Could anti-exe programs prevent applications from executing unknown dlls?

Discussion in 'other anti-malware software' started by Online_Sword, Sep 26, 2015.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm all for that!

    ----
    rich
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    How about 10 years ago!

    Endpoint Security and Whitelisting were beginning to be discussed. I quoted from this paper [PDF] back then:

    An Ounce of Prevention: Risk Management Approach is the Key to Good Security Process
    By Dennis Szerszen, of Securewave, January, 2005
    • The approach most enterprises have taken to endpoint security has basically echoed the defensive posture taken with their networks, firewalls, anti-virus and intrusion detection. All of these are effective to some degree, but hardly provide a complete answer. These are all geared toward identifying bad processes and malicious code. Trying to keep up with everything that is bad is a monumental task-one that is falling behind and should be reserved for reactive clean-up and maintenance processes. Trying to maintain an up-to-date 'blacklist' cannot be expected to work over the long run. It is, therefore, difficult to understand why security vendors did not start with a 'whitelist' approach until you think about what the world looked like in the mid-1980s, when endpoint security solutions began their journey. The world looked considerably different than it does today, who then could have imagined more than a few new exploits a month?
    • This approach can effectively eliminate the need to patch in emergency mode. Malicious code by default is not on the white list which means that enterprises can rest assured that their exposed software vulnerabilities are safe from potential exploitation, enabling their IT staff to work proactively to develop scheduled patch deployments rather than being in a constant state of emergency.
    SecureWave merged with another company, and is now Lumension IT Security. From its web site:
    • Learn how to protect your enterprise with the leading patch, vulnerability management and endpoint security software solutions. Lumension IT security resources ...
    • Solid endpoint protection requires a proactive and complete approach. Whitelisting combined with AV provides true defense-in-depth and is flexible enough to balance user productivity and convenience with enterprise security needs.
    I discovered that there are many approaches to Enterprise Endpoint Security, Whitelisting, etc, and discussions became rather heated! I eventually avoided them.

    I did home consulting back then, and a key factor, in my humble opinion, is Risk Management, Risk Assessment. It applies to both Enterprise and Home Users. But this is another topic...

    ----
    rich
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In Faronics AE v5, they white list every dll on the system. No alerts but system performance takes a real hit. I agree I just can't see doing it. Interesting thing is when you install it, it asks if you want to scan dll's. If you say yes, then you go to lunch. But even with that the monitoring is defaulted off. Strange.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I don't see how VoodooShield would have been able to detect the "bad.exe" in this instance. As far as the OS is concerned, it is executing %Windir%\System32\mstsc.exe. That is the file id that would have been made available to VoodooShield. Since mstsc.exe is a system process, it would have been whitelisted and allowed to execute.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Sorry, but I don't agree. It is the security vendor's responsibility to demonstrate that the bypass is not possible. After all, you are the one making the claim that your software is invincible. Also, I do hope you have a good legal firm on retainer to defend you when a lawsuit is leveled against you on that statement.
     
    Last edited: Sep 29, 2015
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I cannot give away all of our secrets, but child processes of Windows parent processes are blocked. We really do have 3+ mechanisms that should have easily blocked this particular malware. Although if anyone has a sample, I would love to try it just to see.
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, so you noticed that the end point discussions become rather heated at times as well, huh? ;) Yeah, for some reason, people are really passionate about their thoughts on end point security specifically. Maybe because it is the part of the security that the user interacts with the most... just a guess, I never really thought about why this is.

    But yeah, I totally agree, the industry kind of shifts back and forth, usually because when they pivot to a new approach, they quickly realize that it did not work quite as well as they thought it would ;). On the end point, I believe it is because the solution never turns out as user friendly as they hoped ;).
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Where are all of the videos of vendors demonstrating that a bypass is not possible? I see bypass videos all of the time, but the ones you are asking for are quite rare. We actually do have at least one on youtube... I uploaded one when the blackhole exploit was released and VS blocked it. That was a particularly nasty piece of malware that used several different exploits simultaneously.

    https://www.youtube.com/watch?v=RInvpez9-OE

    https://www.youtube.com/watch?v=FfWr4f5y0m8

    Where did I ever say that VS is invincible? If I did say that somewhere, please let me know because that is not true. I have said multiple times that I am certain that something can bypass it, but I have just not been able to find it.

    Yes, we have an excellent legal team who owns 6% of the company and represents well known technology startups. And our 4 initial investors are all attorneys as well.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This was not a spawned process. What the exploit did was fake out the OS program loader in the kernel bypassing this validation:

    Before executing the filepath provided, Windows checks that the supplied path legitimately leads to mstsc.exe

    resulting in the loading and executing bad.exe instead.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Correct, it would bypass the windows validation... where does it say that it would bypass the VS validation ;).

    Again, this is why if someone is going to make claims that a specific threat can bypass a certain security software, then it is up to them to provide proof. It is a lot more efficient than arguing about it. I think vendors should demonstrate that their product is effective as well, but they cannot test against every single threat that is released.

    Do you know where we can find a sample, I would love to try it.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    And actually, your posts only further confirm why it is a good idea to run VS ;).
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Perhaps you can contact this individual to do a test? He believes your software is "primitive."

    r41p4125 June 2015 at 08:41

    i didn't have a look at AppGuard, but i did have one at voodooshield.
    as of now it has primitive protection, easily bypassable and not really worth the time since i don't want to do quality test for them. =)


    http://casual-scrutiny.blogspot.com/2015/03/defeating-emet-52-protections-2.html
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Pete, with v3, Faronics completely rewrote the program, limiting it to whitelisting just a few executables (I complained about that!), with DLLs being optional. V2 had DLLs whitelisted automatically. I inquired, and the reason was due to many complaints at the Enterprise level, that AE was too restrictive in many day to day operations, especially with DLLs.

    So, although DLLs can be scanned, the monitoring is left off by default, so that the user has to want the monitoring. Evidently many do not.

    As far as the performance hit with v3 onward, I do not know why. Not being a programmer, I do not know why the monitoring involves much more work than in v2. Too bad.

    ----
    rich
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Absolutely, thank you, I will contact him right now and let you guys know. I will be curious to see what he finds!
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Here is what I sent him, let's see what he comes up with!!!

    Hi, this is Dan from VoodooShield. If it really is that easy to bypass VS, it should not take you much time at all. I have been looking for someone to bypass VS, because I have been curious for several years what will finally get through.

    Here is a link to our current VS 2.0 release, and we will have a beta soon for VS 3.0 which implements a mini filter kernel mode driver.

    https://voodooshield.com/Download/beta/InstallVoodooShieldbeta.exe

    Thank you!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I hope he is not confusing "Primitive" with "Simple". And I hope he is familiar with Occam's Razor ;).
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I totally agree with this. There should be a balance between security and usability. I actually turn off certain features in HIPS, because some alerts are useless to me (no way to know if the behavior is possibly malicious) and make HIPS way too chatty.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    What I was trying to say is that these apps can block API hooking (hijacking of the browser) even after DLL injection. It's a nice feature that wasn't offered by HIPS back in the days. Like you said yourself, it's sometimes a bit difficult to decide whether DLL injection performed by a certain app is suspicious or not. But when in doubt, it's best to block it.
     
  19. r41p41

    r41p41 Registered Member

    Joined:
    Sep 29, 2015
    Posts:
    12
    Hi Dan,
    This is r41p41.
    Let me first tell you why i think VS is a primitive protection.
    Firstly Please don't take this as offensive, we are all here to improve and criticize and all i am doing is constructive criticism.
    I am assuming your comment stated that if i did the following, it would qualify as a bypass for VS.
    A user opens a website in IE, one EXE gets dropped and executed. Since the exe was not in your whitelist it must not launch.
    If i launched it, it would be bypass?

    Let's take aforementioned to be your desired goal, and i can possibly show you countless ways to bypass VS right now.
    note: The first problem with VS is removing UAC, which makes IE sandbox go bonkers and put child process on High Integrity. This is going to make a user more vulnerable as disabling EPM on IE is very bad. Something which no one should do. I understand that you have *better* protection so you "think" you can deal with it, but you are just creating more holes in the application.
    Now off we go, i roughly analyzed VS for 15-20 minutes so maybe i could be wrong. If i am please do point it out, in which case i would be wrong in assuming VS is primitive and apologize Then go look for a bypass.
    HKLM/SYSTEM/ControlSetxxx/Control/SessionManager/AppCertDll's -> C:/windows/syswow64/cpn32.dll!CreateProcessNotify()
    This is what you use to make sure that every process that gets started would provide you with a callback mechanism to deal with it.
    Inside call back you open handle to a pipe CPNSpecialPipe and do a transaction to check whether to allow this process to run or not
    thats enough i guess.

    why i call it primitive? Because you are using a callback to prevent code from executing unsigned or non whitelisted process.
    i see endless targeted bypasses just by looking at above details.
    1. exploit code hooks
    ->CreateFileW and returns -1 upon seeing CPNSpecialPipe (your code cleanly exits)
    ->TransactNamedPipe and returns immediately (there will be no message popup)
    ->ZwTerminateProcess and doesn't allow it to succeed unless handle == 0xFFFFFFFF (message popup will be there, even if user doesn't allow exploit will still succeed)
    ->CreateProcessNotify() in your dll to return NULL (there will be no callback for you)
    2. exploit code patches LDR so you never get callback (call [esi+10])
    3. exploit code Nullifies the Data Structure (idk, never tried that) so your callback won't even occur.
    4. exploit payload does FreeLibrary() and remove your dll, then attach a vector handler. By the time it gets exception callback the process is already created in suspended mode and your DLL unloading will cause an exception when it should get a callback. The handler created before handles that call and simply Resumes the new process you were supposed to prevent from launching.
    etcetera

    As for generic bypass
    difficult: exploit payload does ZwCreateUserProcess and ZwResumeThread itself
    easy: exploit payload hooks ZwCreateUserProcess and lets it succeed (hooking epilogue i.e. (add esp,4; retn 0x2c) Then Simply put handle procured from parameters in ZwResumeThread and Terminate It

    i just listed out perfect methods for bypassing, tbh i dont have enough time to write code for above. If you are as skilled as i think you should be, you will improve your product and quit calling people out to get you a bypass, if you still want a workable bypass i can create a small POC as part of some bug bounty you can host.
     
  20. r41p41

    r41p41 Registered Member

    Joined:
    Sep 29, 2015
    Posts:
    12
    IMA, Since you disabled UAC and IE is running with High Integrity.
    An exploit can simply drop its DLL and register it at HKLM/SYSTEM/ControlSetxxx/Control/SessionManager/AppCertDll for persistence.
    Malicious DLL will be executing in all processes. An example would be http://www.cyactive.com/new-kid-block-pandemiya-trojan/
     
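The two posts above describe the AppCertDlls key as both the hook a protection product relies on and a persistence location an attacker with write access to HKLM could abuse (a DLL listed there is loaded into every process that calls CreateProcess). An added example, not code from the thread or from any product discussed in it: a small Python audit that parses the text produced by `reg export` for that key and reports DLL entries that sit outside System32/SysWOW64 or are not in an inventory of values the administrator already knows about. The sample export and the DLL names in it are constructed; `TRUSTED_DIRS` and `known_good` are assumptions a real deployment would tune.

```python
"""Audit an exported AppCertDlls registry key for unexpected DLL entries.

Added example (not from the thread or any product in it). Usage on a host:
    reg export "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls" appcert.reg
    python appcert_audit.py appcert.reg
`reg export` writes UTF-16 with a BOM, so the file is read with encoding="utf-16".
Only REG_SZ values are parsed; REG_EXPAND_SZ entries (exported as hex(2):...) are
reported as unparsed so they are not silently skipped.
"""
import re
import sys
from pathlib import PureWindowsPath

APPCERT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls"

# Assumed: directories in which a legitimately installed AppCert DLL normally lives.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

# Constructed sample export: one entry in a system directory, one in a user-writable path.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"ExampleVendor"="C:\\Windows\\SysWOW64\\examplevendor.dll"
"Updater"="C:\\Users\\Public\\Libraries\\upd.dll"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
SZ_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)="(.*)"$')
OTHER_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.+)$')


def _decode_reg_string(s):
    # .reg files escape backslashes and double quotes.
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_appcert_export(text):
    """Return ({value_name: dll_path}, [unparsed value names]) for the AppCertDlls key."""
    entries, unparsed = {}, []
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            in_key = m.group(1).lower() == APPCERT_KEY.lower()
            continue
        if not in_key or not line:
            continue
        m = SZ_VALUE_RE.match(line)
        if m:
            entries[m.group(1) or "(Default)"] = _decode_reg_string(m.group(2))
            continue
        m = OTHER_VALUE_RE.match(line)
        if m:
            unparsed.append(m.group(1) or "(Default)")
    return entries, unparsed


def is_trusted_path(path):
    """True only for an absolute path under a trusted directory with no '..' segments."""
    p = PureWindowsPath(path)
    if ".." in p.parts or not p.drive:
        return False  # traversal or relative/env-expanded paths are never trusted
    return any(PureWindowsPath(d) in p.parents for d in TRUSTED_DIRS)


def audit(entries, known_good=frozenset()):
    """Return [(value_name, dll_path, reason)] for entries that need attention."""
    known = {k.lower() for k in known_good}
    findings = []
    for name, path in entries.items():
        if path.lower() in known:
            continue
        if not is_trusted_path(path):
            findings.append((name, path, "DLL outside trusted system directories"))
        else:
            findings.append((name, path, "not in known-good inventory; verify signature"))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_EXPORT
    entries, unparsed = parse_appcert_export(text)
    for name, path, reason in audit(entries):
        print(f"[!] {name}: {path} -- {reason}")
    for name in unparsed:
        print(f"[?] {name}: non-REG_SZ value, inspect manually")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Every entry that is not already in the known-good inventory is reported, so a newly added value is always surfaced for review; the path check only decides how loudly. Hosts in a fleet can be compared by diffing their parsed dictionaries.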
  21. hjlbx

    hjlbx Guest

    Poweliks abuses Powershell.exe. VS blocks execution of Powershell.exe by default. Therefore, VS blocks Poweliks... unless user allows Powershell.exe to execute at the notification\prompt.

    Block first, then investigate. Blocking things never breaks anything; it can always be re-executed after user investigates and determines to be safe.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This instance of Poweliks just happened to use this exploit. The exploit could have been used by any other malware.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yep, I agree. For me, there are 2 very simple questions.

    1. Should the computer be locked when a web app is running?
    2. With the exception of protecting the user space, should the computer be unlocked when a web app is not running?

    If you answer yes, then no... then you agree with the premise of VS. Other than that, it is just a matter of how we go about implementing these core principles. We can always add additional features, to tighten "the lock" even more.

    So I guess what I am saying is that if someone agrees with these principles, but does not agree with how I am implementing them, then it might be beneficial to offer suggestions on how to better implement these principles, rather than suggesting that my design has a flaw, and guessing whether or not something can bypass it or not, without actually trying to bypass it themselves.

    Now, if they do not agree with these core principles, that is totally cool... but they better have the ability to create something that is more effective.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I thank you for your reply, I will reply in depth a little later, I have to be somewhere.

    First of all, we have not disabled UAC for quite some time... not since VS 1.0, the working prototype. So I will just ignore all of that.

    Second point, I used the AppCertDll for VS 2.0 because I was developing VS myself, and I was not comfortable with KMD, and did not want to cause BSODs... until I had a chance to get VS humming. To me, it was one of the best decisions I have ever made... would you not agree, considering that I admit that my coding skills are limited? VS 3.0, which will be released very soon has a mini filter KMD, which I have already mentioned in the test requirements that you asked for. Although, I would LOVE to see how someone can actually bypass that. It is not going to matter as far as VS goes anymore after VS 3.0 comes out, but I would just be curious to see an actual bypass... no theoretical BS.

    BTW, I knew you were going to attack the AppCertDLL... everyone says they can bypass it, but I have yet to see an actual bypass.

    That is the thing... I am not that skilled of a developer, I have mentioned that many, many times on wilders, and actually make fun of myself. Some people might think I am creative and come up with cool new ideas to tackle problems, but I am not a great coder. But at the time I was tired of waiting on the developers that were helping me to get anything done. So I had 3 choices... try to learn security development myself, or find another coder, or just let VS die. So for a couple of years there I struggled through the code (and believe me, code was not the only struggle). And if you had any idea how many obstacles I have overcome these last 4.5 years, you would understand. Anyway, our new developer came along about a month ago, at just the right time, and he is doing an amazing job.

    Anyway, you apparently do not want to try to bypass the AppCertDll... I do not blame you, no one else has been able to do it either as far as I know. If they have, please let me know and I will stand corrected. Otherwise, you are just blowing smoke and not putting your money where your mouth is.

    Hey, you know what? I know of a way that you can make 10 million dollars... I am dead serious. I am not going to show you how to do it, but trust me there is a way.

    Each time someone says that VS can be bypassed, but does not offer an actual demonstration... THAT is EXACTLY what they are doing.

    Show. Don't tell.

    So since you are not going to help us test after all, if you want you can look at VS 3.0 when it is ready in a day or so and you can tell me if it is primitive or not. Deal?
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    To me it sounds like this person would show you a bypass if there was a bounty. Maybe I am wrong. I mean why should he show you any bypass without getting rewarded in some way? There are many people out there like that except for Snowden. Unless he is getting paid by the Russians to undermine in some way.
    I could be wrong but this person did say that he would create a bypass for pay.
     