White-list the command line. If that doesn't fix it, then you will need wild-card support - which VS does not have at this moment.
That is what the issue is. No matter how many times I allow, the prompt pops up again. Only unchecking blacklist rundll in advanced settings stops the prompt.
Hi Dan/Vlad, I am getting large numbers of Application faults caused by VoodooShield since updating to the version 3 series in Event Viewer, event ID 1000. It's also causing large numbers/amounts of Windows error reports. If I remember rightly, we used to get these event 1000 errors in the earlier days of beta testing VS. Regards, Gordon
It's not really interesting, because it has already been discussed. In real life you will almost never encounter in-memory payloads, but to be on the safe side, it's best to combine a tool like VS with anti-exploit, because it can stop shell-code at an earlier stage, that's all. Interesting, thanks. OK, then I did understand correctly. What you mean is that it doesn't need to download any additional malware. Like we already said, VS was not designed to block this kind of in-memory attack. So it's not a true bypass. I believe some other guy did post a technical bypass of VS on his blog.
Refer to my reply #8112. There is a download that starts the whole process; it's the "stager." It's a Trojan and AV's have had limited success in developing signatures for some variants.
It depends on the definition of the term "bypass". But I believe we have already covered that debate.
This subforum is meant only for support and reporting issues/bugs to development. While vulnerability reporting is certainly a noble endeavor, industry etiquette is to take such matters directly to only the developer. It's done that way so that a vulnerability isn't made "Open Source" for anyone and everyone to see - including malware authors !!!
Hello everyone. I'm just back from a great vacation. It will take some time to go over the posts and I hope that I'll not miss anything.
Hello Gordon. That looks bad. Can you please send the details of the bugs (how to reproduce, logs, etc.) by PM or email to vlad@voodooshield.com? Thanks in advance!
Bug fixed. The bug was not around the \\.\pipe\chrome.nativemessaging.in.c8c53640c5afa737 part. Those commands will be allowed without prompt if the option "Automatically allow Program Files..." is enabled. Thanks for the finding!
That file is detected as an installer, so clicking Allow False Positive makes VS handle it as an installer (toggle state to Off for the installation). I assume that the file is not an installer, so I need to check why it is detected as one. I agree that we need something more informative to tell the user why it has been switched to Off.
Then you will see the prompt for the conathst.exe process. Once you allow it, it will be added to the whitelist.
Vlad, Does that mean it will be fixed in the next version, or to fix it just enable "Automatically allow Program Files..."?
Yes, the fix will be released in the next version. For now "Automatically allow program files.." will not solve it; the bug is in the wrong parsing of the command line. I believe that the next version will be released in the next 2 days.
I couldn't reproduce it by using MicrosoftToolkit.exe (it just didn't call that cmd). But I created another batch file that calls this command. It worked fine. Do you have the reproduction steps for this? Thanks.
I already sent logs to Dan on this as it's doing it with WSA, and I'm not sure if the rundll32 issue has come back or not! Daniel