VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    This was interesting. After ejecting a USB flash drive the VS gadget stayed blue, so I right-clicked it and was going to check if VS thought a web app was open, and it changed to red with USB on it.

    [attachment: VS Off USB.PNG]

    I've never seen that before. :)
     
  2. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +1 :thumb:
     
  3. mesaboogieman

    mesaboogieman Registered Member

    Joined:
    Aug 2, 2004
    Posts:
    52
    Location:
    UK
    Hi,
    I had a similar event recently when 'safely removing' a USB flash drive. The VS systray icon stayed blue (I have the gadget turned off) and it would not change back to red despite there being no web-facing apps running; I rebooted the PC and normal service was resumed.
    Running 3.58 on Win7 32-bit. The only other security app running was Comodo Firewall 10.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Andy,

    I want to make sure we are on the same page…

    1) VS will block the exploit from ever running PowerShell… if you have figured out a way for an exploit to run PowerShell without VS blocking it, please let me know.

    https://malwaretips.com/threads/how-do-you-secure-powershell.70981/page-2#post-623685

    2) How are you going to rename or create an executable file called “PowerSh.exe” without VS blocking the initial non-whitelisted executable or script?

    https://malwaretips.com/threads/how-do-you-secure-powershell.70981/#post-623590

    In this scenario, VS would block the payload spawned by PowerSh.exe.

    3) If there are “serious loopholes in Windows Script Host security in Autopilot mode”, please let me know!!!

    Sure, one can manually modify Windows to set it up for failure in a POC, but this would never happen in a real world attack scenario.

    I think VS has everything covered, if not, please let me know ;), thank you!
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for letting me know... I will see if we can reproduce this. Or if you guys know of a way to reproduce this, please let me know too, thank you!
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Andy,

    I understand, but VS should block the exploit from spawning powershell... if you have found a way around it, please let me know. BTW, even if an exploit can spawn powershell, the payload would be blocked as well.

    AutoPilot is a little more at ease with scripts than Always ON or Smart Mode, but VS should still sufficiently protect the computer.

    If you have found a Windows Script Host vulnerability in AutoPilot mode, please either post it on MT or email me at support at voodooshield.com.

    BTW, when you are testing with VS, if you think you might have found a bypass, please make sure to reset your whitelist and clear the command lines, and test once more to verify. This happens to me all of the time ;). Thank you for your help!
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, I think we are covered on the PowerShell front... Black Cipher tried pretty hard to bypass VS with PowerShell, and as far as I know, was unable to do so... but he did manage to bypass several others.

    https://www.youtube.com/channel/UCiBGKMoRpJrUQ4ysXtB0mUw/videos
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Please do not get me wrong... I certainly am not validating his work, or even approving of it. If you read the comments I made on this video, you will see what I mean ;).

    https://www.youtube.com/watch?v=nuJcxSkMW3U&t=2s

    Then again, if what you are saying is true, then why this post?

    https://malwaretips.com/threads/bypassing-emsisoft-video.70606/page-3#post-619674

    My only point is that BC stated in the following video "CB Defense, Cylance, Voodoo Shield, Eset NOD32, Kaspersky and Bitdefender are tough for sure. But we are working on them ;-) The ones posted so far are easy to get around even when configured for maximum security."

    https://www.youtube.com/watch?v=sq9T6xtNRA4&t=192s

    And only CB Defense, Kaspersky and VoodooShield never had a video posted that demonstrated a bypass. Keep in mind, one video was posted and later removed ;).

    I am not sure what you mean by "You removed the settings a few versions back to control for what shows notification so he couldn't do it with VS"... what setting are you referring to?
     
  9. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    Salutations/Greetings/Everyone!:geek:

    Questions/Thoughts

    AUTOPILOT MODE when surfing the web!
    Or would you suggest ALWAYS ON?
    Which is better as far as protection?

    So there are no problems with Fast Boot and/or Fast Startup?
    Or has this problem been fixed completely with the latest version?

    SMART (Default) when rebooting the Computer.

    With Windows Updates, how often would you
    take a Snapshot with VS? *puppy*

    Looking forward to your answers and opinions!:cool:
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Moose, I think the initial screen you see after installing VS explains it best: www.voodooshield.com/artwork/mode.png

    AutoPilot should be almost as secure as the Always ON or Smart mode, but there are several usability features that certainly take some calculated risks. That is, the goal with any security product is to find the best balance between usability and security. If you want "absolute" security, then lock it down. If you want to maintain usability, you have to take some calculated risks... there is no way around it. But this is why VS offers different modes.

    Me personally, I really like Smart Mode... it is almost always quiet as a church mouse, but is still locked when it is at risk... it is a great balance.

    AutoPilot is great for novices, especially if you run VS on AutoPilot for a couple of weeks, then switch to Smart Mode or Always ON. AutoPilot is also great if you do not need full "lockdown", but yet want a lot of the benefits of application whitelisting, especially when used in conjunction with a solid AV.

    There really is hardly ever a reason to take a snapshot... these are all automatic. That option is simply there to allow the user to take an advanced snapshot, which scans the registry and other places, to add recently used programs to the whitelist. And even this really is not necessary... VS learns very quickly in default settings. Thank you!
     
    Last edited: Apr 29, 2017
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, I am just not sure what feature I removed in VS... if you want to let me know, please do.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, I actually do not view any security software as VS's competitor... we ultimately have VERY different target audiences and goals.

    As far as AV's go, VS works extremely well with all of them (as far as I know), and adds a killer level of security when the computer is at risk. The problem with AV's is that they provide the same level of security, whether the computer is at risk or not... and this is an issue because you can only make the computer so secure before it is not usable.

    Which is why I always say "the device should be locked when it is at risk".

    My goal is to lock as many web connected devices as possible, when they are at risk.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Ohhhhh, I remember now... yeah, that is all handled automatically now.

    Are you saying that BC manually disabled similar features (cmd/powershell/etc) in all of the products that he tested, then posted bypass videos? I know he did for the one video that he removed, but his point in that video was that unless all of the protections were enabled, then the endpoint was subject to bypass. THE PROBLEM IS, hehehe, he went on to explain that most endpoints are configured to disable Script Control and Application Whitelisting because it was too much of a PITA for admins of the product he was demonstrating. If that is the case... either the features need to be made more user-friendly, or they need to look elsewhere for a security solution, because disabling these features in the enterprise is completely unacceptable.
     
    Last edited: Apr 29, 2017
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    All of which makes these video tests worthless for the most part.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    How is downloading the current version of software directly from the main link of a vendor's website cheating? (Let's at least be fair and honest here.)

    Besides, the real issue is that users should not be required to manually add vulnerable processes as they are exploited... what happens when malware authors start exploiting other Windows (or other) files?

    VSSAdmin ring a bell?
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    When did it become a good idea to test beta versions of security software? Did I miss something? I did not get that memo.
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, "user doesn't get alerts when there is no point in getting alerts"... this makes zero sense for many, many different reasons, but I will focus on one.

    Please name one single potential block in this scenario... just one. In all of the time that VS has had this feature, I am not a betting man, but I would bet it has not blocked one single item, for any of our users, unless it was malware.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Not even to ensure that the software is working correctly to defend against modern threats?
     
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Just wondering why Microsoft Word is not on the default list of web apps, even though PDF readers are on the list.
    Word would benefit from anti-exploit protection, similar to the PDF readers.
    Does the anti-exploit feature interfere with Word functionality in some way?
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Word is protected... along with a HUGE list of other standard programs that are hard coded into VS, but apps that do not act as part of the primary attack vector should not toggle VS to ON. Keep in mind, even when VS toggles to OFF, there are still protections in place.

    It is difficult to explain (and took me awhile to figure out), but if we consider how attacks actually occur, it starts to make sense.

    For example, using Word by itself will never infect the computer. That is, if you only use Word to create your own documents, and do not download malicious macro-enabled Word documents from a malicious email (for example), the computer will never be infected. It is only when you use Word in conjunction with a risky web app that there is an issue (yeah, and supposedly USB drives ;)).

    I hope that makes sense... I will try to figure out a better way of explaining this.

    When we first implemented this feature a while back, I posted on Wilders several times that there is no reason for a web app to ever spawn any of the Windows files (along with other risky files). Sure, there are 3-4 or so items, out of the many thousands of Windows files (such as splwow64), that need to have the ability to be called from a web app, but ALL of the other Windows files should be blocked by default if spawned through a web app. If you have noticed, there were a couple of blocks in the beginning, but since then, there have been none.

    If you ask me, all security software should implement a feature similar to this... I do not consider it proprietary, and it helps to lock the system down pretty darn tight. With VS, it was relatively easy to implement since everything is centered around the concept of Web Apps, and locking the computer when it is at risk. But it would not be too difficult for other software to implement something similar. That way, the next Windows process that all of the malware authors start to exploit is already covered... and you do not have to worry about adding new vulnerable apps in the future.
     
  21. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Frezhnacz
    I'm no expert... but I can run powershell w/o interference from VS when I'm in Smart (Default) mode. In Always On or Autopilot modes, VS blocks execution. Why is this?

    Relatedly cmd.exe and regedit.exe are unprotected in all modes. Is that intentional?
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yes, it is intentional... when VS is in Smart Mode / OFF, powershell is auto allowed, if the user launches it... and cmd and regedit are always allowed when the user launches these as well. But if something besides the user tries to launch one of these apps, for example a non-whitelisted command line, it will be blocked.

    This is simply to help with usability... the idea is to reduce the number of prompts as much as possible, but only when it is safe to do so. For example, it always drove me absolutely crazy that UAC would block regedit when I launched it manually... and obviously, this is just one example.

    I hope that makes sense, if not, please let me know!
     
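The two rules described in posts 20 and 22 above (a web app may not spawn Windows files except for a short exception list, and cmd/regedit/PowerShell are auto-allowed only when the user launches them, with PowerShell additionally depending on the mode) can be written down as a small parent-process-aware launch policy. The following is an added illustration, not VoodooShield's code: the web-app list, the exception list, the mode names, the `Launch` event shape, the allow/block verdict model and a whitelist keyed by lower-cased full path are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath


class Mode(Enum):
    """Operating modes named in the thread (assumed values)."""
    ALWAYS_ON = "always_on"
    SMART = "smart"
    AUTOPILOT = "autopilot"


@dataclass(frozen=True)
class Launch:
    """One process-start event (constructed input; field names are assumptions)."""
    child: str            # full path of the executable being started
    parent: str           # full path of the process asking for the start
    user_initiated: bool  # True when the user started it (Explorer / Start menu / desktop)


# Constructed sample configuration; these are not the product's real lists.
WEB_APPS = {"chrome.exe", "firefox.exe", "outlook.exe", "acrord32.exe"}
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
WEB_APP_CHILD_EXCEPTIONS = {"splwow64.exe"}  # the few Windows files a web app may legitimately spawn
USER_TOOLS = {"cmd.exe", "regedit.exe"}      # allowed in every mode when the user launches them
POWERSHELL = "powershell.exe"


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _under(path: str, root: PureWindowsPath) -> bool:
    """Case-insensitive 'is path inside root' check for Windows paths."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in root.parts]
    return parts[: len(root_parts)] == root_parts


def decide(launch: Launch, mode: Mode, whitelist: set[str]) -> tuple[str, str]:
    """Return (verdict, reason) for a launch; verdict is 'allow' or 'block'.

    whitelist holds lower-cased full paths of executables the user has already approved.
    """
    child = _name(launch.child)
    parent = _name(launch.parent)

    # Rule 1: a web app may not spawn Windows files, apart from the short exception list.
    # Because the rule keys on the parent, the next abused system binary is covered
    # without a list of "vulnerable processes" having to be updated.
    if parent in WEB_APPS and _under(launch.child, WINDOWS_DIR) and child not in WEB_APP_CHILD_EXCEPTIONS:
        return "block", f"{parent} tried to spawn Windows file {child}"

    # Rule 2: cmd.exe and regedit.exe are allowed in every mode when the user launches them.
    if child in USER_TOOLS and launch.user_initiated:
        return "allow", f"user launched {child}"

    # Rule 3: user-launched PowerShell is auto-allowed only in Smart mode;
    # in the other modes it falls through to the whitelist like any other program.
    if child == POWERSHELL and launch.user_initiated and mode is Mode.SMART:
        return "allow", "user launched PowerShell in Smart mode"

    # Rule 4: anything else (a renamed copy such as PowerSh.exe, or a tool started by
    # another process rather than by the user) must already be whitelisted.
    if launch.child.lower() in whitelist:
        return "allow", f"{child} is whitelisted"
    return "block", f"{child} is not whitelisted"


if __name__ == "__main__":
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    explorer = r"C:\Windows\explorer.exe"
    winword = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    approved = {r"c:\windows\splwow64.exe"}  # constructed whitelist
    scenarios = [
        (Launch(r"C:\Windows\System32\cmd.exe", chrome, False), Mode.SMART),
        (Launch(r"C:\Windows\splwow64.exe", chrome, False), Mode.SMART),
        (Launch(r"C:\Windows\regedit.exe", explorer, True), Mode.ALWAYS_ON),
        (Launch(ps, explorer, True), Mode.SMART),
        (Launch(ps, explorer, True), Mode.ALWAYS_ON),
        (Launch(r"C:\Users\alice\Downloads\PowerSh.exe", winword, False), Mode.AUTOPILOT),
    ]
    for launch, mode in scenarios:
        verdict, why = decide(launch, mode, approved)
        print(f"{mode.value:10} {verdict:5} {why}")
```

The ordering matters: the parent-based rule runs first, so a browser spawning `powershell.exe` is blocked even if the user has whitelisted PowerShell for their own use, while the same binary started from Explorer by the user is handled by the mode-dependent rules. A renamed copy living outside `C:\Windows` never matches the auto-allow rules and is judged purely on the whitelist, which is the behaviour post 4 describes for `PowerSh.exe`.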
  23. guest

    guest Guest

    For example, you should get a prompt if one of your web apps wants to execute cmd.exe or regedit.exe.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you mood!

    BTW, Andy Ful did find a bug for .wsf files when VS is on AutoPilot. It was not an issue with the design, it has something to do with the way VS extracts the command lines for .wsf files... it will be an easy fix and it will be included in the next release. Thank you Andy!
     
  25. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Frezhnacz
    All good. That was helpful.
     