VoodooShield/Cyberlock

The only thing I gleaned from mWave's video and subsequent comments is, OK, hold on:

VoodooShield is an anti-executable.

If I'm missing some crucial point or piece of info, fine, but that was my takeaway.

Wow, OK. I hope this is included in a future release and I understand the "optional" rationale. 355 b2 is fine, no problems.

 

Hi All

Anyone tried the DoubleAgent zero day PoC against VS?

https://cybellum.com/doubleagent-taking-full-control-antivirus/

 

i was waiting how long before this will be mentioned here

 

Someone had to ask the question

 

The interesting point is that it is a persistent malware :

 

Yeah, we really should not let things get out of hand like that. I see the point he is trying to make, but he is forgetting that much of VS's self-protection is inherent, which is true with all anti-executables. If VS were a traditional AV, it would be a different story.

I will say, it is great to see that people are extremely passionate about VS, and that is a great thing. They get upset with me if I do something that they do not like with VS, and they let me know it . And actually, that is a great thing too.

 

Yep . I am not sure if we will find a need for a lock down feature or mode, but if you guys can think of one, please let me know!

 

I have not tried it myself, but VS will easily block it... any anti-executable would easily block it. If anyone has a copy of this, please try it and let us know!

Here is a video... they launch the payload with a command line so they can add a necessary argument, but that is beside the point.

https://www.youtube.com/watch?v=-ZL9WSuDAqk&feature=youtu.be

That is what is so great about anti-executables... if you block all new executables and scripts, it is almost impossible to infect the machine.

Well, unless you click allow.

 

No problems with v3.55 beta3. But I didn't have problems with any builds post 3.53.

 

That is why i shifted to A-E long time ago and i promoted them. I just want system lockdown
Once in Lockdown, i'm happy that nothing will get in my system without my permission.
And for that, my actual combo is quite robust

 

BTW... please note this section from the article.

1. Generic code injection technique that is undetected by AV.
2. Generic persistence technique that is also undetected by AV.
3. And most importantly, injecting code directly into the AV while bypassing its self-protection techniques.

That is what I was saying about self-protection... the more you research self-protection, the more you find that the various methods can be defeated. Also in the article...

Mitigation
Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as “Protected Processes” and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks. This means that even if an attacker found a new Zero-Day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design. Even though Microsoft made this design available more than 3 years ago. It’s important to note, that even when the antivirus vendors would block the registration attempts, the code injection technique and the persistency technique would live forever since it’s legitimate part of the OS.

But from what I understand, this might be defeated as well. Either way, my point is, why implement self-protection if you know it can be defeated? Which is why I was thinking that a lock down approach, combined with one or two other methods might be the best thing to do for VS.

VS protects itself extremely well on its own, with the exception of Adam's macro, and we have plenty of time to figure it all out before we see malware that targets VS. And once we decide for sure, I will hire the right person with a lot of experience with this type of coding to implement whatever we decide is best.

 

Dan,

Since you asked, I've haven't tried the latest beta so cannot report on it.

 

Cool, thank you for letting me know. If anyone has any issues with the beta, please send me your DeveloperServiceLog.log!

 

Yeah, I am not sure why anyone ever thought that allow-by-default was a good model for computer security . My goal is this... five years from now, I want everyone to look back and say "Do you remember when we used to not lock our computers when they were at risk? Can you believe we actually used to do that?"

 

@VoodooShield
i remember, at that time i had HIPS to lock my system (was Online Armor and Comodo in my case), after i ditched them for A-E (Apgguard, ERP, SOB, etc...).

DoubleAgent need admin rights; and is effective after after the system is compromised. So not much a big deal.

 

Thank you for letting me know. I really need to finish up the web management console with Alex, so we will probably just remove the self-protection in the beta versions for now, and revisit this feature sometime soon, in a different beta fork. The code for the feature is almost there... it will not take much more work to finish it up, the difficult part is finished.

 

Just put an opt-in option, and a way to unlock the system in case the lock was mistakenly triggered by the user. and every body will be happy.

 

@VoodooShield
What scenario(s) do you have in mind that VS self-protection is necessary? mWave gave you an example, but you didn't accept it because the supposed "bypass" still needs the user to execute it.

So, am I right in thinking that the planned self-protection is a fail-safe measure for a possible bypass of VS' Lock Down approach (Always On, Autopilot, etc.)? In other words, if VS, in Always On, allows a malware to run without user intervention (so there's a bypass), and the malware attempts to disable VS, self-protection should kick in to stop further infection, right?

 

Indeed, that is Dan view of the S-P.

Now some people like me said "why go to such length on a home user system, because if the S-P have to kicks in, mean the system is already compromised , so why bother lock the system? just keep VS simple to use".
In a home suer compromized system, a reformat/restore is needed since VS can't clean the system and 90% of the users won't know how to clean it themselves... So lock for what?

The approach of Dan is valid if the malware isn't persistent and the attack doesn't survive a reboot. But, as a tester, i won't rely on a protection valid only in a particular situation; especially for a home user system.

This "system lock" approach is more a corporate measure, because in corporate environment, the infection must be located, analyzed and the source must be identified asap to avoid further loss and costs for the company.
In a home user , you don't care of this, just restore a backup.

Appguard uses the lock method , because AG is a corporate solution first, and when an infection manage to attack its S-P, it means it is a HUGE concern. So the attacked system must be locked and removed right away from the network for further inspection and forensic analysis.

You don't wear a kevlar vest to avoid being bitten by mosquitoes.

 

I remember the Honeypot feature of CryptoPrevent. If it detects ransomware activity, it stops all operations, asks the user to seek help, and recommends to shut down the system without restarting until a competent person handles the computer.

It's similar to what you're saying. Shutting down or restart might not completely resolve the infection. There is already an infection, so a restart might just continue the mess.

 

Exactly, and since VS is a home "beginner" user software, it doesn't need complex features like this, which will mostly freak out the beginners when it will happen.
Now if Dan can find out a good compromise; im fine with it.

 

I'm interested to know what you think should happen instead of a lock down when VS is killed by malware or some other method? Nothing?

 

As i said many times, if you are compromised to the point a malware kills your security softs, it is too late. Just restore a backup, it takes 15mn and you won't worry about your system being locked and the consuming task of cleaning the system (which 99% home users have no idea how to do it).
If you are compromised, you can't allow yourself to let any traces of the infection in the system.

 

If VS starts locking my machine and / or requesting I shut my machine down then I would expect my machine has been compromised. In this case I will either restore from a recent backup or clean install Windows... But hey, that's jut me.

 

i think instead of locking right away the system , announcing first that the system may be infected and requesting a restart would be a good solution.