AppGuard 4.x 32/64 Bit

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,959
    Location:
    U.S.A.
    WannaCry used both EB and DoublePulsar exploits. DP remotely injected a .dll into lsass.exe. Game over.
    Ref.: https://www.exploit-db.com/docs/41896.pdf Note this article was written on 4/17/2017; a month prior to WannaCry being deployed.
     
    Last edited: Jun 5, 2017
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    Perhaps you can try to explain this to boredog. :D
     
  3. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,474
    I would rather not and instead respect Dan and Lockdown's space of not wanting this to keep being a never-ending discussion. I am pretty sure they have plenty else to do. I tried staying out of it but it finally started to bug me. Both asked to stop.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    Yes I agree, it was just a joke. :D
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,985
    At this point, not funny!!
     
  6. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    The entire matter has reached a level that defies common sense or any semblance of propriety - among other things. It's very unfortunate. Despite the whole affair, AppGuard LLC remains focused on well-established industry best practices, current projects, and the continued development of a multiple award-winning software restriction policy product.
     
  7. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,825
    Location:
    Europe then Asia
    YES! Someone finally understood what I keep saying!
    Those videos focused on the already compromised network. So of course the exploit does its job easily on AG, since AG Consumer isn't designed to stop that kind of exploit.
    All those videos voluntarily ignore the first step of the infection (aka how the malware managed to enter and compromise the network from outside) because they focus on the EB-DP SMB propagation and injection part.

    Yes, the goal is to block lsass.exe from being injected, and there aren't hundreds of ways to do it:
    1- Stop the initial container sent from the attacker (who is normally outside the network) so it can't deploy EB-DP on a system in the network and propagate. (Most anti-malware like HIPS/BB/anti-exe/SRP should react at this stage.)
    - "Someone tried to shoot at you with a gun; you are trying to disarm him."

    2- If point 1 failed, you have to stop the already released and propagating EB-DP from injecting lsass.exe (anti-exploit or suites with similar features can do it). If this point also fails, it will be game over.
    - "You failed to disarm him, he manages to shoot at you and you are trying to dodge the bullet; if you fail, you are hit."

    3- If point 2 failed, EB-DP is now injected into lsass.exe; it creates the backdoor and a reverse connection (via a rundll function) made for the attacker to do what he wants, like loading a keylogger or whatever... this is game over.
    What you can do now is try to block rundll32.exe from creating the reverse connection.
    - "You failed to avoid being hit by the bullet; you try to stop the bleeding; if you fail, you will die..."
     
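The "stop the bleeding" stage in Umbra's step 3 (deny rundll32.exe its outbound connection) can be both checked and enforced with built-in Windows tooling. The following is an added example, not code from the thread or from AppGuard; it assumes Windows 8.1/10 with the NetSecurity module, an elevated PowerShell session, and rule names that are made up for the example.

```powershell
# Added example (not from the thread or from AppGuard): detect and block outbound
# connections made by rundll32.exe, the process Umbra names for the reverse connection.
# Assumes Windows 8.1/10 with the NetSecurity module, run from an elevated prompt.
# The firewall rule names below are made up for this example.

#Requires -RunAsAdministrator

function Get-Rundll32Connections {
    # Detection side: which rundll32.exe processes currently hold established TCP
    # connections, what command line launched them, and where they talk to.
    # On an idle workstation this list is normally empty.
    $procs = Get-Process -Name rundll32 -ErrorAction SilentlyContinue
    if (-not $procs) { return @() }
    $ids = @($procs.Id)

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -in $ids } |
        ForEach-Object {
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            [pscustomobject]@{
                Pid           = $_.OwningProcess
                CommandLine   = $proc.CommandLine
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        }
}

function Block-Rundll32Egress {
    # Prevention side: an outbound block rule bound to the program path, for both the
    # 64-bit and the WOW64 copy. Windows Firewall matches on the image path, so a
    # renamed or copied rundll32.exe is NOT covered by this rule; that gap is what a
    # per-process restriction policy (the "Guarded Apps" idea in this thread) addresses.
    $paths = @(
        (Join-Path $env:SystemRoot 'System32\rundll32.exe'),
        (Join-Path $env:SystemRoot 'SysWOW64\rundll32.exe')
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $name = "Block outbound $p"   # made-up rule name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Program $p `
                -Direction Outbound -Action Block -Profile Any | Out-Null
        }
    }
}

# Usage (run elevated):
#   Get-Rundll32Connections | Format-Table -AutoSize
#   Block-Rundll32Egress
```

The rule blocks legitimate uses of rundll32.exe that need the network as well (some Windows shell and update helpers run through it), so test it on one machine before deploying it widely, and treat any non-empty result from Get-Rundll32Connections as something to investigate rather than as proof of compromise on its own.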
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    Yes, I had to think about it, before I understood what you meant, but initial attack vector still isn't clear. And if you can block DP from running any payload, then it's clearly not game over. If you reboot the machine, then DP should be gone since it's in-memory only, if I understood correctly.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,959
    Location:
    U.S.A.
    Read the entire exploit-db.com article which clearly explains how the attack was deployed.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,473
    Location:
    The Netherlands
    Will do so, and I'm also planning to do some more reading about file-less and in-memory malware, because this exploit made me realize that I still don't understand all of the details. Also, this type of malware (combined with ransomware) is currently the hottest subject in IT security. But I've read a lot of "next gen AV" products fail to protect against these threats, so WannaCry was definitely a so called eye opener.
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,474
    IT MAKES YOU WONDER IF ALL THE LEAKED DOC'S WERE LEAKED ON PURPOSE.
     
  12. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    In AppGuard, rundll32 and cmd are on the default Guarded Apps list. Those that know what they're doing on their systems and fully understand that nothing is permanently broken can add both to the User Space list and set to YES and also untick them in the Guarded Apps list.

    Anyhow, it makes no sense to be fixated on exploits that Microsoft patched months ago. Applying the Microsoft security patches or upgrading to Windows 10 1703 is the recommended best practice. Also, Microsoft has put out repeated advisories over the years not to use SMBv1. Even if you're running unpatched Windows, the system is not at-risk to the very specific exploits unless it is using SMBv1.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,959
    Location:
    U.S.A.
    Here was a recent SMBv3 exploit against Win 10: http://thehackernews.com/2017/02/windows-smb-0day.html . There have been past other ones against SMBv2 also.
     
  14. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    That's why I said "the system is not at-risk to the very specific exploits." Meaning the exploits associated specifically with EternalBlue and DoublePulsar.

    The vast majority of home users have no idea what SMB is - let alone use any version of SMB. This is not a position that is unique to AppGuard, but instead an industry-wide one.

    This whole exploit debate appears from time-to-time. We recommend that users educate themselves about what exploits are, what they are not, learn what PoCs are, what are the recommended best practices for exploit mitigation, and so forth.
     
    Last edited: Jun 6, 2017
  15. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    351
    Always, a "Rhyme or Reason!" Eh, Lockdown.:thumb:

    Johari Window.

    Robert
     
    Last edited: Jun 7, 2017
  16. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    It's just clarification. Nothing else.
     
  17. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    SMB advisories have been issued for over a decade - repeatedly.

    Here is one issued by US CERT and reinterpreted in practical, easily understood language by Emsisoft in 2015 with an easy mitigation:

    http://blog.emsisoft.com/2015/04/15...rability-puts-user-login-credentials-at-risk/

    Only block ports 139 and 445 !, you say. Oh no, no, no... I need nuclear meltdown protection ! The IT security sages tell me that I am not paranoid enough.

    Probably since 2004 or earlier and I have never had a single problem:

    [screenshot: Capture.PNG]
     
    Last edited: Jun 7, 2017
  18. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    Here is another practical, easy-to-understand explanation of WannaCry and EternalBlue from Emsisoft:

    http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/

    Excerpt of the required conditions to be at-risk to EternalBlue - and through it - susceptibility to DoublePulsar:

    ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol, allowing an attacker to take control over systems which:
    1. have the SMBv1 protocol enabled
    2. are accessible from the internet and
    3. have not been patched by the MS17-010 fix released back in March 2017
    The importance of not running on unpatched Windows (excerpted):
    • ...,make sure to have the latest security updates installed on your Windows computers and servers.
    • Making sure to install critical windows updates is also a very important step in protecting a system, as WCry only seems to be spreading via the SMBv1 exploit currently, which has been patched for 2 months already.
    Just as in the previous post, blocking port 445 is a protection in the same manner.

    Unless you have setup port forwarding, a system behind a NAT router is protected since the hacker is only going to see your router IP address.

    * * * * *

    Please learn the facts.
     
    Last edited: Jun 7, 2017
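The three EternalBlue preconditions quoted in the Emsisoft excerpt above (SMBv1 enabled, port 445/139 reachable, MS17-010 missing), together with the port-blocking advice in posts 12, 17 and 18, can be audited and applied from PowerShell. This is an added example, not code from the thread, Emsisoft or AppGuard; it assumes Windows 8.1/10 or Server 2012 R2+ with the SmbShare, DISM and NetSecurity modules, run elevated, and the firewall rule name is made up.

```powershell
# Added example (not from the thread, Emsisoft or AppGuard): audit the EternalBlue
# preconditions on the local host and, optionally, apply the mitigations discussed above.
# Assumes Windows 8.1/10 or Server 2012 R2+ (SmbShare, DISM, NetSecurity modules),
# run from an elevated prompt. The rule name is made up for this example.

#Requires -RunAsAdministrator

function Get-SmbExposure {
    # 1. Is the SMBv1 server protocol switched on?
    $smb1Server = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. Is the SMB1 optional component installed at all? (Windows 10 / Server 2016+)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1Feature = ($null -ne $feature) -and ($feature.State -eq 'Enabled')

    # 3. Which local addresses are listening on 139/445?
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object LocalAddress, LocalPort

    # 4. Is there an enabled inbound block rule covering 139 or 445?
    $blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            ($ports -contains '445') -or ($ports -contains '139')
        }

    [pscustomobject]@{
        Smb1ServerEnabled  = [bool]$smb1Server
        Smb1FeatureEnabled = $smb1Feature
        Listeners          = $listeners
        InboundBlockRule   = [bool]$blockRule
    }
}

function Get-SrvSysVersion {
    # MS17-010 replaced srv.sys. The fixed file version differs per OS build, so it is
    # not hard-coded here: compare the value against the file table in the MS17-010
    # bulletin for your OS, or scan the host remotely with nmap's smb-vuln-ms17-010 script.
    $path = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    if (Test-Path $path) { (Get-Item $path).VersionInfo.ProductVersion } else { 'srv.sys not present' }
}

function Disable-Smb1AndBlockPorts {
    param([switch]$AlsoBlockFirewall)

    # Turn off the SMBv1 server protocol; the setting persists across reboots.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the SMB1 optional component where it exists (Windows 10 / Server 2016+).
    if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }

    if ($AlsoBlockFirewall) {
        # The "only block ports 139 and 445" mitigation from posts 17/18, on every profile.
        # This also stops inbound file and printer sharing TO this host; SMB as a client
        # (mapping shares on other machines) is unaffected.
        New-NetFirewallRule -DisplayName 'Block inbound SMB (139,445)' `
            -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
            -Action Block -Profile Any | Out-Null
    }
}

# Usage (run elevated):
#   Get-SmbExposure
#   Get-SrvSysVersion
#   Disable-Smb1AndBlockPorts -AlsoBlockFirewall
```

Two caveats a practitioner should keep in mind: Get-SmbExposure only reports the local host's configuration, so a machine behind a NAT router with no port forwarding (the case post 18 describes) can show an open listener on 445 and still be unreachable from the Internet; and the reverse also holds, because WannaCry propagated between hosts on the same LAN, where the router is no protection and only the patch, the SMBv1 setting or the firewall rule matters.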
  19. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    351
    ...and Inbound, too. That's why I need not configure In access with my firewall. Except System or svchost. And NetBIOS, TCP/UDP inbound local ports, just in case.

    Robert
     
    Last edited: Jun 7, 2017
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,217
    Location:
    USA
    Knock on wood, but I have never had any infection i'm aware of, none that could be detected anyway. I think education goes a long way.
     
  21. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    Those firewall rules are not even necessary since I never have used SMB on any of my systems. You have to have SMB configured and use it in order to be susceptible to the long-reported risks with SMB. Those firewall rules are a secondary just-in-case protection.

    Because the vast majority of home users never use SMB is probably the reason that most of the vendors did not go to extraordinary lengths to protect against SMB in their home products. Today, after WannaCry, vendors are protecting against it because users are screaming for it without any real understanding - because the usual mantra is "The technicals do not matter, any security product must protect against everything and anything - even if our demands and expectations are not grounded in reality nor practicality."
     
  22. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    AppGuard LLC, Virginia, U.S.
    For anyone concerned about the recently reported CertLock malware that blocks the execution of security softs via disabled certificates, AppGuard prevents it from disallowing certificates - that is if the user allows it to run Guarded in the first place. Since most of you run in Locked Down mode, you do not need to concern yourself over CertLock even being installed on the system. If you run in Protected mode, then a digitally signed CertLock will launch, but will be blocked by AppGuard from tampering with certificates.

    CertLock is installed as a bundled software - which most of you already treat unknown installers like smallpox carriers and prevent bundle installs with your sharp eye.
     
    Last edited: Jun 8, 2017
  23. mood

    mood Registered Member

    Joined:
    Oct 27, 2012
    Posts:
    2,549
    CertLock malware is modifying registry keys in the tree: HKLM\SOFTWARE\Microsoft\SystemCertificates\
    AG is preventing Guarded Apps from doing these changes.
     
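The registry tree mood names above backs the machine-wide certificate stores, so a change CertLock makes there is visible through the Cert: drive as well. The following is an added example, not code from the thread or from AppGuard; it assumes that a vendor's signing certificate is blocked by placing it in the LocalMachine Disallowed store (my reading of "disabled certificates", which the thread does not spell out), and the baseline file path is made up.

```powershell
# Added example (not from the thread or from AppGuard): audit the Disallowed certificate
# store that sits under HKLM\SOFTWARE\Microsoft\SystemCertificates, and diff it against a
# baseline taken on a known-clean machine. Assumes Windows 8.1/10 with the Cert: provider.
# Assumption: distrusting a vendor's signing cert means adding it to the Disallowed store.
# The baseline path is made up for this example.

function Get-DisallowedCertSummary {
    # Cert:\LocalMachine\Disallowed is the provider view of
    # HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates.
    Get-ChildItem Cert:\LocalMachine\Disallowed |
        Select-Object Thumbprint, Subject, Issuer, NotAfter
}

function Get-DisallowedRegistryEntries {
    # Same store read straight from the registry, for when the Cert: provider is not
    # trusted or when correlating with a registry-monitoring alert.
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem $key | ForEach-Object {
        $blob = (Get-ItemProperty -Path $_.PSPath).Blob
        [pscustomobject]@{
            Thumbprint = $_.PSChildName          # subkey name is the SHA-1 thumbprint
            BlobBytes  = if ($blob) { $blob.Length } else { 0 }
        }
    }
}

function Compare-DisallowedBaseline {
    # First run on a clean machine writes the baseline; later runs return every
    # certificate present now that was not present then.
    param([Parameter(Mandatory)][string]$BaselinePath)

    $current = Get-ChildItem Cert:\LocalMachine\Disallowed
    if (-not (Test-Path $BaselinePath)) {
        $current.Thumbprint | Set-Content -Path $BaselinePath
        return @()
    }
    $baseline = @(Get-Content -Path $BaselinePath -ErrorAction SilentlyContinue)
    $current | Where-Object { $_.Thumbprint -notin $baseline } |
        Select-Object Thumbprint, Subject, Issuer
}

# Usage:
#   Get-DisallowedCertSummary | Format-Table -AutoSize
#   Get-DisallowedRegistryEntries
#   Compare-DisallowedBaseline -BaselinePath 'C:\baselines\disallowed.txt'   # made-up path
```

A new entry is not automatically malicious: Windows itself populates this store with Microsoft's published untrusted-certificate list, so check a new thumbprint against that list (and look at the Subject, which for CertLock-style tampering would be a security vendor's code-signing certificate) before removing anything. Watch Cert:\CurrentUser\Disallowed the same way, since a per-user entry blocks software for that account without touching HKLM.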
  24. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    351
    'Verve and Panache!'

    Robert
     
  25. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,296

    Not Appguard 5xx per se. If you want a trial, run AOL Tech Fortress for 30 days. After that, it's $3.99 a month.
     