Pumpernickel (FIDES)

Is someone using "AppCheck Anti-Ransomware" and has maybe noticed, that AppCheck can write files to the folder Backup(AppCheck) (in the root-folder) even if the software is not in the Whitelist?
I think there is a connection to the above quote and i guess the service from AppCheck is creating these files and FIDES doesn't or can't prevent it fully.

Sometimes i see that FIDES is indeed blocking files:

Code:

*** excubits.com beta ***: 2017/01/18_22:45 > W: C:\Program Files\CheckMAL\AppCheck\AppCheckS.exe > G:\Backup(AppCheck)

but nevertheless i can see files and folders in the "Backup(AppCheck)"-folder.

 

Hey guys. I also installed CheckMAL' AppCheck. It seemz to install Kernel-MOde driver, I thinks this driver responisble for making backups, so AppCheck has control over file systems like all other kernel stuff. Theres litte Pumpernickel can do here. I would guess that malware in Kernel will also be able to changes files in AppCheck backup folder. If remember I correctly the excubits developer somewhere write or say that Pumpernickel cannot protect from in-kernel attacks which make sense to me: we all know: if someone is in kernel he own the system regardless of the protection tool you use.

Well, I will write Florian a e-mail, so he can confirm and give more details. Will then post his answer here; maybe this helps to clarify thing.

 

Good. I wrote an email right after i found out that AppCheck was able to write to the folder.
We'll see what they have to say about this.

But yes, i suspect too this might be the kernel-driver of Appcheck which is allowed to create files.
AppCheck Anti-Ransomware is clearly demonstrating it, kernel-drivers have full access.

 

I posted about this here: https://www.wilderssecurity.com/thr...ansomware-freeware.391031/page-8#post-2643771. Most notably:

Due to the fact ransomware only needs to operate in the kernel long enough to encrypt files, KPP and SecureBoot are useless, all that’s needed is a DSE bypass (which is very easy on pre Windows 10 platform).

i.e. DSE is driver signature enforcement.
​

As the author noted, ransomware will evolve to more potent forms as all malware does. More so for ransomware given its large payback to its creators.

​

 

Yep, this is how the way go. So there is always need for multi-layer protection. One solution alone will not defend all possibilities. Even if you have a multi-layer it is possible to bypass in some way if one hacker is smart enough and find way into the castle. I dont assume that one solution will "kill 'em all". I would add anti-exe to reduce the risk that someone can installs a kernel-driver, so NVT ER, SRPs, Bouncer, Appguard, Faronics Anti-EXE would do good job. Here again, a good hacker will also be able to bypass if time goes and the attacker has enough time and money to find (or buy) a zero-day So in general I dont thinks that this is issue with protection software, it is how the world is, we cannot protect 100%. I love the car example: with all the air-bags and bumbers etc. we can still die in the car, so this is something we have to be clear about - nothing is 100%. The problem is that AV and IT-Sec industry often paints the picture of 100% ;-)

This is what we hav seen with all the computer viruses in the 80s and 90s, then with worms arounf 2000s, then with (banking)trojans. Its all the same, they release some weak malware, then AV-industry fights back, than they enhance and finally the go PRO and build the ultimate, hardcode malware class not easy to detect and find. In all the years for me a reliable external backup, access-permissions and anti-exe solutions were the most fexible and best solution to fight malware. The other stuff is just additional layer to help filling the gaps.

 

. But then there is still always the risk of wrongly clicking 'Allow', and how far back in the backup chain did one do this? But thankfully, I have been OK till now - always been able to recover.
But I use Pumpernickel only to protect my backups on external USB drive so if that is compromised by the 'raw access' issue, I would indeed be hosed (except data is backed up on Amazon Glacier via Zoolz).

 

That's the glory of solid virtualization in SD. A parallel universe (Star Trek TOS lore) where they enter but can't stay.

No matter the efforts to dance and march with trying to build the strongest wall, SD is your iron curtain.

I like FIDES and it covers some bases well but am one of the few who demand a GUI.

 

Yeah there's little doubt to it's effectiveness but just a personal preference where I don't have to play & fiddle with text files, writing, rewriting, etc.

Guess you might call it stuck in the ways of streamlined automation.

Can't stand manually having to deal with that when a GUI could make those tasks more fluid with less effort. Or maybe it's just the laziness factor that a GUI offers LoL

 

I don't remember who exactly it was back when this thing got it's wheels rolling early on but they were more adamant over expectations for a GUI to this thing then I am.

If FIDES had a GUI then it might attract more than the Power Security users one might think. I dunno, but that's a deal breaker for me too.

 

There is a new Blog-entry from the author with some interesting information.
https://excubits.com/content/en/news.html

It contains information about: Raw Access, Network Drives and the 8.3 naming scheme.
Quick summary:

 

Thanks @mood

 

Yes. Now devs who make products for home users like us can research and implement such technology in their products. I'd like FIDES as a candidate, what do you think?

 

you can check out different with "pestudio"
AppCheckD.sys
AppCheckB.exe think this file responsible for backup
AppCheckS.exe

also with pestudio found that FIDES not enabled Structured Exception Handling (SEH),so hope enable someways.

 

AppCheckB.exe = AppCheck Anti-Ransomware Backup Application
I can see that this file is responsible for the "Auto Backup"-feature, it has references to "\AutoBackup(AppCheck)" if i look at the strings with PeStudio.

The service AppCheckS.exe has references to "\Backup(AppCheck)", so this file should be responsible for the feature "Ransom Shelter" and it was blocked from FIDES.
But the kernel driver AppCheckD.sys can't be blocked and it can copy files to protected drives.

 

If Windows itself can block the raw-access after a little change in the group-policy (only for removable devices), vendors could do this too.
But malware with raw-access is rare and there are further requirements for raw-access (admin-rights or it needs to install a driver), i'm not sure if more vendors want to implement it.
Or they don't even consider this as a security issue:

 

Agreed. If a group-policy setting can block raw access then would be the best and native way to do.
As for vendors, well yes, if they consider it is not an important issue they won't implement as we've seen in Florian's comments.

 

sometime back i requested such feature.what do you think about it? for pump and other driver
can cause smaller & smarter rules
they said will consider it.but no clear time when will be added.

Code:

C:\Program Files\*robotaskbaricon.exe,identities.exe,firefox.exe>C:\Windows\System32\sechost.dll,secur32.dll,sfc.dll,sfc_os.dll,shell32.dll,shlwapi.dll,slc.dll,srvcli.dll,sspicli.dll,tzres.dll,urlmon.dll,user32.dll,userenv.dll,usp10.dll,uxtheme.dll,version.dll,WindowsCodecs.dll,wininet.dll,winnsi.dll,WinSCard.dll,wkscli.dll,Wldap32.dll,ws2_32.dll,wsock32.dll,wtsapi32.dll
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe,identities.exe>C:\Windows\System32\sechost.dll,secur32.dll,sfc.dll,sfc_os.dll,shell32.dll,shlwapi.dll,slc.dll,srvcli.dll,sspicli.dll,tzres.dll,urlmon.dll,user32.dll,userenv.dll,usp10.dll,uxtheme.dll,version.dll,WindowsCodecs.dll,wininet.dll,winnsi.dll,WinSCard.dll,wkscli.dll,Wldap32.dll,ws2_32.dll,wsock32.dll,wtsapi32.dll

C:\KMPlayer\KMPlayer.exe>C:\KMPlayer\avcodec-lav-57.dll,avfilter-lav-6.dll,avformat-lav-57.dll,avresample-lav-3.dll,avutil-lav-55.dll,BookMark.ini,ColorTheme.ini,KMPlayer.exe,Language\English.ini,LAVSplitter.ax,LAVVideo.ax,libbluray.dll,libcodec.dll,libmplay.dll,MediaInfo.dll,PlayList\Default.kpl,PProcDLL.DLL,Privilege.dat,Skins\touch.ksf,swscale-lav-4.dll
 
C:\Program Files\Notepad2\Notepad2.exe>C:\Users\*\*.txt,*.ini,*.log,*.html,*.cmd