Dan (Keymaster) - March 14, 2020 at 2:43 pm

I forgot to mention that the other reason to not just blindly and lazily block the initial sponsor (#2 from above post) is so the vulnerable process “anti-exploit” mechanism can be applied to pretty much all Windows processes. In a nutshell, the OS does exactly what it is supposed to do, and nothing else (based on the event chain)… which happens to work seamlessly with our snapshot / toggling. Once you realize that VS applies this mechanism to all but a small handful of Windows processes, you will realize how advanced and secure it is.
In other words, if you want to harden Windows, blindly and lazily disabling key components is one way to do it. Or you can develop something more sophisticated that intelligently hardens Windows by carefully monitoring the entire chain of events. VS is not a traditional, standard or simple anti-exe / application whitelisting utility… and it cracks me up when people suggest that it is. As I have said many times, even though it appears deceptively simple on the surface, under the hood VS is far more advanced than what anyone would guess. Part of that is my fault for not explaining how it works and educating people on VS.
Do you guys remember a couple / few years ago when the VS betas had a lot of strange blocks? Well, this is what we were developing and refining. It took a very long time to work out the kinks and was a major PITA for the beta testers and myself, but it was certainly worth it.
BTW, when testing VS with the test app, be sure to delete the command line if you move the file to a different location on the hard drive. I did this a couple of times and wondered why VS seemingly allowed something it should not have ;).