Reza Shamsudin, posted March 29, 2017:

I do not support this kind of understanding, but some of our IT support in Malaysia are advising people:

> DON'T NEED TO USE ANTIVIRUS. JUST USE WINDOWS GROUP POLICY EDITOR (GPO) SETTINGS TO PREVENT VIRUS, MALWARE, RANSOMWARE ATTACK.

Some of us in IT support don't trust that GPO settings alone will make your Windows operating system safe from attack by viruses, malware and ransomware. What do you think, guys? Can we prevent those cyber attacks with only Windows GPO settings?
itman, posted March 29, 2017 (edited):

Ref.: https://technet.microsoft.com/en-us/library/cc960657.aspx

GPO and its counterpart SRP, software restriction policies, are in my opinion designed to restrict end user endpoint activity. For example, GPO can be configured to only allow admins registry access. Malware, on the other hand, can employ a number of ways to escalate privileges and get access to whatever system areas it needs to infect an end user's PC or the entire internal network. This is especially true for advanced persistent threats (APT).

Enterprise security protection involves protecting primarily at the network access gateways and secondly within the internal network. Therefore, enterprise endpoint security protection supplemented with network security appliance protection is a must.
Reza Shamsudin (author), posted March 29, 2017:

4 minutes ago, itman said:
> Ref.: https://technet.microsoft.com/en-us/library/cc960657.aspx
> GPO and its counterpart SRP, software restriction policies, are in my opinion designed to restrict end user endpoint activity. For example, GPO can be configured to only allow admins registry access. Malware, on the other hand, can employ a number of ways to escalate privileges and get access to whatever system areas it needs to infect an end user's PC. This is especially true for advanced persistent threats (APT).
> Enterprise security protection involves protecting primarily at the network access gateways and secondly within the internal network. Therefore, enterprise endpoint security protection supplemented with network security appliance protection is a must.

So from Mr. itman's reply, it means that even with the GPO settings, computer users still must have antivirus protection for their Windows OS, right?

I have already tested Cerber ransomware on my experiment laptop, just using a "Standard User" account in Windows (no administrator permission). Cerber ransomware ran freely without worrying about administrator permission.

For me, just Windows policies (Group Policy settings in Windows) are not enough. They must have antivirus protection on their Windows operating system to counter viruses, malware and ransomware attacks.
itman, posted March 29, 2017 (edited):

10 hours ago, Reza Shamsudin said:
> have already tested Cerber ransomware on my experiment laptop, just using a "Standard User" account in Windows (no administrator permission). Cerber ransomware ran freely without worrying about administrator permission.

Yes. Ransomware works just fine on a standard user account. The only restriction is that it's limited to encrypting files associated with the standard user account. However, there is nothing to stop the payload from containing multiple malware, one of which could elevate privileges.

Also, I suspect the argument is being made that GPO plus Windows Defender is adequate protection against ransomware. I advise anyone with applicable concerns to check out AV lab reports on WD's protection against ransomware. It is absolutely dismal, scoring last place in all recent tests I have viewed.
itman, posted March 29, 2017:

I don't know where Eset stands on rolling out built-in HIPS rules for ransomware for their endpoint solution. I know it was in process but don't know if it has been implemented yet. If not, make sure your endpoints are employing the HIPS rules noted here: http://support.eset.com/kb6119/
Reza Shamsudin (author), posted March 30, 2017:

11 hours ago, itman said:
> I don't know where Eset stands on rolling out built-in HIPS rules for ransomware for their endpoint solution. I know it was in process but don't know if it has been implemented yet. If not, make sure your endpoints are employing the HIPS rules noted here: hxxp://support.eset.com/kb6119/

Thank you ITMan. How efficient is Eset HIPS? Is there any ready template for these HIPS rules?
itman, posted March 30, 2017:

2 hours ago, Reza Shamsudin said:
> Thank you ITMan. How efficient is Eset HIPS? Is there any ready template for these HIPS rules?

Not sure about a template. You might ask in the Endpoint forum section. Did you mean effective vs. "efficient?"

Also, you should read this "best practices" article by Eset on preventing ransomware: http://support.eset.com/kb3433/
jdashn, posted April 18, 2017:

All I know is that AppLocker (set up via GPO) at our organization has saved us more times than Eset (though I'm confident Eset would have caught the infection after install) by preventing the running of executable files within the users' profile folders (with some exceptions). It took some setup, and exceptions need to be made for certain software, but we've not had a major infection since its implementation. I suspect if you keep scripts and EXEs from running, it's hard for them to escalate privileges.

Then again, I'm not going to give up my AV.
itman, posted April 18, 2017:

11 minutes ago, jdashn said:
> All I know is that AppLocker (set up via GPO) at our organization has saved us more times than Eset (though I'm confident Eset would have caught the infection after install) by preventing the running of executable files within the users' profile folders (with some exceptions). It took some setup, and exceptions need to be made for certain software, but we've not had a major infection since its implementation. I suspect if you keep scripts and EXEs from running, it's hard for them to escalate privileges.
> Then again, I'm not going to give up my AV.

Smart move not giving up on your AV. There have been a number of past and present AppLocker bypasses. I posted links to a few below:

http://www.csoonline.com/article/3060242/security/researcher-uses-regsvr32-function-to-bypass-applocker.html
https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html
https://www.rapid7.com/db/modules/exploit/windows/local/applocker_bypass
https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/
http://seclists.org/fulldisclosure/2017/Mar/69
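The AppLocker approach jdashn describes (block execution from user profile folders, carve out exceptions for specific software, keep the AV) can be expressed as a small policy plus an audit-log review. The following is an added example written for this thread; it is not jdashn's policy, an ESET configuration, or Microsoft's default rule set. It assumes an elevated PowerShell prompt on a Windows edition that supports AppLocker with the Application Identity service (AppIDSvc) running; the rule GUIDs are arbitrary but well-formed, and the "ExampleVendor" per-user install path is a hypothetical exception. The policy is deployed in AuditOnly mode first, and the summary function reads the AppLocker event log to show which paths would have been blocked, which is how the exception list gets built before switching to enforcement.

```powershell
# Added example, not the thread's or ESET's code. Standard users (S-1-1-0, Everyone) may
# run code only from Program Files and Windows, so anything launched from a user profile
# is denied by default. Local administrators (S-1-5-32-544) are unrestricted. The
# ExampleVendor path is a hypothetical per-user install that gets an explicit exception.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="5f3a9c21-0001-4c1e-9a55-000000000001" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="5f3a9c21-0002-4c1e-9a55-000000000002" Name="Allow Windows (minus user-writable subfolders)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="5f3a9c21-0003-4c1e-9a55-000000000003" Name="Administrators unrestricted" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="5f3a9c21-0004-4c1e-9a55-000000000004" Name="Exception: hypothetical ExampleVendor per-user install" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\Local\ExampleVendor\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="5f3a9c21-0005-4c1e-9a55-000000000005" Name="Allow scripts in Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="5f3a9c21-0006-4c1e-9a55-000000000006" Name="Allow scripts in Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="5f3a9c21-0007-4c1e-9a55-000000000007" Name="Administrators unrestricted (scripts)" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Write the policy out and apply it to the local machine in audit mode.
# For a domain, apply it to a GPO instead with -Ldap '<LDAP path of the GPO>' (placeholder).
$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath

# Summarise what AppLocker would have blocked (audit) or did block (enforce) over the last N days.
# Event IDs: 8003/8006 = allowed but would have been blocked under enforcement (EXE/DLL and
# script logs respectively); 8004/8007 = actually blocked. Each row is an exception candidate
# or a detection, depending on whether the path belongs to software you expect to see there.
function Get-AppLockerAuditSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = 8003, 8004, 8006, 8007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent errors when no events match, which is a valid result here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # AppLocker events carry their details in UserData/RuleAndFileData, not in the Properties array.
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time = $_.TimeCreated
            Id   = $_.Id
            User = $data.TargetUser   # SID of the account that launched the file
            Path = $data.FilePath     # path in AppLocker variable form, e.g. %OSDRIVE%\USERS\...
        }
    } | Group-Object Path | Sort-Object Count -Descending | Select-Object Count,
        @{ Name = 'Path';  Expression = { $_.Name } },
        @{ Name = 'Users'; Expression = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

Get-AppLockerAuditSummary -Days 7 | Format-Table -AutoSize
```

Run in audit mode for a week or two, add allow rules only for the paths in the summary that belong to vetted software, then change `EnforcementMode` to `Enabled`. The `%WINDIR%\Temp` and `%WINDIR%\Tasks` exceptions exist because those subfolders are writable by standard users, so allowing all of `%WINDIR%` would leave a gap in a path-based policy; the bypasses itman links to are the reason path rules like these are a complement to AV, not a replacement for it.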
Reza Shamsudin (author), posted April 18, 2017:

Thank you jdashn & itman for the opinions. For me, yes, the settings under Windows/Software Policies do help in virus, malware and ransomware prevention. But the Windows/Software Policies can't take over the job that has been done by the antivirus for so long, protecting the computer users.
Reza Shamsudin (author), posted April 18, 2017:

On 3/30/2017 at 8:55 PM, itman said:
> Not sure about a template. You might ask in the Endpoint forum section. Did you mean effective vs. "efficient?" Also, you should read this "best practices" article by Eset on preventing ransomware: hxxp://support.eset.com/kb3433/

Ok itman, I will ask there. Thank you anyway.