Tag Archives: Smartscreen Filter

AppGuard successfully protects against PowerShell based zero-day malware

9 July 2016

To get a feel for the impact AppGuard has on daily operations I worked mainly on my test system in the past weeks. My test system is a 6 years old Dell Inspiron 1445 with 4 GB of RAM and a 240 GB SSD.  The latest version of Windows 10 is deployed and all out-of-the-box Windows security options like Windows Defender and SmartScreen are activated.

I work with standard user rights; UAC is set to ‘Always notify me’. Macro protection for the office suite is set to ‘Disable all macros with notification’. AppGuard is installed on top of this security stack to protect from all kind of zero days.

The impact on my daily work is hardly noticeable. Standard malware is blocked either by Defender or by SmartScreen. Even the download of e.g. JavaScript based malware from malwr.com for test purposes is a challenging task.

AppGuard does a really good job in blocking the execution all kind of zero-day malware from user space. But how well works AppGuard in the case of somewhat more advanced malware?

I searched for a new PowerShell based malware on malwr.com and found Invoice_201604469.doc.

A check on VirusTotal showed that only 3 of 56 anti-malware products identified malware:

Antivirus Result Update
Fortinet WM/Poseket.A!tr.dldr 20160706
Qihoo-360 heur.macro.powershell.a 20160706
Symantec W97M.Downloader 20160706

As always, the AutoOpen macro is password protected. But LibreOffice overrides the password protection and reveals a master piece of code:

AutoOpen Macro with Powershell code

AutoOpen Macro with PowerShell Code

I opened the document and followed the instructions to execute the AutoOpen macro.


Invoice_201604469.doc. Click to enlarge.

The effect was enormous. AppGuard’s MemoryGuard blocked the execution of the PowerShell script and prevented the download of the payload 18293.exe:

Blocked Program Message

Blocked Program Message 1

Blocked Program Message

Blocked Program Message 2

Thus the command shell wasn’t able to start the payload and Windows displayed the last error message:

Windows Error Message

Windows Error Message

MemoryGuard is a really charming concept, and out-of-the-box available after installation.

This concludes my tests. The experiments of the past weeks show that User Space and MemoryGuard are useful security features. They complete the Windows built-in security features, and provide additional protection, in particular in the case of zero-day malware.

Have a good weekend.

Why is Internet Explorer security such a challenge? More tips to minimize the risk

29 November 2014

In his Report ‘Why is Internet Explorer security such a challenge?‘ Stephen Bigelow talks about Internet Explorer (IE) security and attack trends. In section ‘Tips to minimize the risk’ he introduces the standard mitigation measures.

In addition, IE 11 and Windows 8 provide security functions which can be activated or adjusted to make Internet use less risky:

1. Set User Account Control (UAC) to ‘Always notify me’

With UAC set to ‘Always notify me’ you will be notified if malicious code which is executed in Internet Explorer tries to install software or tries to make changes to your computer.

2. Activate SmartScreen Filtering to reduce the risk of phishing attacks

SmartScreen Filtering was introduced with IE8 and was integrated in the OS with Windows 8. SmartScreen Filtering checks web sites and files, after you clicked on the link, against a list of harmful sites and blocks downloads from these sites.

If the SmartScreen Filter blocks a malicious site you will get an error message like

SmartScreen Filter Error Message

SmartScreen Filter Error Message

To activate SmartScreen Filtering check Enable SmartScreen Filter in the IE Advanced Security Options.

3. Activate Enhanced Protection Mode (EPM) in the Internet Explorer Advanced Security Options

With EPM activated IE runs in an AppContainer at low integrity level. Write access to resources at medium or high integrity level, e.g. Windows system resources, is blocked.

4. Try to work without administrative rights

From my point of view this is the most important advice at all. Without administrative privileges it is very unlikely that malicious code executed by Internet Explorer could attack the operating system because this is blocked by the User Account Control (UAC) in Windows.

Even if you activate only SmartScreen Filtering and EPM, Internet use will become less risky.

Moon over Wangalm, Austria. 47°22'54.1"N 11°06'35.4"E

Moon over Wangalm, Austria. 47°22’54.1″N 11°06’35.4″E

Have a nice weekend.