Fileless malware detection

Discussion in 'other anti-malware software' started by aigle, Dec 3, 2014.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My approach to defense against these types of attacks is twofold: 1) Hitman Pro Alert, and 2) AppGuard. Between them, with a bit of overlap, they should prevent most of these attacks.

    Pete
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmm..... AppGuard. Now I am confused. How is it going to protect against this? AG is a policy-based sandbox and anti-exe, and it will not intercept it, I guess.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    MemoryGuard which prevents a guarded process from reading/writing to the memory of another process
     
  4. 142395

    142395 Guest

    Great, and as you say the results were expected, and still they can protect you from most if not all real in-mem malware AFAIK.
    The thing is, there's a hole which can't be filled by such an approach, so combining an anti-exploit will be good for that purpose.
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    This sentence is pretty confusing:
    "...but your saying that those exploits are designed to break out of the sandbox is wrong; the fact is sandboxes are not designed to protect against such exploits."
    So, if sandboxes are not designed to protect against all of these exploits, both the basic and advanced exploits that you mentioned above when you talked about Google Chrome, does it mean they would compromise the security of the real system even though the whole thing is happening inside Sandboxie or any other sandbox for that matter?

    Yes, Sandboxie does contain them, for example, but does it prevent all those exploits from getting to the real system, and what's the point if these exploits always succeed in what they always do: DoS attack, XSS, data stealing, etc.?

    But can Sandboxie, Google Chrome (both sandboxed and unsandboxed by/with Sandboxie) or any other sandbox and sandboxed web browser for that matter contain exploits like ROP, heap spray and all other memory exploits and all other exploits?
    I bet the answer is no.
    What's the point of having Sandboxie, or Google Chrome (both sandboxed and unsandboxed by/with Sandboxie) or any other sandbox and sandboxed web browser for that matter?
    It's completely useless when it comes to protection; this is why it's good to have MBAE, NoScript, etc. instead of Sandboxie or any other sandbox for that matter.
     
  6. 142395

    142395 Guest

    It's not a matter of advancement, but a matter of the type of exploit.
    Just accept the fact that there's no panacea in security, and the fact that there are really very many kinds of vulnerability.
    E.g. how does a sandbox protect against a crypto vulnerability which is in an encryption program such as TrueCrypt or in the encryption algorithm itself and allows an attacker to decrypt encrypted contents?
    You'll understand such a vulnerability affects the user's security much, but no AV or anti-exploit or sandbox is designed to protect against such a vulnerability.
    What you asked in the old post is almost about that: a sandbox is designed to contain code-execution exploits, which are just a small part of the whole exploit field IMO.
    If you want to protect yourself from different exploits such as XSS, CSRF, DNS rebinding, click-jacking, MITM by stolen cert, TLS vulnerability, or some other application design flaw (BTW you don't need to care about DoS, unless you have a server), you need a different approach or strategies.

    About the last question, it's a matter of word definition ("contain"), but yes, they contain all code-execution exploits unless the attacker breaks out of the sandbox, which requires an additional vulnerability and additional effort for the attacker. However, the point is, some attacks can be done even within containment, and in-memory malware is the case.
    As I already mentioned, REAL in-memory malware can be prevented by a well-configured HIPS or sandbox, but there are holes which can't be filled by the containment approach.
    This is a good reason to combine an anti-exploit. OTOH, a HIPS or sandbox can prevent other attacks than code-execution exploits. Of course NoScript too.
     
    Last edited by a moderator: Dec 10, 2014
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Sandboxie provides excellent protection from encryption-type malware, assuming it comes via a browser in a drive-by. For example: 1) If the browser downloaded something and it tried to run in the sandbox, it wouldn't be allowed to, due to start/run restrictions. But if it did run, it wouldn't be able to contact home because of the Internet access restrictions. But even with all that, say it ran and merrily encrypted all my files. My files wouldn't be overwritten on the real system; the encrypted copies would be written in the sandbox, and when the browser exited the sandbox would be deleted. Bye bye encrypted files, real files fine.

    Pete
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    CWS

    You have sweated and agonized over this sandbox issue. Fact is, I bet you can't find someone who was browsing in Sandboxie and who got infected. Relax and use SBIE and you will be safe. As to Chrome, I don't use it and don't intend to, so I can't speak to it.

    Pete
     
  9. 142395

    142395 Guest

    Sorry, my explanation was not clear. I was referring to a completely different thing from CryptoLocker-like malware.
    I'm referring to e.g. side-channel attacks, related-key attacks, or chosen-plaintext attacks. They are basically not relevant to code-execution exploits or even malware.
    I agree, SBIE is good enough to protect against almost all malware ITW.
    But if you want to protect against other threats than malware or code-execution exploits, it requires another strategy and knowledge. That's all I want to say.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What do they do, and how are they implemented?
     
  11. 142395

    142395 Guest

    To be honest, there are too many forms to explain one by one.
    But often, it occurs when the attacker has physical access to the PC.
    Remember it is not and shouldn't be game over for encryption programs; rather they should protect data in that situation unless the attacker knows the exact password.
    Those attacks enable an attacker who does not know the password to decrypt or read encrypted contents, or modify the data.
    It also can occur in encrypted communication and thus cause TLS vulnerabilities or Wi-Fi hijacking.
     
    Last edited by a moderator: Dec 9, 2014
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    Well, if the HIPS and the anti-exe can't detect the malware, but an anti-exploit can, which anti-exploit works with the HIPSs?
     
  13. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    I thought there were only 2, i.e. Malwarebytes and HitmanPro.Alert?

    Both have worked fine with Outpost and PrivateFirewall HIPS.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Definitely more than 2, you're forgetting EMET, ViRobot APT Shield, Crystal Anti-Exploit Protection, etc.
     
  15. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    Thanks JL, I forgot about EMET.

    I am not familiar with the other 2.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I guess you have three options:
    MBAE, HPA and EMET.

    I am using EMET with Defense Plus. MBAE works alongside Defense Plus too. I am not sure about HPA, as I got a BSOD with it on my system. But it looks like very interesting software and support is good.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok. Fileless malware versus HPA.
     

  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Fileless malware versus EMET.
     

  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Thank you for confirming with EMET, aigle.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I am happy as I use EMET.
     
  21. DX2

    DX2 Guest

    Can HMPA2 block this?
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Tested it on my XP/SP2 non-updated comp. Well, to begin with, the malware starts off as a file = phase.exe, which my anti-exe etc. ProcessGuard blocked. I allowed it & PG then blocked another .exe, which I also allowed. Zemana then blocked code injection, which I allowed.

    Nothing happening via Task Manager, so I checked with AutoRuns & nothing new there. I discovered that PG had already auto-blocked the code injection into Explorer that I allowed through Zemana.

    Anyway, as it had been game over for the nasty from the start, I didn't bother going any further!
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I did a quick search for discussion of the attack vectors for some of this type of malware, and found two. Is anyone aware of other intrusion methods (other than exploiting an Internet Explorer vulnerability)?

    thanks,

    -rich

    Angler exploit kit
    http://www.securityweek.com/malware-injected-directly-processes-angler-exploit-kit-attack
    Poweliks: the persistent malware without a file
    https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html
     
    Last edited: Dec 9, 2014
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You can't test a fileless malware using dropped/captured files. Dropped files will be intercepted by HIPS. On the other hand, PG and Zemana will fail without a peep against any true fileless malware.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    The two are a bit different.

    The first is really fileless, with nothing written to the hard disk, and doesn't survive a reboot. The 2nd one writes into the Windows registry and survives a reboot.
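    Since the second variety persists only in the registry, one defensive check is to enumerate the autorun keys for entries that launch a script host or that don't point at a program actually present on disk. This is an added PowerShell example, not code from the thread or from any product named in it; the key paths and the list of script hosts are assumptions chosen for illustration.

```powershell
# Added example, not code from the thread or from any product named in it.
# Lists autorun registry entries that either launch a script host or whose
# program cannot be found on disk: the persistence pattern of registry-resident
# malware such as the Poweliks case linked earlier in the thread.
# The key paths and the script-host list below are assumptions for this example.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Interpreters that can execute code taken straight from a registry value.
$ScriptHosts = @('rundll32', 'mshta', 'powershell', 'wscript', 'cscript', 'regsvr32')

function Get-SuspiciousAutorun {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$regKey.GetValue($name))
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            # The first token of the command line is the program being launched.
            $program = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+', 2)[0] }
            $baseName = [IO.Path]::GetFileNameWithoutExtension($program).ToLowerInvariant()
            $isScriptHost = $ScriptHosts -contains $baseName
            # Absolute paths are checked directly; bare names are resolved through PATH.
            $onDisk = (Test-Path -LiteralPath $program) -or
                      [bool](Get-Command -Name $program -CommandType Application -ErrorAction SilentlyContinue)
            if ($isScriptHost -or -not $onDisk) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Command = $cmd
                    Reason  = if ($isScriptHost) { 'script host launched from autorun' } else { 'program not found on disk' }
                }
            }
        }
    }
}

Get-SuspiciousAutorun | Format-List
```

    Entries flagged as script hosts are worth reading in full, since a legitimate product can also use rundll32 or wscript; the value is the shortlist, not an automatic verdict.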
     