VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. hjlbx

    hjlbx Guest

    White-list the command line. If that doesn't fix it, then you will need wild-card support - which VS does not have at this moment.
     
  2. singularity

    singularity Registered Member

    Joined:
    Mar 6, 2014
    Posts:
    76
    Location:
    India
    You mean uncheck cmd in advanced settings and keep rundll checked? That would solve this?
     
  3. hjlbx

    hjlbx Guest

    Click "Allow" at prompt.
     
  4. singularity

    singularity Registered Member

    Joined:
    Mar 6, 2014
    Posts:
    76
    Location:
    India
    That is what the issue is.. no matter how many times allow.. the prompt pops up again
    Only uncheking blacklist rundll in advanced settings stops the prompt.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,306
    Location:
    Under a bushel ...
    See post #8118.
     
  6. singularity

    singularity Registered Member

    Joined:
    Mar 6, 2014
    Posts:
    76
    Location:
    India
    Oh ok.. so for now I will keep rundll / cmd blacklisting unchecked.
     
  7. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Dan/Vlad,
    I am getting large numbers of Application faults caused by Voodooshield since updating to the version 3 series in Event viewer, event ID 1000. It's also causing large numbers/amounts of Windows error reports.
    If I remember rightly we used to get these event 1000 errors in the earlier days of beta testing VS.

    Regards
    Gordon

    VS fault 1.png
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,790
    Location:
    The Netherlands
    It's not really interesting, because it has already been discussed. In real life you will almost never encounter in-memory payloads, but to be on the safe side, it's best to combine a tool like VS with anti-exploit, because it can stop shell-code in an earlier stage, that's all.

    Interesting, thanks.

    OK, then I did understand correctly. What you mean is that it doesn't need to download any additional malware. Like we already said, VS was not designed to block these kind of in-memory attacks. So it's not a true bypass. I believe some other guy did post a technical bypass of VS on his blog.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,269
    Location:
    U.S.A.
    Refer to my reply #8112. There is a download that starts the whole process; it's the "stager." It's a Trojan and AV's have had limited success in developing signatures for some variants.
     
    Last edited: Oct 11, 2015
  10. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    It depends on the definition of the term "bypass". But I believe we have already covered that debate.
     
  11. hjlbx

    hjlbx Guest

    This subforum is meant only for support and reporting issues\bugs to development.

    While vulnerability reporting is certainly a noble endeavor, industry etiquette is to take such matters directly to only the developer. It's done that way so that a vulnerability isn't made "Open Source" for anyone and everyone to see - including malware authors !!!
     
  12. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello everyone.
    I'm just back from the great vacation. It will take some time to go over the posts and I hope that I'll not miss anything.
     
  13. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello Gordon.
    That looks bad. Can you please send the details of the bugs (how to reproduce, logs, etc.) by PM or email to vlad@voodooshield.com

    Thanks in advance!
     
  14. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Bug fixed.
    The bug was not around the \\.\pipe\chrome.nativemessaging.in.c8c53640c5afa737 part. Those commands will be allowed without prompt if the option "Automatically allow Program Files..." is enabled.

    Thanks for the finding!
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,809
    Location:
    .
    ...and what is my option. I prefer "Automatically allow Program Files..." not checked.
     
  16. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    That file is detected as installer, so clicking Allow False positive makes VS to handle it as installer (toggle state to Off for the installing). I assume that the file is not the installer, so I need to check why it is detected as installer. I agree, that need something more informative to tell the user why it been switched to Off
     
  17. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Then you will see the prompt for conathst.exe process. Once you allow it, it will be added to the whitelist
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    Vlad,

    Does that mean it will be fixed in the next version, or to fix it just enable "Automatically allow Program Files..."?
     
  19. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Yes, the fix will be released in the next version. For now "Automatically allow program files.." will not solve, the bug is in wrong parsing the command line. I believe that the next version will be released in the next 2 days.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,624
    Location:
    Among the gum trees
    :cool: Thanks!

    I will try the next version when it is released. :thumb:
     
  21. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,809
    Location:
    .
    ....but, how to wildcard changing string..?
     
  22. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel

    This command line is used by WebRoot antivirus. I will add this pattern to VS.

    Thanks
     
  23. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,277
    Location:
    USN Retired 1969 ~ 1992
    Thank you Vlad. :thumb:
     
  24. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    I couldn't reproduce it by using MicrosoftToolkit.exe (it just didn't call that cmd). But I created another batch file that calls this command. It worked fine. Do you have the reproduction steps for this?

    Thanks
     
  25. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,991
    Location:
    Ontario, Canada
    I already sent logs to Dan on this as it's doing it with WSA and not sure if the rundll32 issue has come back or not!

    2015-10-11_20-06-13.png

    Daniel
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.