New Radamant Ransomware Kit

Discussion in 'malware problems & news' started by itman, Dec 20, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I already understand; you're probably using Bouncer, but that's what I like about EXE Radar: there is no need to monitor individual folders. If you're not on the whitelist, you can't run.

    OK I see, but that's another topic. I was talking about malware running from system folders, that's what I meant with "system space".
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    It's Jetico PFW. I like to monitor in case it's a harmless and even necessary action.

    It's usually a temp directory, of course, but I've had to create some bizarre Path rules, for example...

    Code:
    C:\Users\Admin1\AppData\Local\Adobe\AIH.*\install_flash_player_ax.exe
    ... otherwise I'm spending too much time micro-managing legitimate installer actions. Lately I've been drifting away from this kind of nanny-state control, opting instead to simply restore a clean, recent working image if ever needed, which so far has only been required because something broke rather than because of malware. I'm now just sticking with simple whitelisted AppLocker Publisher and Path rules on Windows. On Linux, nothing at all other than browser hardening via sandboxing and script control. I'm the only user on Linux, but there are carefree family members using Windows, so I need to exercise a bit more diligence, thus the AppLocker lockdown approach.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I don't get it; why did you need to add these folders? A HIPS or anti-exe will alert about apps no matter where they are launched from, unless it's a legitimate system file.
     
    Last edited: Dec 31, 2015
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    First, check the HIPS or anti-exec default rules for which folders it is monitoring and what is being monitored. ESET's HIPS, for example, will by default allow program startups anywhere.

    Actually, the most critical monitoring is where files can be created and by whom. If the file doesn't exist, it can't be executed.
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    So I wouldn't be bothered by future legitimate Flash installer attempts in these locations and elsewhere.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I think I misunderstood; these folders are monitored for file creation, correct? Personally I don't see the need for it, because it's often too hard to know whether file creation is legit or not. But if you do have the knowledge, then why not.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    Yes, legitimate file creation. It's why I wrote rather specific Path rules, to significantly reduce the chances a rogue Flash installer could execute there. I chose Path rules in some cases because both Publisher and File hash rules were not feasible in those cases. File hash rules are a nuisance when the file is always changing due to regular updates, and Publisher signatures are not always attached to these update files. I like to allow Adobe to check and alert me to available updates, then I manually launch them. I also had firewall rules allowing the updater to check only Flash remote IP addresses. Overkill, I know, so I no longer bother with these extreme measures.
     
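The AppLocker Publisher-versus-Path trade-off that wat0114 describes in posts 3 and 8 can be checked directly before a policy is enforced. The following is an added example for this thread, not code from any poster or from Microsoft: it derives a Publisher rule from the signed Flash installer, writes a Path rule with the same `AIH.*` wildcard as the Jetico rule quoted above, and runs both through `Test-AppLockerPolicy` against the real installer and against an unrelated binary copied into a matching `AIH.*` folder to stand in for a rogue installer. The installer path, the `AIH.rogue` folder name and the use of `calc.exe` as the stand-in are hypothetical; the script assumes a Windows 8 or later host with the AppLocker module and that the installer exists and is Authenticode-signed.

```powershell
# Added example (not from the thread): compare an AppLocker Publisher rule
# with a wildcard Path rule for the Flash installer, without enforcing either.
# Assumptions (hypothetical): the installer path and AIH.rogue folder below,
# calc.exe as a stand-in rogue binary, AppLocker module available.
Import-Module AppLocker

$installer = 'C:\Users\Admin1\AppData\Local\Adobe\AIH.1234abcd\install_flash_player_ax.exe'  # hypothetical

# 1. Publisher rule, derived from the installer's Authenticode signature.
#    New-AppLockerPolicy emits an open-ended version range, so the rule keeps
#    matching after Adobe ships a newer build (the problem with hash rules).
$info = Get-AppLockerFileInformation -Path $installer
if (-not $info.Publisher) {
    throw "Installer is not signed; a Publisher rule is impossible here, fall back to Path or Hash."
}
$publisherPolicy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'Flash' -Xml

# 2. Path rule, hand-written so the folder component can be a wildcard.
#    %OSDRIVE% and '*' are AppLocker path syntax; S-1-1-0 is Everyone.
#    AuditOnly keeps this from blocking anything if it is ever imported.
$pathPolicy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Flash installer (AIH.* path)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\Adobe\AIH.*\install_flash_player_ax.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$work = Join-Path $env:TEMP 'applocker-compare'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$publisherPolicy | Set-Content -Path (Join-Path $work 'publisher.xml')
$pathPolicy      | Set-Content -Path (Join-Path $work 'path.xml')

# 3. Stand-in rogue installer: an unrelated, non-Adobe binary dropped into a
#    folder that satisfies the AIH.* pattern. AppData\Local is user-writable,
#    so anything running as this user can create exactly this layout.
$rogueDir  = 'C:\Users\Admin1\AppData\Local\Adobe\AIH.rogue'   # hypothetical
$rogueFile = Join-Path $rogueDir 'install_flash_player_ax.exe'
New-Item -ItemType Directory -Force -Path $rogueDir | Out-Null
Copy-Item -Path "$env:SystemRoot\System32\calc.exe" -Destination $rogueFile -Force

# 4. Evaluate both policies against both files. Expected outcome:
#    publisher.xml -> installer Allowed, rogue copy DeniedByDefault
#    path.xml      -> both Allowed (the path rule cannot tell them apart)
$candidates = @($installer, $rogueFile)
foreach ($policyFile in 'publisher.xml', 'path.xml') {
    Write-Host "--- $policyFile ---"
    Test-AppLockerPolicy -XmlPolicy (Join-Path $work $policyFile) -Path $candidates -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule |
        Format-Table -AutoSize
}

# Clean up the stand-in so it does not linger in a user-writable folder.
Remove-Item -Path $rogueDir -Recurse -Force
```

`Test-AppLockerPolicy` only evaluates the XML, so nothing here changes the machine's policy; to enforce the Publisher rule you would run `Set-AppLockerPolicy -XmlPolicy <file> -Merge` in an elevated session with the Application Identity service running. The point the comparison makes is the one behind wat0114's remark that a Path rule can only reduce the chance of a rogue installer running: a path condition is satisfied by any file that lands at that path, and `AppData\Local` is writable by the same user whose downloads you are worried about, whereas a Publisher rule is satisfied only by a binary Adobe actually signed.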