Could anti-exe programs prevent applications from executing unknown dlls?

Discussion in 'other anti-malware software' started by Online_Sword, Sep 26, 2015.

Thread Status:
Not open for further replies.
  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Pete, sorry I forgot to mention this, but r41p41 and I mutually agreed to discuss this freely and openly on this thread. I do agree that typically the right thing to do is to take it to the developer privately, but he and I both agreed to discuss this publicly... if that is ok with everyone at wilders. I sincerely apologize for the confusion.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Dan

    I am not sure that is all that great an idea as it can confuse and scare some of the new or less experienced members. If it's primarily between you and him it might be better private.

    Pete
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, sorry about that, I should have known better since I have been on wilders for 4.5+ years.

    Is it ok that he posts one last response to post #147?

    I have to do some on site stuff, talk to you guys soon, thank you!
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you. Sorry again for the confusion.
     
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    No, I think it should be way out in the open for everyone to see.

    No, please continue because I find it very enlightening.

    Confusion and fear is what this "protection" industry is thriving upon, so they can take a sip of their own medicine.
     
  7. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    Hi Rich
    Thanks for your comments. If I did the test as you assume, I would absolutely agree with you. But metasploit was run on the attacking computer, it was not in any way whitelisted on the victim computer (where it was not even present). You are absolutely right that if the test required me to first execute some test-file on the target PC, then the test would not make any sense.
     
  8. r41p41

    r41p41 Registered Member

    Joined:
    Sep 29, 2015
    Posts:
    12
    @Peter2150 I never said I am going to bypass or do anything to VS. I just said the protection was primitive; when Dan called it out I described why and gave some comments. Sure, a system will protect you from 90% of threats, even more, but I think highlighting the flaws doesn't cause trouble; instead it lets talented developers get another insight on how they can probably improve the product. Right now, implementing a minifilter is very good for VS and I think it's an improvement to the current model on VS. I have no intention of taking my analysis to vendors, let alone analyzing their products unless I am getting paid. I was just blogging about the best anti-exploit protections in the industry and how easy it is to bypass them. I just got dragged into this conversation, so if it's not yielding any output I will simply rest my case.

    @Dan
    1. Bypassing AppCert DLLs is very easy, because you get a callback when the process is already created in suspended mode, waiting to be resumed, while your callback is in user mode. You are terminating it in between. VS is blocking the process from being resumed, not created. Once you implement a driver callback you will be in KM and will be able to stop it from being created. Thus the current tech is flawed; please stop quoting 'code or no bypass' when the flaw is so obvious.
    2. I would certainly look at VS 3.0 and your driver once it's implemented, then tell you if an exploit is possible to subvert the system. Privately, of course.
    For now, let's stop the discussion on bypass. I cannot state what I expect from a bounty; that you have to decide. Then I will decide whether it's worth the time and money. I also hope I am not giving negative publicity to VS or any other product through these comments; if I am, then some moderator can happily delete them.
    Lastly, a POC is what you expect because you will give that to your developer, who is perhaps clouding your judgement.
    However, I won't be making one just yet, mostly because, one, I want to see how you implement a KM driver and, two, I will wait for the bounty program.
    Also, I think there are many researchers present on this forum; they can validate my feedback on point no. 1. I have full faith that they will agree with my statement and provide you with the same feedback.

    @ other users
    I am sure QA did their job, the devs did their job, and the consumer will be shouting later on (if) when there is a breach. I am just another guy pointing out holes when asked. I didn't volunteer for this.
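    The post above (and the question about AppCertDll versus kernel-mode-driver ordering later in the thread) turns on the AppCertDll mechanism, which Windows drives from a registry key. The script below is an added example written for this page, not code from VoodooShield or from any poster: it enumerates every DLL registered under the AppCertDlls key, checks that the file exists, and reports its Authenticode signature status, signer and SHA-256 so an operator can tell which user-mode process-creation hooks a host actually has loaded into every process that calls CreateProcess (the same key is a well-known persistence location, MITRE ATT&CK T1546.009). The key path and the Get-ItemProperty / Get-AuthenticodeSignature / Get-FileHash cmdlets are standard Windows PowerShell; the output column names are this example's own choice.

```powershell
# Added example (not VoodooShield code): list AppCertDlls registrations on this host
# and verify each registered DLL. Run from an elevated 64-bit PowerShell session.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

if (-not (Test-Path -LiteralPath $key)) {
    Write-Output "No AppCertDlls key present: no AppCert DLLs are registered."
    return
}

# Each value under the key is an arbitrary name whose data is a DLL path.
# Get-ItemProperty also returns provider metadata (PSPath, PSDrive, ...); drop it.
$props = Get-ItemProperty -LiteralPath $key
$valueNames = $props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    Select-Object -ExpandProperty Name

foreach ($name in $valueNames) {
    $dllPath = [Environment]::ExpandEnvironmentVariables([string]$props.$name)
    $exists  = Test-Path -LiteralPath $dllPath -PathType Leaf

    $sig  = $null
    $hash = 'n/a'
    if ($exists) {
        # Signature status is 'Valid' only for a chained, unrevoked Authenticode signature.
        $sig  = Get-AuthenticodeSignature -FilePath $dllPath
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $dllPath).Hash
    }

    [PSCustomObject]@{
        ValueName = $name
        DllPath   = $dllPath
        Exists    = $exists
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        SHA256    = $hash
    }
}
```

    Anything listed here that is unsigned, missing on disk, or signed by an unexpected publisher deserves a closer look, because a DLL on this list is mapped into every process that creates another process. Since the key lives under the 64-bit hive, run the check from a 64-bit PowerShell host rather than a WOW64 one.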
     
  9. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    I believe this is an essential part of the debate. It is claimed that VoodooShield has never been "bypassed". This is true if you use the definition that certain testing labs use. The problem is that many, probably most people, will interpret the statement as if VoodooShield is invincible and has stopped ALL attacks against the system where it is installed. That was also my (apparently wrong) interpretation. And that's the problem as it gives a false sense of security.

    I still think VoodooShield is an awesome product and will continue to recommend it (one of my parents is now using it and the other is next up!). It is truly rare to find programs that provide this level of security and yet are very user friendly (and even free for home users). That's why I love VoodooShield! But I also think the talk about "having never been bypassed" leaves most readers with a wrong impression.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I just realized that you are merely substantiating your claim "as of now it has primitive protection, easily bypassable and not really worth the time", and that is perfectly cool and fair. Like, it would not be fair for me to present you with VS 3.0 to test, then say "but you said... as of now it has primitive protection, easily bypassable and not really worth the time... so you are wrong". The problem is that most readers will read your statement and assume that you are talking about VS as a whole, and not simply the AppCertDll, and assume that it is worthless.

    If you are saying that any and all AppCertDll's can be bypassed, then you are absolutely correct, VS 2.0 can be bypassed. But you know as well as I do how many security products used the AppCertDll in the past, and later moved to a KMD like we did... quite a few, right? I have heard MANY, MANY differing opinions on the AppCertDll, but honestly have never seen it bypassed with my own eyes, and would love to actually witness that.

    The AppCertDll is only about 1% of our entire code, and I was just hoping that you would find a bypass on the rest of the code that I worked on... because there has to be a bypass in there somewhere, and I am dying to find out what it is. I would guess that about 40-60% of the code from VS 2.0 is not changing for VS 3.0, but Vlad would have a better idea what the actual percentage is. I have not touched the code since he has taken over as lead developer because he is a much better coder than I am, and I do not want to mess anything up.

    Thanks again for your help. Please take VS 3.0 for a test drive when it is ready and let us know.
     
    Last edited: Sep 30, 2015
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I appreciate your kind words! I think we can probably both agree that the best way to describe it is this...

    VS did not block your Metasploit flash attack because it was not designed to do so. Is that fair?

    Just a thought... maybe you can combine r41p41's attack description with your flash attack and drop and execute a payload ;). It sounds like there is a way to do so.
     
  12. r41p41

    r41p41 Registered Member

    Joined:
    Sep 29, 2015
    Posts:
    12
    AppCert usage might be 1% of your code, but it's your flagship tech as of now; it's the code which gives you control to whitelist right now.
    If someone bypassed KIS's KM hooks then, even though hooks are 1% of its code, the product has a flaw and is certainly bypassable.
    I certainly never said it's worthless, just that the protection is primitive imo because you could have implemented the idea much, much better (I certainly would be doing so).
    For a user like a grandpa or someone's mom who just wants to browse emails and check out the web, I think the AppContainer feature of Windows 8 would also qualify as a security feature. But one KM exploit and boom goes the cloud.
    Also, if a kernel privilege escalation happens and the exploit gets to load its driver, I don't think you can stop the malware at any stage. =)
    But again, that's not a normal attack scenario. There are a lot of things, and I wish you could see the attack surface as well as I can see it.
    At the end, IMA. The protection is primitive for a user like me who does a lot of things on Windows. For a different user who doesn't run game hacks, debuggers, etc. it's fine.
    And yes, a POC won't take much time, though I must wait for VS 3.0 and bounty information. =D
     
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Actually the answer seems to be no. Most discussions on Wilders are not based on research performed by forum members.
    Although some time ago I opened a poll to find out how many forum members that are using anti-exploit software have knowledge of exploits: https://www.wilderssecurity.com/threads/do-you-use-exploit-mitigation-software.377669/
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @r41p41, I have always been curious about one thing, but have never been able to find a good explanation, and it has ALWAYS bugged the heck out of me, but it sounds like you will be able to answer this question.

    You said the following, which I agree with, except I was always under the impression that the process was denied creation... not denied from being resumed.

    1. Bypassing AppCert DLLs is very easy, because you get a callback when the process is already created in suspended mode, waiting to be resumed, while your callback is in user mode. You are terminating it in between. VS is blocking the process from being resumed, not created. Once you implement a driver callback you will be in KM and will be able to stop it from being created. Thus the current tech is flawed; please stop quoting 'code or no bypass' when the flaw is so obvious.

    So if this is the case... when I run VS with other security products that have implemented a KMD, why does VS block the new process before some of the security products that have already implemented a KMD? Like, VS will block the process, but the other security products do not detect or block it at all. Then if you turn VS OFF, the other security product will block the new process. There are some security products that block things quicker than others, and in the end, it really does not matter as long as the process is never created. Like some block faster than VS, some slower (disclaimer ;)).

    But my question is... if both the KMD and AppCertDll are running at the same time, how can the AppCertDll block something that the KMD should have denied from running in the first place? Especially if the AppCertDll uses suspend / resume. Now that you mention it... I do remember seeing resume or something like that in the C++ code... but I have not looked at it for quite some time.

    Anyway, this is not meant to start an argument... this is just something that a couple of wilders users and I have always been curious about.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I agree, and that is why VS 3.0 is implementing the KMD... it is one of the most vital parts. Can you even give me a range for the bounty? ;)
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you... I just voted for "Yes, but I do not exactly know how exploits work" ;).
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Came across this on the VoodooShield web site:

    So is VoodooShield™ completely bulletproof?

    That is a tricky question, but at some point in the near future, we hope to be able to say with confidence that it is. VoodooShield™ has been tested against many, many viruses, and VoodooShield™ performed perfectly every time. We are still adding a few new features and security measures, but either way, VoodooShield™ offers a level of protection that is truly unmatched by traditional antivirus software.

    Ref.: http://voodooshield.com/faq

    Appears from the above statement VoodooShield is indeed "not bulletproof." Maybe against the papier-mâché ones .........

    I keep seeing references in this thread about NSS Labs by VoodooShield. Have they indeed tested the product? Where are those test results? Where are the test results referenced in the above FAQ? I have searched for any test results done by any established security testing authority and found none.

    Referring back to my previous statement, it is the security vendor's obligation to prove that their software is what they claim it is. The established and recognized way of doing that is by requesting a certified security lab test. It is not up to the general public to disprove a vendors claims; that's ludicrous.
     
    Last edited: Sep 30, 2015
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ok, that is just kinda rude and childish, so everyone please excuse the following sarcasm.

    You have youtube, correct? Have you not seen the various VS tests?

    I received an email from NSSLabs a while back, offering to include VS in their test for free. By the time I responded, they had already filled up... I have the emails to prove it if you do not believe me. VS will be tested ASAP by as many labs as possible... after a couple of months of making sure that VS 3.0 is good to go.

    Please find 1 instance where I made the claim that VS has never been bypassed, that was NOT A RESPONSE to someone making a claim that it can be bypassed. As far as I know, the only time I mention that VS has never been bypassed is when someone makes the claim that it can be. So my response is basically show, don't tell.

    How is your bypass for VS coming along?

    Always a critic, never a creator.
     
    Last edited: Sep 30, 2015
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    If you consider those certified lab tests, you're definitely from another planet.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Darn it, I think I just deleted my response... does anyone have it?
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Who do you recommend?
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Where did I ever say that youtube was a testing lab? Does it say it on our website? If so, please let me know and I will be sure to remove it.

    I think those were your words.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Since you're US based, NSS Labs would probably be the most convenient. AV-Comparatives is probably the most non-biased lab I know of.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I would rather be doing something more productive... you know, like finish up some testing and owners manual stuff on VS 3.0 so we can get it ready. So if I ignore your posts, you will know why.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    One last thought... I am assuming that you realize that these labs are setup for traditional blacklist testing, and not whitelist testing, correct? You can see how that could possibly be problematic? You know, like the results will not be exactly valid... like a lot of false positives. But yet you still recommend them?
     