trusted applications Archives

Winsage

July 24, 2025

Update for Windows 11 brings more resilience (and Recall)

The optional update KB5062660 for Windows 11 version 24H2 introduces several new features, including Microsoft Recall in Europe, which allows users to export snapshots of their activities with a unique export code for privacy. The Click to Do functionality expands with a new Practice in Reading Coach feature and integration with Microsoft Teams for drafting messages. An AI agent is added to the settings app for Copilot+ PCs, while non-Copilot+ systems have a centered search bar for accessibility. The update includes rapid machine recovery options, enhancements to the Start menu, improved snap functionality, and a new Gamepad keyboard layout for gamers. It also resolves various issues from previous versions, including bugs in File Explorer and system stability problems. AI components related to Image Search, Content Extraction, and Semantic Analysis have been enhanced, and there are no known issues with this update. Features will be rolled out gradually to users.

Winsage

June 6, 2025

Why I Use simplewall Instead of Windows Firewall (And You Should Too)

Simplewall is a rule-based firewall controller for Windows that enhances the Windows Filtering Platform (WFP) without replacing it. It allows users to manage network access for applications and services with a user-friendly interface, supporting advanced features like filtering rules by IP, port, or protocol. Users can create tailored profiles for different scenarios and have comprehensive control over network interactions, including blocking telemetry data and automatic updates. Simplewall is lightweight, portable, and operates without background processes or telemetry, ensuring a straightforward user experience. Setting up simplewall involves downloading it, extracting the files, and enabling filters, allowing users to establish a functional firewall profile quickly. While it offers many advantages, such as being open-source and compatible with older Windows versions, it may be overwhelming for beginners and lacks detailed app profiling compared to premium firewalls.

Tech Optimizer

May 5, 2025

How to Easily Uninstall McAfee Antivirus Completely

McAfee can appear on computers without user consent, often pre-installed on new laptops or bundled with other software. To uninstall McAfee on Windows 10 or 11, users can access the Settings app or Control Panel to remove it. For Mac users, the McAfee Total Protection Uninstaller can be used, but some residual files may need to be deleted manually. If standard uninstallation methods fail, the MCPR removal tool can be used to thoroughly clean up remnants of the software. Uninstalling McAfee is generally not detrimental, as many users prefer alternative antivirus solutions or rely on built-in protections provided by their operating systems.

Tech Optimizer

April 16, 2025

Hackers find a way around built-in Windows protections

Windows Defender Application Control (WDAC) is a built-in security feature on Windows PCs that restricts the execution of unauthorized software by allowing only trusted applications. However, hackers have discovered multiple methods to bypass WDAC, exposing systems to malware and cyber threats. Techniques for bypassing WDAC include using Living-off-the-Land Binaries (LOLBins), DLL sideloading, and exploiting misconfigurations in WDAC policies. Attackers can execute unauthorized code without triggering alerts from traditional security solutions, enabling them to install ransomware or create backdoors. Microsoft operates a bug bounty program to address vulnerabilities in WDAC, but some bypass techniques remain unpatched for long periods. Users can mitigate risks by keeping Windows updated, being cautious with software downloads, and using strong antivirus software.

Winsage

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

Microsoft's Windows Defender Application Control (WDAC) has become a target for cybersecurity researchers, with bug bounty payouts for successful bypasses. IBM's X-Force team reported various outcomes from WDAC bypass submissions, including successful bypasses that lead to potential bounties, those added to the WDAC recommended block list, and submissions without recognition. Notable contributors like Jimmy Bayne and Casey Smith have made significant discoveries, while the LOLBAS Project has documented additional bypasses, including the Microsoft Teams application. The X-Force team successfully bypassed WDAC during Red Team Operations using techniques such as utilizing known LOLBINs, DLL side-loading, exploiting custom exclusion rules, and identifying new execution chains in trusted applications. Electron applications, which can execute JavaScript and interact with the operating system, present unique vulnerabilities, as demonstrated by a supply-chain attack on the MiMi chat application. In preparation for a Red Team operation, Bobby Cooke's team explored the legacy Microsoft Teams application, discovering vulnerabilities in signed Node modules that allowed them to execute shellcode without triggering WDAC restrictions. They developed a JavaScript-based C2 framework called Loki C2, designed to operate within WDAC policies and facilitate reconnaissance and payload deployment. A demonstration of Loki C2 showcased its ability to bypass strict WDAC policies by modifying resources of the legitimate Teams application, allowing undetected code execution. The ongoing development of techniques and tools by the X-Force team reflects the evolving cybersecurity landscape and the continuous adaptation required to counter emerging threats.

Tech Optimizer

March 14, 2025

Webroot Total Protection

Webroot Total Protection includes antivirus capabilities, identity theft protection, file backup, parental controls, and a VPN application. The pricing starts at .99 annually for five devices and one identity, with a family plan extending coverage to ten devices and ten identities. The installation process requires users to create or log into an account, and the backup system can only be installed on one device. The user interface has been redesigned for improved readability. Some features, such as the Utilities page and Secure Erase, have been removed, and the firewall relies on Windows for external threat defense. Webroot employs a journal-and-rollback system for malware detection, achieving high scores in independent testing. The suite includes a simplified tune-up scan and a vulnerability scan. The Mac version mirrors the Windows interface but lacks certain features. Identity protection is provided in partnership with Allstate, but it is less comprehensive than competing services. The backup solution is limited to one device, and the integrated VPN service encrypts data during online activities. Parental controls have been introduced but are considered ineffective.

Tech Optimizer

February 8, 2025

New Attack Technique to Bypassing EDR as Low Privileged Standard User

A new cyberattack technique allows attackers to bypass Endpoint Detection and Response (EDR) systems while using low-privileged standard user accounts. This method utilizes masquerading and path obfuscation to disguise malicious payloads as legitimate processes, misleading detection systems and analysts. Process creation events are crucial for identifying threats, with tools like Sysmon logging detailed information about process execution. Attackers can manipulate file paths to evade restrictions on placing payloads in protected directories. They create folders that mimic legitimate antivirus software paths using Unicode characters to resemble spaces. For example, a folder may be named C:Program[U+2000]Files, allowing the attacker to introduce their payload (SuperJuicy.exe) without raising alarms. The execution of the payload results in logs that appear legitimate, complicating detection efforts. This technique poses challenges for EDR systems, including confusion in log analysis, deceptive attribution to legitimate software, and prolonged dwell time for malicious payloads. Defensive strategies include enhanced logging rules to flag Unicode characters, adjusting log viewers to display these characters, and restricting folder creation permissions for standard users.

AppWizard

December 5, 2024

New DroidBot Android malware targets 77 banking, crypto apps

A new Android banking malware called 'DroidBot' targets the credentials of over 77 cryptocurrency exchanges and banking applications in several European countries, including the UK, Italy, France, Spain, and Portugal. Discovered by Cleafy, it has been operational since June 2024 and functions as a malware-as-a-service (MaaS) platform with a subscription price of ,000 per month. At least 17 affiliate groups are using malware builders to customize their attacks. DroidBot has caused 776 unique infections across the UK, Italy, France, Turkey, and Germany. The developers, believed to be based in Turkey, provide affiliates with tools like a malware builder and command and control servers. DroidBot disguises itself as trusted applications to deceive users and includes features such as keylogging, overlaying fake login pages, SMS interception, and remote control via Virtual Network Computing. It exploits Android's Accessibility Services to monitor user actions. Targeted applications include Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken, and Garanti BBVA. Users are advised to download apps only from Google Play, scrutinize permission requests, and activate Play Protect.

Winsage

December 4, 2024

Microsoft Announces Security Update with Windows Resiliency Initiative

Microsoft has launched the Windows Resiliency Initiative to enhance the security and reliability of its operating system in response to a significant CrowdStrike outage that affected over 8 million Windows PCs and servers, resulting in losses estimated at .4 billion. The initiative focuses on four key areas: learning from past incidents, reducing administrative privileges, implementing stronger controls for apps and drivers, and improving identity protection. Key components include: 1. Quick Machine Recovery: Allows IT administrators to remotely diagnose and repair devices, reducing downtime. 2. Administrative Protection: Users will operate under standard accounts by default to limit unauthorized access. 3. Smart App Control: Ensures only verified applications can run on Windows PCs. 4. Advanced Identity Protection: Enhancements include stronger password policies and multi-factor authentication. Additional improvements involve collaboration with security vendors, new encryption features, and transitioning components from C++ to Rust for better code security. The initiative aims to restore user confidence and prevent future cyber threats.

AppWizard

November 27, 2024

You Should Delete These 15 ‘SpyLoan’ Apps From Your Android Phone Today

Security firm McAfee has identified 15 versions of predatory loan applications, known as 'SpyLoan', infiltrating the Google Play Store since 2020, with over 8 million installations. These apps request extensive permissions to harvest sensitive personal information, which is encrypted and sent to a command-and-control server. They mimic reputable financial services and often prompt users for a one-time password (OTP). Users have reported harassment from recovery agents, including threats and modified images taken from their devices. India is the most affected country, followed by Mexico, the Philippines, and others. Regulatory actions have been taken, but the apps continue to proliferate. Users are advised to check for and uninstall any SpyLoan apps to protect their personal information.