
Malvertising, weaponized documents continue to threaten networks

  • February 22, 2016
  • 17 replies
  • 36 views

Jasper_The_Rasper
Moderator
February 22nd 2016, by Kacy Zurkus
 

How to be prepared for a browser-based attack

 
How a large video malvertising campaign attacked users, according to The Media Trust.
Credit: The Media Trust
 
When a catastrophic attack hits, companies either have to start over or pay the ransom, as we've seen far too often in the headlines.
 
"One of the first things anybody needs to do is create a backup of their system. They need a backup system for long term storage of the data that they love," said Invincea’s director of security analytics, Pat Belcher. "You’d be surprised at how many veterans ignore this as well."
Belcher offered an overview of what Invincea has identified as the most advanced endpoint threat trends in browser-based attacks, along with some suggestions for prevention, detection, and response.
 
Full Article

17 replies

  • Community Guide
  • February 22, 2016
Good article. Just for the record, HitmanPro has a free app called HitmanPro.Alert which hardens one's browser; in my humble opinion it's quite impressive. It provides keystroke encryption, exploit mitigations and much more.

RetiredTripleHelix
Gold VIP
@Antus67 wrote:
Good article. Just for the record, HitmanPro has a free app called HitmanPro.Alert which hardens one's browser; in my humble opinion it's quite impressive. It provides keystroke encryption, exploit mitigations and much more.
Well, I would say WSA's Web Shield and Identity Shield would have the same protection in this case.
 
Daniel
 
RetiredTripleHelix
Gold VIP
I get bad attachments all the time; have a look at this one.
 
Daniel ;)
 
https://www.virustotal.com/en/file/064dd0c200550fdbc9844f1015a8d084dde782ad7de75cc11e4c8146c9545ec1/analysis/1456166958/
 
Mon 2016-02-22 13:47:29.0201 Infection detected: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0201 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0201 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0411 Infection detected: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0411 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0412 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0631 Infection detected: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0632 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0632 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0860 Agent Bits : 0
Mon 2016-02-22 13:47:29.0966 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [(null)]
Mon 2016-02-22 13:47:30.0116 Begin passive write scan (1 file(s))
Mon 2016-02-22 13:47:30.0800 Infection detected: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:30.0800 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
 
Note: This is not recommended for common users; it's just a test in a protected environment on my PC!

DanP
  • OpenText Employee
  • February 22, 2016
@RetiredTripleHelix wrote:
I get bad attachments all the time; have a look at this one.
 
Daniel ;)
 
https://www.virustotal.com/en/file/064dd0c200550fdbc9844f1015a8d084dde782ad7de75cc11e4c8146c9545ec1/analysis/1456166958/
 
Note: This is not recommended for common users; it's just a test in a protected environment on my PC!
Another perfect example of an email that should be deleted before even opening it.
 
-Dan

RetiredTripleHelix
Gold VIP
@DanP wrote:
Another perfect example of an email that should be deleted before even opening it.
 
-Dan
Correct!
 
Daniel

  • Popular Voice
  • February 22, 2016
@DanP wrote:
@RetiredTripleHelix wrote:
I get bad attachments all the time; have a look at this one.
 
Daniel ;)
 
https://www.virustotal.com/en/file/064dd0c200550fdbc9844f1015a8d084dde782ad7de75cc11e4c8146c9545ec1/analysis/1456166958/
 
Note: This is not recommended for common users; it's just a test in a protected environment on my PC!
Another perfect example of an email that should be deleted before even opening it.
 
-Dan
Yes indeed, but... when you are expecting an important package to arrive and it does not turn up, or the delivery was missed, and then the user sees such an email from FedEx or wherever, then perhaps not we, but many others WILL open it! Good to see that WRSA will jump on it, but still, I'd prefer that it's detected and destroyed much sooner!

  • Popular Voice
  • February 22, 2016
@Antus67 wrote:
Good article. Just for the record, HitmanPro has a free app called HitmanPro.Alert which hardens one's browser; in my humble opinion it's quite impressive. It provides keystroke encryption, exploit mitigations and much more.
HMP.alert is a great barrier to this kind of malware, but I had too many problems when running it alongside WRSA, so I fell back to just using reliable WRSA on most of my PCs.

  • Popular Voice
  • February 22, 2016
So few companies detected that one, wow. Behavioral is definitely the way to go, but as an extra layer I really want online lookup signatures as well, to delete the little buggers off my drive as soon as possible! ;)
 

Baldrick
  • Gold VIP
  • February 22, 2016
Hi cavehomme
 
I have tested and run HMP.A with WSA over a number of months and have not had a single issue. If you would like to share what you have been seeing, maybe I can help out here.
 
Regards, Baldrick

RetiredTripleHelix
Gold VIP
@cavehomme wrote:
Yes indeed, but... when you are expecting an important package to arrive and it does not turn up, or the delivery was missed, and then the user sees such an email from FedEx or wherever, then perhaps not we, but many others WILL open it! Good to see that WRSA will jump on it, but still, I'd prefer that it's detected and destroyed much sooner!
In this case WSA detected the payload, as the DOC file ran a script trying to download the payload after opening, so the actual DOC was not an infection but the payload was, and it was detected by WSA. So, as @DanP said, when you see attachments from people you don't know it's best to just delete them.
 
And this is the detection of the Payload: https://www.virustotal.com/en/file/f6070599b201e0220bdd5c751766aa8cfb00faab3ab404b3b3ad8738ee575963/analysis/
 
Daniel 😉
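As an added example (not code from the thread or from Webroot), a small Python parser for the WSA log records Daniel pasted: it collapses the many repeated hits on one file into a single incident keyed by MD5, ignores the one event that carries "(null)" instead of a signature name, and flags an executable sitting in the user's temp directory, which is the DOC-runs-script-downloads-payload sequence described above. The record layout is inferred from the pasted lines only; the bracketed numeric codes are matched but not interpreted.

```python
import re

# Records taken from the WSA log pasted in this thread (backslashes restored); the last line is non-detection agent noise.
WSA_LOG = r"""
Mon 2016-02-22 13:47:29.0201 Infection detected: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0201 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0411 Infection detected: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B] [3/00080001] [W32.Trojan.Gen]
Mon 2016-02-22 13:47:29.0966 Infection found in realtime: c:\users\daniel\appdata\local\temp\idd3.exe [MD5: ED3FA096244598CD0422C49D6DF3555B, Size: 154624 bytes] [524289/00000003] [(null)]
Mon 2016-02-22 13:47:29.0860 Agent Bits : 0
"""

# One pattern covers both record kinds; only "found in realtime" carries a Size field, hence the optional group.
EVENT_RE = re.compile(
    r"^\w{3} (?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+) "
    r"Infection (?:detected|found in realtime): (?P<path>.+?) "
    r"\[MD5: (?P<md5>[0-9A-Fa-f]{32})(?:, Size: (?P<size>\d+) bytes)?\] "
    r"\[[^\]]*\] \[(?P<name>[^\]]*)\]$"
)

# Staging directories a document-borne downloader typically writes its payload to.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def parse_events(text):
    """Return one dict per detection record, skipping unrelated agent chatter."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Collapse repeated hits on one file (same MD5) into a single incident."""
    incidents = {}
    for e in events:
        inc = incidents.setdefault(e["md5"].upper(), {
            "path": e["path"].lower(), "first_seen": e["ts"],
            "hits": 0, "size": None, "names": set()})
        inc["hits"] += 1
        if e["size"]:
            inc["size"] = int(e["size"])
        if e["name"] != "(null)":  # "(null)" is an event with no signature name
            inc["names"].add(e["name"])
        # An .exe in a temp directory matches the "DOC runs a script that downloads the payload" pattern, so flag it.
        inc["staged_in_temp"] = (inc["path"].endswith(".exe")
                                 and any(d in inc["path"] for d in TEMP_DIRS))
    return incidents
```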

  • Popular Voice
  • February 27, 2016
Thanks Baldrick, but I removed .alert a while ago and am now just relying upon HMP as a second opinion.
 
I'm curious though, if WRSA works so well, why would we need to have an anti-exploit layer?
 
By the way, I've gone full circle on my main laptop and it's now running WRSA again. I discovered in my tests that Windows Defender did not detect some malware when scanned, whereas on Virustotal the Windows malware engine did detect the sample I uploaded. This happened to quite a few, and I had the latest signatures, so there seems to be an issue with WD on PCs, whereas on Virustotal it's picking up most things that I throw at it.
 
Despite potential shortcomings, WRSA does seem to be the best all-round software, including the ability to safely do online banking.

Baldrick
  • Gold VIP
  • February 28, 2016
Hi cavehomme
 
We don't NEED to have an anti-exploit layer, and in fact we don't need to have any additional defences, strictly speaking... it is just that some of us prefer to have some backup... just in case, as it has been said many a time, nothing... not even WSA... is 100% effective 100% of the time.
 
Regards, Baldrick
 
 

  • Popular Voice
  • February 28, 2016
@Baldrick wrote:
Hi cavehomme
 
We don't NEED to have an anti-exploit layer, and in fact we don't need to have any additional defences, strictly speaking... it is just that some of us prefer to have some backup... just in case, as it has been said many a time, nothing... not even WSA... is 100% effective 100% of the time.
 
Regards, Baldrick
 
Baldrick, which version of Windows are you running? My issues between WRSA and HMP.alert were with Windows 7; I have not tried it yet on 10.

  • Popular Voice
  • February 28, 2016
@Baldrick wrote:
Hi cavehomme
 
We don't NEED to have an anti-exploit layer, and in fact we don't need to have any additional defences, strictly speaking... it is just that some of us prefer to have some backup... just in case, as it has been said many a time, nothing... not even WSA... is 100% effective 100% of the time.
 
Regards, Baldrick
 
...and you run Voodoo Shield as well as .alert?

Baldrick
  • Gold VIP
  • February 28, 2016
Hi cavehomme
 
I run Windows 10 Pro on the system that I have HMP.A installed on. Yes, I run VS AND HMP.A because I am an official beta tester for both apps... that is the reason, and not because I do not believe that WSA is enough protection on its own.
 
Before becoming a beta tester for both products I ran WSA all on its own, and it did a sterling job protecting me on a number of occasions when there was a need.
 
Now personally, I do like a goodly amount of control of what runs on my system and if I were not beta testing it then I would use VS as a replacement for UAC (which is a major pile of doodoo IMHO...;)).
 
Regards, Baldrick
 

  • Community Guide
  • February 28, 2016
Sorry, don't agree with you. It's always important to have layers of protection for backup or a second opinion. No... single security application is 100% foolproof.

  • Community Guide
  • February 28, 2016
I agree with you 100%, Baldrick, on your assessment of security applications.