Raynor

Setting Behaviour Blocker to "Custom" = Safer ?

Now here's a thing which I've been wondering about for quite some time now :wacko::

Usually, the behaviour blocker automatically creates "All allowed" application rules
when encountering digitally signed and thus trusted apps.

I've been wondering if it might be safer to manually set the behaviour blocker to "custom monitoring",
at least for internet-facing, potentially exploitable apps.

My reasoning:

Let's say there is a critical vulnerability in a trusted program (e.g. Firefox) that can lead to
arbitrary code execution / injection. If this vulnerability were exploited, the program would
be able to do some nasty stuff to the system.

Wouldn't this unexpected and malicious behaviour then be automatically tolerated by the behaviour blocker
because the program itself is trusted and thus has been set to "All Allowed"?

Thanks for any insights,

Raynor

In the case of Firefox, the firewall wouldn't be able to help, since Firefox needs to be able to get out to the Internet to load webpages, and any exploit it attempted to load and run would do so as if it were a normal webpage (it's all loaded over HTTP/HTTPS).

As for the exploit itself, EIS isn't going to detect it, beyond perhaps the File Guard detecting a malicious HTML/JavaScript/etc. being saved in a browser/Flash/Java cache somewhere. What EIS will do is block whatever the exploit saves on your computer and executes, thus stopping the infection. The point of an exploit is to get a malicious executable (usually called a "dropper") to run on your computer, and then this "dropper" will install the infection, so we focus on stopping the dropper since it's what's actually dangerous.

Setting Firefox to be monitored won't change any of this, and could potentially lead to strange problems with Firefox.

First of all, thank you for your reply.

In the case of Firefox, the firewall wouldn't be able to help, since Firefox needs to be able to get out to the Internet to load webpages, and any exploit it attempted to load and run would do so as if it were a normal webpage (it's all loaded over HTTP/HTTPS).

Yes, I'm aware of that - I'm only talking about setting the Behaviour Blocker to "Custom".

As for the exploit itself, EIS isn't going to detect it, beyond perhaps the File Guard detecting a malicious HTML/JavaScript/etc. being saved in a browser/Flash/Java cache somewhere. What EIS will do is block whatever the exploit saves on your computer and executes, thus stopping the infection. The point of an exploit is to get a malicious executable (usually called a "dropper") to run on your computer, and then this "dropper" will install the infection, so we focus on stopping the dropper since it's what's actually dangerous.

Setting Firefox to be monitored won't change any of this, and could potentially lead to strange problems with Firefox.

What I've been thinking is: is it not theoretically possible to cause a legitimate process/app, e.g. Firefox, to misbehave by exploiting, well, an exploit?

In other words, is it not (at least theoretically) feasible that an exploit could be used to make a normal program misbehave by making it execute arbitrary code?

But thinking about it further ... yes, after all, for an infection to happen, at some point some executable needs to be dropped somewhere ...

But couldn't perhaps Firefox itself be "abused" to act as the dropper? This would then be tolerated without any alerts being shown, wouldn't it (because Firefox is trusted and set to "Allow all" in the Behaviour Blocker)?

I'm talking about protecting against that specific vector.

... I'm still a bit confused :unsure::wacko: ... but maybe I'm overthinking the whole issue. :D

... In other words, is it not (at least theoretically) feasible that an exploit could be used to make a normal program misbehave by making it execute arbitrary code?

Yes, and in that case there would be some sort of file that contained that code (an executable for instance), and that file would need to be monitored rather than Firefox.

But couldn't perhaps Firefox itself be "abused" to act as the dropper? This would then be tolerated without any alerts being shown, wouldn't it (because Firefox is trusted and set to "Allow all" in the Behaviour Blocker)?

In theory such a thing might be possible, such as in the case of malicious extensions, however the dropper needs to drop something, and protection isn't going to ignore whatever was installed when it executes.

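The two replies above make the same point from two angles: the rule attached to firefox.exe says nothing about what happens to the file an exploited Firefox writes and starts, because a behaviour blocker judges each executable on its own signature and its own rule. The following toy model, added here as an illustration and not taken from the thread or from Emsisoft's product, evaluates per-application rules the way the replies describe. The trusted-signer list, the behaviour list and the names firefox.exe and payload.exe are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed list of publishers whose signature earns an automatic "All allowed" rule.
TRUSTED_SIGNERS = {"Mozilla Corporation"}

# Assumed list of behaviours a monitored application is alerted on.
SUSPICIOUS_BEHAVIOURS = {"write_executable", "create_process", "set_autorun", "inject_code"}


@dataclass(frozen=True)
class Process:
    name: str
    signer: Optional[str]               # publisher from the file's signature; None if unsigned
    parent: Optional["Process"] = None  # who launched it (recorded, but see effective_rule)


def effective_rule(proc: Process, manual_rules: Dict[str, str]) -> str:
    """Return "all_allowed", "custom" or "monitored" for one process.

    Only the process's own name and signature count. The parent that launched it is
    deliberately ignored: an "All allowed" rule on firefox.exe does not flow down to
    anything firefox.exe writes to disk and starts.
    """
    if proc.name in manual_rules:            # a manual rule overrides the automatic one
        return manual_rules[proc.name]
    if proc.signer in TRUSTED_SIGNERS:       # signed by a trusted publisher -> automatic rule
        return "all_allowed"
    return "monitored"                       # unknown or unsigned file -> full monitoring


def verdict(proc: Process, behaviour: str, manual_rules: Optional[Dict[str, str]] = None) -> str:
    """Decide "allow" or "alert" for one behaviour of one process."""
    rule = effective_rule(proc, manual_rules or {})
    if rule == "all_allowed":
        return "allow"
    # Both "custom" and "monitored" evaluate the behaviour itself.
    return "alert" if behaviour in SUSPICIOUS_BEHAVIOURS else "allow"


def simulate_exploit_chain(manual_rules: Optional[Dict[str, str]] = None) -> List[Tuple[str, str, str]]:
    """Constructed scenario: exploited Firefox writes a dropper, runs it, the dropper persists.

    Returns (process name, behaviour, verdict) for each event in order.
    """
    firefox = Process("firefox.exe", "Mozilla Corporation")
    dropper = Process("payload.exe", None, parent=firefox)    # unsigned; hypothetical name
    events = [
        (firefox, "write_executable"),   # exploit code running inside Firefox saves payload.exe
        (firefox, "create_process"),     # ... and launches it
        (dropper, "set_autorun"),        # payload.exe tries to persist itself
    ]
    return [(p.name, b, verdict(p, b, manual_rules)) for p, b in events]


if __name__ == "__main__":
    for label, rules in (("automatic rules", None), ("firefox.exe set to custom", {"firefox.exe": "custom"})):
        print(label)
        for name, behaviour, result in simulate_exploit_chain(rules):
            print(f"  {name:<12} {behaviour:<17} -> {result}")
```

With the automatic rules, Firefox's two actions pass and payload.exe is alerted on the moment it does something of its own, which is the outcome the replies describe. Switching firefox.exe to "custom" does not improve the verdict on payload.exe at all; it only makes Firefox's own writing and launching of executables (a normal download followed by running the installer, for instance) trip alerts, which is the kind of "strange problem" the second reply warns about.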

In theory such a thing might be possible, such as in the case of malicious extensions, however the dropper needs to drop something, and protection isn't going to ignore whatever was installed when it executes.

 

Ah, I see. Thanks a lot for clearing this up.

 

So I'll just leave the behavior blocker set to "allow all" for trusted / digitally signed programs :lol:.
