VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,677
    Location:
    South Wales, UK
    In both cases I think that both are really good...no need to change or enhance what you have come up with.

    Regards, Baldrick
     
  2. Quick question: I have not played with VS for a long time, does VS allow browser to update when (smart) protection is on?
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    AG does not suspend the process. It blocks the process before it's created because it never has to rely on user input when an execution attempt occurs. The only possible suspension that occurs is to allow AG to check its policy to see if an execution should be allowed. That check occurs so fast that it's undetectable using a process monitor. If you run Process Hacker, or KillSwitch there should be no process ever spawned. I did find a strange bug in AG one time though caused by the additional prompt they added which caused a process to spawn for a fraction of a second. It's strange because the prompt only notifies the user when a block occurs, and requires no user input. After I chose the option to no longer show that prompt it stopped the unexpected behavior from occurring. It's different with VS, and ERP because the process has to be suspended in order to give the user a chance to allow, or deny executables that are not whitelisted. Theoretically though VS should be able to stop a process before it's ever spawned using its Deny by Default setting. I think it should be able to anyway.

    Edited 2/20 @ 9:55
     
    Last edited: Feb 20, 2016
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Vlad will be able to answer this better than I can, but yeah, we manually added the files necessary to update most or all of the web apps.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, when AG's protection level is set to "Locked Down", you will not see a spawned process in Process Hacker because it happens so fast. VS would act the same way if we made it so the user was not prompted, and it just denies process creation altogether (the process would be spawned and denied so quickly that you would never see it in Process Hacker).

    What do you see when you set AG's protection level to "Medium"?

    VS 1.0 used to kill the process, then start it again if the user allowed it, but for a lot of reasons, this is not the right way to go about it. Mainly because it is difficult to correctly restart a process after it has been killed.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    At some point we can add self protection, but it probably is not necessary. Mainly because VS will block anything that tries to kill it, before it has a chance to kill VS.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It's the same behavior. When AG blocks something in Medium Mode the process will not be suspended, or allowed to spawn. Medium Mode just allows signed files to run with Limited Rights. It's either deny by default, or automatically allow. If it matches a block rule it is automatically blocked, and if not then it's automatically allowed. The time it takes for AG to check its policy to decide whether to block, or allow an execution is not enough time for a process to spawn.
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Assuming that the method (KMD) AG uses to deny process creation is the same for Medium and Locked Down mode, I would think that Locked Down mode behaves the same way Medium mode does, but that Locked Down mode denies the process so quickly that it is undetected by Process Hacker.

    Here is a screenshot of AG blocking burnaware_free.exe in Medium mode.

    http://voodooshield.com/artwork/AG.png

    I really am not that familiar with AG, but they would be able to tell you for sure. I am sure though that the correct way to implement the KMD is to suspend the process until the user decides whether to allow the file or not (assuming the user is going to be presented with a prompt).
     
  9. guest

    guest Guest

    That's correct. If AG blocks a file, it was not executed or spawned (Lockdown + Protected/Medium Mode).
    No Entry in Processhacker-logs, in the Event Viewer (Applocker), SOB, ERP. Nowhere.
    But Processes are created if the files are blocked with SOB or ERP for example.
    I don't think so. Not because it happened so fast - it's not even happening.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    In this screenshot, it clearly shows burnaware_free.exe as a suspended process when AG blocks it in Medium mode.

    http://voodooshield.com/artwork/AG.png

    I must be confused, please let me know what I am doing wrong!

    Edit: I just tested with ProcessHacker's logging enabled, and yes, in Locked Down mode, the process was never created

    However, in Medium Mode, here is the log:

    12:54:31 PM 2/20/2016: Process created: dllhost.exe (1372) started by svchost.exe (628)
    12:54:34 PM 2/20/2016: Process created: burnaware_free.exe (1384) started by explorer.exe (1592)
    12:54:36 PM 2/20/2016: Process terminated: burnaware_free.exe (1384); exit status 0x1
    12:54:37 PM 2/20/2016: Process terminated: dllhost.exe (1372); exit status 0x0

    I apologize for assuming that the method that AG uses to detect process creation behaves the same way in both modes... it simply does not. However, in Medium mode, the process is created and terminated... so everyone was right and wrong at the same time ;).
     
    Last edited: Feb 20, 2016
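The "created then terminated" pattern in the log above is easy to miss by eye once a log grows. As an added example (not code from the thread or from VoodooShield), this Python parser reads Process Hacker-style log lines, pairs each "Process created" line with its "Process terminated" line by PID, and reports the lifetime and exit status, so a process that was created and killed can be told apart from one that never appeared. The sample log is constructed after the lines quoted in the post.

```python
import re
from datetime import datetime

# Constructed sample, modeled on the Process Hacker log quoted in the thread.
SAMPLE_LOG = """\
12:54:31 PM 2/20/2016: Process created: dllhost.exe (1372) started by svchost.exe (628)
12:54:34 PM 2/20/2016: Process created: burnaware_free.exe (1384) started by explorer.exe (1592)
12:54:36 PM 2/20/2016: Process terminated: burnaware_free.exe (1384); exit status 0x1
12:54:37 PM 2/20/2016: Process terminated: dllhost.exe (1372); exit status 0x0
"""

TS = r"(?P<ts>\d{1,2}:\d{2}:\d{2} [AP]M \d{1,2}/\d{1,2}/\d{4})"
CREATED = re.compile(TS + r": Process created: (?P<name>\S+) \((?P<pid>\d+)\) "
                     r"started by (?P<parent>\S+) \((?P<ppid>\d+)\)$")
TERMINATED = re.compile(TS + r": Process terminated: (?P<name>\S+) \((?P<pid>\d+)\); "
                        r"exit status (?P<status>0x[0-9a-fA-F]+)$")

def _ts(text):
    # Process Hacker writes 12-hour clock, AM/PM, then month/day/year
    return datetime.strptime(text, "%I:%M:%S %p %m/%d/%Y")

def process_lifetimes(log_text):
    """Pair created/terminated events by PID; returns {pid: record}."""
    procs = {}
    for line in log_text.splitlines():
        m = CREATED.match(line)
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "parent": m["parent"],
                                    "ppid": int(m["ppid"]), "created": _ts(m["ts"]),
                                    "terminated": None, "exit_status": None,
                                    "lifetime_s": None}
            continue
        m = TERMINATED.match(line)
        if m:
            rec = procs.get(int(m["pid"]))
            if rec is None:  # terminated outside the captured window; nothing to pair
                continue
            rec["terminated"] = _ts(m["ts"])
            rec["exit_status"] = int(m["status"], 16)
            rec["lifetime_s"] = (rec["terminated"] - rec["created"]).total_seconds()
    return procs

def short_lived(procs, max_seconds=5.0):
    """Names of processes created and terminated within max_seconds."""
    return sorted(r["name"] for r in procs.values()
                  if r["lifetime_s"] is not None and r["lifetime_s"] <= max_seconds)

if __name__ == "__main__":
    for pid, r in process_lifetimes(SAMPLE_LOG).items():
        print(pid, r["name"], r["parent"], r["lifetime_s"], r["exit_status"])
```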
  11. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Thank you for checking my Post 8562 out. And that you are going to look into it. Hoping that will help improve VoodooShield!!!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I just used pr
    Thank you as well, we appreciate your guys help!
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    The reason the Burnaware installer was permitted to spawn a process is because it is a signed file. That's what I was saying above about Medium Protection Mode. AG allows signed files to run with Limited Rights in Medium Protection Mode from the user-space. I just tried executing an unsigned file from the desktop (GMER), and it was unable to spawn a process in Medium Protection Mode. I checked with Process Hacker, and KillSwitch. The AppGuard Stopped a Suspicious Program Prompt you received is the prompt I was referring to above which sometimes causes the strange behavior of allowing a process to spawn for a millisecond. Try executing an unsigned file from your desktop in Medium Protection Mode, and see if a process is able to be spawned. If one is spawned then choose not to receive the annoying prompt BRN added to AG that states "AG Stopped a Suspicious Program...". That's the bug I was referring to above. It does not always occur though so you may not have to do that. I'm using the latest beta version, and I'm not sure if that bug exists in this version.

    I have been brainstorming about VS the last several days, and I think I have some good recommendations coming for VS. I would post it now, but I can't make up my mind whether to block some things globally, only when web apps are the parent, or both. I think monitoring the command lines of vulnerable apps is the way to go. For example: if a vulnerable app like a browser has taskhost.exe in a command line then it should automatically be blocked. I do think VS should block a few things globally that are not currently being blocked like vssadmin.exe, and bitsadmin.exe. I'm getting ready to roll my machine back after the Kentucky game, and install VS again. I also may have a test computer available in a few days. If I do I will see if I can get my hands on some nasty exploits, and do some testing on VS. It will help give me a good idea on what processes need to be closely controlled. I have a small list I'm working on for web apps at the moment. It would be a large list, but I think many things can be safely blocked globally. Well, the game is getting ready to come on. Got to run.

    Edited 2/20 @ 6:18
     
    Last edited: Feb 20, 2016
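One way to express the two kinds of rule sketched in the post above (a global block list, and a command-line check that applies only when the parent is a web app) as plain detection logic. This is an added example, not VoodooShield's or AppGuard's code; the web-app list, the block lists, the event fields and the sample events are all assumptions constructed for the example.

```python
import ntpath

# Hypothetical rule set built from the recommendations in the post above.
WEB_APPS = {"chrome.exe", "firefox.exe", "iexplore.exe"}   # assumed "vulnerable apps"
BLOCK_GLOBALLY = {"vssadmin.exe", "bitsadmin.exe"}          # blocked whatever the parent is
BLOCK_UNDER_WEB_APP = {"taskhost.exe"}                       # blocked only under a web app

def _basename(path):
    # Windows paths; compare case-insensitively on the file name only
    return ntpath.basename(path).lower()

def evaluate(event):
    """Decide 'block' or 'allow' for one process-creation event.

    event: dict with 'image' (child path), 'parent_image' (parent path) and
    'cmdline' (child command line). Returns (verdict, reason)."""
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmdline = event["cmdline"].lower()
    if image in BLOCK_GLOBALLY:
        return "block", f"{image} is blocked globally"
    if parent in WEB_APPS:
        # Match on the command line rather than only the image name, so the
        # tool is still caught when it is started through an intermediary.
        for needle in BLOCK_UNDER_WEB_APP:
            if needle in cmdline:
                return "block", f"{parent} launched a command line containing {needle}"
    return "allow", "no rule matched"

def evaluate_all(events):
    """Verdict per event, in order."""
    return [evaluate(e)[0] for e in events]

# Constructed sample events (not from the thread).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "cmd.exe /c C:\\Windows\\System32\\taskhost.exe"},
    {"image": r"C:\Windows\System32\taskhost.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "taskhost.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "notepad.exe download.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev["parent_image"]), "->", _basename(ev["image"]), evaluate(ev))
```

The third event shows the scoping the post is undecided about: taskhost.exe under explorer.exe is allowed here because the rule is parent-scoped, and would need to move to the global list to be blocked everywhere.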
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It is confusing because AG ended up blocking Burnaware, but it suspended the process until the 2 prompts were closed (although these prompts do not let the user allow the blocked item). If AG is going to ultimately block the item either way (since Allow is not an option in the prompt), then why suspend the process until the 2 prompts are closed (while in Medium mode)... why not just block it altogether like it does in Locked Down mode, even if it is a signed file?

    BTW, I always test all software using its default settings... I assume this is what AV testing labs, pen testers and software reviewers do as well. So the last time I tested AG, it was in its default mode and I launched a few items from the desktop and noticed that they appeared in Process Hacker. That is why I said "This is normal for the process to be suspended... test with AG, ERP and VS and you will see the same result." which got us off on this tangent ;). Obviously I did not even think to see if the files were signed or not because VS does not utilize digital signatures, except to temporarily allow new items if the previously allowed item digital signature matches with the one that is currently being evaluated... so I always forget about digital signatures.

    Cool, please let us know what recommendations you have for VS, or if you find anything that can bypass it! Thank you!
     
  15. guest

    guest Guest

    Sure, if the file is signed it's allowed to spawn in Medium Mode.
    If it's unsigned, it's blocked in both modes (without spawning).
    ;)
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,711
    Location:
    The Netherlands
    A certain member has posted that VS and ERP were indeed bypassed, but I couldn't tell it from the screenshots alone. I also wonder if it's a big deal that VS and ERP will suspend processes instead of completely blocking them, like AG does in lockdown mode. The ERP developer has told me that this shouldn't be a security risk. And I believe the bypass method relied on loading certain system processes, apparently AG blocked this, and that's why it passed the test. Or perhaps I misunderstood?
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, but I just do not understand why the process is suspended in Medium mode and denied from spawning in Locked Down mode, when there is not a prompt that would let the user allow the process. It is not a big deal and is perfectly safe either way, but I am just curious. I would also be curious if Vlad instructed VS's mini filter driver to automatically deny process creation, instead of evaluating the process and prompting the user... if then the process would be detected in ProcessHacker or not. Right now he is busy finishing up the wildcards and VoodooAi integration, so we can save this for another day.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you for your help!!!
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The payloads were clearly blocked by both VS and ERP, the OP even posted the prompts showing that the payloads were blocked. Are there screenshots of the ransomware in action? If so, please let us know!
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    That's probably the same behavior I reported to BRN as a bug. AG did not start exhibiting that behavior until after they added an additional notification prompt that lets the user know something has been blocked. I think it's a useless annoying prompt myself. Thank you for confirming that behavior! I will report it again.

    Edited 2/21 @ 3:00 am
     
    Last edited: Feb 22, 2016
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Just for the record it was not I that reported they were bypassed. I have read that post though. I can see why the poster believed that VS, and ERP were bypassed though. The tester took screenshots while the payloads were suspended so it looks like the payloads were successful. That's what I have been informed to be the case anyway. It's impossible to confirm either way. The testers should have posted videos instead of screenshots if they wanted to be taken seriously. The really poor Google translation of Chinese does not help matters.
     
  22. guest

    guest Guest

    IMO AG should block signed files in Medium Mode too, and only allow signed files from Publishers that are on the Publisher List.
    The process is created, VS suspends it and is prompting the user? (like ERP)

    If the final comes out, I think I'll give VS a try.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ok, that makes sense now... The Error 5: Access is denied message is from the KMD (which cannot be customized), so they added "AG Stopped a Suspicious Program..." message because it is more descriptive and tells the user why a certain item is blocked. VS has the same KMD message, but it automatically finds the KMD message when something is blocked and dismisses it so that we can use our own customized prompt, so that the user knows why something is blocked. But I am still curious why the process is suspended (only in Medium mode), since the user does not have the option to allow the blocked item, with either the KMD message or the customized prompt.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    OHHHHH, that is why they thought there was a bypass... they noticed the suspended process in ProcessHacker!!! Thank you for figuring that out!
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I really am not sure either way about how AG should handle signed files... and by no means am I trying to give anyone advice ;). We just kind of got off on a tangent, and I was curious about some things that did not make sense to me. I am certain there are several things in VS that confused people as well ;). For example, some people are confused when VS automatically turns OFF when it is in Smart mode, when all of the web apps are closed ;). Even though we went to great lengths to let the user know that VS automatically toggles with the web apps in Smart mode ;).

    What I mean about "The process is created, VS suspends it and is prompting the user?" is... if VS had a locked down mode where it did not prompt the user at all, I would be curious if the process would show up as a suspended process in ProcessHacker. I think it would, only because we use similar drivers.

    Cool, yeah, try VS at some point and let us know what you think! Thank you!
     