NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. guest

    guest Guest

    Terminology used in OSA is marketing shortcut to make things simpler for the masses.
    Same as using the term "anti-virus" instead of "anti-malware" (which is what AV became, they aren't just AV anymore)

    Easier to describe "anti-exploit" than "post-exploitation tool"
     
  2. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    I get it I'd just prefer a more technical explanation rather than the condom concept. Cerber uses process hollowing, but Osa or ERP would stop it. Wasn't talking about fileless although Nvt wouldn't be completely useless, imagine a new process being sprawned as a result of the attack, nvt products can see it, you can see it being blocked and noticed something unusual happens, so you take it from there. Its post factum, but it doesn't make osa useless. Also protecting registry settings you get rid of fileless mimikatz thanks to appropriate Policy rules, locked down by Nvt?
     
    Last edited: Jun 4, 2019
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    @guest can you give us a typical malware example to illustrate your point, rather than speaking in allegories?
    For instance, a weaponized Word document tells Winword.exe to spawn svchost.exe (not blocked by NVT EXE Radar Pro) and then tells svchost to load a malicious dll.
    Or a weaponized Word document tells Winword.exe to spawn explorer.exe (not blocked by NVT EXE Radar Pro) and then injects malicious code into explorer.
    I don't know how realistic these examples are, but maybe you can give us a real example from real malware, to demonstrate your point?
     
  4. guest

    guest Guest

    @shmu26

    malicious DLL loaded using API instead of rundll32.exe.

    Good enough for you?
     
  5. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    Thanks guest, this is an interesting case
     
  6. guest

    guest Guest

    You are welcome. :)
     
  7. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    I can see Autoit is used to load .dll , when I can sit on my computer I will check it, I am not a hacker just a hobbyst
     
    Last edited: Jun 3, 2019
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    In any case, malware needs an entry point. An updated OS with secure software and a good anti-exe will, in most cases, deny an entry point to malware of all types.
     
  9. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    He is talking all the time about fileless ,ie some external attack from the browser or live hacking? I was referencing drive based exe with process hollowing capabilities like cerber ransom, which I thought you should be safe from. Turns out I have to study some more on it. let me get this straight, you execute the exe, which has threads suspended but it injects code (or HIV:) despite this ?@guest
     
    Last edited: Jun 3, 2019
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    1 Fileless attacks via browser are almost non-existent nowadays, except for targeted attacks via Internet Explorer.

    2 There are 2 main attack vectors nowadays: weaponized docs and executable files. If you have an updated OS with secure software and a good anti-exe, you are protected from both.
    Even if you use vulnerable software like MS Office or Adobe Reader, a good anti-exe will stop typical, common attacks.
     
  11. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    yes but he is talking as if OS armor or ERP was indeed a defective condom, against process hollowing that is, despite Andreas telling me the inmemory still must be executed on drive (we are not discussing fileless attacks scenario now, at all) as if the malicious code still injects even if the threads are in suspended state (in other words you execute the exe which is stopped but its still injects?), I need to study this since I am extremely confused right now and guest is gone
     
    Last edited: Jun 3, 2019
  12. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    If the exe file is prevented from starting up, it cannot inject or do anything else good or bad. This is exactly the point I was harping on. Malware needs a starting point: either an executable file or a weaponized doc/media file.
     
  13. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    then I don't know what this discussion originated from, anyway i appreciate the hint from guest (missing sources which would help me understand, but I found new interesting books thanks to him)
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    I think that guest objected to the way the concepts were stated. I am speaking from a more practical perspective: malware needs an entry point. If you deny an entry point, you are secure.

    The example guest gave was calling into an API in order to load a dll. If a malicious exe was blocked from starting up, it cannot call an API.
     
  15. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    so something like man-driven attack with live connection (hacking) or some sort of autorun from remote locations like a webserver (is that it?), you can see this is getting complicated very fast
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    There are sophisticated network attacks, but they mainly affect a corporate environment, they are not so relevant to home users.
     
  17. guest

    guest Guest

    Exactly, i didn't said OSA was a weak soft, if it was i won't use it right now.
    I simply objected the way @lucd described the mechanic, it is because people are doing quick amalgams that forums are polluted by erroneous infos that become "truth" for the non-initiated.
    Sure a Volvo (anti-exe) and a formula 1 (anti-exploit) are both cars (anti-malware), but they have different purposes,


    you also have embedded malicious code, metasploit stagers using ReflectiveDll (delivered by browser exploit) embarking their own meterpreters without needing the ones in the system, etc... you can Google all this.

    of course, Average Joe probably won't cross such type of attacks, but im not here to talk about Average Joe-targeted malware which performs on-disk.
     
    Last edited by a moderator: Jun 3, 2019
  18. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    Embedded malicious code needs an entry point. The user must execute a file, or load a malicious doc/media file in an exploitable program. Do you know another way, besides browser exploits, which are extremely rare?
     
  19. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    I don't see where I made an error, you are stuck on nuances, we both agreed on what shmu26 said at the end. I did my research, I was discussing file execution from drive being stopped, thus preventing some malware escaping VMs that have inmemory attack model to do that (but executed from drive), and to be honest I was 100% quoting Andreas because I asked him directly about exes with process hollowing and what can I do to protect my VM, you were discussing network attacks. But maybe you like to bash a little bit from time to time and quote condoms. I don't mind since I learned something from you (thats better than nice people that know nothing) but lets move on.
     
    Last edited: Jun 3, 2019
  20. guest

    guest Guest

    what i only said is : Anti-exes aren't anti-exploits, LOLbins aren't exploits, is it so complicated to understand this?
     
  21. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    yes I got that at about 7.13 AM, we were talking about two completely different topics right from the start. to me this is a all very simple, if you are a target of a hacker you're doomed at any rate, it doesn't matter what you have its only a matter of time, thats why discussing "passive" malware on disk (what home user need to be worried about), no live connections with metasploit, no anything of the sort, for that you need an Incident Response Team CSIRT/Security Operation Centers SOC, I was discussing flu but you started with HIV
    an anti-exploit then like Excubits Mem protect then+firewall+prey God+luck
     
    Last edited: Jun 3, 2019
  22. guest

    guest Guest

    if you dont grasp what i said, then there is nothing i can do, sorry.

    so any default-deny solutions is enough, i dont even bother wasting my time for that, i talked about serious stuff that classic solutions may fail to protect, not basic ransomware and other "click-to-be-infected" files.

    My intervention was about the words used, i saw the wrong ones used to qualify/describe something totally different.
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,351
    @guest I think that your attempt to correct what you perceived as a misunderstanding has generated mega misunderstanding :)
     
  24. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    194
    Location:
    Poland
    guest I already thanked you for that information, and I think I grasped the concepts. You were discussing serious and important matter.Please tell me more about it. I bought some books on it. Try to give sources of information (so ppl can learn but ofc only if you have time) instead of bashing forum noobs. You claim then OSA is always useless for these scenarios? Best regards
     
    Last edited: Jun 4, 2019
  25. guest

    guest Guest

    @lucd google: stagers, reflectiveDll, powerpick, download cradle, powershell empire, etc...

    Also, research about exploitation VS post-exploitation, LOLbins, etc..

    Most of all, don't correct/state unless you got the facts straight, then you will avoid the bashing.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.