Eset Needs A Generic DNA Sig For This ASAP!


itman

Situation

Microsoft, in their "ultimate non-wisdom", has provided a way to disable the Meltdown and Spectre patches by adding the reg. value FeatureSettingsOverrideMask to this reg. key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. By "bit-flipping" in FeatureSettingsOverrideMask, one can disable either the Meltdown or Spectre patches, or both. This override was supposed to be applicable only to Win Server OSes, but security enthusiasts have discovered it also works on Win OS desktop versions.

To make matters worse, security orgs. that should know better have provided software that automates the process: GRC's InSpectre portable app, which can be downloaded here: https://www.grc.com/inspectre.htm . A dozen or so AV vendors are detecting this reg. modification activity; Eset is not.

BTW - I also need the HIPS bug fix I previously posted implemented now so that I can protect reg. keys like this myself.

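As an added example (not code from the post, from ESET, or from GRC's InSpectre), here is a PowerShell audit of the two values the post refers to. The bit meanings come from Microsoft's KB4072698/KB4073119 guidance: bit 0 of FeatureSettingsOverride switches off the Spectre variant 2 (CVE-2017-5715) mitigation and bit 1 switches off the Meltdown (CVE-2017-5754) mitigation, but only where the matching bit is also set in FeatureSettingsOverrideMask. The function names (`Test-OverrideBits`, `Get-SpecMitigationOverride`, `Restore-SpecMitigations`) and the constructed sample values are my own.

```powershell
# Added example, not part of the forum post or of ESET's/GRC's software.
# Reads the two DWORDs Microsoft documents (KB4072698 / KB4073119) under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
# and reports which mitigations a "bit flip" has switched off.
#
# Documented bit meanings of FeatureSettingsOverride (applied only where the
# corresponding bit of FeatureSettingsOverrideMask is set):
#   bit 0 (value 1) -> Spectre variant 2 (CVE-2017-5715) mitigation disabled
#   bit 1 (value 2) -> Meltdown (CVE-2017-5754) mitigation disabled
# So Override=3, Mask=3 disables both; Override=0, Mask=3 re-enables both.

$MemMgmtKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$SpectreV2Bit = 1
$MeltdownBit  = 2

function Test-OverrideBits {
    # Pure helper (assumed name) so the decoding can be checked with constructed values.
    param(
        [int]$Override,
        [int]$Mask
    )
    # Only bits present in BOTH values take effect.
    $effective = $Override -band $Mask
    [pscustomobject]@{
        Override          = $Override
        Mask              = $Mask
        SpectreV2Disabled = (($effective -band $SpectreV2Bit) -ne 0)
        MeltdownDisabled  = (($effective -band $MeltdownBit) -ne 0)
    }
}

function Get-SpecMitigationOverride {
    # Read the live values (no admin rights needed to read); a missing value means "no override", i.e. 0.
    $props = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $override = if ($null -ne $props.FeatureSettingsOverride)     { [int]$props.FeatureSettingsOverride }     else { 0 }
    $mask     = if ($null -ne $props.FeatureSettingsOverrideMask) { [int]$props.FeatureSettingsOverrideMask } else { 0 }
    Test-OverrideBits -Override $override -Mask $mask
}

function Restore-SpecMitigations {
    # Writes Microsoft's documented re-enable values: Override = 0, Mask = 3.
    # Needs administrator rights (HKLM) and a reboot before it takes effect.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'Set FeatureSettingsOverride=0, FeatureSettingsOverrideMask=3')) {
        Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -Type DWord -Value 0
        Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -Type DWord -Value 3
    }
}

# Constructed values showing how the decoding behaves (no registry access):
Test-OverrideBits -Override 3 -Mask 3 | Format-List   # both mitigations disabled
Test-OverrideBits -Override 1 -Mask 1 | Format-List   # Spectre v2 only
Test-OverrideBits -Override 3 -Mask 0 | Format-List   # mask 0: override bits ignored

# Read-only audit of this machine:
$state = Get-SpecMitigationOverride
if ($state.SpectreV2Disabled -or $state.MeltdownDisabled) {
    Write-Warning "Speculative-execution mitigations overridden:`n$($state | Out-String)"
    # After review, preview the fix with: Restore-SpecMitigations -WhatIf
} else {
    Write-Output 'No effective mitigation override set.'
}
```

The mask check matters for detection logic: a tool that flags any non-zero FeatureSettingsOverride will false-positive on a host where the mask is 0 and miss nothing on one where it is 3, so decode both values together, as the helper does. Writing HKLM values requires an elevated session, which is the point the ESET moderator makes in the reply below.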

  • ESET Moderators

Hello itman,

when it comes to protection of the registry keys, as the keys are under HKEY_LOCAL_MACHINE, the attacker would need full admin rights.

Once the attacker has them, he already has full access to the system, so there is no need to enable further vulnerabilities in the system, from my point of view.

When it comes to the mentioned bug, can you please share the direct URL to the post?

I had quite a long holiday, so I do not have an overview...

Regards, P.R.


Hi Peter,

It appears Microsoft has been informed of these "shenanigans" and SmartScreen is now blocking access to the GRC web site link I posted. I assume this would also apply to any resultant download from the site. As far as requiring full admin access goes, it is currently just too easy for hackers to obtain it or to bypass UAC.

As far as the HIPS bug fix for the registry I am awaiting, that is described here: https://forum.eset.com/topic/14213-major-hips-issue/ . Simply put, some reg. keys have spaces in their names, e.g. "Session Manager". Based on my experience with the HIPS, it appears the HIPS stops parsing the key name when it encounters a space.

-EDIT- This could easily be fixed by changing parse termination to two contiguous spaces. This might also allow parsing of the cmd.exe optional parameters I recently posted about in the IS/SS Suggestion thread.


44 minutes ago, persian-boy said:

But HIPS in interactive mode can catch everything!

The question is: if malware is using a legit System32 process running hidden to bypass the default UAC setting in Windows, do you have the "smarts" to realize this is malware-initiated activity? Note that setting UAC to the maximum level will detect most of this type of activity, but most users are "clueless" about that option. And many who do know refuse to implement it because of the minor annoyance of increased UAC prompts.


No, I'm not that smart! But I'm using an SUA account with UAC at max, plus SRP and a lot of group policy tweaks! I have no problem with this config.
But if I want to install something, then alerts come (painful)! You have to choose between security or usability (you know that). How did that malware run when I have SRP?! Magically? So I don't need to be a smart boy, I just need to turn on SRP and fix the problem from the beginning. Even without SRP, where did that hidden malware come from? The user needs to run it (.exe, .bat files or ...). I mean, you need to click on something! Btw, Eset needs to fix the bug you found.

