Quote:
Originally Posted by Kerlingen
Since the Windows Firewall has a default "allow all outgoing traffic" rule which you cannot change, I would say it's mandatory to use an "internet security" product, not only to block (non-malware) "call home" software, but also to block malware which is not yet detected from connecting to its control server.
Maybe I'm misunderstanding you, but you can configure profiles to block outbound traffic by default. The problem is that it's oftentimes not that useful in practice, as you need to manually define rules upfront for all apps that should be allowed to access the internet. This easily gets cumbersome if an application uses multiple processes/services of which some need network access (as in the case of VMware Workstation). What's not uncommon either is legitimate installers which launch sub-processes (which need network access) from previously extracted images with randomized filenames. If you've configured the Windows Firewall to block outgoing traffic by default, it will do so without giving the user any hints whatsoever, which can make it difficult to figure out what rules to add to get a particular app to work properly.
There are third-party add-on tools to work around that problem, though. They listen for certain ETW events, if I remember correctly, and display a message if an app tries to access the network, along with options to create (temporary) outbound rules.
Another thing to keep in mind is that rules can be added programmatically which is something some installers do. While this is generally convenient, it can be annoying in cases where one doesn't want (legitimate) software to phone home for example.
Quote:
Originally Posted by TechLord
Finally, most of the security professionals do not have any AV on their system at all
No wonder really, as AV software has in the past turned out to be an attack vector (MsMpEng Type Confusion anyone?).
Quote:
Originally Posted by SKiLLa
use a restricted account
https://xkcd.com/1200/
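The default-deny outbound setup discussed in the post above, as an added example that is not from the original post or poster: it switches the Windows Firewall to block outbound by default, allow-lists one program, and then turns on the two logging paths (pfirewall.log and Security event 5157 via WFP auditing) that reveal which process a silent drop actually hit. The program path is an assumption; the "no Group" filter at the end is a heuristic for spotting rules that installers added programmatically, not an authoritative marker. Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example, not part of the original forum post.
# Assumption: the executable below is the one app that should get outbound access.
$Program = 'C:\Program Files\Example\example.exe'

# 1. Default-deny outbound on all three profiles. Existing allow rules still match;
#    everything else is now dropped silently, with no prompt to the user.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow-list one program. Program rules match on the exe path, which is why
#    helpers launched from a randomly named temp directory fall through to the block.
New-NetFirewallRule -DisplayName 'Allow example.exe outbound' `
    -Direction Outbound -Action Allow -Program $Program -Profile Any

# 3. Log dropped packets to pfirewall.log (default: %SystemRoot%\System32\LogFiles\Firewall\)
#    so there is at least an address/port hint of what got blocked.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction, LogBlocked, LogFileName

# 4. To see *which process* was blocked, enable WFP connection auditing. Each blocked
#    connection then produces Security event 5157 carrying the application path.
auditpol.exe /set /subcategory:"Filtering Platform Connection" /failure:enable
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 20 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $data['Application']
            Destination = '{0}:{1}' -f $data['DestAddress'], $data['DestPort']
            Protocol    = $data['Protocol']   # IANA number, e.g. 6 = TCP, 17 = UDP
        }
    } | Format-Table -AutoSize

# 5. Review outbound allow rules that carry no rule Group. Built-in Windows rules are
#    grouped; rules dropped in by installers usually are not (heuristic, not a guarantee).
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { -not $_.Group } |
    Select-Object DisplayName, Profile,
        @{ n = 'Program'; e = { ($_ | Get-NetFirewallApplicationFilter).Program } } |
    Format-Table -AutoSize
```

Step 4 is the same signal the add-on tools mentioned in the post use to show a prompt: once auditing is on, the 5157 events name the exact executable (including a randomized temp path) that needs a rule, which pfirewall.log alone does not tell you. Remember that the audit subcategory can be noisy on a busy host, so turn it off again (`/failure:disable`) once the rules are sorted out.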