How does the MoTW matter anyway, one might ask. Windows treats quite a number of dangerous files quite differently if it carries the MoTW. Let's compare behavior of a few files contained first in a ZIP, and then in a VHD file. Which is more likely to allow a user to harm themselves?
I've written a blog post to elaborate on the concept of VHD and VHDX files being dangerous: https://insights.sei.cmu.edu/cert/2019/09/the-dangers-of-vhd-and-vhdx-files.html
To answer my own question: ZERO antivirus products on VirusTotal detect the EICAR file contained within a VHD file. So no, I don't think anything is scanning VHD or VHDX contents. https://insights.sei.cmu.edu/cert/2019/09/the-dangers-of-vhd-and-vhdx-files.html
Thanks for sharing and raising awareness about this! According to my tests the user needs to be admin, do you confirm?
In my brief testing, a default Windows user with default UAC settings will simply open VHD and VHDX files upon a double-click. If you've explicitly created a non-admin user or have moved the UAC slider to "Always notify", mounting VHD(X) seems to require admin. IMG and ISO don't.
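The thread's comparison (files from a ZIP versus files on a mounted VHD) comes down to whether a file carries the Zone.Identifier alternate data stream that Windows uses for the Mark of the Web. The following PowerShell is an added defender-side example, not code from the thread or its author: it reads that stream and lists files under a folder that have no MoTW, so you can point it at an extracted ZIP folder and at a mounted VHD volume and compare. It assumes Windows with NTFS and Windows PowerShell 5.1 or PowerShell 7; the paths in the usage comments are placeholders.

```powershell
# Added example, not from the original thread. Reports Mark-of-the-Web state by
# reading the NTFS Zone.Identifier alternate data stream (absent = no MoTW).

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # -Stream reads the ADS; a missing stream (or a non-NTFS volume) yields nothing.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    # The stream is INI-style: [ZoneTransfer] then ZoneId=3 (3 = Internet, 4 = Restricted).
    $line = $ads | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
    if ($line -and $line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Get-FilesWithoutMotw {
    param([Parameter(Mandatory)][string]$Root)
    # Walk the tree and keep only files that carry no Zone.Identifier stream at all.
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                ZoneId = Get-MotwZone -Path $_.FullName
            }
        } |
        Where-Object { $null -eq $_.ZoneId }
}

# Usage with placeholder paths (assumed, not from the thread):
#   Get-FilesWithoutMotw -Root 'C:\Users\me\Downloads\extracted-from-zip'
#   Mount-DiskImage -ImagePath 'C:\Users\me\Downloads\sample.vhd'   # then note the drive letter
#   Get-FilesWithoutMotw -Root 'E:\'                                # contents of the mounted VHD
```

Files that Explorer extracted from a downloaded ZIP normally show ZoneId=3; files read from inside a mounted VHD(X) show up in the second list because the image's contents never receive the stream.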
Can confirm, excellent vehicle
Ooo pray tell me more.
There are a few out there. MS has asked that you configure the real-time scanning accordingly. https://support.microsoft.com/en-gb/help/3105657/recommended-antivirus-exclusions-for-hyper-v-hosts
Sorry, I suppose I meant to say "parse" vhd or vhdx files. That is, something that understands the filesystem contained within.
Maybe you can script something up via forensic tools like volatility?
Perhaps. But my main goal is to get an understanding of whether or not any enterprise product in the wild has visibility into VHD or VHDX contents before it gets to an endpoint. My hunch is NO.