Is Antiexecutable enough or good enough against Viruses.

Discussion in 'other anti-malware software' started by pinso, Feb 6, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Good article.

    As it points out it can stop plenty (though frankly I think they give it a bit too much credit for a few of those situations) and it can also be circumvented - if you exploit any whitelisted program (what else would run?) the attacker has everything they need right there.
     
  2. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Here's a nice demo that can bypass both blacklisting and whitelisting security layers, even a tightly configured classical HIPS...

    Shellcodised backdoors (fratus or parsifal) running entirely in the memory of a trusted process like Internet Explorer, for e.g...

    http://benjamin.caillat.free.fr/ressources/backdoors/videos_en/attack_presentation.avi

    The white paper... http://www.blackhat.com/presentatio...t-Europe-09-Caillat-Wishmaster-whitepaper.pdf

    An alternative to this method is the VNC and meterpreter shells (dlls running entirely from memory) from Metasploit. Since those dlls are not written to disk, even if a classical HIPS or AE2 is configured to block loading of non-whitelisted dlls, those will not be blocked.
     
    Last edited: Feb 13, 2012
  3. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    On my other computer all I run is Faronics Anti-Executable and Sandboxie. If I decide to download anything I'll just do a quick check with Dr.Web LinkChecker.
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    There are many hyped up threats, for instance user land is allowed to load printer drivers, etc.

    Either you try to cover all the attack vectors (like Comodo) or apply a deny execute (like AE). Injected dlls are also new dlls. What remains is side by side memory intrusions. I think AE also calculates the valid memory hash in some form; changing it would make it a new executable. AppGuard applies a deny execute of threatgates plus memory protection and that is also very effective (while in theory less restrictive than AE).

    One can staple a lot of theoretical threats, PoC's and exploits, but I also use a car or an aeroplane while I know I have a chance of crashing. There are many ways for effective protection.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Therefore, you drive without the seat-belt. My brave man! :D :D ;)

    You realize that crap that happens, regardless of their nature, humans never considered the chance they could happen, and therefore disregarded any protection/preventive measures that could have mitigated such risks? ;)

    Someone did think that this planet we call Earth was square. They couldn't be more wrong. *puppy*
     
  6. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I don't see these much hyped threats as the norm either. I presented these in the context of targeted attacks, especially on company networks with juicy trade secrets, for e.g., or in state sponsored hacking.

    I think aigle complained about the difficulty in configuring HIPS (like those built into Comodo) to catch those theoretical malicious dlls loaded by an lnk exploit, such as in Stuxnet, for e.g. And that dll touches the disk or is written to disk. You can configure a very restrictive classical HIPS to prevent that. Yes, you can have them prevent memory intrusions and apply the hash rules.

    But the dll loading from memory as presented by Didier Stevens and the xored reflective dll injections by Metasploit will be difficult to detect and are not even registered, so Process Explorer and some antirootkits, for e.g., will not even detect those dlls. I tried the demo xls of D. Stevens and it bypassed almost every classical HIPS, even with memory protections.

    Not spreading any FUD, but these memory intrusions are very easy to prevent by adding various security layers like EMET, NoScript, disabling VBA macros, etc.

    And of course, you can just restart the targeted browser to kill that rogue memory thread or injected dll. These attacks are non-persistent. To be persistent, an executable has to be installed, and any whitelisting will catch that. But if during memory attacks the passwords and other data are keylogged and stolen, then the attack succeeded. But then again, in my testing of the memory cmd dll of Didier Stevens it couldn't read or access my files due to my tightly configured classical HIPS, and obviously in the event it tried to connect out and do a reverse shell, it would not be successful because of the application firewall.

    For five years I have been malware free even without an AV and with just those security layers like whitelisting.

    And as I have said in post #25 of this thread, AE is good enough against viruses. :thumb:
     
    Last edited: Feb 14, 2012
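    The two posts above (trismegistos, posts #2 and #6) make the same point from different sides: an anti-executable or HIPS that gates files at load time never sees a reflective DLL or a Meterpreter stage that only ever exists in the memory of a whitelisted process, and tools that walk the loaded-module list miss it too, because nothing was registered. The check that does see it is a scan of the process's memory regions for executable code with no file behind it. The script below is an added example, not code from this thread or from any of the products named in it. It parses the Linux /proc/<pid>/maps layout (the Windows equivalent is VirtualQueryEx, looking for MEM_PRIVATE regions with an executable PAGE_* protection, which this example does not implement); the sample map, the process name and the payload bytes are all constructed for illustration.

```python
"""Added example: find executable memory that is not backed by a file on disk,
the footprint of in-memory backdoors, reflective DLLs and Meterpreter stages.
Region format is Linux /proc/<pid>/maps; the sample below is constructed."""
import re
from dataclasses import dataclass

# One maps line: start-end perms offset dev inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel pseudo-mappings that are legitimately executable without a file.
_BENIGN_PSEUDO = {"[vdso]", "[vsyscall]"}

# Magic bytes at the start of an image that a reflective loader usually leaves in place.
IMAGE_MAGIC = (b"MZ", b"\x7fELF")

# Constructed sample for a hypothetical browser process (not real data).
SAMPLE_MAPS = """\
55d0c3a00000-55d0c3a10000 r--p 00000000 08:01 1310721 /usr/lib/firefox/firefox
55d0c3a10000-55d0c3c00000 r-xp 00010000 08:01 1310721 /usr/lib/firefox/firefox
7f2a40000000-7f2a40021000 rw-p 00000000 00:00 0
7f2a41000000-7f2a41400000 rwxp 00000000 00:00 0
7f2a42000000-7f2a42004000 r-xp 00000000 00:00 0
7f2a43000000-7f2a43200000 r-xp 00000000 00:05 2048 /memfd:payload (deleted)
7ffd1e5c0000-7ffd1e5e1000 rw-p 00000000 00:00 0 [stack]
7ffd1e5f0000-7ffd1e5f2000 r-xp 00000000 00:00 0 [vdso]
"""


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str  # "" for anonymous mappings

    @property
    def size(self):
        return self.end - self.start


def parse_maps(text):
    """Parse /proc/<pid>/maps text into Region objects; unparseable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                                  m["perms"], m["path"].strip()))
    return regions


def is_file_backed(region):
    """True only for a mapping of a file that still exists on disk. A
    '(deleted)' suffix (unlinked file or memfd) means nothing on disk to hash."""
    return region.path.startswith("/") and not region.path.endswith("(deleted)")


def suspicious_regions(regions, min_size=0x1000):
    """Executable regions with no on-disk file behind them, plus any
    writable+executable region, which a loaded image never needs."""
    hits = []
    for r in regions:
        if "x" not in r.perms or r.path in _BENIGN_PSEUDO or r.size < min_size:
            continue
        if not is_file_backed(r) or "w" in r.perms:
            hits.append(r)
    return hits


def looks_like_image(head):
    """Does a region start with a PE or ELF header? Distinguishes a reflectively
    loaded module from JIT code, which is the main benign source of rwx memory."""
    return any(head.startswith(magic) for magic in IMAGE_MAGIC)


def scan_live(pid):
    """Linux only: scan a running process (needs ptrace-level access to it)."""
    with open(f"/proc/{pid}/maps") as f:
        hits = suspicious_regions(parse_maps(f.read()))
    out = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for r in hits:
            mem.seek(r.start)
            out.append((r, looks_like_image(mem.read(4))))
    return out


if __name__ == "__main__":
    for r in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{r.start:#x}-{r.end:#x} {r.perms} {r.size:#x} {r.path or '<anonymous>'}")
```

    On the constructed sample this flags the anonymous rwx region, the anonymous r-x region and the deleted memfd mapping, and leaves the file-backed browser image, the heap, the stack and the vDSO alone. On a real browser the JIT will produce anonymous executable regions too, which is why `looks_like_image` is there: a reflective DLL normally keeps its MZ header, JIT pages do not, so baseline per process and escalate on headers rather than on rwx alone. Note the caveat from post #6 still stands: this detects a running implant, it does not prevent it, and restarting the process removes it unless something on disk was also dropped.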
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I wrote that there are many effective ways of protection. I did not write to use no protection. So what is this comment based on?

    Also, the square versus round discussion was some time ago, as I believe the evolution theory was too. Both discussions have in common that they were between science and religion. The common factor with security is that it is dogma versus ratio. With too much anxiety/paranoia a side switch is easily made.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Agree
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My point is that I understood you were trying to minimize these theoretical threats, PoCs or exploits. Something stops being theoretical once it stops being just a theory, and someone comes up with ways to actually put it into practice. Whether we'll see it become mainstream, I have my doubts, because there are easier decoys out there to catch home users.

    You did say that there are effective ways to protect, and the reason for that is that someone did see those theoretical threats as a problem that could very much become real. This doesn't mean they aren't happening now, in targeted attacks. Just because you can't see something, it doesn't mean it isn't there.

    Whether it was a long time ago, or it was between science and religion, that's really way beside the point. The point I tried to make is that, at a given moment humans think they're right, and at a later moment, crap happens - they were wrong about it.

    Maybe I could have pointed a different one. Quite a few years back no one, with the power to do something about it, believed it was possible for violent crimes to escalate in our country. Now, we're in a day and age where policemen themselves are afraid of the criminals. Why did this happen? Reactionary approach, instead of thinking ahead of the time.

    Why are malware authors always ahead? I'm pretty sure that at the very beginning no one even considered the remote chance that all this malware thingy would become a profit and would proliferate malware in such a way, that antivirus would be doing a very lousy job at protecting users.

    Yes, Kees1958, we have now effective ways of protecting against these threats, but if everyone were to minimize these theoretical threats, then we wouldn't have such protection, would we?

    Which was what I felt you were trying to do with One can staple a lot of theoretical threats, PoC's and exploits, but I also use a car or an aeroplane while I know I have a chance of crashing.

    Once we start seeing these theoretical threats coming after the home users, then maybe we'll see mainstream applications that will protect them. I'm not talking about geek tools. ;)
     
    Last edited: Feb 14, 2012
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Okay, shoot me :p I am probably too optimistic.

    Since Vista there is a proper operating system for most PCs. Windows 7 replaced heaps of XP installs, so most people have better security.

    Chrome made its entry. Besides PCs there are now many tablets and smart phones. Those devices started with reasonably secure OSes. Also the availability of apps increases security, because one does not access one's web hangouts from the public highway (the browser), but from dedicated apps, reducing the chances of interception and deception on the route from end user to web based service supplier.

    Most banking corporations demand a calculated token (PPI). There are freeware options to deal with browser/man in the middle attacks. Free antivirus options have increased enormously. Most cable companies/ISPs are rolling out digital services, increasing the number of routers/firewalls in households.

    I would call these changes improvements.
     
    Last edited: Feb 14, 2012
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's nothing wrong with being too optimistic. :D I think fatality is present in my genes... :D

    And, that was my point. But, it took quite a while for someone, in Microsoft, with a vision to figure it out - that there was an actual problem that had to be dealt with.

    It was only with Windows Vista that Microsoft finally understood there was a problem with running as a full-blown Administrator. And, although some already consider Windows Vista to be an ancient operating system, it isn't that old.

    And, those are all great and welcome improvements.

    But, these improvements will eventually make attackers have to resort to other measures.

    For instance, Windows 8 will expand SmartScreen Filtering to Explorer, and many more improvements. The more control the user can have over what can run and execute in their systems - I'm referring to the disk itself - then the way attacks are carried out will change over time. When will that happen? Probably not any time soon. But, it wouldn't hurt to think ahead of the time, though. :D

    :thumb:
     