undefined | Better HN

0 pointsFreakLegion8y ago0 comments

They're talking about malware, not exploits. It's a habit of the non-technical side of the industry and means 'this hash hasn't been seen before'. Given the phrasing -- "Apps" are "cyber fingerprinted", hashes are "crashed" -- I'd guess the post was written by a marketer or SE.

0 comments

2 comments · 1 top-level

P388y ago· 1 in thread

We are talking about file-based malware that needs to execute.

It doesn't mean this hash hasn't been seen before, it means that application X which is trusted, is on the trust list (and yes, fingerprinted by 6 hashes) is allowed to run. Application Y which is not on the trust list is blocked from running.

That malware can't get on the trust list (unless by a malicious admin) and therefore can't run.

A zero day exploit that allows the injection of malware onto an endpoint for example, doesn't really matter as the malware can't run. How application Y got there, is irrelevant. It could have come from any attack vector.

FreakLegionOP8y ago

Exploits don't have to pivot to PE files, and even the exploits that go that route don't have to do it in a way that triggers standard loader hooks (e.g. PsSetLoadImageNotifyRoutine).

j / k navigate · click thread line to collapse