OSArmor - behavioural blocker from NoVirusThanks
#67
Test version 42

Quote:
+ Improved detection of PowerShell malformed commands
+ Change Registry value ServicesPipeTimeout to 180000 via setup file
+ Modified the service to fix a rare crash on session change
+ Improved detection of fake system processes
+ Improved Block command-lines that match *\Start Menu\Programs\Startup\*
+ Added BitLocker Service on "Prevent important Windows Services from being disabled"
+ Improved Block unknown processes on Windows folder
+ Improved Block execution of .reg scripts
+ Block execution of xcopy\robocopy.exe
+ Block execution of diskpart.exe
+ Block execution of format.com
+ Block execution of tasklist.exe
+ Block execution of systeminfo.exe
+ Block execution of whoami.exe
+ Fixed some false positives

and test version 43 from yesterday
Quote:
+ Improved detection of system processes
+ Improved detection of suspicious processes
+ Block known UAC-bypass attempts
+ Block new and unknown UAC-bypass attempts (experimental)
+ Block known system processes used for UAC-bypass
+ Block ALL "autoelevate" system processes
+ Merged "Block execution of sdctl.exe\sysprep.exe\etc" with "Block known system processes used for UAC-bypass"
+ Block execution of Logoff.exe
+ Block execution of Vssadmin.exe
+ Block execution of Makecab.exe
+ Block execution of LxRun.exe
+ Block execution of Bash.exe
+ Block execution of Sdbinst.exe
+ Minor fixes and optimizations
+ Fixed some false positives
This version adds a new section dedicated to blocking UAC bypass attempts
Quote:
"Block known UAC-bypass attempts"

This option should not generate FPs (even if I added the orange icon).

It should block known (public) UAC-bypass attempts.

The other 3 options may generate FPs:

"Block new and unknown UAC-bypass attempts (experimental)"

This experimental option should mitigate new and unknown UAC-bypass attempts that exploit system processes to elevate the malware payload. In my tests it performed well with very low FPs (on the work-PC, with just a few programs installed).

"Block known system processes used for UAC-bypass"

This option blocks the execution of known system processes used to bypass UAC, for example slui.exe, sdctl.exe, fodhelper.exe, wusa.exe, mmc.exe, dccw.exe, BitlockerWizardElev.exe, and some more. By preventing their execution we mitigate entirely the UAC bypass attempt, but in exchange we may get a few alerts (FPs) when they are legitimately executed by the OS.

"Block ALL "autoelevate" system processes"

This option blocks ALL autoelevate system processes and may be particularly useful for companies or offices to mitigate new and unknown UAC bypass attempts that exploit "autoelevate" system processes (generally used in targeted attacks against companies). This option may generate alerts (FPs) depending on the PC usage, i.e. if the office PC is used to print\edit documents, read emails, open the web browser, open a few programs and such (doing the same routine every day), you may even get no alerts.


"Security is a journey, not a destination - it is not a problem that can be solved once and for all"
"Trust is not a control, and hope is not a strategy"
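As an added example (not code from the post, its author or NoVirusThanks), the following PowerShell script estimates how many alerts "Block known system processes used for UAC-bypass" would raise on a given machine: it counts, from Security event 4688, how often the processes the developer names were launched legitimately over the last N days and by which parent process. It assumes an administrative session and that "Audit Process Creation" is enabled so that 4688 events exist.

```powershell
# Added example (not from the OSArmor post or product): baseline the false-positive cost
# of "Block known system processes used for UAC-bypass" by counting legitimate launches
# of the named executables, taken from Security event 4688 (process creation).
# Assumptions: run as administrator, and "Audit Process Creation" is enabled so that
# 4688 events exist; without it every count is simply zero.
param(
    [int]$Days = 30
)

# Process names quoted by the developer in the post above.
$Watch = @('slui.exe', 'sdctl.exe', 'fodhelper.exe', 'wusa.exe',
           'mmc.exe', 'dccw.exe', 'BitlockerWizardElev.exe')

function Get-ProcessStartBaseline {
    param([string[]]$Names, [int]$Days)

    # PowerShell hashtables compare keys case-insensitively, so 'MMC.EXE' and 'mmc.exe' merge.
    $stats = @{}
    foreach ($n in $Names) {
        $stats[$n] = [pscustomobject]@{ Name = $n; Launches = 0; Parents = @{} }
    }

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data    = ([xml]$evt.ToXml()).Event.EventData.Data
        $newProc = ($data | Where-Object Name -eq 'NewProcessName').'#text'
        $parent  = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
        if (-not $newProc) { continue }

        $leaf = [System.IO.Path]::GetFileName($newProc)
        if (-not $stats.ContainsKey($leaf)) { continue }   # not one of the watched names

        $stats[$leaf].Launches++
        if ($parent) { $stats[$leaf].Parents[[System.IO.Path]::GetFileName($parent)] = $true }
    }

    # One row per watched name: total launches, launches per day, distinct parent processes.
    foreach ($s in $stats.Values) {
        [pscustomobject]@{
            Name       = $s.Name
            Launches   = $s.Launches
            PerDay     = [math]::Round($s.Launches / [math]::Max($Days, 1), 2)
            LaunchedBy = ($s.Parents.Keys | Sort-Object) -join ', '
        }
    }
}

Get-ProcessStartBaseline -Names $Watch -Days $Days |
    Sort-Object Launches -Descending |
    Format-Table -AutoSize
```

A non-zero row whose parent is a normal system component (for example the Windows Update flow launching wusa.exe) is the kind of legitimate launch the developer warns will show up as an FP once the option is enabled.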


Messages in this thread
RE: OSArmor - behavioural blocker from NoVirusThanks - by ichito - 19.03.2018, 10:27
RE: OSArmor - behavioural blocker from NoVirusThanks - by Tibu 11 - 08.04.2018, 16:57
