We've released a new application on Appsvoid: LNK File Guard v1.0 https://www.appsvoid.com/products/lnk-file-guard/

Screenshot (it blocked the malicious .LNK file from the mounted ISO file):

The program was created mainly for businesses to fight the rise of malicious .LNK shortcut files used in the initial stages of an attack. Once the program is installed and running, it will monitor .LNK files and automatically block suspicious and unknown .LNK files. You don't have to configure anything. If needed, you can enable the option to block unknown .LNK files on the Desktop, but this option is commonly recommended for businesses and should not be needed for home users.

The program doesn't add an icon to the system tray. By default, when a .LNK file is blocked it is logged in the .log files. You can see that the .LNK file has been blocked because when you double-click on it nothing will happen. For a quick test, just place a .LNK file on C:\ and try to run it; it should be blocked and logged in the .log files.

Feedback is, as always, welcome.

Hi, Firefox is blocked somehow; the browser is not working. Both icons, on the desktop and in the tray, lead to a non-working browser despite being in the exclusions. Do you know why? Win 11 here. Thanks
my opinion: pure dupery. pointless "security" program. for the given example - dont insert media from unknown or untrusted sources. too simple? new and unknown link? user probably has other security issue than surveying links. there exist no "safe location". even not desktop or start menu. adware/malware is able to modify links without knowledge, even more worse when working as admin. any command line parameters in that links? it does not matter if that program blocks it if you are aware of the content of link. check it out.
@JOHNoff Can you check the Logs folder here: C:\Program Files\NoVirusThanks\LNK File Guard\Logs to see what .LNK file has been blocked? Also, the issue is that when you click the Firefox icon on the Desktop or on the taskbar nothing happens, correct?

@Brummelchen The problem is that quakbot and other malware are spreading via .ISO/IMG files that, once mounted as a virtual disk (the user just needs to double-click on them), show a .LNK file masked as an image or a PDF document (using the same icon) to deliver the payload. Another way is to spread via a compressed .ZIP/RAR file that contains just a .LNK file that uses system processes (curl, powershell, etc.) to download and install the remote payload. Many other examples can be made, and as you see it is not a problem of inserting unknown or untrusted sources (no USB or external device is inserted in these cases).

Here is an example of a malicious .LNK file contained inside a malicious "Inquiry.ISO" file of a quakbot sample found as an attachment in an email:

Code:
Date/Time: 9/29/2022 3:28:25 PM
Blocked LNK File: F:\image.jpg.lnk
Process: [4412]C:\Windows\Explorer.EXE
User/Domain: Dev/DESKTOP-123456

And here is an example .LNK file that was inside a fake invoice "#REF 18938263 Invoice.ZIP" file found as an attachment in an email:

Code:
Date/Time: 9/29/2022 3:35:01 PM
Blocked LNK File: C:\Users\Dev\Downloads\#REF 18938263 Invoice\Invoice_Print.lnk
Process: [4412]C:\Windows\Explorer.EXE
User/Domain: Dev/DESKTOP-123456

This program can help in blocking the opening of .LNK files and thus provide extra protection that can prevent an infection at the first stage. It is meant for businesses since the targets of these attacks are commonly companies.
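Added example (not part of the original post and not LNK File Guard code): a small Python triage script for log entries in the format quoted above, flagging the two delivery patterns the post describes (a decoy double extension on a mounted image, and a shortcut unpacked under Downloads). The decoy-extension list, the system-drive default and the function names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Field layout taken from the log excerpts quoted in the post above.
ENTRY = re.compile(
    r"Date/Time:\s*(?P<ts>.+?)\s*Blocked LNK File:\s*(?P<lnk>.+?)\s*"
    r"Process:\s*\[(?P<pid>\d+)\](?P<proc>.+?)\s*User/Domain:\s*(?P<user>\S+)",
    re.S,
)

# Extensions a shortcut commonly imitates (assumed list, extend as needed).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}

def triage(log_text, system_drive="C:"):
    """Return one dict per blocked entry with the reasons it deserves a look."""
    findings = []
    for m in ENTRY.finditer(log_text):
        path = PureWindowsPath(m["lnk"].strip())
        reasons = []
        suffixes = [s.lower() for s in path.suffixes]
        if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DECOY_EXTS:
            reasons.append("double extension")
        if path.drive.upper() != system_drive:  # e.g. a freshly mounted ISO/IMG
            reasons.append("non-system drive")
        if "downloads" in (p.lower() for p in path.parts):
            reasons.append("under Downloads")
        findings.append({"time": m["ts"].strip(), "lnk": str(path),
                         "pid": int(m["pid"]), "process": m["proc"].strip(),
                         "user": m["user"], "reasons": reasons})
    return findings

# The two entries quoted in the post, one field per line (layout assumed).
SAMPLE_LOG = r"""
Date/Time: 9/29/2022 3:28:25 PM
Blocked LNK File: F:\image.jpg.lnk
Process: [4412]C:\Windows\Explorer.EXE
User/Domain: Dev/DESKTOP-123456

Date/Time: 9/29/2022 3:35:01 PM
Blocked LNK File: C:\Users\Dev\Downloads\#REF 18938263 Invoice\Invoice_Print.lnk
Process: [4412]C:\Windows\Explorer.EXE
User/Domain: Dev/DESKTOP-123456
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["lnk"], "->", ", ".join(f["reasons"]) or "no heuristic hit")
```

An entry with no reasons is not cleared by this script; it only means none of these three heuristics matched.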
Firefox is crashing. Firefox opens with no opened website, like I would have no internet connection. Here is the log.

Blocked LNK File: C:\Users\Public\Desktop\Firefox Private Browsing.lnk
Process: [4896]C:\Program Files\Mozilla Firefox\firefox.exe

and

Blocked LNK File: C:\Users\user\OneDrive\Desktop\Firefox Private Browsing.lnk
Process: [4896]C:\Program Files\Mozilla Firefox\firefox.exe

Why does this happen? Thanks

@JOHNoff Thanks for sharing the logs. Can you also send me via PM the content of the Exclusions.db file? It is located here: C:\Program Files\NoVirusThanks\LNK File Guard\

I uploaded a new test version that should fix the FP you reported:

Code:
https://downloads.appsvoid.com/lnk-file-guard-setup-1-1-test1.exe

You can install this new build over-the-top of the current version installed (reboot is not required). Let me know if Firefox now works fine when you open it via the shortcut.

There are several things you must know. I cannot test Firefox anymore; I used a program, privacy.sexy, and since then the Firefox profile could not be loaded. No testing Firefox anymore. So, I installed Brave browser. First clicking on its icon shows only a white window and closes it. K7 antivirus reported something and I delete that after reboot. In exclusions I only have two, My Computer and Documents icon. But I got some interesting info for you, or FP.

Blocked LNK File: C:\$RECYCLE.BIN\S-1-5-21-1698167706-2888400875-701645764-1001\$IOGFAWK.lnk
Process: [3904]C:\Windows\Explorer.EXE

Blocked LNK File: C:\Users\user\OneDrive\Personal Vault.lnk
Process: [10104]C:\Program Files\Microsoft OneDrive\OneDrive.exe

What is that? Thanks

K7 antivirus found this in your program. Here is the log.

Product : K7AntiVirus
Category : Virus Found Events
Column : Date & Time,User,Program,Name,Problem Description,Status
30-Sep-2022 17:34:03,SYSTEM,RealTime Scan,C:\Program Files\NoVirusThanks\LNK File Guard\LnkModule64.dll,Suspicious Object in Program ( ID709801 ),Has been marked for deletion after restart
30-Sep-2022 17:33:33,SYSTEM,RealTime Scan,C:\Program Files\NoVirusThanks\LNK File Guard\LnkModule64.dll,Suspicious Object in Program ( ID709801 ),Has been marked for deletion after restart
30-Sep-2022 17:33:03,SYSTEM,RealTime Scan,C:\Program Files\NoVirusThanks\LNK File Guard\LnkModule64.dll,Suspicious Object in Program ( ID709801 ),Has been marked for deletion after restart
30-Sep-2022 17:30:58,SYSTEM,RealTime Scan,C:\Program Files\NoVirusThanks\LNK File Guard\LnkModule64.dll,Suspicious Object in Program ( ID709801 ),Quarantined. Need to restart the system
let me guess - that program has trashed parts of windows. those privacy crap is never good for windows.
I have uninstalled K7 and privacy crap. Reinstalled your program to get back that deleted file, but the Brave and Edge browsers only open with a white window and close again. No browser is working and I could not even whitelist it because it's not in the log.

@JOHNoff Thanks a lot for sharing the other logs, they are all very useful. Here is a new test 2 build:

Code:
https://downloads.appsvoid.com/lnk-file-guard-setup-1-1-test2.exe

It fixes the two FPs you reported. You can install this new test build over the top (reboot should not be required, except if it is asked by the setup file).

Regarding the K7 detection of LnkModule64.dll, it is a false positive (our DLLs are also all digitally signed).

I tried to reproduce the issue you reported with Brave and Edge but I can't reproduce it here (I will try more in the coming hours).

A possible solution/test: Try to open the LNK File Guard GUI, click on the Exclusions tab, then click on the Scan Now button (this will scan the Desktop and auto-add to exclusions the .LNK files found). Then wait 2 minutes (so the app loads the new exclusion rules) and try to run the Brave or Edge browser via the Desktop shortcut. Let me know if they work fine now.

A possible additional test in case the above doesn't work: I hope the issues you see were not caused by the privacy.sexy tweaks. A quick test would be to uninstall LNK File Guard and then try to run the Brave shortcut; if it doesn't work then the issue is not caused by LNK File Guard.

Sorry, but it still does not work. When I click on the Brave or Edge icon it still shows a white window for a while and closes. The issue is related to your program, because if I uninstall it both browsers work fine and without the white window. I am afraid you will have to dig deeper to squash this bug. Thanks.
i don't see how this is useful tho. just don't start the .lnk? why would you ever do that? you shouldn't hide file extensions ever, this is only useful for people who are complete monkeys, really. and even then i see this best as an addition to OSArmor rather than yet another program to put on top of the other pile
I think this app is primarily geared towards a corporate environment; individual users may find this app less useful. As an individual user, I'm eagerly waiting for the first release of "ERP Lite".
a website that is not able to insert a valid ssl cert for httpS? sure? https://www.blueskyprojects.in/
I'm not talking about that website. I'm talking about ExeRadarPro (ERP) We've launched Appsvoid: the new place for NoVirusThanks software
We've released LNK File Guard v1.1: https://www.appsvoid.com/products/lnk-file-guard/

Here is the changelog:

It can be installed over-the-top, but it may be necessary to reboot the PC if the setup file asks for that.

@JOHNoff The issues reported should be fixed now, thanks a lot for reporting them and for testing.

@Floyd 57 Attackers are widely using LNK files in the first stages of an infection to deliver the payload after Microsoft announced they will disable macros:

Cyber-criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Reports
https://www.infosecurity-magazine.com/news/cyber-criminals-shift-macros/

LNK files are not easy to monitor: the file type can't be fully unassociated, they can have custom icons (and can easily be masqueraded as fake PDF invoices), they can be used to execute lolbins and commonly abused system processes, etc. This app can help organizations to restrict the opening of .LNK files, also in the user Desktop folder.

We would like to keep OSArmor simple and not complicate it with extra protection options other than process blocking (it already blocks execution of processes from malicious .LNK files).
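Added example, not from the original post or from Appsvoid: a minimal Python reader for the StringData section of the Shell Link format (MS-SHLLINK), showing where the command line and custom icon mentioned above live inside a .LNK file so they can be inspected before anyone opens it. It reads only the string fields; the watch list, the heuristics, the ANSI code page and the in-memory sample bytes are constructed assumptions.

```python
CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link class ID
# StringData fields in on-disk order, keyed by their LinkFlags bit (MS-SHLLINK).
STRING_BITS = {"name": 0x04, "relative_path": 0x08, "working_dir": 0x10,
               "arguments": 0x20, "icon_location": 0x40}
WATCHED = {"cmd.exe", "powershell.exe", "curl.exe", "mshta.exe"}  # assumed list

def parse_lnk(data):
    """Return the StringData fields of a .LNK file as a dict."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID:
        raise ValueError("not a Shell Link file")
    flags, off = int.from_bytes(data[20:24], "little"), 76
    if flags & 0x01:  # LinkTargetIDList: 2-byte size, then the list
        off += 2 + int.from_bytes(data[off:off + 2], "little")
    if flags & 0x02:  # LinkInfo: 4-byte size that counts itself
        off += int.from_bytes(data[off:off + 4], "little")
    width, codec = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")
    fields = {}
    for field, bit in STRING_BITS.items():
        if flags & bit:
            end = off + 2 + int.from_bytes(data[off:off + 2], "little") * width
            if end > len(data):
                raise ValueError("truncated StringData")
            fields[field] = data[off + 2:end].decode(codec, "replace")
            off = end
    return fields

def assess(fields):
    """Triage heuristics (assumptions, not verdicts) over the parsed strings."""
    target = fields.get("relative_path", "").rsplit("\\", 1)[-1].lower()
    icon = fields.get("icon_location", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if target in WATCHED:
        reasons.append("runs " + target)
        if fields.get("arguments"):
            reasons.append("passes a command line")
    if icon and icon != target:
        reasons.append("icon from " + icon)
    return reasons

def build_sample():
    """Constructed, inert input: header plus three Unicode strings."""
    strings = [r"..\..\Windows\System32\cmd.exe", "/c echo constructed-sample",
               r"C:\Windows\System32\imageres.dll"]
    flags = 0x08 | 0x20 | 0x40 | 0x80  # relative path, arguments, icon, Unicode
    header = (0x4C).to_bytes(4, "little") + CLSID + flags.to_bytes(4, "little")
    return header + bytes(52) + b"".join(
        len(s).to_bytes(2, "little") + s.encode("utf-16-le") for s in strings)

if __name__ == "__main__":
    print(assess(parse_lnk(build_sample())))
```

An icon taken from another file is common in legitimate shortcuts too, so that reason only carries weight next to the other two.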
I don't see what the problem is. You can add the option to OSArmor and leave it disabled by default, then advanced users can enable it if they want to. In my opinion, you are complicating it more by creating different programs for every single task instead of just combining it all in one. But i suppose charging for an extra license is nice, so fair enough, who doesn't like $$$
Probably will be good against the new version of Quantum Builder (the news is from June, but I heard that a new version was cracked a few days ago): https://thehackernews.com/2022/06/new-quantum-builder-lets-attackers.html