There are some interesting Windows News in case you did not notice:
The Good is an instance where Microsoft is reworking their Operating System(for WIndows10) and adding an Anti Malware Security Software called AMSI (AntiMalware Scan Interface)
Script Based Attacks in Windows 10’s AMSI – Anti Malware Scan Interface has been developed. And the following presentation at BlackHat 2016 gives the details:
This means there is now an additional layer of defense on Windows10 that prevents some scripts from running.
The Bad: An old flaw in Microsoft’s browsers (including the latest one – The Edge) allows an ingenious server to collect your usernames and passwords for your Microsoft account.
From ZDNet story 8/2
This means if you use a Microsoft browser you will not notice when your username and password is stolen by server programs.
The remaining slides in the BlackHat AMSI presentation are spent on how one would bypass the AMSI to attack a computer.
Following are interesting points:
Signature bypass- Obfuscation
Not really hard to bypass AMSI using this
- remove help section
- Obfuscate function and variable names
- Encode parts of script
Obfuscation functionality in ISESteroids Module – Fast and very effective at the time of writing.
So what started out as a promising defense mechanism now is already just another program to bypass. There are also ways to bypass AMSI without showing a notification to the user, although it does need elevated privileges (username and password with permissions).
So now what? It figures what started as a method to stop powershell and other scripts AMSI is just another program to bypass. It is as if Microsoft develops their programs without anyone trying to hack them.
I have mentioned this before but it is wise to have another entity check you to see if there is anything you missed, or even to just have a different mind look at your creation.
The above instances prove this adage once again.
As far as Microsoft is concerned we all know how important getting the program to the computing population is, and again it is proven that Microsoft tends to err in publishing software rather than waiting and releasing with more tests.
We think testing should be built into your methods:
Contact Us to discuss how to improve your security programs.