Security and privacy Q&A

The XDA hack was phishing for user login/password info, and the XDA hack specifically went after Defender's trust stores, which is what the "anti-malware signing level requirements" message indicates.

I think your actual threat is quite low, but it wouldn't hurt to reset and/or reinstall Firefox (and any other browser you use too), as part of the XDA hack was placing some pre-hack code in an earlier visit which would then "activate" with the second attempt.

BTW: It's not widely discussed, but Defender does seem to hard crash a system as a sort of "last resort", at least in some cases where an intrusion may be attempted and Defender recognizes an intrusion but doesn't have explicit definitions yet.


Sounds like a plan, and is easy enough. Maybe related, Firefox had updated 14 minutes before the hard crash.

Is there any merit in trying to use a restore point? Do those even still do anything?

They do have solid value as a “known good” installation, but the challenge would be determining when the first code plant (if this indeed was like the XDA hack) occurred and doing a restore prior to that.

Thus it would be not much more than a "best guess" otherwise… I think cleaning your browsers and, if you do banking on that PC, taking a quick check of your account is more than sufficient.

And at least to my knowledge, you haven’t posted anything odd here :slight_smile:

Thanks. The most recent restore point is from before a huge list of updates. I always worry that a restore could leave some things in some broken state. So I guess I'll just reinstall Firefox just in case, and keep an eye on login alerts. Sometimes I wish I didn't know where to look, because I know just enough to be concerned, but not enough to really figure out what's going on. Bad combination!


yeah the old conundrum … Is it paranoid to think everyone’s out to get you when in the past it has been shown that yes, people really are out to get you…

Given that I keep Defender and Windows up to date, this would have to be a (near) zero-day attack, and AFAIK those aren't wasted on regular JoeSchmoe. So… I should be fine.

Still a little unnerving though, I hate it when crashes leave a bunch of suspicious looking breadcrumbs, making me reach for the tinfoil hat. Posting this from a fresh Firefox install. :vb-grin:


Very true. In the past when we’ve helped customers that have had significant attacks/intrusions, our lead PC security expert will often get asked “what can I do differently?” He of course answers with what applied in their case, but the follow on question is always “what can I do to prevent it in the future”.

And sadly, beyond the usual (always keep patched and up to date and avoid obviously sketchy websites), the real answer is "not that much".

One CIO, after our engineer (who's ex-FBI cyber security, BTW) engaged in an extended discussion with him on the topic only to arrive at the point of accepting that to a large degree it's still pretty much whack-a-mole out there right now, told me never to let him speak to a seriously paranoid or depressed person ever :slight_smile:

On the bright side, the really sophisticated attacks such as what the NSA uses are only targeted at the worst of the worst, people-wise, and the vast majority of us aren't worth the effort…


This is what I’m pinning my hopes on. Once a given attack vector becomes sufficiently commonplace to affect the average JoeS, the big AV vendors will jump on it.

That said, I recall years ago that my browser suddenly did some things in rapid succession, only for a tiny PDF to end up in my downloads folder. Defender said it was fine. I left it in my downloads folder in a subfolder that I wouldn't open accidentally, and lo and behold, months later Defender ended up flagging that thing as something bad.

Moral of the story: prepare to get hacked! :sob:

Still feeling uncomfortable after that unexpected hard reboot. What's the best "bootable-from-USB" type virus scan? Kaspersky? Or are they too much of a "bad guy" outfit? Any others? I'd love to get a supposed clean bill of health just for peace of mind (while acknowledging that there's a chance that a scanner might overlook ports that were opened or services/protocols that were enabled).

On a related note, MS used to make the Microsoft Baseline Security Advisor, does something like that still exist? It was pretty great, basically gave a report card for a wide range of settings. Maybe “Acronis Cyber Protect”? Other options?

I think you may be worrying more than you need to about this. Defender seemed to do its job, albeit inelegantly, by blue screening your system when something tried to alter the trust stores.

As to the bootable solutions to do a scan, we aren’t fans generally as bad actors are specifically targeting them (avoidance).

Realistically, about the only thing you can do if you are really concerned is to take the drive to a known good and up to date system and scan it there. Of course that won’t do anything about a UEFI incursion.

That being said, the other realistic thing you can do is just keep an eye on your Windows directory, specifically its overall size and number of files. The size will fluctuate a bit in normal use due to expansion and contraction of the page file, but it shouldn't be a wide swing.
Same with the number of files, which should only significantly change when there is a large cumulative update or if you install an app that uses something like MS .NET libraries where you didn't use them previously.

TLDR, I wouldn’t worry about it, if it was my system and you seem to be as vigilant as I am.

Sadly it does once again point out how relatively powerless users are, if some bad actor is determined to infiltrate a system.

That being said, I think most here pay close enough attention to their systems to notice changes in them that could indicate suspicious behavior, such as suddenly taking longer to boot, or your router lighting up like a Christmas tree when your systems are nominally idle.

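The "watch the size and file count of your Windows directory" suggestion above can be turned into a repeatable check. The script below is an added example, not something posted in the thread: it snapshots `%SystemRoot%`, writes a baseline JSON file on the first run (the baseline path is an assumed, arbitrary location), and on later runs reports the delta together with the most recently written files, which is the first thing to look at when the numbers move. The thresholds are arbitrary; a cumulative update legitimately adds thousands of files, so the point is to explain the change, not to alarm on it.

```powershell
# Added example (not from the thread): baseline and compare C:\Windows size/file count.
$BaselinePath = "$env:USERPROFILE\windows-dir-baseline.json"   # assumed location
$Target       = $env:SystemRoot

function Get-DirSnapshot {
    param([string]$Path)
    # -Force includes hidden/system files; files that cannot be read are skipped
    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Taken     = (Get-Date).ToString('o')
        Path      = $Path
        FileCount = @($files).Count
        Bytes     = ($files | Measure-Object -Property Length -Sum).Sum
        # Newest items are the first thing to inspect if the counts have moved
        Newest    = $files | Sort-Object LastWriteTime -Descending |
                    Select-Object -First 10 FullName, Length, LastWriteTime
    }
}

$now = Get-DirSnapshot -Path $Target

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $now | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    "Baseline recorded: {0:N0} files, {1:N2} GB" -f $now.FileCount, ($now.Bytes / 1GB)
    return
}

$base       = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
$deltaFiles = $now.FileCount - $base.FileCount
$deltaGB    = ($now.Bytes - $base.Bytes) / 1GB

"Baseline taken : $($base.Taken)"
"Files          : {0:N0} -> {1:N0} ({2:+#,0;-#,0;0})" -f $base.FileCount, $now.FileCount, $deltaFiles
"Size           : {0:N2} GB -> {1:N2} GB ({2:+0.00;-0.00;0.00} GB)" -f ($base.Bytes / 1GB), ($now.Bytes / 1GB), $deltaGB

# Arbitrary thresholds: large swings should be explainable by an update or an install.
if ([math]::Abs($deltaFiles) -gt 2000 -or [math]::Abs($deltaGB) -gt 2) {
    Write-Warning "Large change since the baseline; most recently written files:"
    $now.Newest | Format-Table -AutoSize
}
```

Run it once right after a known-good state (for example straight after a cumulative update has settled) to record the baseline, then periodically; delete the JSON file to re-baseline after a big update. Saved scripts need an execution policy that allows them (`Set-ExecutionPolicy -Scope CurrentUser RemoteSigned`).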

Indeed. As you mentioned, like probably most on this forum I keep an eye out for suspicious behavior. But I let Windows Defender do its thing otherwise. I have managed to go my entire computer life without an infestation (knock on wood) but I realize that if I am targeted by a bad actor I’m doomed. Just as if I got robbed at gunpoint. Powerless.


Thanks for this and the rest in that post. It’s not a constant concern, just this nagging feeling that my system may be compromised. So if anyone can think of some tool that could detect traces of a compromise on my system that would be great. Or maybe I should move all banking etc to my iPad.

FWIW, the system didn’t even bluescreen. It went straight from typing something in a text box in the browser to “boom! black screen, windows logo” in the span of two tenths of a second or so. I’ve never seen that before. The attempt to load the unsigned file into Defender occurred after the hard crash, so the crash wasn’t Defender using its last way out. It was “hard crash” followed by (seemingly) attempts to do nefarious stuff. Brr.

Unfortunately I’m one of those people who has a lot of apps and settings tweaked ‘just so’, so I’d hate to have to reinstall the whole dang system. Your idea of scanning the drive on a separate machine sounds great, if MS didn’t make it so gosh darned difficult to take out the SLS SSD. And even then, UEFI could still be compromised. It’s a scary world out there… :scream:


We've actually seen Defender do precisely what you are describing, e.g. something tried to alter the stores, Defender went "WTF, no!" and shut down, then with Secure Boot active rejected the attempt outright.


I need to check the timestamps, but IIRC the "Defender attempted to load something" Event Viewer item came a while after that reboot. Does that make sense to you? All your responses are much appreciated BTW, if that wasn't clear. :+1:t2:

You are always welcome for any help I can offer. That's still consistent with what I'm saying, as Secure Boot itself doesn't have anything UI-wise to alert you, so it writes a file out to Defender to display.

BTW: There is one other thing you can do that would/should show a successful incursion occurred, but it is a total PITA: do a reset of Windows with the "keep my files" option. What will happen is that when Windows is reinstalled, it will fail an integrity check midway through and hard crash. At that point the only option is to reboot in safe mode and do a full reinstall and wipe your files.

EDIT: to be clear. I think you are fine and would not recommend this as it’s a lot of effort for what is likely no benefit.


I think I already ran a repair install (I really should be taking note of these things…) which I think is one step more conservative than the one you mention. I might leave it that.

Oh, and I just disabled SMBv1 which MS recommends one should do, so I’m not sure why it was enabled. I looked for it because the warning “One or more named pipes or shares have been marked for access by anonymous users” pointed to SMB as the relevant protocol.

I might still try to track down more about the warning “an administrator has enabled insecure guest logons” but THEN I’ll leave it at that. Probably. :grimacing:

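The two warnings quoted above (anonymous access to named pipes/shares, and insecure guest logons) and the SMBv1 finding all live in a handful of SMB settings that can be audited and fixed from one elevated PowerShell session. The script below is an added example, not from the thread or from Microsoft; it reads each setting, reports it, and disables SMBv1 and insecure guest logons, while only warning about null-session pipes/shares rather than clearing them, since those lists sometimes carry entries an application still needs.

```powershell
# Added example (not from the thread): audit and harden SMB settings. Run elevated.
#Requires -RunAsAdministrator

# 1. SMBv1: the optional feature (client+server binaries) and the server protocol switch
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1Protocol feature       : $($feat.State)"
if ($feat.State -ne 'Disabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    "  -> SMB1Protocol feature disabled (reboot required to finish removal)"
}
$srv = Get-SmbServerConfiguration
"Server EnableSMB1Protocol  : $($srv.EnableSMB1Protocol)"
if ($srv.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "  -> server-side SMB1 disabled"
}

# 2. Insecure guest logons: with this on, the SMB client silently falls back to a guest
#    session when a server refuses the credentials, so there is no authentication or signing.
$cli = Get-SmbClientConfiguration
"Client EnableInsecureGuestLogons : $($cli.EnableInsecureGuestLogons)"
if ($cli.EnableInsecureGuestLogons) {
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
    "  -> insecure guest logons disabled"
}
# The policy-backed registry value that Group Policy writes; 1 here can re-enable it.
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$allowGuest = (Get-ItemProperty -Path $wks -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue).AllowInsecureGuestAuth
"AllowInsecureGuestAuth (policy)  : $(if ($null -eq $allowGuest) { 'not set' } else { $allowGuest })"

# 3. Pipes and shares reachable over an anonymous (null) session
$lan = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$p   = Get-ItemProperty -Path $lan
"RestrictNullSessAccess     : $($p.RestrictNullSessAccess)   (1 = restricted, the default)"
"NullSessionPipes           : $(($p.NullSessionPipes  | Where-Object { $_ }) -join ', ')"
"NullSessionShares          : $(($p.NullSessionShares | Where-Object { $_ }) -join ', ')"
if (($p.NullSessionPipes | Where-Object { $_ }) -or ($p.NullSessionShares | Where-Object { $_ })) {
    Write-Warning 'Pipes/shares above are open to anonymous users; remove any you do not recognise.'
}
```

After it runs, `Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol` and `Get-SmbClientConfiguration | Select-Object EnableInsecureGuestLogons` should both show `False`; the optional-feature removal completes on the next reboot.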

MS leaves it for legacy support for older Windows Server (2012 and 2016), of which there are still a lot out in the business world.

You are right to turn it off though.


That is odd BTW and not something we’ve seen outside of an RDP session where the remote login tries to alter the host Windows core files.

This is not helping my paranoia! :sweat_smile: Turns out it's a false alarm, or at least not related to the mystery crash. I see similar entries dating back to the original Win install months ago.

In the off chance that you’re mildly entertained by all these musings: the Defender event item was that MsMpEng.exe attempted to load igd10iumd64.dll which should be an intel graphics command center file. Is there any legitimate reason why defender would attempt to load that dll? Scanning sure, but loading? :face_with_monocle:

The hard reboot (The system has rebooted without cleanly shutting down first.) was 7/14/2022 9:03:56 AM. The Defender issue was at 7/14/2022 9:05:41 AM, so almost two minutes later.
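Checking the ordering the post above describes (unexpected reboot first, "attempted to load" event two minutes later) is a matter of pulling the two events from the logs and lining them up. The script below is an added example, not from the thread: it assumes the reboot record is Kernel-Power event 41 in the System log (that is the event whose text is "The system has rebooted without cleanly shutting down first") and that the signing-level message is Code Integrity event 3033 in `Microsoft-Windows-CodeIntegrity/Operational`, the usual source of "process X attempted to load Y that did not meet the ... signing level requirements"; confirm the ID against your own Event Viewer if the message text differs. The regex pulls the process and DLL out of the message text rather than relying on the event's XML field names.

```powershell
# Added example (not from the thread): correlate unexpected reboots with
# Code Integrity signing-level events around them.
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date
$WindowMinutes = 10

# Kernel-Power 41: "The system has rebooted without cleanly shutting down first."
$reboots = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41
    StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue

# Code Integrity 3033 (assumed ID): "... process (X) attempted to load Y that did not
# meet the ... signing level requirements."
$ciEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3033
    StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue

function Get-LoadDetail {
    param([string]$Message)
    # Extract loader process and the file it tried to load from the message text
    if ($Message -match 'process \((?<proc>.+?)\) attempted to load (?<file>.+?) that did not meet') {
        return "{0} -> {1}" -f (Split-Path $Matches.proc -Leaf), (Split-Path $Matches.file -Leaf)
    }
    return ($Message -split "`r?`n")[0]
}

if (-not $reboots) { "No unexpected reboots between $Start and $End"; }

foreach ($r in $reboots) {
    ""
    "Unexpected reboot at $($r.TimeCreated)"
    $near = $ciEvents | Where-Object {
        $_.TimeCreated -ge $r.TimeCreated.AddMinutes(-$WindowMinutes) -and
        $_.TimeCreated -le $r.TimeCreated.AddMinutes($WindowMinutes)
    } | Sort-Object TimeCreated
    if (-not $near) { "  no Code Integrity 3033 events within $WindowMinutes min"; continue }
    foreach ($e in $near) {
        # Negative offset = before the reboot, positive = after
        $offset = [int]($e.TimeCreated - $r.TimeCreated).TotalSeconds
        "  {0,6:+0;-0;0}s  {1}" -f $offset, (Get-LoadDetail $e.Message)
    }
}

""
"All 3033 events in range, to see whether the same load is routine:"
$ciEvents | Sort-Object TimeCreated |
    Group-Object { Get-LoadDetail $_.Message } |
    Select-Object Count, @{n='First';e={($_.Group | Measure-Object TimeCreated -Minimum).Minimum}},
                         @{n='Last'; e={($_.Group | Measure-Object TimeCreated -Maximum).Maximum}}, Name |
    Format-Table -AutoSize
```

The second table is the useful sanity check: if the same process/DLL pair shows up many times over weeks, including long before the crash, the event is background noise rather than something triggered by the reboot. Reading `Microsoft-Windows-CodeIntegrity/Operational` may need an elevated prompt.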

So it turns out that there is an official malware scan app by Microsoft: the Microsoft Safety Scanner.

Quick scan found nothing. Doing a full scan (just started), it's already stating that 18 files are infected, I think while it was still just working through C:\Windows. Very much hoping these are false positives! :scream: :sob:

