Security apps based on whitelists can be circumvented

Discussion in 'other security issues & news' started by bellgamin, May 22, 2022.

  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Wilder's "Other anti-malware software" includes threads for at least two security apps that are largely based on whitelisting. I have always had a lot of confidence in whitelist apps as offering great security. I still do. However, I am fully aware that NO security app is bullet-proof. Even so I was somewhat surprised when I ran across an online article titled, "Bypassing Application Whitelisting: How IT Teams Can Detect it."

    Here is another similar article that includes a very interesting table.

    I'm no IT (Information Technologist) so I am neither qualified nor interested in the "Detect It" part of the articles. What the articles did re-convince me of, however, is that Behavior Blockers (BB) are a fairly essential security adjunct. Many AVs include a BB. These AVs include but are not limited to ESET, WiseVector, & MS Defender. In addition, SpyShelter includes a Host-based Intrusion Prevention System (HIPS) -- first cousin to a BB (it's what I use).

    I shall continue to be a fan of whitelist-based security apps, but only when used in conjunction with a BB. YMMV
     
    Last edited: May 22, 2022
  2. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Basically those articles are saying that you need to worry about vulnerable applications and processes. Stuff like PowerShell and MS Office. This is not such new info. The whitelist security apps that I know of have extensive protection for exactly this.
     
  3. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Other than fingerprinting, please identify the extensive protections that you mentioned. Specifically, what is their ability to detect a whitelisted app that is performing an irregular activity?

    Further, are you inferring that a Behavior Blocker is not a good adjunct to a whitelisting app?
    ~~~~~~~~~~~~~~~~~~~~~~~
    @ Everyone -- Please be aware that I am NOT trying to downplay the security value of whitelisting apps. Voodoo Shield and SecureAPlus are whitelist/default-deny apps that have long discussion/support threads here at Wilders. Either of them would be excellent security adjuncts on just about any layered computer security set-up.

    However, the articles linked above re-convince me that a BB is a very important security component -- for spotting 0-day & for "keeping an eye" on any unusual activities by apps, even those that are whitelisted.
     
    Last edited: May 22, 2022
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    @bellgamin

    @shmu26 is right. If you look at, for example, a Locky Ransomware analysis here:

    https://www.knowbe4.com/locky-ransomware
    (attachment on https://www.wilderssecurity.com with a screenshot of the infection chain)

    Locky Infection Chain.png

    you will see the sequence of events utilizes Office macros, a batch file and a common Windows LOLBin (Living off the Land Binary), in this case Cscript.exe, in its attack sequence. I believe you use OSArmor on Windows 7, and that alone will stop this type of attack chain very early in the sequence. So too will Windows Defender fortified with Hard_Configurator or Simple Windows Hardening if one is using Windows 10 or 11.

    This is why I was questioning you in a recent thread of yours where you were looking for an app to prevent process kill.

    If you stop the infection chain early, then there is no need for an app like that. I know you are concerned about a "just in case" scenario, and you found your solution in SpyShelter, but imho, this kind of app is overkill if you already have security in place that prevents the early infection sequences of typical malware from executing in the first place.

    EDIT

    For the record, I use both OSA and Defender hardened with Hard_Configurator, and there are highly knowledgeable and well respected members in another forum who advised my setup is overkill, and that all I really need as a home user is Defender with H_C. They are most likely right. Even the developer of H_C agreed, and he has repeatedly been able to prove that Defender with H_C will stop all kinds of recent common malware attacks, especially Ransomware. I just can't let go of OSA, not only because I have a paid license for it, but because I like it as an effective lightweight security app that's so effective at stopping common attack methods, and also for a "just in case" scenario ;)
     
    Last edited: May 22, 2022
  5. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    In my posts #1 & #3, I commented that whitelist apps offer better protection when supported by a Behavior Blocker. OSArmor IS a Behavior Blocker, NOT a whitelist app.

    As to Windows Defender in your comment (it has been officially renamed to Microsoft Defender) I already said (Post #1) that MS Defender provides equivalent BB support for use with a whitelist app.

    This thread has nothing to do with protecting from process kill. I am solely discussing implications of the articles I linked in Post #1 concerning whitelist apps.
     
    Last edited: May 23, 2022
  6. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    350
    Location:
    Finland
    Actually, for fun, I started to test different AV vendors' Behavior Blockers to see how effective they are.
    Downloaded all kinds of the latest malware samples from Bazaar (stealers, droppers, signed, scripts, RATs, etc.) and ran them to see how a BB performs against them.
    Yesterday I tested Symantec Endpoint Protection, only SONAR and BloodHound components active.
    Symantec Endpoint performed quite well, SONAR caught most of them.

    This morning I started to test G-Data Antivirus (with Windows' own firewall), which is well known for its effective BB components called BEAST and DeepRay (equivalent to Norton/Symantec SONAR/BloodHound).
    So far so good for G-Data BB:
    https://imgur.com/a/ffrUs4r

    Tested on a LIVE Windows 10 LTSC 1809 environment with a prepaid mobile connection. Between tests, I restored the base system image with Macrium Reflect.

    My test is FAR from optimal and not as thoroughly tested as it should be; every vendor's BB works/behaves differently. Some BBs work more locally; others, like BEAST, upload malware to G-Data's online "FileCloud" sandbox for analysis (it analyzes it quite fast).
    More info about G-Data DeepRay and BEAST.
    Yes, it looks good on paper :D Like any other HW or SW.
    And no, I'm not a G-Data Fanboy :D
     
  7. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Even for fun, would you please check the BBs for Avast & BitDefender, respectively?
     
  8. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    More than several moons ago Emsisoft used to get slammed by AV-Comparatives in the ratings for effectively blocking malware because of their so-called "user" required interactivity. All of the AM/AV apps would have the illustratively colored bar graph thing going on and Emsisoft would stick out like the proverbial sore thumb with a little bit of yellow splashed in (as "user required input" or some such perhaps slanted and biased nonsense) on the specific bar graph as a reduction for its final percentage tally in successfully blocked malware.

    All meant here as a passive observation, but one could argue that the gradual phasing out of BBs is becoming increasingly trendy with most of the marketable AV apps and exponentially so over time. Set to quarantine, take the time to research, and then ultimately decide on the best resolution.

    And then with the advent of apps such as Sandboxie, ... plenty enough subject material for a multi-paged essay. Both white listing and BB's apps maybe should deserve a permanent residence as anti-malware options, and yet reserved for the hands of the truly advanced user.
    Eventually cars will be driverless as we can sit in the passenger's seat and sip a martini. White listing and BB's will always remain relevant on many levels and with many different approaches, just a whole lot more automated for the AM/AV vendors that care to remain relevant by 2023 and beyond.
     
    Last edited: May 23, 2022
  9. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    From what I have observed, the stand-alone BB/HIPS are less available because one or the other of them is now a component of most AVs.

    Mamutu, anyone? :-*
     
  10. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    Mamutu being an Emsisoft product last updated on or around Nov 7th, 2011. And in the context of your recollection, I don't know whether to be scared, speechless, or both.
    The game is afoot whether BBs and white listing apps remain relevant until they don't. The heart-ache and the thousand natural shocks that AVs are heir to.... Aye, there's the rub.
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I mentioned Mamutu only because it was one of the first well-known behavior blockers. It began as a stand-alone but was soon absorbed as a component of Emsisoft's AV.

    Safe computing = Use good security apps. Image often. Stay alert when using internet-facing apps. Easy-peasy! :)
     
    Last edited: May 24, 2022
  12. Lagavulin16

    Lagavulin16 Registered Member

    Joined:
    Nov 26, 2014
    Posts:
    195
    Location:
    Emerald City
    No doubt there's a mint to be made if anyone ventures into selling tee shirts with that exact proverb in a pithy bold print. :D
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Not so long ago, I would have written, "Use good layered security." Nowadays, however, top-tier AV apps are already layered. For instance, the AV I use has: (a) firewall, (b) signature-based detection, (c) behavior-based detection, (d) reputation-based detection, (e) digital signature checking, (f) other stuff.

    Layering is partly the point of this thread. The protection offered by a stand-alone whitelist/anti-exe/default-deny app will be enhanced if layered with a behavior-blocker.
     
  14. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    isn't that called an internet security suite?
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    No.

    See below for just one example of several specimen sets of AV names, titled as such for marketing & pricing purposes. (Suites are most likely to be found in pricey hotels. :isay: )

    ScreenHunter_01 May. 24 14.08.gif
     
  16. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    How positively verbacious...:argh:
     
  17. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    i thought kaspersky was a cybersecurity company, not a hotel chain. :p

    image.jpg
     
  18. StillBorn

    StillBorn Registered Member

    Joined:
    Nov 19, 2014
    Posts:
    297
    Kaspersky is well adept at satiating the suite tooth for most if not all AV aficionados.:-*
     
  19. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    337
    Quite some sites compare suites.
    I had to look to find out what the result would be on such search :D
    Untitled.jpg
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,645
    Location:
    USA
    LOL. I want the deluxe suite...
    Per the title of this thread, anything can be circumvented. Whitelisting is just another thing to exploit.
     
  21. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    sorry, no vacancies. :D
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    The sad thing is that an AV's use of the word "suite" often means BLOAT -- the inclusion of components that have little or nothing to do with security -- registry cleaners, for instance.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Another thing I find dodgy about whitelisters is that they pretty much give carte blanche to rundll32.exe. Yes, I know it's a difficult executable to place safeguards on and still not generate a LOT of alerts. Even so, does that mean its possible misuse should be all-but-totally ignored?
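    Added example (not from any post in this thread or from any product named here): the kind of behaviour check a BB or EDR rule applies to binaries an allow-list already trusts. It covers the Locky chain from wat0114's post (Office macro -> cmd.exe -> cscript.exe) and the rundll32.exe concern raised just above, run over constructed process-creation events; the binary sets, path patterns and event fields are assumptions.

```python
"""Flag allow-listed Windows LOLBins used in ways a pure whitelist would
not stop.  Events below are constructed samples, not real telemetry."""
import ntpath
import re

# Legitimately allow-listed binaries that malware commonly rides on (assumed list)
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "rundll32.exe", "mshta.exe",
                "powershell.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Locations an ordinary user can write to; payloads staged there are suspect
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|users\\public)\\", re.I)
SYSTEM_DLL_DIR = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)


def basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def analyze(event):
    """Return the reasons one process-creation event looks like allow-list
    abuse; an empty list means the event looked ordinary."""
    image, parent = basename(event["image"]), basename(event["parent"])
    cmdline, reasons = event["cmdline"], []
    if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
        reasons.append(f"{parent} spawned {image} (macro-to-script chain)")
    if image in SCRIPT_HOSTS and USER_WRITABLE.search(cmdline):
        reasons.append(f"{image} ran content from a user-writable path")
    if image == "rundll32.exe" and not SYSTEM_DLL_DIR.search(cmdline):
        reasons.append("rundll32.exe loading a DLL outside System32")
    return reasons


def scan(events):
    """Flatten findings across a batch of events as (image, reason) pairs."""
    return [(basename(e["image"]), r) for e in events for r in analyze(e)]


# Constructed sample telemetry modelled on the Locky chain described above
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Office\WINWORD.EXE",
     "cmdline": r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\run.bat"},
    {"image": r"C:\Windows\System32\cscript.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript.exe //nologo C:\Users\bob\AppData\Local\Temp\dl.vbs"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
    {"image": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\pay.dll,Start"},
]
```

    The third event (rundll32.exe loading a System32 DLL from Explorer) produces no finding, which is what keeps the rule from drowning in the alerts the post worries about.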
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I stopped using EXE Radar because I got fed up having to approve app installation, similar to UAC which is pretty much pointless. So no more whitelisting for me, I still prefer behavior blocking tools like MBAE, HMPA, OSA and SpyShelter.
     