Emsisoft - Voodoo Shield Discussion

Discussion in 'other anti-malware software' started by Feandur, Jul 28, 2013.

Thread Status:
Not open for further replies.
  1. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    I must be quite lucky then. You have a PM :).
     
  2. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Fabian,

    how does EAM's file guard handle the execution of files when it's set to "scan only programs before they are executed"? I have recently read about other products, which actually detected something and moved it to quarantine, but somehow it was enough for the malware to manifest.
     
  3. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Depends on the file type. In general we look out for files that are being mapped with the PAGE_EXECUTE rights. There are some file formats that are executed or interpreted that don't use the Windows file mapping mechanism. In those cases we detect the file extension and treat a simple file open request as execution (COM files for example, but also all kinds of scripting languages). In all cases, the code is checked by the File Guard before anything is executed.
     
    Last edited: Jul 29, 2013
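Added example, not part of the thread and not Emsisoft's File Guard code: a small classifier for the two "this is an execution" signals Fabian's post describes, a section mapping requested with any PAGE_EXECUTE* protection (what the loader does for EXE/DLL images) and a plain open of a file type that runs without such a mapping (.com and script files). The PAGE_* values mirror the documented Windows constants; the script extensions beyond .com, the event structure and the sample events are assumptions for illustration.

```c
/* Added example (not Emsisoft's code): classify a file-system event as an
 * execution the way the post describes:
 *   1. a section mapping with any PAGE_EXECUTE* protection, or
 *   2. a plain open of an interpreted/legacy format (.com, scripts) that
 *      never gets an executable mapping but still runs when opened.
 * PAGE_* values mirror the documented Windows constants; the extension list
 * beyond .com is an assumption. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u
#define PAGE_EXECUTE_ANY (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

typedef enum { OP_OPEN, OP_MAP_SECTION } file_op;

typedef struct {
    file_op     op;
    unsigned    page_protection; /* only meaningful for OP_MAP_SECTION */
    const char *path;
} file_event;

/* Formats run by an interpreter or legacy loader on a plain open.
 * ".com" is from the post; the script extensions are assumed. */
static const char *const interpreted_ext[] = {
    ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"
};

/* Case-insensitive suffix match; NTFS file names are case-insensitive. */
static int has_suffix_ci(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    if (ls < lx) return 0;
    const char *tail = s + ls - lx;
    for (size_t i = 0; i < lx; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

int is_interpreted_format(const char *path)
{
    for (size_t i = 0; i < sizeof interpreted_ext / sizeof *interpreted_ext; i++)
        if (has_suffix_ci(path, interpreted_ext[i])) return 1;
    return 0;
}

/* 1 = treat as execution and scan before allowing, 0 = ordinary file access. */
int is_execution_event(const file_event *ev)
{
    if (ev->op == OP_MAP_SECTION)
        return (ev->page_protection & PAGE_EXECUTE_ANY) != 0;
    /* OP_OPEN: reading an EXE (a copy, a hash tool) is not an execution;
       only the interpreted formats count as one on open. */
    return is_interpreted_format(ev->path);
}

size_t count_execution_events(const file_event *evs, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += (size_t)is_execution_event(&evs[i]);
    return hits;
}

int main(void)
{
    /* Constructed sample events, not captured from a real system. */
    const file_event evs[] = {
        { OP_MAP_SECTION, PAGE_EXECUTE_WRITECOPY, "C:\\Users\\u\\Downloads\\tool.exe" },
        { OP_MAP_SECTION, PAGE_READONLY,          "C:\\Users\\u\\Downloads\\tool.exe" },
        { OP_OPEN,        0,                      "C:\\Users\\u\\Downloads\\tool.exe" },
        { OP_OPEN,        0,                      "C:\\Users\\u\\old\\GAME.COM" },
        { OP_OPEN,        0,                      "C:\\Users\\u\\notes.txt" },
    };
    size_t n = sizeof evs / sizeof *evs;
    for (size_t i = 0; i < n; i++)
        printf("%-40s %s\n", evs[i].path,
               is_execution_event(&evs[i]) ? "EXECUTION" : "ok");
    printf("%zu of %zu events are executions\n", count_execution_events(evs, n), n);
    return 0;
}
```

Two consequences of this split are worth keeping in mind when testing a file guard: an image that is only read (PAGE_READONLY mapping or a plain open, as a hashing tool or a copy does) is not scanned as an execution, and any open of a .com or script file is treated as an execution even when a text editor is the one opening it, because for those formats an open is the only signal available.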
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    I am sorry ZeroDay, I seriously did not mean it like that, and certainly was not trying to be defensive. Sorry if it sounded like that, and I was just replying in general, not necessarily to you. But my point is... in order for something to be detected, it has to exist. Sure, the method that Fabian is suggesting might be a touch faster, but we are talking ms. The thing about the current version of VS is that we do not have to do anything major to the OS to kill viruses. It is nice to have a security software that is completely benign to the system, and still does its job. Especially when we are working through the UI and options. Once we have everything where we want it, we will then write the engine as a service and use a method similar to what Fabian suggested to me in a PM. We just didn't want to make any major changes (or minor for that matter) to people's computers to achieve our goal of killing anything that is not on the whitelist. Sorry for the confusion!
     
    Last edited: Jul 29, 2013
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Honestly, I ran the file you sent me... VS blocked it... I told VoodooShield to scan it with VirusTotal, here are the results.

    https://www.virustotal.com/en/file/...cd113f873e04b05a5ce76329/analysis/1375133887/

    I can keep clicking and clicking, but always get the same result. Feel free to have others try it, but please make sure that they know that VirusTotal called it a virus.

    I do agree, the method you are suggesting is a touch faster, but please read the previous post and you will see why we chose this method for now.

    And seriously, if you can find anything that can get past VS, please let us know. Surely 3 guys from Kansas City did not create a totally bulletproof product... something has to get past it, but we just have not found anything. And once we run the engine as a service and use a method like you are recommending, there is even less of a chance of something getting by. Thank you for your help!

    BTW, I thought we were talking about how VS does not block unknown / untrusted applications from running ;).

    Edit: BTW, if you are running VS in Smart Mode / OFF, it might slip past... but that is because VS is OFF and doing other things, like watching for browsers, etc. We have an option to Protect User Space in Smart Mode when VS is OFF... but this is to protect the user against them clicking on something in their user space, so it doesn't have to be fast. I will try it on a different computer later to see if it slips past in this mode, it probably will if I click on it fast enough. But this is my main computer and I was a little worried about the virus total results.

    Sorry, I will not post on here anymore, I didn't mean to hijack your thread!
     
    Last edited: Jul 29, 2013
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    He is suggesting more of a kernel level method (which I admit would be a touch faster)... but I agree with what you are saying... in order to detect something, it has to exist first.

    And from what I understand, using this method increases your attack surface, although I have no way of proving this. It was just something that I read on the internet ;).

    Also, we do not spend time checking files and code, we just kill it if it is not on VS's tiny, customized whitelist. I always wondered why VS kills things much faster than everything else that I have ever compared it to. But like I was saying, that really does not matter. All that matters is that the malware was killed.
     
    Last edited: Jul 29, 2013
  7. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Good discussion, and well argued.

    Thank you gentlemen.

    My 2 cents worth is that it is very fruitful for developers to discuss their products together. A small synergy could result that may well bear fruit further down the track.

    As Linus replied to Charlie Brown about reading comic books..........."Truth is where ever you find it".

    cheers,
    feandur
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Indeed! I agree, thank you!
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Actually VoodooShield does block unknown Apps from running. VoodooShield will not allow any executable to run that is not on its whitelist or excluded by directory. I have been using VS for over a year now. VoodooShield is an anti-executable that uses a training mode to build its whitelist. It offers far superior protection to most security applications.
     
  10. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    very true :thumb: anti-executables are a strong security approach :thumb:
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    You need to prove what you are saying. I have not witnessed VS using this method at all you are speaking of. VS blocks the executable before it is allowed to spawn any process that I'm aware of. I just tried running several .exe files and I saw no new process spawn. VS blocks any unknown executable by default. Are you sure you are not confusing VS with exploit shield that malwarebytes purchased?
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Sorry, one more post, I really do not mean to hijack your thread, sorry about that. But here is a video that tests the "virus" you sent me. Seriously, if you can find a way to defeat VS, please let me know.

    http://www.youtube.com/watch?v=psFMH8_cDxY&feature=youtu.be
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    VS was in off mode, and still blocked the execution the best I could tell. The video quality made it hard to see exactly. How did it block the executable in off mode? Did they enable the option to protect userspace in off mode?
     
  14. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Doesn't surprise me. All of them are generic and heuristic detections. The program enumerates all processes and tries to kill one. For an AV program it just looks like a normal AV killer. There is nothing "virus" about it though.

    So you are sure you allow me to release the PoC I sent you?

    I tested in ON mode.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Absolutely you can release the POC you sent me!!!!!! (Just please make sure that you warn users that VirusTotal detects it as a virus. We both know that it is not a virus, but in the interest of full disclosure, I think it is a good idea).

    You have to realize that people a lot smarter than you and I combined have tried to kill VS. We have tried everything that we can think of as well. And I admit... there must be something that can kill it, we just have not discovered it yet.

    But running in a VM is not cool, it is not a real world test. You sent me that "Virus" to kill VS, and I do not know you from Adam, but yet, I ran it on my main computer without thinking twice. I admit, I did not turn VS OFF before I ran it the first time, but you get the point.

    But seriously, if you can create something that gets past VS, please let us know! Like I was saying, there has to be something, but no one has figured it out yet.

    And yes, that would be significant if VS was bulletproof... but it would be even more significant if VS is bulletproof AND the fact that it is user friendly.

    I have been trying to break VS for a long time. Please do it and show me how you did it.
     
    Last edited: Jul 30, 2013
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    You did see the video, correct?

    If the issue that you have with VS is its kill method, we can change that... you know that.

    My point is that why would we want to dig deeper into the OS and make changes that increases our attack surface and makes major changes to the users computer if we do not have to?
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Keep in mind... I have been removing viruses for 15 years. You have been developing software that protects against viruses for a long time, maybe even 15-20 years, I do not know. I know how to write code to a certain extent, but I am not a code ninja... I have admitted that many times.

    I know that your issue is with our kill method, and you might be right about that, but until someone breaks VS, we are not going to take a chance on messing everyone's computer and slowing them down.

    But my point is... since you specialize in writing code to protect against viruses, shouldn't you be able to write something that kills VS?

    If so, we will have to change our kill method, and as a result slow down the entire computer, and make serious changes.

    So please, kill VS. If you cannot find a way, it is going to look really, really bad for you, right?
     
    Last edited: Jul 30, 2013
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Btw.. I'm a die hard fan of Online Armor! I have been using it since like version 1 or 2. It's been so many years I can't remember. Online Armor is an amazing HIPS, and IMO the best available. I just always believe in giving credit where credit is due.
     
  19. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Now, that's what I call a challenge!
    C'mon, Fabian! Show us what you can do!
    :D
     
  20. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Okay, as you wish.

    Tested it on my malware test boxes (Pentium 4, 2 GB RAM, Windows XP SP3).

    I did. Not sure I like the way of presentation (title etc.) but I just blame that on the fact that Americans have a tendency to blow stuff out of proportion all the time ;).

    Actually the method you use now is way more wasteful than any method using official Microsoft interfaces would ever be. You don't have to be a programmer to realize that asking the system to just tell you if a new process is about to start and ask whether or not that process is allowed to start is more efficient than asking the system literally thousands of times per minute "Are there any new processes yet?". It is not like you would be using hacks or hooks either. There are official interfaces provided by Microsoft to do exactly what you are trying to do right now.

    But since you allowed me to provide the PoC to others as well, I made a little video demonstrating the PoC on one of my malware test systems:

    http://www.youtube.com/watch?v=8WDce4HBFD0

    The link to the tool is included in the description. Enjoy my terrible German accent! :p
     
    Last edited: Jul 30, 2013
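Added example, not part of the thread and not VoodooShield's or Emsisoft's code: the shape of the notification-based approach Fabian's post contrasts with polling the process list. The kernel calls the driver before a new process runs its first instruction and the driver answers allow or deny from a whitelist, so nothing has to be found and killed afterwards. The default-deny whitelist policy is portable and runs anywhere; the driver glue uses the documented PsSetCreateProcessNotifyRoutineEx interface and is only compiled with the WDK when VS_EXAMPLE_KERNEL_BUILD (an assumed build flag) is defined. The whitelist entries and launch requests are constructed.

```c
/* Added example (not VoodooShield's or Emsisoft's code). The kernel tells the
 * driver a process is about to start; the driver answers allow/deny from a
 * whitelist, so a blocked image never runs. The policy below is portable;
 * the driver part is compiled only with the WDK and the assumed build flag
 * VS_EXAMPLE_KERNEL_BUILD. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed whitelist of native image paths. A real product would key on
 * file hashes or signer identity rather than bare paths, which can be reused
 * by an attacker who can write to the same location. */
static const char *const allowed_images[] = {
    "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe",
    "\\Device\\HarddiskVolume1\\Program Files\\Example\\example.exe",
};

static int str_eq_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Default-deny policy: 1 = allow the launch, 0 = block it. */
int policy_allow_start(const char *image_path)
{
    if (image_path == NULL || *image_path == '\0') return 0; /* fail closed */
    for (size_t i = 0; i < sizeof allowed_images / sizeof *allowed_images; i++)
        if (str_eq_ci(image_path, allowed_images[i])) return 1;
    return 0;
}

#ifdef VS_EXAMPLE_KERNEL_BUILD
#include <ntddk.h>

/* Called by the kernel (registered via PsSetCreateProcessNotifyRoutineEx)
 * before the new process's initial thread runs. Storing a failure status in
 * CreationStatus makes the creator's CreateProcess call fail outright. */
static void CreateProcessNotifyEx(PEPROCESS Process, HANDLE ProcessId,
                                  PPS_CREATE_NOTIFY_INFO CreateInfo)
{
    char path[512];
    UNREFERENCED_PARAMETER(Process);
    UNREFERENCED_PARAMETER(ProcessId);
    if (CreateInfo == NULL || CreateInfo->ImageFileName == NULL)
        return;                       /* process exit: nothing to decide */

    /* Lossy UTF-16 -> ASCII copy; enough for the illustration-only whitelist. */
    USHORT n = CreateInfo->ImageFileName->Length / sizeof(WCHAR);
    if (n > sizeof path - 1) n = (USHORT)(sizeof path - 1);
    for (USHORT i = 0; i < n; i++) {
        WCHAR c = CreateInfo->ImageFileName->Buffer[i];
        path[i] = (c < 0x80) ? (char)c : '?';
    }
    path[n] = '\0';

    if (!policy_allow_start(path))
        CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
}

static void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, TRUE);
}

/* The driver must be linked with /INTEGRITYCHECK or the registration fails. */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;
    return PsSetCreateProcessNotifyRoutineEx(CreateProcessNotifyEx, FALSE);
}
#else
int main(void)
{
    /* Constructed launch requests, evaluated with the portable policy only. */
    const char *requests[] = {
        "\\Device\\HarddiskVolume1\\Windows\\System32\\NOTEPAD.EXE",
        "\\Device\\HarddiskVolume1\\Users\\u\\Downloads\\unknown.exe",
    };
    for (size_t i = 0; i < sizeof requests / sizeof *requests; i++)
        printf("%s -> %s\n", requests[i],
               policy_allow_start(requests[i]) ? "allow" : "BLOCK");
    return 0;
}
#endif
```

The difference from a polling loop is the race window: with the callback the decision is made before the process exists as a running entity and the creator simply gets an access-denied error, whereas a loop that snapshots the process list only sees the new process on its next tick, by which point it has already executed for up to one polling interval. One caveat for anyone reproducing the thread's tests: the blocking form of this callback (PsSetCreateProcessNotifyRoutineEx with a settable CreationStatus) exists from Windows Vista SP1 onward, so it is not available on the Windows XP SP3 box used for the video above.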
  21. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Thank you, Fabian!
    Let's wait for Dan's reply...
     
  22. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    716
    Location:
    UK
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Thanks for the video Fabian.
     
  23. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    I enjoyed the video Fabian...Thank You....:)
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    First of all, how well would your software run on a 10+ year old computer? You used a Pentium 4 for the test... really? You were probably running in a VM as well... this complicates things with CPU timings, etc.

    You should do a real world test on a semi modern computer. Or better yet, I think we should let other users try killvoodoo.exe, and see what results they come up with.

    Please let me clarify the challenge... Please find some malware that will slip past VS on a computer that is not over 5 years old. Any computer that has been in use for 5 years should not be running.

    You said "Not sure I like the way of presentation (title etc.) but I just blame that on the fact that Americans have a tendency to blow stuff out of proportions all the time ." I am not blowing anything out of proportion. You made an erroneous and malicious claim that VS does not "block unknown/untrusted applications from running". How is VS not blocking applications if they cannot start when VS is ON and kills them?

    Either test VS with a legitimate, professional, real world test, or retract your claim.

    As I said, we can change the kill method, but doing so might adversely affect the performance of the computer. I am certain that you are aware of this.
     
  25. netbook0tr

    netbook0tr Registered Member

    Joined:
    Nov 7, 2010
    Posts:
    24
    Location:
    england