Quite a while ago, I provocatively asked the question of whether anti-malware technology is dead. Back then it caused quite some reaction. Honestly, I still see little value to be added by classical anti-malware products if we were finally willing, able and ready to use the technology that is built into today's operating systems. Unfortunately, these technologies are rarely leveraged. In the above-mentioned post I listed them for Windows:
- Deploy the Enhanced Mitigation Experience Toolkit (EMET). EMET allows you to switch on the key technologies built into Windows to protect your environment. Basically, it leverages Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP) and Address Space Layout Randomization (ASLR). Having these technologies deployed makes it harder to exploit vulnerabilities.
- Leverage AppLocker in the Application Control Policies of your Security Settings. You can start fairly straightforwardly: there is really no need for a user to start an application from the user profile path or from a temp directory, nor to install from there (with the possible exception of the Downloads path). If you want to invest more time and resources, you can move towards whitelisting your applications, but the simplest way forward is to protect those two paths.
- Switch on BitLocker to protect the boot process of the operating system.
- Use Windows Defender as your AV engine.
AppLocker is unfortunately rarely used, and certainly not for whitelisting applications. You can, as I stated above, make sure that applications cannot be started from the temp or user directory, but I have rarely seen any company really deploying whitelisting. It would actually stop a lot of attacks!
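As an added example (not from the original post), here is the "protect those two paths" starting point expressed as an AppLocker policy: deny rules for the user profile and temp directories, with Downloads carved out, applied in audit mode first so the log can be reviewed before enforcing. The policy file location, the sample executable paths and the user name are assumptions for the demo.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Starts in AuditOnly: review the 8003 "would have been blocked" events under
# Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL
# before changing EnforcementMode to Enabled.
$policyPath = "$env:ProgramData\applocker-userpaths.xml"   # assumed location

# AppLocker deny rules take precedence over allow rules, so this can be merged
# into an existing policy (e.g. the default rules) without weakening it.
# S-1-1-0 is the well-known SID for Everyone.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE in user profiles"
        Description="User-writable profile locations should not be executable"
        UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny EXE in Windows temp"
        Description="Shared temp directory" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policy -Encoding UTF8

# Dry run: what verdict would each (constructed) path get for Everyone?
$samples = @(
  "C:\Users\alice\AppData\Local\Temp\setup.exe",  # matched by the profile deny rule
  "C:\Users\alice\Downloads\installer.exe",        # exempted; DeniedByDefault until an allow rule covers it
  "C:\Windows\Temp\dropper.exe"                     # matched by the temp deny rule
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
  Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy and make sure the enforcing service is running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service -Name AppIDSvc
```

Once the audit log shows no legitimate business applications being flagged, switch the collection to Enabled; the fuller whitelisting path is to keep these deny rules and add publisher or hash allow rules for what users actually need.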
NIST has now published an interesting paper: NIST Publishes Application Whitelisting Guide. It will be interesting to see whether it survives the confrontation with reality, but it is definitely an interesting direction.