hjlbx Posted December 8, 2014
Does BB protect against file-less (memory-only) infections? Example here: https://blog.malwarebytes.org/exploits-2/2014/09/fileless-infections-from-exploit-kit-an-overview/ Thanks, hjlbx

INeedAMedic Posted December 8, 2014
Behavior Blocker, aka BB, is used to prevent zero-day threats from being executed and installed on your computer. Behavior Blocker can also be used as banking protection as well. But to your question: what do you mean by file-less infection? Do you mean like a legitimate file or an adware file?

Peter2150 Posted December 9, 2014
This needs to be answered by Emsisoft staff. If one doesn't know what a fileless infection even is, you can't begin to answer the question.

Fabian Wosar Posted December 9, 2014
We recently started updating both our scan engine as well as the behavior blocker to account for file-less infections. At the moment they won't be detected properly, unless they eventually try to establish persistence on a user's system.

hjlbx Posted December 9, 2014 (Author)
Hello Fabian, I know you and other staff are hard at work making improvements...always... It inspires confidence... As I already have an "Anti-Exploit" solution installed my system should be reasonably well protected. I just wanted to ask simply because if EIS already provided such protection then there is no need to have additional solutions installed; keep it simple... Many Thanks, hjlbx

Guest Tempus Posted December 10, 2014
Tempus service,.... For those who want to know more about fileless infections: Fileless Infections from Exploit Kit: An Overview ....hope it can be useful. Regards, Tempus

Fabian Wosar Posted December 10, 2014
The best "anti-exploit" you can buy in my opinion is Secunia PSI or one of the many other tools that help you keep track of which applications you have installed and whether or not there are updates available for them. If there is no vulnerable software version to begin with, there is no need for any kind of anti-exploit.

cutting_edgetech Posted December 17, 2014
Actually there is not always a patch for vulnerable software, so keeping your software up to date does not guarantee you are safe from exploits. Exploits can go unknown for some time before being patched. Even when an exploit is discovered it is not usually patched right away. Sometimes an exploit is not patched for months after being discovered.

Fabian Wosar Posted December 19, 2014
> Actually there is not always a patch for vulnerable software, so keeping your software up to date does not guarantee you are safe from exploits. Exploits can go unknown for some time before being patched. Even when an exploit is discovered it is not usually patched right away. Sometimes an exploit is not patched for months after being discovered.

If you are important enough that someone would be willing to spend tens of thousands of US dollars on a reliable zero-day exploit to get your system infected, this naturally won't help you. However, that simply isn't a case that any normal home users should be concerned about.

hjlbx Posted December 19, 2014 (Author)
Hello cutting_edgetech, These are the measures I take to minimize any potential "Exploit":
1. Use alternatives to Adobe products (Flash, Reader, Acrobat,..)
2. Use alternatives to Microsoft products (Word, Excel, Outlook, Windows Media Player,...) Note: IE11 is the exception here as EAM/EIS provide protections
3. Do not install/uninstall Oracle's Java or, especially, Java Runtime Environment (JRE)
4. Use an update software such as Secunia PSI and/or FileHippo updater
In general, malware succeeds by "exploiting" the greatest number of systems possible. Consequently, malware artists will always target the vulnerabilities of the most widely installed applications. So I just don't use them... In my experience EAM/EIS offer a very high level of protection... hjlbx

Guest Tempus Posted December 20, 2014
> If you are important enough that someone would be willing to spend tens of thousands of US dollars on a reliable zero-day exploit to get your system infected, this naturally won't help you. However, that simply isn't a case that any normal home users should be concerned about.

Exploits are a reality and a threat for normal users as well. Botnets can be installed through exploits on a non-updated PC. You don't have to be a million dollar company, but it will probably help, of course. Let's take the Caphaw Trojan, which gave the opportunity to control a PC, and was installed on your PC by clicking on third-party YouTube ads, so here the target was the so-called normal user base. My point is that it is true when cutting_edgetech writes "Exploits can go unknown for some time before being patched" and "Sometimes an exploit is not patched for months after being discovered"; for a normal user it can be weeks/months.... and thereby leave a window of opportunity. Is it something that a normal user should be concerned about? I don't think that a normal user has to lie awake at night, but awareness and education about the importance of an overall update of your software profile/programs to minimize the attack surface for exploits is important, even for a normal user. Btw. the more sophisticated coded malware/exploit tools have a tendency to become accessible to cyber criminals at a much lower price over time. If I have misunderstood anything then please let me know =)

Fabian Wosar Posted December 20, 2014
> If I have misunderstood anything then please let me know =).

Yes, you missed the entire point. Of course exploits are a topic for home users. But these types of exploits are publicly known, meaning the vendors are aware of them and patches are available that you can install to no longer be vulnerable. Cutting_edgetech was referring to "unknown" exploits that only a small number of people (usually only the person who found it) but not the vendor have access to, so they can't be patched by the vendor and therefore can't be dodged by using the latest version of the vulnerable software. These kinds of exploits are highly valuable. Depending on the type of exploit and how reliable it is, we are talking about six figures on the "black market" here. Nobody will spend that kind of money to get into home users' PCs because the return on investment would be abysmal unless you use it on hundreds of thousands of PCs, burning the exploit in the process.

Guest Tempus Posted December 20, 2014
> Yes, you missed the entire point. Of course exploits are a topic for home users. But these types of exploits are publicly known, meaning the vendors are aware of them and patches are available that you can install to no longer be vulnerable. Cutting_edgetech was referring to "unknown" exploits that only a small number of people (usually only the person who found it) but not the vendor have access to, so they can't be patched by the vendor and therefore can't be dodged by using the latest version of the vulnerable software. These kinds of exploits are highly valuable. Depending on the type of exploit and how reliable it is, we are talking about six figures on the "black market" here. Nobody will spend that kind of money to get into home users' PCs because the return on investment would be abysmal unless you use it on hundreds of thousands of PCs, burning the exploit in the process.

Okay my bad, I understand your argumentation much better now, and it makes sense...definitely. But even with publicly known exploits there will be,.... very often..., a window of opportunity before a patch will be released from the vendor, leaving you potentially vulnerable.

Fabian Wosar Posted December 20, 2014
> But even with publicly known exploits there will be,.... very often..., a window of opportunity before a patch will be released from the vendor, leaving you potentially vulnerable.

In theory maybe. Realistically exploits aren't an issue for home users unless there are large campaigns going on. Most attackers don't have the resources to actually take a description of an exploit, or maybe even a file exploiting a vulnerability that was leaked from a targeted attack, and weaponize it for their purposes. So they too rely on readily available tools like exploit kits for example. Adoption of new exploits into such readily available tools is a lot slower than most vendors need to fix a high risk vulnerability. In fact, a lot of the exploits that made headlines this year haven't made it into exploit kits yet. One kind of vulnerability that exploit kit makers tend to adopt a lot faster than other kinds is Flash vulnerabilities. CVE-2014-0569 was adopted in a particularly timely manner this year. But even there the patch was already available for a week before the first drop sites started to exploit it.

Guest Tempus Posted December 21, 2014
Thanks Fabian for your opinion(s) regarding "home users and exploits". As said, your argumentation makes sense..... and is appreciated. Fabian, what is your take on browser extensions and exploits? I mean many or some browser extensions from third parties are or can be very buggy and are often not coded with security in mind, and very often they run with the user's full privileges.

Fabian Wosar Posted December 24, 2014
> Fabian, what is your take on browser extensions and exploits? I mean many or some browser extensions from third parties are or can be very buggy and are often not coded with security in mind, and very often they run with the user's full privileges.

Depends on what type of extensions you are talking about. Do you mean binary extensions as in "plugins" like Java or Flash, or are you talking about browser addons like Adblock? It also heavily depends on the browser you are using and what you are doing as a home user. If you don't use Netflix, chances are you will never need Silverlight. If you don't play Minecraft, you will never need Java. You get the idea.

Peter2150 Posted December 24, 2014
In a way this all makes me chuckle. First, for the typical home user I agree with Fabian's assessment 1000%. I run other security software because I am not a typical home user. I run my business on my computers, keep no paper records at all, have client financial information on these computers. Since my business is already a trust business, I feel obligated to close any and all holes, even if the probability of attack is near zero. Also a bit of research can be enlightening. Two examples:
1. When the Bromium folks published their "work" they claimed to show how kernel exploits could undermine sandboxes, and almost every piece of software out there except of course theirs. And of course it's only sold to businesses. Well this kicked off a firestorm of OMG's, what do I do now stuff. Finally I did a bit of research on kernel exploits. Turned out better than 85% of the hits were Bromium posts, then a bunch on kernel exploits in Linux, and finally a few pointing out how hard it was to write kernel exploits. I now consider it marketing.
2. Then there was the Duqu episode and again people were wringing their hands. Once I realized it came via Word docs, I yawned. EIS, plus most of my other software, would have stopped it. But then a bit of research pointed out it only targeted command and control facilities, and all but two of the attacks were in one country.
Would the typical user of EIS/EAM be a target? I don't think so, so Fabian's conclusions are spot on. Pete

Guest Tempus Posted December 26, 2014
> You get the idea.

Got it.... I didn't mean binary extensions because that was more or less discussed in the previous posts. I was curious to hear your opinion about the huge numbers of browser addons for browsers such as Firefox and Chrome (personally I use IE11). These browser extensions can be, in my opinion, very buggy, they are not so often patched, not coded with security in mind,..... can have doubtful and obscured collection of user information etc. Are those kinds of browser addons a concern regarding exploits? I guess exploitation can be on different levels. (Btw. hope you had a great Christmas.) =)

Fabian Wosar Posted December 26, 2014
With a very few exceptions those addons are usually subject to the same kind of sandboxing all JavaScript and websites are. So they are just as prone or not prone to exploits as the website rendering is. Of course a browser addon can act maliciously on purpose within the addon model that the browser provides. It is completely feasible to log form data using a malicious browser addon for example, or inject all kinds of nasty code inside any website you want as a browser addon. But that won't happen "on accident".

Guest Tempus Posted December 26, 2014
Thanks Fabian, I actually think I have become a bit wiser....as always, thanks for your time spent answering my posts in this thread .....

Fabian Wosar Posted December 27, 2014
You are very welcome, Tempus.

pallino Posted July 10, 2015
Hello Fabian, will file-less infections be detected properly now with Emsi 10? Java, Win and mostly Flash bugs and exploits are being discovered and implemented in kits ever faster and more often.. Tempus was not too wrong, in my opinion. We hope Emsi will keep doing the great job they did till now and keep us safe also from unknown malware. Thank you and good work!

Fabian Wosar Posted July 10, 2015
There are no changes in EAM 10 that would affect "file-less infections".

pallino Posted July 16, 2015
...so is Emsi detecting file-less infections properly now, or only when they try to establish persistence on a user's system? Thank you

Fabian Wosar Posted July 16, 2015
The latter.

pallino Posted July 16, 2015
Fabian, thank you. What additional software would you recommend to properly detect file-less infections? 2. On http://support.emsisoft.com/topic/15469-oas-physical-memory-access-hips-component-question/ you said OA in general does prevent applications from writing into other processes. Just to be sure, does Emsi AM and/or Emsi IS offer this feature? Thank you

Fabian Wosar Posted July 16, 2015
Yes, the behavior blocker detects and prevents code injection. EMET works fine for me with the default configuration. Other tools may work as well, but we don't test with them and I don't use them.

pallino Posted July 17, 2015
..not sure I understood your reply correctly.. Is EMET a good program to add protection against file-less infections, or doesn't it cover this kind of infection? Thank you

Fabian Wosar Posted July 20, 2015
There is no tool that covers fileless infections. The point of EMET and other exploit mitigation tools is to make it harder for security vulnerabilities within applications to be exploited, so it is more difficult for fileless infections to enter your system. The best approach is obviously to keep your applications up-to-date and reduce your attack surface as much as possible, by removing things like Java, Adobe Acrobat Reader or Flash from your system, or at least switch them into "click to play" mode so they aren't loaded automatically but only if you really want to. But if you can't do that for whatever reason, you can consider tools like EMET.

Peter2150 Posted July 20, 2015
Fabian, AppGuard does provide fileless infection protection to a degree in that it has what they call Memory Guard. It prevents an application from reading or writing to another application's memory. I've tested it and it does work.

Fabian Wosar Posted July 20, 2015
That isn't a protection from fileless infections either. EAM does that as well (code injection protection). It helps mitigate fileless infections, it does not stop them.

pallino Posted July 22, 2015
Fabian thank you for the clear answer! Peter, thank you for the input...I saw your point/the discussion on Wilders, that's why I checked here if Emsi AM/IS protected from this threat or if additional tools were needed/suggested. I hope Emsi will find a way to protect from file-less infections one day!

Peter2150 Posted July 22, 2015
> Fabian thank you for the clear answer! Peter, thank you for the input...I saw your point/the discussion on Wilders, that's why I checked here if Emsi AM/IS protected from this threat or if additional tools were needed/suggested. I hope Emsi will find a way to protect from file-less infections one day!

Hi pallino, I think you can rest easy. If you are on Wilders you have an idea of my setup. I've done quite a bit of playing with malware that people try and foist on me and inevitably the first one to catch it is EIS. You are in good hands with EMSISOFT!! Pete

pallino Posted July 23, 2015
> Hi pallino, I think you can rest easy. If you are on Wilders you have an idea of my setup. I've done quite a bit of playing with malware that people try and foist on me and inevitably the first one to catch it is EIS. You are in good hands with EMSISOFT!! Pete

Thank you Pete! I'm still reading on Wilders, I have sooo many pages open it will take me some days to read them all! :-) I still didn't get to the part where I see your setup, on what page is it? Thank you! I'll keep the anti-exploit with Emsi to cover more entry points and "sleep well". :-) It's good to hear I'm in good hands! :-)

pallino Posted July 23, 2015
Fabian, what did you mean before with fileless infections "won't be detected properly"? When does Emsi detect them and when not? E.g., if a "new"/unknown Bedep variant is dropped, will BB be able to detect it or can it only be detected through generic signature/heuristic? Thank you for your help and clarification!

Fabian Wosar Posted July 23, 2015
> When does Emsi detect them and when not?

I said properly, not probably. It is never detected in real time.

pallino Posted July 23, 2015
Fabian, what do you mean? Can you please clarify? Thank you!

Fabian Wosar Posted July 23, 2015
I don't think I can be clearer than I have already been: We don't handle fileless infections at all in realtime at the moment. There is nothing more to clarify imho.

pallino Posted July 23, 2015
Ok, so you mean you can detect it only if and when they try to infect the system (registry, files, inject code), correct?

Fabian Wosar Posted July 23, 2015
No, we don't. We will see the actions taking place, but since they are performed by a trusted process (like the browser that is being exploited) we will allow them to go through without notice.

pallino Posted July 23, 2015
Thank you. Does it mean e.g. a Bedep can stay undetected in memory, or when will you detect it? Also a custom memory scan won't detect it?

Fabian Wosar Posted July 27, 2015
Bedep can stay undetected in memory, yes. A memory scan won't detect it, as a memory scan essentially scans the loaded files. Since there is no Bedep file, there is nothing for us to scan.

pallino Posted July 28, 2015
Thank you

pallino Posted July 29, 2015
Last question. :-) Isn't it possible to add a scan for all the content of the memory, independent of whether it's used by loaded files or not? If not, why? Thank you

Fabian Wosar Posted July 29, 2015
It is possible, but our signatures don't support it. Scanning memory has to account for relocations and other things taking place that change the memory content. I wouldn't rule it out entirely for the future though.

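Fabian's two points above (a memory scan works from the loaded files, and a signature applied to memory has to survive relocation) illustrated with an added example that is not Emsisoft's code and not its signature format: a constructed toy image whose absolute addresses the loader rewrites when it cannot get its preferred base, scanned once with a byte-exact signature and once with a signature that masks the relocated bytes.

```python
"""
Why a byte-exact signature taken from an image on disk stops matching once
the loader has relocated that image in memory, and why a scanner has to
know the relocation offsets to match anyway.  Everything here is a
constructed toy: opcodes, addresses and the relocation list are made up.
"""
from __future__ import annotations

import struct

PREFERRED_BASE = 0x00400000  # constructed: where the image wants to load


def build_image(base: int) -> tuple[bytes, list[int]]:
    """Toy code with two embedded absolute 32-bit addresses.

    The offsets of those addresses play the role a PE .reloc section plays:
    they are the bytes the loader must patch if the base changes.
    """
    code = bytearray()
    code += b"\x68"                             # push imm32
    reloc1 = len(code)
    code += struct.pack("<I", base + 0x2000)    # absolute address of data
    code += b"\x8b\x0d"                         # mov ecx, [imm32]
    reloc2 = len(code)
    code += struct.pack("<I", base + 0x3010)    # absolute address of a global
    code += b"\xc3"                             # ret
    return bytes(code), [reloc1, reloc2]


def relocate(image: bytes, relocs: list[int], old_base: int, new_base: int) -> bytes:
    """What the loader does when the preferred base is unavailable (ASLR)."""
    out = bytearray(image)
    delta = new_base - old_base
    for off in relocs:
        addr = struct.unpack_from("<I", out, off)[0]
        struct.pack_into("<I", out, off, (addr + delta) & 0xFFFFFFFF)
    return bytes(out)


def exact_signature(image: bytes) -> list[int | None]:
    """Naive signature: every byte of the on-disk image, no wildcards."""
    return list(image)


def masked_signature(image: bytes, relocs: list[int]) -> list[int | None]:
    """Same bytes, but every byte a relocation can touch becomes a wildcard."""
    sig: list[int | None] = list(image)
    for off in relocs:
        for i in range(off, off + 4):
            sig[i] = None
    return sig


def matches(sig: list[int | None], memory: bytes) -> bool:
    """Slide the signature over a memory region; None matches any byte."""
    n = len(sig)
    for start in range(len(memory) - n + 1):
        if all(s is None or s == memory[start + i] for i, s in enumerate(sig)):
            return True
    return False


def demo() -> dict[str, bool]:
    on_disk, relocs = build_image(PREFERRED_BASE)
    # Constructed scenario: the loader had to move the image to 0x10000000.
    in_memory = relocate(on_disk, relocs, PREFERRED_BASE, 0x10000000)
    exact = exact_signature(on_disk)
    masked = masked_signature(on_disk, relocs)
    return {
        "exact_on_disk": matches(exact, on_disk),       # True
        "exact_in_memory": matches(exact, in_memory),   # False: 8 bytes changed
        "masked_in_memory": matches(masked, in_memory), # True: relocs wildcarded
    }


if __name__ == "__main__":
    print(demo())
```

A memory-only payload such as the Bedep case discussed above has no on-disk image to take `on_disk` from in the first place, which is the other half of why a scanner built around loaded files has nothing to compare against.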
pallino Posted September 16, 2016
Hello Fabian, how does Emsisoft now handle fileless infections? Did something change in Emsi 11 and/or will it in the upcoming 12, or is it still protecting the customer through its anti-exploit and BB protecting from process injection? Can Emsi now scan all the content of the memory, independent of whether it's used by loaded files or not? Thank you

GT500 Posted September 24, 2016
Since Fabian hasn't answered, I'll jump in and say that I'm fairly certain we added handling for fileless infections. Fabian will know more, of course, so you may have to wait for him to comment to get more information than that.

pallino Posted October 12, 2016
Thank you Arthur. Can you please check with Fabian how Emsisoft now handles fileless infections? Did something change in Emsi 11 and/or will it in the upcoming 12, or is it still protecting the customer through its anti-exploit and BB protecting from process injection? Can Emsi now scan all the content of the memory, independent of whether it's used by loaded files or not? Thank you

Fabian Wosar Posted October 12, 2016
We aren't aware of any fileless infection at the moment that isn't blocked or detected by EAM.

dbrisendine Posted October 25, 2016
Kovter and all its known variants?
