Pumpernickel (FIDES)

Discussion in 'other anti-malware software' started by TheRollbackFrog, Dec 9, 2016.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    Is anyone using "AppCheck Anti-Ransomware" and has maybe noticed that AppCheck can write files to the folder Backup(AppCheck) (in the root folder) even if the software is not in the whitelist? o_O
    I think there is a connection to the above quote, and I guess the service from AppCheck is creating these files and FIDES doesn't or can't prevent it fully. :cautious:

    Sometimes I see that FIDES is indeed blocking files:
    Code:
    *** excubits.com beta ***: 2017/01/18_22:45 > W: C:\Program Files\CheckMAL\AppCheck\AppCheckS.exe > G:\Backup(AppCheck)
    but nevertheless I can see files and folders in the "Backup(AppCheck)" folder.
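    The discrepancy mood describes (a blocked write in the FIDES log, yet files still appearing in the folder) is easiest to investigate by turning the log into a per-process list of blocked targets and comparing that with what is actually on disk. The parser below is an added example written for this thread, not code from excubits or the forum post; the log line format is taken from the single line quoted above, the other sample lines are constructed for the example, and the "W" marker is assumed here to denote a blocked write.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: the first line is the one quoted in the post above,
# the remaining lines are made up for this example in the same format.
SAMPLE_LOG = """\
*** excubits.com beta ***: 2017/01/18_22:45 > W: C:\\Program Files\\CheckMAL\\AppCheck\\AppCheckS.exe > G:\\Backup(AppCheck)
*** excubits.com beta ***: 2017/01/18_22:46 > W: C:\\Program Files\\CheckMAL\\AppCheck\\AppCheckS.exe > G:\\Backup(AppCheck)\\report.txt
*** excubits.com beta ***: 2017/01/18_22:47 > W: C:\\Windows\\explorer.exe > G:\\Backup(AppCheck)
this line is not a FIDES entry and must be skipped
"""

# Layout assumed from the quoted line: banner, timestamp, one-letter operation,
# writing process, " > ", target path. The process path may contain spaces,
# so it is matched non-greedily up to the last " > ".
LINE_RE = re.compile(
    r"^\*\*\* excubits\.com beta \*\*\*: (?P<ts>\S+) > (?P<op>[A-Z]): (?P<proc>.+?) > (?P<target>.+)$"
)

def parse_line(line: str):
    """Return a dict for one FIDES log line, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y/%m/%d_%H:%M"),
        "op": m["op"],            # assumed: "W" = blocked write
        "process": m["proc"],
        "target": m["target"],
    }

def blocked_writers(log_text: str, protected_root: str):
    """Map each process to the sorted targets under protected_root it was blocked on.

    Path comparison is case-insensitive, as Windows paths are."""
    root = protected_root.lower().rstrip("\\")
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["op"] != "W":
            continue
        tgt = rec["target"].lower()
        if tgt == root or tgt.startswith(root + "\\"):
            hits[rec["process"]].add(rec["target"])
    return {proc: sorted(targets) for proc, targets in sorted(hits.items())}

if __name__ == "__main__":
    for proc, targets in blocked_writers(SAMPLE_LOG, "G:\\Backup(AppCheck)").items():
        print(proc)
        for t in targets:
            print("   blocked ->", t)
```

    Anything present in the protected folder that has no corresponding blocked-write entry was created by a path the user-mode filter never saw, which is exactly the kernel-driver suspicion raised later in this thread.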
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I have nothing blocked on the C drive, but when blocking other drives it did affect AppCheck. Oh, is this true of the free version?
     
    Last edited: Jan 18, 2017
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hmm, I'll have to test that.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, I tested. Installed AppCheck, changed the backup folder to my C: drive, and modified my FIDES config file. Tested by trying to copy a file to that folder and FIDES blocked it as expected. Then I ran a piece of ransomware with all system stuff turned off. AppCheck did its thing and indeed did write to the Backup folder. That's a huge fail, but it's the raw access stuff. Bad.

    Pete
     
  5. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Hey guys. I also installed CheckMAL's AppCheck. It seems to install a kernel-mode driver; I think this driver is responsible for making the backups, so AppCheck has control over the file system like all other kernel stuff. There's little Pumpernickel can do here. I would guess that malware in the kernel will also be able to change files in the AppCheck backup folder. If I remember correctly, the excubits developer somewhere wrote or said that Pumpernickel cannot protect from in-kernel attacks, which makes sense to me: we all know that if someone is in the kernel, he owns the system regardless of the protection tool you use.

    Well, I will write Florian an e-mail so he can confirm and give more details. I will then post his answer here; maybe this helps to clarify things.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, the scary thing is that if ransomware can do that, it could be game over for all the anti-ransomware products. But I was curious, and there was one thing it couldn't beat, and that was Shadow Defender. I shadowed my system with SD and AppCheck on board, and looked at the backup folder. Then I ran a normal piece of ransomware and again looked at the folder. Of course it changed. Then I ran Goldeneye (Petya), and when it rebooted I was exited from Shadow mode and the system was back to normal.
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    Good. I wrote an email right after I found out that AppCheck was able to write to the folder.
    We'll see what they have to say about this.

    But yes, I suspect too that this might be the kernel driver of AppCheck which is allowed to create files.
    AppCheck Anti-Ransomware is clearly demonstrating it: kernel drivers have full access.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    I posted about this here: https://www.wilderssecurity.com/thr...ansomware-freeware.391031/page-8#post-2643771. Most notably:

    Due to the fact that ransomware only needs to operate in the kernel long enough to encrypt files, KPP and SecureBoot are useless; all that's needed is a DSE bypass (which is very easy on pre-Windows 10 platforms).

    i.e. DSE is driver signature enforcement.
    As the author noted, ransomware will evolve to more potent forms as all malware does. More so for ransomware given its large payback to its creators.

     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi itman

    Yep, I remember your post. Almost like the Ghost of Christmas Past. I suspect most of these pure anti-ransomware products may not survive 2017. Keep the good info coming.

    Pete
     
  10. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    Yep, this is the way it goes. So there is always a need for multi-layer protection. One solution alone will not defend against all possibilities. Even if you have multiple layers it is possible to bypass them in some way if a hacker is smart enough and finds a way into the castle. I don't assume that one solution will "kill 'em all". I would add anti-exe to reduce the risk that someone can install a kernel driver, so NVT ERP, SRPs, Bouncer, AppGuard, Faronics Anti-Executable would do a good job. Here again, a good hacker will also be able to bypass it as time goes on and if the attacker has enough time and money to find (or buy) a zero-day :) So in general I don't think that this is an issue with protection software, it is how the world is; we cannot protect 100%. I love the car example: with all the airbags and bumpers etc. we can still die in the car, so this is something we have to be clear about - nothing is 100%. The problem is that the AV and IT-Sec industry often paints the picture of 100% ;-)


    This is what we have seen with all the computer viruses in the 80s and 90s, then with worms around the 2000s, then with (banking) trojans. It's all the same: they release some weak malware, then the AV industry fights back, then they enhance it and finally they go PRO and build the ultimate, hardcore malware class that is not easy to detect and find. In all these years, for me a reliable external backup, access permissions and anti-exe solutions were the most flexible and best solution to fight malware. The other stuff is just an additional layer to help fill the gaps.
     
  11. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,437
    Location:
    Under a bushel ...
    :thumb:. But then there is still always the risk of wrongly clicking 'Allow', and how far back in the backup chain did one do this? But thankfully, I have been OK till now - always been able to recover.
    But I use Pumpernickel only to protect my backups on external USB drive so if that is compromised by the 'raw access' issue, I would indeed be hosed (except data is backed up on Amazon Glacier via Zoolz).
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,813
    Location:
    U.S.A. (South)
    That's the glory of solid virtualization in SD. A parallel universe (Star Trek TOS lore) where they enter but can't stay.

    No matter the efforts to dance and march with trying to build the strongest wall, SD is your iron curtain.

    I like FIDES and it covers some bases well but am one of the few who demand a GUI.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It may be stronger than we think. I was testing and found that if I image with FIDES off, but shadowed with SD, then I could image. But of course, unless I excluded the image folder, I would lose the image when I exited shadow mode. BUT if I had FIDES on and protecting the drive, then under the same conditions the image wasn't deleted; FIDES prevented it. That dude is strong.

    Easter, not using it because of the GUI may not be good, because they might not do a GUI. It's not that tough.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,813
    Location:
    U.S.A. (South)
    Yeah, there's little doubt about its effectiveness, but it's just a personal preference where I don't have to play & fiddle with text files, writing, rewriting, etc.

    Guess you might call it stuck in the ways of streamlined automation.

    Can't stand manually having to deal with that when a GUI could make those tasks more fluid with less effort. Or maybe it's just the laziness factor that a GUI offers LoL
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    True, but it's a unique program. Being stuck isn't good these days, as malware isn't stuck in its ways.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,813
    Location:
    U.S.A. (South)
    I don't remember who exactly it was back when this thing got its wheels rolling early on, but they were more adamant over expectations for a GUI to this thing than I am.

    If FIDES had a GUI then it might attract more than the Power Security users one might think. I dunno, but that's a deal breaker for me too.
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    There is a new Blog-entry from the author with some interesting information.
    https://excubits.com/content/en/news.html

    It contains information about: Raw Access, Network Drives and the 8.3 naming scheme.
    Quick summary:
     
  18. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,056
    Location:
    Mexico
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,056
    Location:
    Mexico
    Yes. Now devs who make products for home users like us can research and implement such technology in their products. I'd like FIDES as a candidate, what do you think?
     
  20. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    You can check out the different files with "pestudio":
    AppCheckD.sys
    AppCheckB.exe - I think this file is responsible for backup
    AppCheckS.exe

    Also, with pestudio I found that FIDES does not have Structured Exception Handling (SEH) enabled, so I hope it can be enabled somehow.
     
  21. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    AppCheckB.exe = AppCheck Anti-Ransomware Backup Application
    I can see that this file is responsible for the "Auto Backup" feature; it has references to "\AutoBackup(AppCheck)" if I look at the strings with PeStudio.

    The service AppCheckS.exe has references to "\Backup(AppCheck)", so this file should be responsible for the "Ransom Shelter" feature, and it was blocked by FIDES.
    But the kernel driver AppCheckD.sys can't be blocked and it can copy files to protected drives.
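    The string-based attribution mood did with PeStudio (which binary carries "\AutoBackup(AppCheck)", which carries "\Backup(AppCheck)") can be reproduced with a small script. The code below is an added example for this thread, not code from PeStudio, excubits or CheckMAL; it runs over constructed stand-in byte blobs rather than the real AppCheck files, but the `triage_files` helper applies the same check to any files you point it at. Folder names are matched case-insensitively, and both narrow (ASCII) and wide (UTF-16LE) strings are extracted, since Windows binaries commonly store paths as wide strings.

```python
import re

# Constructed stand-in byte blobs (NOT the real AppCheck binaries): just enough
# bytes to show ASCII and UTF-16LE strings being pulled out of a file image.
SAMPLE_BLOBS = {
    "backup_app.bin": (
        b"MZ\x90\x00" + bytes(64)
        + b"\\AutoBackup(AppCheck)\x00" + bytes(16)
        + "C:\\Backup(AppCheck)".encode("utf-16-le") + b"\x00\x00"
    ),
    "service.bin": (
        b"MZ\x90\x00" + bytes(32)
        + "\\Backup(AppCheck)".encode("utf-16-le") + b"\x00\x00"
    ),
    "unrelated.bin": b"MZ\x90\x00" + bytes(32) + b"Hello from a plain tool\x00",
}

def extract_strings(data: bytes, min_len: int = 6):
    """Return (encoding, text) pairs for every printable ASCII or UTF-16LE run
    of at least min_len characters, the kind of list a strings view shows."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return found

def path_references(data: bytes, marker: str):
    """Strings in data that mention marker (case-insensitive), deduplicated and sorted."""
    marker = marker.lower()
    return sorted({text for _, text in extract_strings(data) if marker in text.lower()})

def triage(blobs: dict, marker: str):
    """For each named blob, the strings that reference the protected folder name."""
    return {name: path_references(data, marker) for name, data in blobs.items()}

def triage_files(paths, marker: str):
    """Same check over real files on disk, read in binary mode."""
    blobs = {}
    for p in paths:
        with open(p, "rb") as fh:
            blobs[p] = fh.read()
    return triage(blobs, marker)

if __name__ == "__main__":
    for name, refs in triage(SAMPLE_BLOBS, "Backup(AppCheck)").items():
        print(name, "->", refs or "no reference")
```

    A string reference only says which component knows the folder name, not which one actually performed a write; that is still a question for the FIDES log, and for the kernel driver, which no user-mode string search can settle.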
     
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    42,282
    If Windows itself can block raw access after a little change in the group policy (only for removable devices), vendors could do this too.
    But malware with raw access is rare and there are further requirements for raw access (admin rights, or it needs to install a driver), so I'm not sure if more vendors want to implement it.
    Or they don't even consider this a security issue:
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,056
    Location:
    Mexico
    Agreed. If a group-policy setting can block raw access, then that would be the best and native way to do it.
    As for vendors, well yes, if they consider it not an important issue they won't implement it, as we've seen in Florian's comments.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yep, but only for removable devices isn't the whole issue. What about other internal drives?
     
  25. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    405
    Location:
    router
    Some time back I requested such a feature. What do you think about it? For Pump and other drivers it can allow smaller & smarter rules.
    They said they will consider it, but there is no clear time when it will be added.


    Code:
    C:\Program Files\*robotaskbaricon.exe,identities.exe,firefox.exe>C:\Windows\System32\sechost.dll,secur32.dll,sfc.dll,sfc_os.dll,shell32.dll,shlwapi.dll,slc.dll,srvcli.dll,sspicli.dll,tzres.dll,urlmon.dll,user32.dll,userenv.dll,usp10.dll,uxtheme.dll,version.dll,WindowsCodecs.dll,wininet.dll,winnsi.dll,WinSCard.dll,wkscli.dll,Wldap32.dll,ws2_32.dll,wsock32.dll,wtsapi32.dll
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe,identities.exe>C:\Windows\System32\sechost.dll,secur32.dll,sfc.dll,sfc_os.dll,shell32.dll,shlwapi.dll,slc.dll,srvcli.dll,sspicli.dll,tzres.dll,urlmon.dll,user32.dll,userenv.dll,usp10.dll,uxtheme.dll,version.dll,WindowsCodecs.dll,wininet.dll,winnsi.dll,WinSCard.dll,wkscli.dll,Wldap32.dll,ws2_32.dll,wsock32.dll,wtsapi32.dll
    
    C:\KMPlayer\KMPlayer.exe>C:\KMPlayer\avcodec-lav-57.dll,avfilter-lav-6.dll,avformat-lav-57.dll,avresample-lav-3.dll,avutil-lav-55.dll,BookMark.ini,ColorTheme.ini,KMPlayer.exe,Language\English.ini,LAVSplitter.ax,LAVVideo.ax,libbluray.dll,libcodec.dll,libmplay.dll,MediaInfo.dll,PlayList\Default.kpl,PProcDLL.DLL,Privilege.dat,Skins\touch.ksf,swscale-lav-4.dll
     
    C:\Program Files\Notepad2\Notepad2.exe>C:\Users\*\*.txt,*.ini,*.log,*.html,*.cmd
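    To make the compact format above concrete, here is an added example (my own code for this thread, not part of FIDES or of co22's request) that expands each comma-separated line into the individual (process, target) pairs it stands for and then checks whether a given process/target pair is covered. The rule lines are co22's, abridged to a few entries each. Two things are assumptions of this example rather than stated by the post: entries after the first in a comma list are taken as siblings under the first entry's directory (so `Language\English.ini` becomes `C:\KMPlayer\Language\English.ini`), and `*` is taken to match any run of characters, backslashes included, so `C:\Program Files\*robotaskbaricon.exe` covers the nested vendor folder. Whether a matched pair means allow or deny depends on which section of the real config it sits in, which is not modelled here.

```python
import re

# co22's compact rule lines from the post above, abridged for brevity.
COMPACT_RULES = [
    r"C:\Program Files\*robotaskbaricon.exe,identities.exe,firefox.exe>C:\Windows\System32\sechost.dll,secur32.dll,shell32.dll",
    r"C:\KMPlayer\KMPlayer.exe>C:\KMPlayer\avcodec-lav-57.dll,Language\English.ini,PlayList\Default.kpl",
    r"C:\Program Files\Notepad2\Notepad2.exe>C:\Users\*\*.txt,*.ini,*.log,*.html,*.cmd",
]

def expand_list(spec: str):
    """'C:\\dir\\a.exe,b.exe,sub\\c.ini' -> three full paths.
    Assumption: entries after the first are relative to the first entry's directory."""
    items = [s.strip() for s in spec.split(",") if s.strip()]
    if not items:
        return []
    first = items[0]
    prefix = first[: first.rfind("\\") + 1]   # up to and including the last backslash
    return [first] + [prefix + item for item in items[1:]]

def expand_rule(line: str):
    """One compact line -> every (process_pattern, target_pattern) pair it stands for."""
    left, sep, right = line.partition(">")
    if not sep:
        raise ValueError(f"rule has no '>' separator: {line!r}")
    return [(p, t) for p in expand_list(left) for t in expand_list(right)]

def glob_to_regex(pattern: str):
    """Assumed wildcard semantics: '*' matches any run of characters, backslashes
    included; everything else is literal; matching ignores case like NTFS does."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)

def compile_rules(lines):
    return [(glob_to_regex(p), glob_to_regex(t), p, t)
            for line in lines for p, t in expand_rule(line)]

def matching_rule(compiled, process_path: str, target_path: str):
    """First expanded rule covering this (process, target) pair, or None."""
    for proc_re, tgt_re, p, t in compiled:
        if proc_re.match(process_path) and tgt_re.match(target_path):
            return (p, t)
    return None

if __name__ == "__main__":
    rules = compile_rules(COMPACT_RULES)
    print(len(rules), "expanded rules")
    print(matching_rule(rules, r"C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe",
                        r"C:\Windows\System32\shell32.dll"))
    # firefox.exe expands to C:\Program Files\firefox.exe (no wildcard), so a
    # copy under C:\Program Files\Mozilla Firefox\ is not covered by this line.
    print(matching_rule(rules, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                        r"C:\Windows\System32\sechost.dll"))
```

    The firefox.exe case is the caveat worth noticing with this kind of shorthand: only the first entry on the left carried the `*`, so the sibling entries expand to exact paths directly under C:\Program Files\ and silently miss the real install folder. A rule author would have to write the wildcard on each entry that needs it, and a reviewer should expand the compact lines before trusting them.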
     