCleaner" attack, so they are not good enough.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    And just how would they detect a valid signed update download? None of the AI/Next Gen solutions detected it and they are supposed to be monitoring process deviation from norm behavior. Truth of the matter is they are as powerless as anything else in detecting a backdoor embedded in an otherwise legit update download.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Also remember that all that compromised binary did (except for users that got an additional payload) was upload some data to a third-party server. It would be hard for any solution to monitor trusted apps and then notice that the IP addresses they are communicating with are not the same as usual.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Exactly my point.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, the rogue connection is indeed hard to spot, but the disk-based payload could have been stopped. But this OSX/Proton attack was even worse, because it got installed together with the legitimate apps. But it should still trigger certain behavior that a HIPS/BB would alert about.

    Actually, we don't know if none of them could detect it, because they were never tested. If they blindly trust certain apps, then it was indeed game over. What's more interesting is that standard AVs like Avast couldn't spot the modification to CCleaner. This tells you that you still really can't rely on signatures/heuristics.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    There was no rogue connection initially, the hacked update came from the Piriform servers. If you are referring to the subsequent backdoor connections, the only effective method to detect those is by aggressive firewall monitoring, as has been discussed previously.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I was talking about the downloading of the second payload. I do believe that GlassWire and HMPA are both monitoring for suspicious connections, but it's not known if it's based on a list of known bad IP addresses.

    And remember Hacker Deterrent Pro? It tries to solve this problem of legitimate apps being used by malware to connect out. It's still not clear to me if it actually works in practice; the developer said he would soon publish test results against malware, but I haven't heard from him since.

    https://terraprivacy.com/hacker-deterrent-pro/
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Eset does so also. But all do so using blacklists. In the CCleaner incident, the backdoor C&C server was unknown as is the case in most of these attacks.
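    The blacklist-versus-baseline gap described in the posts above, as an added illustration that is not part of the thread: a constructed outbound-connection log (process, destination), where a signed, trusted process starts contacting an address that is absent from the blacklist but also absent from that process's own history. All process names and IP addresses are made up (documentation ranges).

```python
"""Per-application egress baselining versus blacklist matching (added example)."""
from collections import defaultdict

# Constructed sample: destinations each process contacted during a known-clean period.
BASELINE_LOG = [
    ("ccleaner.exe", "203.0.113.10"),    # vendor update host (constructed)
    ("ccleaner.exe", "203.0.113.11"),
    ("mediaplayer.app", "198.51.100.5"),
]

# Constructed sample: connections observed after a new update was installed.
NEW_LOG = [
    ("ccleaner.exe", "203.0.113.10"),
    ("ccleaner.exe", "192.0.2.77"),      # never seen before: unknown C&C (constructed)
    ("mediaplayer.app", "198.51.100.5"),
]

# Blacklist of known-bad addresses; the new destination is deliberately not on it,
# mirroring the point that the real C&C server was unknown at the time.
BLACKLIST = {"192.0.2.1"}


def build_baseline(log):
    """Map each process to the set of destinations it used in the clean period."""
    baseline = defaultdict(set)
    for proc, dst in log:
        baseline[proc].add(dst)
    return baseline


def blacklist_hits(log, blacklist):
    """Classic blacklist detection: flags only destinations already known to be bad."""
    return [(p, d) for p, d in log if d in blacklist]


def baseline_deviations(log, baseline):
    """Flag a process contacting a destination outside its own historical set."""
    return [(p, d) for p, d in log if d not in baseline.get(p, set())]


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    print("blacklist hits:", blacklist_hits(NEW_LOG, BLACKLIST))   # []
    print("baseline deviations:", baseline_deviations(NEW_LOG, base))  # [('ccleaner.exe', '192.0.2.77')]
```

    The blacklist check returns nothing, while the per-process baseline flags the one connection that a trusted application has never made before; in practice the baseline window would have to be long enough to cover legitimate vendor hosts, or every ordinary update becomes an alert.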
     
  12. Gein

    Gein Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    219
    Emsisoft used to throw up an alert message every time I would update my GeForce Experience software. I think even if it told me the media player was doing something weird, I would just ignore it. You have to make the decision: this is from a trusted source, it's signed, what's the likelihood that this is malware versus another false positive?
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    At the moment it's much more likely to be FP. In the future, if attacks on vendors of popular software continue, things can change. Then it could become much harder to distinguish FP from actual malware.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It depends on what type of behavior is triggered. And if it has never triggered weird behavior before, then why does it all of a sudden? It's all about giving apps the least amount of privileges that they need in order to function. And some things should be auto-blocked, like for example outbound connections and access to protected folders.
     