Tag Archives: UAC

AppGuard is an important part of a comprehensive security stack

16 July 2016

In the past weeks I tried hard to get an idea of the capabilities of Blue Ridge Networks AppGuard. To be honest, I would not like to miss AppGuard anymore. AppGuard creates the really good feeling that, under certain conditions, many cyber-attacks are simply rendered ineffective.

AppGuard is a perfect means against all kind of Trojans and downloaders, in particular zero days. Characteristic for this kind of malware is that the malware directly drops a malicious program or downloads a malicious program from the attacker’s server and executes it afterwards. This includes e.g. most of the known Ransomware.

The User Space and MemoryGuard concept just blocks this kind of malware out-of-the-box, provided that the User Space concept is not undermined by a user who is working with high privileges permanently. In fact, if the user works with privileges which allow the Trojan program to store files outside the User Space, the concept will no longer work.

It is strongly recommended to work with the least possible privileges under normal conditions. For the case higher privileges are requested, set up an extra account with the required privileges and supply the credentials of this account if UAC requests higher privileges.

More advanced malware may try to use the Windows auto-elevation feature to acquire higher privileges and to compromise AppGuard. To protect from auto-elevation attacks just set UAC to ‘Always notify me’.

This works even in the case of a gaming computer, where e.g. WOW and TeamSpeak are heavily used. Why shouldn’t it work on a standard system?

In addition, it is strongly recommended to disable macro execution in all kind of office software, e.g. Microsoft Office, OpenOffice or LibreOffice.

Memory Guard protects against all kind of zero-day drive-by downloads, PuP (Potentially unwanted Programs) or file-less malware.

My comprehensive security stack

My comprehensive security stack. Click to enlarge.

 

AppGuard does not protect against any kind of password phishing attacks. Although popular internet browsers block many malicious URLs through URL reputation, e.g. SmartScreen Filtering in Internet Explorer or Firefox, this will not protect in the case of zero-days.

To reduce the likelihood of credential theft, turn on Two-Factor Authentication (TFA) for as many as possible internet services you use. If TFA cannot be enabled, choose a strong password and take care, means:

User awareness is the basic part of the entire security stack!

To put it succinctly: The proposed security stack will dramatically reduce the risk of cyber-attacks. Blue Ridge Networks AppGuard is an important component of this stack, in particular for the protection against all kind of zero-days.

Have a good weekend.

Advertisements

AppGuard successfully protects against PowerShell based zero-day malware

9 July 2016

To get a feel for the impact AppGuard has on daily operations I worked mainly on my test system in the past weeks. My test system is a 6 years old Dell Inspiron 1445 with 4 GB of RAM and a 240 GB SSD.  The latest version of Windows 10 is deployed and all out-of-the-box Windows security options like Windows Defender and SmartScreen are activated.

I work with standard user rights; UAC is set to ‘Always notify me’. Macro protection for the office suite is set to ‘Disable all macros with notification’. AppGuard is installed on top of this security stack to protect from all kind of zero days.

The impact on my daily work is hardly noticeable. Standard malware is blocked either by Defender or by SmartScreen. Even the download of e.g. JavaScript based malware from malwr.com for test purposes is a challenging task.

AppGuard does a really good job in blocking the execution all kind of zero-day malware from user space. But how well works AppGuard in the case of somewhat more advanced malware?

I searched for a new PowerShell based malware on malwr.com and found Invoice_201604469.doc.

A check on VirusTotal showed that only 3 of 56 anti-malware products identified malware:

Antivirus Result Update
Fortinet WM/Poseket.A!tr.dldr 20160706
Qihoo-360 heur.macro.powershell.a 20160706
Symantec W97M.Downloader 20160706

As always, the AutoOpen macro is password protected. But LibreOffice overrides the password protection and reveals a master piece of code:

AutoOpen Macro with Powershell code

AutoOpen Macro with PowerShell Code

I opened the document and followed the instructions to execute the AutoOpen macro.

Invoice_201604469.doc

Invoice_201604469.doc. Click to enlarge.

The effect was enormous. AppGuard’s MemoryGuard blocked the execution of the PowerShell script and prevented the download of the payload 18293.exe:

Blocked Program Message

Blocked Program Message 1

Blocked Program Message

Blocked Program Message 2

Thus the command shell wasn’t able to start the payload and Windows displayed the last error message:

Windows Error Message

Windows Error Message

MemoryGuard is a really charming concept, and out-of-the-box available after installation.

This concludes my tests. The experiments of the past weeks show that User Space and MemoryGuard are useful security features. They complete the Windows built-in security features, and provide additional protection, in particular in the case of zero-day malware.

Have a good weekend.

Windows 10 free update phase ends in July 2016

2 July 2016

It’s high time to migrate to Windows 10. The free update phase ends in July 2015, one year after the first release of the most secure Windows operating system ever.

Windows 10 is the best choice for home users and SME. The core Windows 10 OS with the integrated SmartScreen application and URL reputation check and Windows Defender already provides a good security out-of-the-box, at no additional cost.

With UAC set to ‘Always notify me’ and with the rigorous waiving to work constantly with administrative privileges, a high security level is achieved with small impact on usability

It’s time to get started!

Have a good weekend.

Is your help desk prepared for this type of malware?

6 February 2016

Some variants of the W2KM_DRIDEX.BM trojan behave really strange if User Account Control (UAC) is set to the highest level ‘Always notify me’. In this case the malware attempts several times to elevate its own privileges. For a detailed description of the malware see post ‘Analysis of an Undetected Dridex Sample‘ in the REAQTA blog.

Although this behavior is really annoying everything went well so far. UAC did exactly what it was designed for: Notify the user that something requests higher privileges. Without approval by the user UAC blocks further execution, thus prevents Dridex from becoming persistent.

What next? In the best case, if the user cannot elevate the program, he calls the help desk. But is the help desk staff ready for this? What’s the proper response to this challenge?

The proper response is to quarantine the computer and disinfect the system. Or tell the user to keep calm, create an incident ticket and send it to the SOC.

The worst possible response would be to approve the request by entering the credentials of a privileged account. In this case Dridex starts over, becomes persistent and the attacker can start his malicious work.

Golden Triangle of IT Security

Golden Triangle of IT Security

IT security is created by a combination of people, processes and technology. Even if processes and technology complement each other perfectly, people may become the critical factor. In particular, if helpdesk staff turnover is high, awareness training and knowledge management become a major issue.

Have a good weekend.