I would expect CIS to contain the malicious modules once they are executed by the relatively trusted parent files, or even keep the JavaScript from reaching a non-sandboxed version of BitsAdmin. However, I just wanted to double-check whether either would be the case.
Yes, up to a certain extent, as I think that once it reaches the stage of executing a .dll file using regsvr32, it should be stopped at that point, assuming it doesn't use the Avast process if Avast is not installed.
Sorry, but I missed something. "Only if embedded-code detection is turned on for cmd.exe, which by default is disabled": does that mean I'm vulnerable, or does it mean I'm protected?
I just took a look at my settings, and Embedded Code Detection is disabled for regsvr32 as well as cmd.exe. Does that mean I am completely vulnerable? Is there a best practice for which applications to enable Embedded Code Detection for?