can be executed: alert

Started by shmu26, January 06, 2017, 11:56:50 AM

shmu26

Trying to understand how this setting works.
If I search in Windows Explorer for a process that has this setting, and I click on it to run it, it will start up without triggering an alert.
Why is that?

aDVll

Quote from: shmu26 on January 06, 2017, 11:56:50 AM
Trying to understand how this setting works.
If I search in Windows Explorer for a process that has this setting, and I click on it to run it, it will start up without triggering an alert.
Why is that?
Is it signed and in trusted vendors? Is it launched by a safe application set to just allow children?

Show me the logs of when it happens and I will tell you.

aDVll

Explorer is set to inspect, so it launches PowerShell because you use standard mode and Microsoft is in the trusted vendor list. So it doesn't ask and allows it.

If you want to block PowerShell completely for some reason, use block instead of alert, because removing MS from the trusted vendor list is a bad idea. Too many alerts.
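A quick way to confirm the two facts this explanation rests on from inside the PowerShell window that just opened (which process launched it, and who signed the binary). This is an added example, not ReHIPS code; the $TrustedVendors list is a constructed stand-in for the product's trusted vendor list, which is not shown on this page.

```powershell
# Added example (not ReHIPS code). Reports the parent process of this
# PowerShell instance and the Authenticode signer of its executable, then
# checks the signer against a constructed trusted-vendor list.
$TrustedVendors = @('Microsoft Windows', 'Microsoft Corporation')   # assumption: stand-in list

function Get-LaunchContext {
    param([int]$ProcessId = $PID)

    $me     = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($me.ParentProcessId)"

    $sigStatus = 'NoExecutablePath'
    $signerCN  = $null
    if ($me.ExecutablePath) {
        $sig       = Get-AuthenticodeSignature -FilePath $me.ExecutablePath
        $sigStatus = [string]$sig.Status
        if ($sig.SignerCertificate) {
            # Subject looks like 'CN=Microsoft Windows, O=Microsoft Corporation, ...'
            $signerCN = ($sig.SignerCertificate.Subject -split ',\s*' |
                Where-Object { $_ -like 'CN=*' } |
                Select-Object -First 1) -replace '^CN=', ''
        }
    }

    [pscustomobject]@{
        Process        = $me.Name
        Path           = $me.ExecutablePath
        Parent         = $parent.Name            # explorer.exe when double-clicked from Explorer
        SignatureValid = ($sigStatus -eq 'Valid')
        SignerCN       = $signerCN
        TrustedVendor  = ($sigStatus -eq 'Valid' -and $signerCN -in $TrustedVendors)
    }
}

Get-LaunchContext | Format-List
```

When launched by double-clicking in Explorer, Parent shows explorer.exe; launched from a console it shows cmd.exe or the terminal instead. The SignatureValid/TrustedVendor pair is the part that explains the missing alert: a valid Microsoft signature satisfies the trusted-vendor rule regardless of who the parent is.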

fixer

Thanks for the report. Now that I think about it, it doesn't seem right. If explicit Alert is desired, it should show an alert, even if the file is in trusted signers. We'll change this behavior; added to the TODO list.

Quote from: aDVll on January 06, 2017, 12:47:23 PM
removing MS from the trusted vendor list is a bad idea. Too many alerts.
It gives alerts for programs absent from RulesPack. Can you give a list of these programs so we could add them to RulesPack?

aDVll

Quote from: fixer on January 06, 2017, 03:06:47 PM
Thanks for the report. Now that I think about it, it doesn't seem right. If explicit Alert is desired, it should show an alert, even if the file is in trusted signers. We'll change this behavior; added to the TODO list.

Quote from: aDVll on January 06, 2017, 12:47:23 PM
removing MS from the trusted vendor list is a bad idea. Too many alerts.
It gives alerts for programs absent from RulesPack. Can you give a list of these programs so we could add them to RulesPack?
It's mostly their Store programs, which change version often. I would report them all, but first, not everyone uses them (I do, because they run in AppContainer), and second, they change all the time. I can list them all if you wish, but I was waiting until you add folder and wildcard support to fix it that way.

shmu26

Okay, so here's an idea for the devs, based on what I was trying to do here:
ReHIPS will detect when the user disables isolation for a key app, and will activate a vulnerable processes list, along the lines of NVT ERP.
This will make ReHIPS much more flexible for a wide base of users, some of whom will inevitably want to disable isolation for certain apps.

aDVll

Quote from: shmu26 on January 07, 2017, 07:58:44 PM
Okay, so here's an idea for the devs, based on what I was trying to do here:
ReHIPS will detect when the user disables isolation for a key app, and will activate a vulnerable processes list, along the lines of NVT ERP.
This will make ReHIPS much more flexible for a wide base of users, some of whom will inevitably want to disable isolation for certain apps.
It already does, though, buddy. You set it to inspect or alert, and with the change Fixer mentioned above you can actually easily have a vulnerable process list as you wish. There is zero reason to have an extra tab for them, and ReHIPS already has pretty secure rules for them.
I might be missing what you want.

shmu26

Fixer's proposed change is great.
The idea here is to take the work out of it, for intermediate users who disable isolation on some apps. ReHIPS could build them a nice vulnerable processes list, to trigger execution alerts for whatever they need to keep themselves safe. The pros on the ReHIPS team know what processes need to be alerted when you don't have isolation.
Just an idea, take it or leave it...

aDVll

Quote from: shmu26 on January 07, 2017, 09:17:16 PM
Fixer's proposed change is great.
The idea here is to take the work out of it, for intermediate users who disable isolation on some apps. ReHIPS could build them a nice vulnerable processes list, to trigger execution alerts for whatever they need to keep themselves safe. The pros on the ReHIPS team know what processes need to be alerted when you don't have isolation.
Just an idea, take it or leave it...
I see what you are saying, but it does do that already. The point is not to block the execution of vulnerable processes, but them executing something else. The dev team, I believe, did a good job of setting all of those to inspect, so you get a notification.
Let's say potato.exe is a malware downloader and I allow it to run PowerShell. Good, it runs it, and it tries to execute the actual malware, and I get an alert because PowerShell is on inspect by default.

Don't get me wrong, I am trying to understand what you mean. You want to also block the execution of PowerShell in my example when I change one isolated application to allow?

shmu26

I want it not to block PowerShell, but to alert upon execution.
Why? Because maybe PowerShell, or another process, will be abused by an exploit to make certain system changes such as modifying the registry, or loading DLLs, or disabling all security softs from startup. These are changes that, as far as I understand, do not necessarily require executing a second process, so they won't be blocked or alerted, as things stand now.
Once you take away the isolation, you become vulnerable to this kind of thing.
Please correct me if I am out to lunch on this issue.
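The point in the post above (a registry change and a DLL load need no second process) can be checked directly. The following is an added example, not code from shmu26 or from ReHIPS: it makes both kinds of change from inside a single powershell.exe and then counts the child processes that appeared. The registry key $TestKey is a constructed, harmless location chosen for the demo; a real persistence write would target an autorun location instead.

```powershell
# Added example (not ReHIPS code). Performs a registry write and a DLL load
# inside this PowerShell process and shows that no new child process results.
$TestKey = 'HKCU:\Software\ReHIPSForumDemo'   # assumption: constructed, harmless demo key

function Get-ChildPids {
    # PIDs of every process whose parent is this PowerShell instance.
    # conhost.exe may already be one, so callers compare before/after.
    @(Get-CimInstance Win32_Process -Filter "ParentProcessId = $PID" |
        Select-Object -ExpandProperty ProcessId)
}

function Invoke-InProcessChanges {
    $before = Get-ChildPids

    # 1. Registry modification through the registry provider. The write is
    #    performed by this process via the Win32 registry API; reg.exe is never run.
    New-Item -Path $TestKey -Force | Out-Null
    Set-ItemProperty -Path $TestKey -Name 'Marker' -Value 'written in-process'

    # 2. DLL loading. Add-Type -AssemblyName maps an existing .NET assembly into
    #    this process; nothing is compiled and nothing is spawned.
    Add-Type -AssemblyName System.Windows.Forms
    $loaded = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GetName().Name -eq 'System.Windows.Forms' } |
        Select-Object -First 1

    # 3. Evidence: any child process created during steps 1 and 2.
    $after = Get-ChildPids
    $new   = @($after | Where-Object { $_ -notin $before })

    [pscustomobject]@{
        RegistryValue     = (Get-ItemProperty -Path $TestKey).Marker
        DllLoadedFrom     = $loaded.Location
        NewChildProcesses = $new.Count   # 0: both changes happened with no second process
    }
}

Invoke-InProcessChanges | Format-List

# Remove the demo key again.
Remove-Item -Path $TestKey -Recurse -Force
```

NewChildProcesses comes back 0, which is exactly why a rule that only watches what PowerShell executes sees nothing here: the registry value and the loaded assembly exist, but no execution event was generated. The same write done as `reg add ...` would instead show up as a reg.exe child and be caught by an inspect or alert rule on PowerShell's children.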

aDVll

Quote from: shmu26 on January 07, 2017, 11:11:05 PM
I want it not to block PowerShell, but to alert upon execution.
Why? Because maybe PowerShell, or another process, will be abused by an exploit to make certain system changes such as modifying the registry, or loading DLLs, or disabling all security softs from startup. These are changes that, as far as I understand, do not necessarily require executing a second process, so they won't be blocked or alerted, as things stand now.
Once you take away the isolation, you become vulnerable to this kind of thing.
Please correct me if I am out to lunch on this issue.
PowerShell and things like that need to execute something to do harm. Them just running doesn't do anything; it's just like you running it manually. When they try to execute something, you will get an alert by default.

shmu26

Okay, but PowerShell at its present settings will just inspect children. So if a valid Windows process is invoked by the command line, it will run.

aDVll

Quote from: shmu26 on January 07, 2017, 11:32:48 PM
Okay, but PowerShell at its present settings will just inspect children. So if a valid Windows process is invoked by the command line, it will run.
Cool, the valid Windows process runs. Then?
No Windows process does anything malicious without executing something not from Windows and not whitelisted.

The reason NVT and programs like that have a vulnerable processes list is that the only way for them to control issues is by stopping the first execution, because they just allow or block. ReHIPS has an alert mode and an inspect mode which fills that role, giving you more granular control.