Posts

Application Control - AppLocker and Windows Defender Application Control Overview

Process to reduce risk
The administrator uses application control to restrict the applications users are allowed to run. Application control policies are used to block unsigned scripts and MSIs and to implement Windows PowerShell constrained mode. Security administrators will want to use application control alongside endpoint protection products such as antivirus and endpoint detection and response. Application control uses a predetermined list of parameters to allow trusted applications to run on the endpoint while blocking all others. Implementing application control can stop malware and unauthorized software. Microsoft implements application control for their operating systems. Microsoft Windows 10 and Windows 11 include Windows Defender Application Control (WDAC) and AppLocker. AppLocker will run on older Windows versions such as Windows 7, Windows 8/8.1, and Windows Server 2008 up through Windows 11 and Windows Server 2019. I...

Antivirus Weaknesses

Poor signature-based detection
Antivirus or antimalware software runs on the endpoint and watches for malicious binaries. One weakness is the inability to detect newer malicious binaries, because the antivirus must be updated once the new malware is discovered. In this case, some businesses' and users' systems are compromised because the attack uses a newly developed binary that their antivirus does not know about. After the successful attack, the antivirus vendor updates their product, and all their customers are now protected. Malware writers test their binary against antivirus detection and alter it until it is no longer detected before deploying it again.

Incomplete Detection
Another possible antivirus weakness is the inability to detect malware that uses certain parts of the operating system. The attacker entices the user to download software that appears to be an "update". The "update" enters ...

Software Firewall

A software firewall or host-based firewall runs on each server or workstation rather than being a separate device or hardware appliance. In some cases, host-based firewalls are available as part of the operating system, or the user can download and install one from a software firewall vendor. Host-based firewall settings can vary from host to host and can protect the host from attacks on the local network as well as from other networks.

The value of a host-based firewall is that it works against threats that pass through the network firewall. For example, if an attacker uses a malicious email to compromise one of the network hosts and then attempts to spread to neighboring computers, the host-based firewall will block those attempts. Using a host-based firewall is an important step in preventing reconnaissance, lateral movement, and the spread of malware. Once an attacker compromises a workstation, he or she may use tools to scan the...