VoodooShield/Cyberlock

What other site do you know Mike from? Please do tell.

TH

 

If an exploit tried to drop a payload to the system space in Windows Folder would the malware have to have Admin privileges in order to run? If the application being exploited has Admin privileges wouldn't the exploit automatically gain Admin privileges? Would the binary payload dropped be able to gain Admin privileges?

Edit: 2/18 9:40 Would the exploit be able to write to the system space at all without Admin privileges?

 

Again Dan would have to let us know for sure. And again the payload would have to execute.

 

I'm interested in hearing from Dan about this, but i'm also interested in hearing from anyone that feels they have the answer to this.

 

Why are you looking for an argument where there are no grounds for an argument...
I post what I observe and simply ask why ....
My security passes eicar...

 

Well if you look at it this way. VS is On when any Browser is Open or Email Client the 2 main vectors which Malware comes from so in this case it's Locked Down Right? Also both if an Exploit tried to download and execute it would be in the user space, lets say IE it stores it's data in Appdata not Program Files the same with Outlook.

 

Most malware tries to run from the user-space. My question basically is what does it take for an exploit to drop a payload in Program Files or System Space. I will just pose this question in a different thread. It may get out of hand in this thread.

 

That's what I'm wondering....until I understand what the setting is intended for....how would I know the result.

 

I was just asking if you have experienced any noticeable problems since you unticked that in the settings. I was afraid it might cause serious problems.

 

Well it's about VS so anyone can join here if you would like to invite them IMO. How about @Rmus

 

So, does VS have settings that may cause serious problems. I unticked to see what VS flags.

 

I think if the process being exploited has Admin privileges it can write to the system space, but maybe there are other factors that also have to be true before it can do this. This is assuming the exploit is able to execute in the first place. It has to run in the memory first. I'm not sure how the OS treats Program Files Folders in terms of privileges. I wonder if Admin privileges are needed to write there as well. Once technique used by some software I use is web applications are not allowed to write to Program Files Folders, or the System Space. I will see if I can find my privilege question with some Googling.

 

None that I have experienced myself. I was just curious if you have had any problems since you "unticked allow specific critical Windows processes". Have you had any problems so far since you unticked allow critical windows processes?

 

Yeah, that circles around to why does VS drops UAC bar to not recommended. If we're back to Admin privileges...then UAC v LUA
Are we all starting from the same account privileges.

 

No problems....actually VS may be acting as a system monitor. My jury is still out.
I'm still trying to get flag'd to run via VS sandbox. How do I test ?

 

You can use both if you want. You will get redundant prompts though. UAC will prompt you more than VS will unless you untick "allow all software in the Program Files Folder". I see what you are saying though with UAC, and how it should prevent process from running with Admin privileges without an Admin user allowing it. That's why I prefer to prevent unknown executables from running in Program Files Folders, or System Space.

 

I'm not sure how you can test. I don't use Sandboxie since special exceptions need to be made for it with most AE's, and policy based software. I have spent a lot of time helping users configure AppGuard for Sandboxie. I'm not sure what needs to be done in VS since I have never set them up together. Have you gone to the custom tab in VS, and tried adding whatever is being blocked as an allowed folder? I don't know what flag'd is that you are referring to.

 

Not talking about SBoxie....VS native sandbox....

 

Oh, ok. What is flag'd?

 

Wow...what's a honor...hahaha
Of course I'll try new build and give you answer how it works.

 

He was suggesting that I was the only one who understood what the description of that option meant. Well, that is just kinda silly, considering that only 2 people had an issue with it.

 

Hey ichito, cool, thank you. I do not think it is fixed yet, but I put in some debugging code. So can you run it a day or so and make it mess up a few times, then send me the DeveloperLog.log from the C:\programdata\voodooshield folder. Either way, we are getting really, really close. Thank you!

 

And if someone could make a video, that would help too. I just got an email today from a guy in France running the French version of windows, and he is having the same issue. But he is working with me to figure it out. We are definitely getting close, sorry it is taking so long!

 

Cool, thank you!

 

Exactly! That is why malware is ALWAYS found in the user space (usually appdata or programdata), at least initially. If it can execute in the user space, then it can do whatever it wants, and all bets are off. So as long as you can stop it executing in the user space, then you are safe.

BTW, VS is not the only security software that automatically allows everything from the program files folder, as far as I know, they all do, but they just do not have the option to turn that feature on and off. From what I remember, even UAC automatically allows everything in the program files folder. Thank you!

Edit: Keep in mind, I am not suggesting that traditional antivirus does not scan the program files executables, I am just suggesting that they do not deny them by default.