Trapmine

Discussion in 'other anti-malware software' started by KaptainBug, Jan 28, 2015.

  1. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Of course I was aware of the fact that Poweliks only resides in the Registry. But there is a difference between diskless *malware* and diskless *infection*.
    Diskless infection could also mean that an executable would simply be injected directly into iexplore.exe, etc. and you don't specifically need a Poweliks for that.
    Link: http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
     
  2. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    that's bedep...
     
  3. om4gsec

    om4gsec Registered Member

    Joined:
    May 12, 2015
    Posts:
    2
    I wanted to try their app, but the Buy Now button doesn't work on the website. I couldn't join their beta testing program either. Did they choose beta testers from this Wilders forum? How do they choose beta testers?
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Yes exactly.

    Does Bedep work from inside the exploited process, without starting a separate process, and without dropping files to disk?
     
  5. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Yes.

    However, it also can directly create files for persistence (dll) or attack the Windows scheduler. From there, the dropper-like features normally grab more payloads.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Do you perhaps have a link? I couldn't find the info where this stuff is described.
     
  7. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    FYI: Checkout seems to be working now (at first sight, haven't tried to buy it).
     
  8. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
  9. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    They have posted a new video on YouTube in which they are comparing Trapmine with AppGuard, but I don't know whether a calculator is a very suitable payload for this comparison...

    (https://www.youtube.com/watch?v=ZA8krcekVGQ)
     
  10. om4gsec

    om4gsec Registered Member

    Joined:
    May 12, 2015
    Posts:
    2
    Last edited by a moderator: May 13, 2015
  11. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    No, it's not.

    Calculator is located in protected system space and thus allowed to run by policy. Usual disk-based payloads are written to non-protected areas and thus would not be permitted to execute. Further, several of AppGuard's other layers were not shown, which are specifically effective against fileless malware. Since calculator was launched by IE, it would have inherited its guarded status (and possibly privacy mode, if enabled). In addition to that, IE would not have been able to write to the memory of other processes, and neither would calculator, because of the guarded status inheritance. Hence even fileless malware would have been contained inside either the compromised process or its child process, and its ability to establish a persistent infection or exfiltrate data (depending on the configuration of privacy mode) would have been severely limited.

    This video is very misleading in my opinion and I think less of them putting something like this online.
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Last edited: May 16, 2015
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Wow, this is some aggressive marketing. What they are trying to say is however true: apps that use the "anti-executable" method as exploit protection cannot protect against advanced file-less (in-memory) exploit attacks. With that I mean, they can't stop the payload from running. AppGuard however has the ability to mitigate the risk with its isolation capabilities, sort of like Sandboxie.
     
  14. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Well, most vendors are putting effort into showing the effectiveness of their products. (Hint: "Exploit prevention comparison" on http://www.surfright.nl/en/alert ;)) Personally I don't care, I will just run some POC code to check whether mitigation software is able to stop payloads.

    Furthermore, they are just launching calc.exe, so I do not think that they are trying to say that only running an anti-executable is enough.

    As a side note:
    Also Trapmine is not flawless, but the anti-ROP functionality should be comparable to that of EMET, MBAE, etc. (most of the ROP tests available in the HMPA Test Tool can be blocked). And the usage of 100-150 MB RAM for the main process is quite a lot.
     
  15. Celil

    Celil Registered Member

    Joined:
    May 14, 2015
    Posts:
    2
    Hi Dear Wilders Members,

    We believe that all these applications have good capabilities to protect end users from cyber threats! Of course, every product has some strong points and weak points. Nobody is perfect.

    The reason behind posting a video about AppGuard was their product sheet. They were claiming they have patented exploit prevention techniques. Actually, we just wanted to show that they are not anti-exploit software. We wanted to point out that it's a kind of anti-exe solution and anti-exe solutions are not always enough to block exploits alone.

    Anyway, we've deleted the video about the comparison between Trapmine and AppGuard. We think it causes some misunderstanding. Our aim is not slandering any vendor or product. All security companies are aiming to make the internet a safer place. Thus, we support and appreciate all the good work in this field. Hitman, MBAE, AppGuard and all other vendors do their job very well. There is no doubt about this.

    Regards,

    - Celil
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Celil

    Can we assume you are with Trapmine?

    And if so welcome to Wilders.

    Pete
     
  17. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    I fully agree that only an anti-executable is not enough and I am fine with showing this in a video. AppGuard however is not a mere anti-executable. It has policy-based anti-executable capabilities, but aside from that, it also has MemoryGuard, Guarded Execution and PrivacyMode. These features are relevant when in-memory malware tries to fulfill its purpose, and just launching the calculator does not mean these features have failed as well.
     
  18. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
  19. Celil

    Celil Registered Member

    Joined:
    May 14, 2015
    Posts:
    2
    Hi Peter, yes I am a part of Trapmine Team. Thanks!
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Actually that was poor wording on my part. Even if you weren't part of the team it is still a welcome to Wilders.
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "I wanted to try their app, but the Buy Now button doesn't work on the website. I couldn't join their beta testing program either. Did they choose beta testers from this Wilders forum? How do they choose beta testers?"

    I think they did.

    I also tried joining a few months ago and also tried asking a few questions, but never did hear back a word. Then I thought ok, I will buy it and check it out, but the buy option didn't work and then I wondered why. Didn't seem important enough to make any sales at the time.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Nice of you to drop by! And now I understand why you posted the video. There is indeed a difference between apps like for example AppGuard and VoodooShield and "anti-exploit" tools which make use of advanced "memory corruption mitigation" techniques. I also had some lengthy discussions about this subject on this forum.

    Yes, they all have their strengths and weak points. I hope in the future you will release a consumer version, but I understand why you haven't done so: there's more money in the corporate market, plus you get fewer support requests.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Correct, I didn't really mind it, it's perfectly normal, but I didn't expect them to open the "attack".
     
  24. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Commissioning an exploit prevention comparison is also a sort of "attack". I can't blame any party; as long as a product works it's okay, I suppose. That's what marketing is all about. I am sure that most people are able to understand that *every* company employs marketing techniques and that marketing does not involve commending software of competitors.
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Their buying page still doesn't work. It automatically makes you buy a 3-package deal. What a joke.
     