VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Greetings Dan, today I was home bored, so I figured "wth" and I started digging through my whitelist. I noticed a crap ton of repeat entries; I know they are due to software updates for the particular software. For example I had 10 firefox.exe entries, some of the others were more, some were less, but this made me have an unnecessarily huge Whitelist.
    Why not trim that or simply replace the old when the new is added? It took me 2hrs to trim out the doubles (some dating back to 2016);
    it's now a manageable 275 entries, but man that sucked, I don't want to do that again :(
    @VoodooShield
     
  2. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Could you not reset the whitelist and populate again as you would on a first time install?
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, yeah, that would be a great idea to auto cleanup any whitelisted items that have not been used for 4-5 months or so. In order to do that, we would have to track when they were last accessed... and that might be kind of tricky. One thing that would help is if whenever there is a new whitelisted item (with a different hash... like an updated file), if there is an old duplicate with a different hash, we can remove that one. But like clubhouse said... probably the best thing to do is just reset the whitelist ;). I have to reset mine pretty much everyday for dev reasons... and I still hardly ever get a block.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    FYI... the following article is what piqued my interest in EternalBlue and DoublePulsar.

    https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nextgen-protections/

    I spoke with NSSLabs a couple of years ago, and I asked them if not blocking the exploit, but blocking the payload counted as a complete block. And they replied that it would be counted as a complete block. So basically, the testing labs did not used to test specifically for exploits, but it looks like they are going to start ;). So I simply duplicated their test. I honestly thought that all 4 products would block the installation of DoublePulsar... but you just never know until you test... nothing is bulletproof.

    From the article... "It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great."
     
    Last edited: May 28, 2017
  5. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    I could, and most likely will next time, but it does make me have to retrain it for a good number of my Gaming software, but you're
    right brother, that would have been the quickest way to trim the fat. ;)
     
  6. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Or by date Dan? i.e. if it matches an already existing entry, it would then keep the most recent, which would be the updated version
    anyway, that may be far easier brother?
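    The whitelist clean-up the posts above ask for (keep only the newest entry per executable path, and optionally prune entries that have not run for months) as an added example in Python. This is not VoodooShield's code; the entry fields, hashes, dates and the last-used records are constructed, and the pruning step assumes a last-used date is tracked, which the thread notes the product does not currently do.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class WhitelistEntry:
    path: str    # full path of the whitelisted executable
    sha256: str  # hash of the file when it was whitelisted (changes on every update)
    added: date  # day the entry was created


# Constructed sample whitelist: three generations of firefox.exe plus one other entry.
SAMPLE = [
    WhitelistEntry(r"C:\Program Files\Mozilla Firefox\firefox.exe", "hash-ff-2016-constructed", date(2016, 3, 1)),
    WhitelistEntry(r"C:\Program Files\Mozilla Firefox\firefox.exe", "hash-ff-2017a-constructed", date(2017, 1, 15)),
    WhitelistEntry(r"C:\Program Files\Mozilla Firefox\Firefox.exe", "hash-ff-2017b-constructed", date(2017, 5, 20)),
    WhitelistEntry(r"C:\Windows\System32\notepad.exe", "hash-np-constructed", date(2015, 11, 2)),
]

# Constructed last-launch records (lower-cased path -> last run) and the "today" used for pruning.
LAST_USED = {r"c:\program files\mozilla firefox\firefox.exe": date(2017, 5, 25)}
TODAY = date(2017, 5, 28)


def dedupe_keep_newest(entries):
    """Keep one entry per executable path (case-insensitive, as Windows paths are),
    choosing the most recently added one. Returns (kept, removed)."""
    newest = {}
    for e in entries:
        key = e.path.lower()
        if key not in newest or e.added > newest[key].added:
            newest[key] = e
    kept = sorted(newest.values(), key=lambda e: e.path.lower())
    removed = [e for e in entries if e is not newest[e.path.lower()]]
    return kept, removed


def prune_unused(entries, last_used, today, max_age_days=150):
    """Drop entries that have not run within max_age_days. `last_used` maps a
    lower-cased path to the date it last launched; entries never seen running
    are dropped too. Assumes the product records a last-used date (hypothetical).
    Returns (kept, removed)."""
    cutoff = today - timedelta(days=max_age_days)
    kept, removed = [], []
    for e in entries:
        seen = last_used.get(e.path.lower())
        (kept if seen is not None and seen >= cutoff else removed).append(e)
    return kept, removed


if __name__ == "__main__":
    kept, removed = dedupe_keep_newest(SAMPLE)
    print(f"deduped: kept {len(kept)}, removed {len(removed)}")
    for e in removed:
        print("  removed", e.path, e.sha256, e.added)
    still_used, stale = prune_unused(kept, LAST_USED, TODAY)
    for e in stale:
        print("  stale  ", e.path)
```

    Keying on the path rather than the hash is what makes the three firefox.exe entries collapse into one: every update changes the hash, so hash-keyed entries can never be recognised as the same program. Pruning by last use is kept separate because it needs data the dedupe step does not.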
     
  7. guest

    guest Guest

    so after investigation with Lockdown and BRN ; what i can tell (because Lockdown is busy , so i relay :D )

    the attack shown by Dan , is about stage 1, it opens an active connection.
    DoublePulsar is a kernel exploit and leaves a permanent backdoor. So the remediation is to disable SMBv1 - but that only applies if system is client of server. If a person does not keep their systems up-to-date, then they can add beta HMP.A, internet security suite and enable public profile for firewall, etc, etc.

    What is dangerous for us (consumers/home users) is the 2nd stage of following this attack, the dropped payload. AG team went a step further than Dan and loaded an executable on the breached system. AG blocked it as expected because it is its original purpose.

    As some mentioned, on home user version, the 1st stage can even be stopped by adding the vulnerable Processes to the user-space. AG wasn't made to be used out-of-the-box but tailored to your machine.
    The enterprise version has a module that block the 1st stage.

    Conclusion: BRN has nothing to fix about AG, it work as intended. Anyway, the next build of AG will take care of those vulnerable processes by default.
     
  8. guest

    guest Guest

    be careful, running a process and modifying it are different things.

    Exact. It is the tightest way to protect the system from powershell abuses; but by doing so you deny yourself the use of powershell (you have to untick it everytime you need it)

    No, because unlike Powershell, Rundll is regularly needed and used by Windows

    Exact

    Because Powershell is a tool that you occasionally use while rundll is a necessary process. If you add it to user space, you totally block it, denying the OS the use of it.

    Reason i explained above. You don't need a diploma to use it, just the understanding of "system space and user space" concept

    Exact. AG must be tailored to the system it was installed in.
    For example, ITs of businesses that purchase AG, have the choice to deploy it with the help of the AG's support team for best efficiency.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    In all fairness, it is not optimal to have a kernel level backdoor running on anyone's system. There are a lot of things that can happen at that point. Remember how the first process was injected? Wouldn't it be just as easy to inject another process with malicious code? This is just one of many scenarios... there is at least one other scenario in the MRG article.

    Also, keep in mind, we are only talking about one exploit and one backdoor... there are lots of others... and lots of windows processes that are potentially vulnerable.

    Either way, that is great to hear that they are aware of the issue and are fixing it. I actually made the video thinking that all 4 products would block the DoublePulsar backdoor installation. MRG is going to test most of the other security software, and there was so much speculation on how these 4 products would perform, and since no one else was testing, I figured I would take the time to do it.
     
  10. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,531
    Layered approach is best. We can't expect one security soft to do it all, and do it well. How does the saying go? "Jack of all trades, master of none."
     
  11. guest

    guest Guest

    and AG isn't made to block exploits, however it can do so if set properly. Blocking exploits, and in the case of doublepulsar network exploits, is the job of your firewall IDS/IPS.

    AG by default setting doesn't care about the method used, only about the endgame result. If an attacker needs to drop a malicious exe to your system, the ultimate goal is to stop the exe from running and doing its malicious job. How it came into the system is irrelevant for AG.
    To use an analogy : AG is the goalkeeper in soccer, not the midfield or defense player.

    Appguard will never be a full security solution, not going to happen ever. It is SRP, and is the best in its class.
    I can understand that people will be disappointed by what i just said , but AG is just one layer of protection, but the most important one , protection of the system space.
    BRN always recommended to use AG alongside one decent firewall and AV.

    those others will be taken care of and will surely be protected by default in the next build...
    Personally I took care of them already via my personal customization of AG, but BRN can't put all of them by default because some users may need them to run normally; it is why I insist that AG MUST be tailored right away after installation to offer optimal protection.
     
  12. guest

    guest Guest

    Exact. opposed to suites , AG is the master of one thing.
     
  13. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Yeah, but that also limits how useful AG is and who it's useful to.
    VS is well designed and appealing to a far wider market, Dan did himself a big favor in that aspect.
     
  14. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Nice ;)
     
  15. guest

    guest Guest

    Exact, but this is BRN's choice and they are fine with it. The more protection modules you add, the more bugs/issues you will create... they choose to master one thing, and they do it perfectly.
    So people like me who are looking for this type of protection are more than satisfied.

    The whole issue with doublepulsar and co is that MS keeps obsolete and vulnerable protocols/features/apps (denominated under the "legacy" term) because some users still need them.
    By doing this they expose the many for the needs of the few. Normally " the needs of the many outweigh the needs of the few"
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Is it your assertion that the system space was sufficiently protected from the EternalBlue / DoublePulsar attack?

    We should probably change topics ;). BTW, I tested a lot of other security products, and I was surprised how many did not properly protect against this threat. Then again, it was a seriously mean / nasty attack... so it is understandable that a lot of products failed. There is no point in releasing anymore results or test videos... I do not want to start a holy war ;).

    I look forward to seeing the MRG report.
     
  17. guest

    guest Guest

    If the OS is up to date, yes. Victims were running unpatched OS, so it is their fault. Security products assume that the OS is properly maintained.
    On win10, WD will block it right away. AG doesn't even have to kick in.
    If you put airbags on a car without brakes, don't expect to survive a fall from a cliff...

    and on my system
    - smb1.0 was removed since ages
    - my OS is up to date
    - my OS FW is properly set up
    - I'm behind a NAT FW
    - AG is customized to block all vulnerable processes.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I give up ;). Okay, next topic ;).
     
  19. guest

    guest Guest

    No it is ok. Your video was good, you showed the way it works, "unfortunately" (if I can say so), you showed products that are not specifically designed to block exploits by their default settings. If you tested suites, it would be different.
    if your video included the 2nd stage (which those products are designed to block) , it would be more informative.
    What is important is to show the big picture; with all aspects taken in consideration.
    You can't test an anti-exe or SRP without exe to block ^^
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    guest, we are talking about successfully installing a backdoor at the kernel level. If we were talking about an exploit running a neutered instance of powershell, that might be a different story, but we are dealing with a kernel level backdoor.

    BTW... this is one of the comments that helped pique my curiosity.

    https://malwaretips.com/threads/is-...lblue-doublepulsar-attacks.71722/#post-632722

    If you ask me... any and all speculation should be clearly marked with a "Potential BS" tag ;).

    Why speculate when we can test and know for sure? Because of the reaction I received from a few people, there is a chance that I might not ever test again.

    The big picture? The big picture is that this attack is just one attack... and patching the system for this one attack is not going to protect you against the other attacks, if there is a flaw in the security mechanism that is not fixed.
     
  21. guest

    guest Guest

    don't misunderstand the principle of a product. AG doesn't block all exploits by default. AG is SRP, not anti-exploit.
    You should have tested your exploit with HMPA and MBAE , those are made for it.

    Guess i was wrong on this one, i'm not flawless :p
    also @Lockdown explained better what AG does: https://malwaretips.com/threads/is-...lblue-doublepulsar-attacks.71722/#post-632820

    sure , you are free to go ;)

    Nothing can protect from everything. There are always some holes somewhere; security is made to reduce the number of holes, and if the hole involves something that the product is not designed to protect, it will not protect.
     
    Last edited by a moderator: May 29, 2017
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was under the impression that it blocked system processes from being injected / exploited (especially because of its memory protection), which is why I included it in the test. Well, that, and it is in the same "computer lock" class of software as the others.
     
  23. guest

    guest Guest

    I don't have the details of AG's memory protection and i will never have, it is secret. All i know, is that it will forbid/isolate process A from modifying the memory of process B.

    Anyway, actual AG (which is quite old now) does what i expected it to do, and it does it perfectly. it can do even better if properly customized.

    Users must remember that you shouldn't use SRP apps at default settings.
     
    Last edited by a moderator: May 29, 2017
  24. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    :thumb::isay:
     
  25. mWave

    mWave Guest

    I'm sure you already knew what the expected outcome would be; obviously unless they are auto-blocking process execution and are not auto-allowing trusted Windows processes to execute other programs then they won't block the process execution from the injected malicious code. It would be better for the vendors not to lock-down a process like lsass.exe since if a future patch is ever made which brings changes to lsass.exe (e.g. it may start spawning another program to do something even though this is unlikely since it already has Inter-Process Communication between other Windows processes and the such). :shifty: Sneakyyyy

    You probably just don't trust lsass.exe by default for process execution, or you made a change in an update to look out for lsass.exe process execution. While your product did indeed prevent the infection, there is nothing "special" within the product to actually protect the system other than process white listing... Which takes me back to thinking "If you don't trust it or are in doubt, don't run it in the first place".

    I feel like this entire discussion and video is about proving how VoodooShield is good at preventing exploitation, and while I am a fan of VooodooShield (I recommended it to someone who still uses it today actually, a close friend) there is actually no real anti-exploit functionality within VoodooShield. Process white listing is not the same as "exploit mitigation" that other vendors incorporate... There's a mix up and misconception on what it really is within this thread it seems.

    ------------------------------------
    The only thing Microsoft need to do to patch this problem with lsass.exe would be through making it a protected process (the same thing that they did to processes like csrss.exe) and personally I am not sure why they haven't already done this.

    Also, I want to mention that lsass.exe actually contains handles to running processes (as does SvcHost.exe) and this means that if you can inject code into those processes (you'll need to enable SeDebugPrivilege for lsass.exe since its running under SYSTEM and you'll probably need to use RtlCreateUserThread or even NtCreateUserThreadEx instead over CreateRemoteThread) then you can work with handle hijacking and then terminate any process you want regardless of any self-defense. Therefore, if you exploit the system to inject code into lsass.exe through Metasploit as seen in the video, and use handle hijacking instead of doing whatever you did with the injected code and then trying to run another process, you can bypass pretty much any AV you want on x64 since you could just terminate any AV processes under SYSTEM and rid the protection (note you'd have to do it recursively since they have watchdog methods outside of user-mode process space but you could always load a driver afterwards and then block them from restarting).

    So if code has already been injected into a process like lsass.exe then it is already over. I doubt the other security products even inject and hook in lsass.exe to monitor for suspicious behavior but I could be wrong. Like I said, VoodooShield has no real exploit mitigation so it isn't like it would jump in and do anything if it wasn't for the normal process execution blocking. lol

    .... :isay::isay::isay:

    If VS blocked the code injection into lsass.exe then yes fair enough except it didn't and that right there is the main exploit... anything else after is additional since you can just execute your malicious code from within lsass.exe if you can inject into it, or better still just use process hollowing (dynamic forking) on another Windows process. then what? Nothing... because VS wouldn't be detecting an untrusted process execution, would it?
     
    Last edited by a moderator: May 29, 2017
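    A defender-side check that follows from the post above: on a healthy Windows host lsass.exe does not create child processes, so any process-creation event whose parent is lsass.exe is worth an alert regardless of what the child is. This is an added example in Python, not part of the thread or of any product discussed here; the one-line event format and the sample lines are constructed in a Sysmon-like shape (Image / ParentImage), and the list of "no-child" parents is a constructed starting point.

```python
import re
from pathlib import PureWindowsPath

# Parents that should not spawn child processes on a healthy host.
# lsass.exe is the one discussed in the thread; the set is a constructed starting point.
NO_CHILD_PARENTS = {"lsass.exe"}

# Regex for the constructed one-line event format used in SAMPLE_EVENTS below.
EVENT_RE = re.compile(
    r"^UtcTime: (?P<time>\S+ \S+) Image: (?P<image>.+?) ParentImage: (?P<parent>.+)$"
)

# Constructed sample process-creation events (not real log data).
SAMPLE_EVENTS = [
    r"UtcTime: 2017-05-28 10:00:01 Image: C:\Windows\System32\svchost.exe ParentImage: C:\Windows\System32\services.exe",
    r"UtcTime: 2017-05-28 10:00:05 Image: C:\Program Files\Mozilla Firefox\firefox.exe ParentImage: C:\Windows\explorer.exe",
    r"UtcTime: 2017-05-28 10:02:17 Image: C:\Windows\System32\cmd.exe ParentImage: C:\Windows\System32\lsass.exe",
    r"UtcTime: 2017-05-28 10:02:18 Image: C:\Windows\System32\rundll32.exe ParentImage: C:\Windows\System32\LSASS.EXE",
    r"garbage line that does not parse",
]


def parse_event(line):
    """Return (time, image, parent) for a well-formed line, or None for anything else."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return m.group("time"), m.group("image"), m.group("parent")


def detect_lsass_children(lines):
    """Return one alert dict per event whose parent basename is in NO_CHILD_PARENTS.
    The basename comparison is case-insensitive because Windows paths are."""
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # skip malformed input instead of aborting the whole run
        time, image, parent = parsed
        parent_name = PureWindowsPath(parent).name.lower()
        if parent_name in NO_CHILD_PARENTS:
            alerts.append({
                "time": time,
                "parent": parent_name,
                "child": PureWindowsPath(image).name.lower(),
                "reason": f"{parent_name} should never create child processes",
            })
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_children(SAMPLE_EVENTS):
        print(f"{a['time']} ALERT {a['parent']} -> {a['child']}: {a['reason']}")
```

    The rule is deliberately parent-only: a whitelist of children would miss anything the attacker renames, whereas "this parent never has children" holds no matter what is launched. Malformed lines are skipped rather than raised so one bad record cannot silence the detector for the rest of the log.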