[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2020-11-04 Thread Brett Cannon
Change by Brett Cannon : -- nosy: -brett.cannon ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-09-09 Thread Steve Dower
Steve Dower added the comment: Would be nice to add this, but I have no immediate plans so I'm unassigning it. -- assignee: steve.dower -> ___ Python tracker

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-07-02 Thread Alexander Riccio
Alexander Riccio added the comment: We might want to use some kind of Group Policy setting, for the same reason that many Windows security configuration options are there, and that DoD STIGs for Windows https://www.stigviewer.com/stig/windows_8_8.1/ are almost totally about configuring Group

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-07-02 Thread Alexander Riccio
Alexander Riccio added the comment: It's not just Stuxnet, as at least one other Advanced Persistent Threat uses that tactic. An APT (likely Russian intelligence) recently used encoded PowerShell to break into the Democratic National Committee:

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-07-01 Thread Thomas Heller
Changes by Thomas Heller: -- nosy: +theller

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Paul Moore
Paul Moore added the comment: Thanks for the explanation. Based on what's been said, I'd have no objections to this, on a "you don't pay for what you don't use" basis - i.e., users who don't enable AMSI should not pay any cost for its existence. I'd be extremely happy if Python was viewed as

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Steve Dower
Steve Dower added the comment: And in case it's not clear, I *totally* recognize that AMSI is not for everyone. If you're running in a developer environment, your security is almost certainly so lax that it's irrelevant. However, once you start getting serious about what's deployed on your

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Steve Dower
Steve Dower added the comment:

> what's to stop the attacker from distributing their own interpreter that just
> doesn't use AMSI?

AppLocker https://technet.microsoft.com/en-us/library/ee619725.aspx (In short, restrict which executables can be run on a particular system by

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Zachary Ware
Zachary Ware added the comment:

> But in that case, why hook into exec? The malware author can execute
> arbitrary Python so doesn't *need* exec.

As I understand it, the malware is distributed in encrypted form (probably encrypted differently each time it propagates) so as to be given a

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Steve Dower
Steve Dower added the comment:

> So the malicious payload is the whole python command, not just file.bin

Yeah, sorry that wasn't clear. Many vulnerabilities allow attackers to schedule process launches (e.g. via cron/Task Scheduler/etc.) without actually being able to add any files to the

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Paul Moore
Paul Moore added the comment:

>> I am puzzled as to why "use safe_exec rather than exec" isn't an option
> Because you're going to have a hard time convincing malware authors to use it. :-)

So the malicious payload is the whole python command, not just file.bin. OK, fair enough. But in that

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Zachary Ware
Zachary Ware added the comment:

> I am puzzled as to why "use safe_exec rather than exec" isn't an option

Because you're going to have a hard time convincing malware authors to use it. --

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Paul Moore
Paul Moore added the comment: OK, so a 3rd party module providing a "safe_exec" function would make a good proof of concept, I assume. You could probably do that using comtypes or pywin32. I'm not going to try to say what is or isn't a security threat, that's not my expertise. But I am

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Steve Dower
Steve Dower added the comment: AMSI is intended for local scanners that are entirely on your own machine, so code never goes anywhere, and everything that passes through the file system is already scanned because of hooks whether you wrote it or not (maybe you're thinking of SmartScreen?).

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-30 Thread Paul Moore
Paul Moore added the comment: Strong -1 on anything that scans my locally-written scripts by default. There's no reason or justification for that. Maybe there's a point in having a way to submit an untrusted Python code snippet for scanning, but why would that need to be a core service, as

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-06-29 Thread Steve Dower
Steve Dower added the comment: This now depends on issue27417, since we can't enable AMSI without enabling COM, and doing that has a number of back-compat implications. -- dependencies: +Call CoInitializeEx on startup

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-01-17 Thread Alexander Riccio
New submission from Alexander Riccio: I'm really not sure what it'd look like, or how it'd work, but CPython should take advantage of Microsoft's Antimalware Scan Interface, which is new to Windows 10. It's designed for applications like interpreters, which can execute untrusted code that may

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-01-17 Thread Alexander Riccio
Alexander Riccio added the comment: See also: "Security Focus: Defending PowerShell with the Anti-Malware Scan Interface (AMSI)" http://blogs.technet.com/b/poshchap/archive/2015/10/16/security-focus-defending-powershell-with-windows-defender.aspx --

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-01-17 Thread Alexander Riccio
Alexander Riccio added the comment: When I say "I'm really not sure what it'd look like, or how it'd work" I mean at the C level. At a higher level, there are many places that I imagine are good places to use AMSI: Perhaps expressions passed in from the command line (-c) should be scanned;

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-01-17 Thread Alexander Riccio
Alexander Riccio added the comment: See "Windows 10 to offer application developers new malware defenses" https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/ for an example of how AMSI works with PowerShell. I think the

[issue26137] [idea] use the Microsoft Antimalware Scan Interface

2016-01-17 Thread Steve Dower
Steve Dower added the comment: I actually have a prototype of this already, though I haven't benchmarked the impact yet. Brett and I were concerned that the applicability wasn't apparent enough given the cost involved, so we've been (slowly) preparing a PEP, mainly to have that record of why