VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see... yeah, we already do something kind of similar, and I think it actually works better for VS to leave it the way it is. Let me think through it though... if it makes sense to do that, then we certainly will... it would be super easy to implement. Thank you!
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I installed ImDisk, but there were at least 3 different components, and I was not sure what to test. But basically, if VS is not working correctly with ImDisk, I would figure out the path that is causing the issue, and add that to Custom Folders. I hope that makes sense, if not, please let me know!
     
  4. mWave

    mWave Guest

    You probably just made it block process execution coming from lsass.exe.

    If I am wrong then I will actually inject into it myself to test this?
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Try it and find out. Ask Black Cipher how difficult VS is to bypass... he knows. It is not impossible, I am sure everyone is curious if you can... so just do it.

    BTW, I would be happy to rename our Exploit feature if someone has a better suggestion. I just figured that since that feature was designed to block malicious code from exploits, that the name I gave it was appropriate.

    While you are testing... you might as well test the specialized anti-exploit products and see how they did against this attack. Then we will know what should be labeled anti-exploit and what should not.
     
  6. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
    I am using only the RAMdisk component, so I run RamDisk Configuration (RamDiskUI.exe), then I create a RAMdisk with a specified size (e.g. 2 GB) and drive letter (e.g. R:\). I also enable "Use AWE physical memory" in the Advanced tab; everything else is default.

    After creating the RAMdisk I copy a folder with an application (e.g. Cent portable, https://www.centbrowser.com/) and run it. The parent process will run, but some child processes will be blocked.
    Only disabling VS allows me to run it normally.

    In the VS log there are errors saying that VS cannot find the exe in question, because it tries to find it by its native NT path name.
    This is because ImDisk is designed to run on all versions of Windows NT.

    Can you find some workaround? ImDisk is the only free RAMdisk that doesn't have a size limitation when creating a RAMdisk.
    tia
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    What happens when you uncheck the RAM disk in Custom Folders, for both the ON and OFF (left / right) drive trees?
     
  8. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
    I am using free VS so no settings for me
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    pm me your email address and I will set you up an account.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Actually, the more I think about it... you probably do not want to run a browser unprotected like that... let me see what other workarounds we can come up with. There may be a chance that ImDisk is not going to work properly with VS the way you want it to.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would strongly suggest any "testing" discussion be taken private.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sounds good... let's move all of the testing comments to the YouTube test video.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    Maybe they should take it over to Malwaretips where they can battle it out lol. I don't think Mwave is going to stop voicing his view about the exploit feature.

    If I can think of a better name for the exploit feature that is not misleading then I will let Dan know in a post here. I can't think of anything right off hand. I do know a little about how VS exploit mitigation works, and it seems to be working quite well for its intended purpose.
     
  14. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    That or Malwaretips, they seem happy to allow A versus B and any test results.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am actually pretty much over this whole thing... it is really getting old. There is no point in arguing about any of this. There will either be a bypass or there will not be.

    Anyway, this feature has really worked out well for VS. VS was not originally intended to be anti-exploit security software... but as I was saying... in order to stay relevant, you must adapt. Besides, if my method achieves the exact same result and does not allow for any bypasses, I would actually prefer this method. Mainly because new exploitation methods will be created, and it will always be a cat and mouse game. Simplicity is the final achievement.

    BTW, CET, would you agree that if VS blocked EternalBlue from installing DoublePulsar and specialty anti-exploit products did not, that it is appropriate to leave that feature's name as it is? Either way, I am happy to change the name if someone can think of something more fitting.
     
  16. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    171
    Location:
    London UK
    I've used ImDisk in the past to create RAMdisks but currently I use an alternative. VoodooShield does see the RAMdisk. (Drive letter is V on my machine.)

    VoodooShield Settings RAMdisk.jpg

    VoodooShield Settings RAMdisk 2.jpg

    VoodooShield Settings RAMdisk 3.jpg

    I reckon you'd need to add any browser path to web apps.

    VoodooShield Web Apps.jpg
     
  17. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
    Cent is already detected by VS (as Chrome); Firefox e10s is also affected.

    OK, this is interesting: after a little testing it seems that it affects multiprocess apps which create child processes with the same name as the parent.
     
  18. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    And that should be the goal for all security software, not multiple GUIs with half a dozen options on each window. Download, install, job done. I know it's not as easy as that, but it shouldn't be tougher than unravelling the Gordian knot :p
     
  19. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    171
    Location:
    London UK
    I'm going to download that browser and launch it from RAMdisk and see what happens.
     
  20. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
    this is what I get in VS DeveloperLog.log

    [ERROR] - Exception in GetSHA256b (file does not exist or access denied): \Device\ImDisk0\Cent\chrome.exe
    [ERROR] - Exception in NewProcessHandler_HandleProcess: File C:\Device\ImDisk0\Cent\chrome.exe cannot be found.. in System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
    in System.IO.FileInfo.get_Length()
    in VoodooShield.NewProcessHandler.HandleProcess(ProcessInfo processInfo, String& title)
     
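    The two DeveloperLog lines above show the same image path in two forms: the kernel hands the process monitor the native object-manager name \Device\ImDisk0\Cent\chrome.exe, and the second line shows it turned into C:\Device\ImDisk0\Cent\chrome.exe, which is what you get when a backslash-rooted string is resolved against the current drive instead of being translated through the drive-letter table. The following is an added example (not VoodooShield's or ImDisk's code) showing the translation a process monitor has to do before it can hash or stat the image: build the drive-letter to NT-device table with QueryDosDeviceW on Windows, then longest-prefix match the NT path against it. The SAMPLE_DEVICE_MAP is a constructed table that assumes ImDisk exposes its RAM disk as \Device\ImDisk0 mounted on R:; the naive_translate function is there only to reproduce the failure mode, and the "C:" it prepends is an assumption about the current drive.

```python
"""
Translate native NT image paths (\Device\...) to DOS drive-letter paths.

Added example, not VoodooShield's or ImDisk's own code. The sample device
table is constructed; on Windows, query_dos_devices() reads the live one.
"""
import ctypes
import sys
from typing import Dict, Optional

# Constructed sample of what QueryDosDeviceW returns per drive letter on a
# machine with an ImDisk RAM disk mounted on R: (assumption: the device is
# named \Device\ImDisk0 rather than \Device\HarddiskVolumeN).
SAMPLE_DEVICE_MAP: Dict[str, str] = {
    "C:": r"\Device\HarddiskVolume2",
    "D:": r"\Device\HarddiskVolume3",
    "R:": r"\Device\ImDisk0",
}


def query_dos_devices() -> Dict[str, str]:
    """Windows only: ask kernel32 for the NT device behind each drive letter."""
    if sys.platform != "win32":
        raise OSError("QueryDosDeviceW is only available on Windows")
    kernel32 = ctypes.windll.kernel32
    buf = ctypes.create_unicode_buffer(1024)
    mapping: Dict[str, str] = {}
    for letter in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        drive = f"{letter}:"
        # Returns the number of characters written, 0 if the letter is unused.
        if kernel32.QueryDosDeviceW(drive, buf, len(buf)):
            mapping[drive] = buf.value  # first entry of the multi-string
    return mapping


def naive_translate(nt_path: str) -> str:
    """Reproduces the failure seen in the log: a backslash-rooted string is
    treated as relative to the current drive (assumed to be C:), so the
    \Device\... name becomes a path that does not exist."""
    return "C:" + nt_path


def nt_to_dos(nt_path: str, device_map: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match of the NT device name against the drive table.
    Returns None when no drive letter maps to the device (folder-mounted
    volumes, or devices with no DOS name at all)."""
    best_drive, best_len = None, 0
    lowered = nt_path.lower()
    for drive, device in device_map.items():
        dev = device.lower()
        # Match on a component boundary so \Device\ImDisk0 does not claim
        # \Device\ImDisk01\... by accident.
        if lowered == dev or lowered.startswith(dev + "\\"):
            if len(dev) > best_len:
                best_drive, best_len = drive, len(dev)
    if best_drive is None:
        return None
    return best_drive + nt_path[best_len:]


def normalize_image_path(path: str, device_map: Dict[str, str]) -> Optional[str]:
    """Accept the three spellings a monitor sees (\??\C:\..., C:\..., \Device\...)
    and return a DOS path, or None when the device cannot be mapped."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) >= 2 and path[1] == ":":
        return path
    if path.lower().startswith("\\device\\"):
        return nt_to_dos(path, device_map)
    return None


if __name__ == "__main__":
    table = query_dos_devices() if sys.platform == "win32" else SAMPLE_DEVICE_MAP
    for p in (r"\Device\ImDisk0\Cent\chrome.exe", r"\??\C:\Windows\explorer.exe"):
        print(p, "->", normalize_image_path(p, table), "| naive:", naive_translate(p))
```

    The point of the None return is that a device with no drive letter is a real case (mount-point-only volumes, and RAM disks created without a letter), so the monitor needs a decision for it rather than an exception in GetSHA256.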
  21. mWave

    mWave Guest

    I'm not trying to bypass VoodooShield so I can brag about it, I just want to see if I can understand what you are actually talking about because I would feel really bad if you have really had some interesting stuff in your product after I spent time saying it was nothing more than process white listing with an Ai checkup.

    I am going to test VoodooShield with dynamic aspects and see what I can find, see if it will flag anything. For example, I will inject into a process like lsass.exe to execute some code and then see if VoodooShield does something? Or have I misunderstood you?

    From what I knew, all VS is, is an anti-exe... But now after reading your posts it is also an Anti-Exploit now? Bearing in mind that process blocking is not the same as exploit mitigation. So before I potentially waste my time how do I approach this?

    For example... I make a program to do something like suggested above, I let VoodooShield run the program and then VS will block exploit-related behavior? Or something different?
     
  22. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    171
    Location:
    London UK
    Seems to work fine for me using VS Pro.

    Cent Browser.jpg
    Cent Browser 2.jpg
    Cent Browser 3.jpg
    Cent Browser 4.jpg

    I suppose I should point out that I changed Environment Variables for TMP and TEMP.

    Environment Variables.jpg

    Code:
    [Process Creation]
    
    05/29/2017 22:39:50
    Process: [4100] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\chrome.exe"
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: High
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [2436] C:\Windows\explorer.exe
    Parent CommandLine: C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
    
    
    
    
    [Process Creation]
    
    05/29/2017 22:40:48
    Process: [5096] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: V:\CentBrowserPortable\chrome.exe --type=crashpad-handler /prefetch:7 --no-rate-limit "--database=C:\Users\Chris\AppData\Local\CentBrowser\User Data\Crashpad" --annotation=channel=unknown --annotation=plat=Win32 "--annotation=prod=Cent Browser" --annotation=ver=2.1.9.50 --handshake-handle=0x1a4
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: High
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Creation]
    
    05/29/2017 22:40:56
    Process: [4776] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\chrome.exe" --type=gpu-process --channel="4100.0.1059119733\1501156167" --mojo-application-channel-token=4361859307DBAE71D961A4F6BC97FB65 --enable-features=enable-password-force-saving --disable-features=AutomaticTabDiscarding --disable-direct-composition --supports-dual-gpus=false --gpu-driver-bug-workarounds=5,13,14,15,16,18,31,56 --gpu-vendor-id=0x1002 --gpu-device-id=0x9807 --gpu-driver-vendor="Advanced Micro Devices, Inc." --gpu-driver-version=13.251.0.0 --gpu-driver-date=12-6-2013 --mojo-platform-channel-handle=1140 --ignored=" --type=renderer " /prefetch:2
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: Low
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Creation]
    
    05/29/2017 22:40:58
    Process: [2404] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\chrome.exe" --type=renderer --enable-features=enable-password-force-saving --disable-features=AutomaticTabDiscarding --primordial-pipe-token=57C0D51898271D083F1D9626BFB8B807 --lang=en-US --extension-process --enable-webrtc-hw-h264-encoding --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --mojo-channel-token=70150C18395CCEF827613B2FE3BCC00C --mojo-application-channel-token=57C0D51898271D083F1D9626BFB8B807 --channel="4100.1.460237381\1422646543" --mojo-platform-channel-handle=1736 /prefetch:1
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: Low
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Creation]
    
    05/29/2017 22:40:58
    Process: [5040] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\chrome.exe" --type=utility --mojo-channel-token=E264157905A7DECB60594F94E0762FD7 --lang=en-US --no-sandbox --mojo-application-channel-token=7A9C631697347350493B35F28DFAF07E --mojo-platform-channel-handle=1748 /prefetch:8
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: High
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Creation]
    
    05/29/2017 22:41:02
    Process: [1132] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\chrome.exe" --type=renderer --enable-features=enable-password-force-saving --disable-features=AutomaticTabDiscarding --primordial-pipe-token=7DC0E65B451C18D462CB7A88C6E74E53 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --mojo-channel-token=6404E8E3301D80038B4D5EDCEBD6F1DD --mojo-application-channel-token=7DC0E65B451C18D462CB7A88C6E74E53 --channel="4100.2.1941023831\363451609" --mojo-platform-channel-handle=2380 /prefetch:1
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: Low
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Termination]
    
    05/29/2017 22:41:02
    Process: [5040] V:\CentBrowserPortable\chrome.exe
    Uptime: ~00:00:04
    Exit Status: 0x0
    
    
    [Process Creation]
    
    05/29/2017 22:41:04
    Process: [3192] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\chrome.exe" --type=renderer --enable-features=enable-password-force-saving --disable-features=AutomaticTabDiscarding --primordial-pipe-token=54CD3E9B70F1E1A87E9BC8FCEECED037 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --mojo-channel-token=54E3A6EFD349483B321ED9113437F137 --mojo-application-channel-token=54CD3E9B70F1E1A87E9BC8FCEECED037 --channel="4100.3.644004309\211613404" --mojo-platform-channel-handle=2388 /prefetch:1
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: Low
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Creation]
    
    05/29/2017 22:41:10
    Process: [2480] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\chrome.exe" --type=renderer --enable-features=enable-password-force-saving --disable-features=AutomaticTabDiscarding --primordial-pipe-token=46701F3BC3751D7357AE1CC44156ABD7 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --mojo-channel-token=AE0CF9D22F4F385338050C11A5ADEBBF --mojo-application-channel-token=46701F3BC3751D7357AE1CC44156ABD7 --channel="4100.4.1956223588\1388812536" --mojo-platform-channel-handle=3168 /prefetch:1
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: Low
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Termination]
    
    05/29/2017 22:42:08
    Process: [2404] V:\CentBrowserPortable\chrome.exe
    Uptime: ~00:01:10
    Exit Status: 0x0
    
    
    [Process Termination]
    
    05/29/2017 22:42:32
    Process: [3192] V:\CentBrowserPortable\chrome.exe
    Uptime: ~00:01:28
    Exit Status: 0x0
    
    
    [Process Creation]
    
    05/29/2017 22:42:36
    Process: [5392] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\chrome.exe" --type=renderer --enable-features=enable-password-force-saving --disable-features=AutomaticTabDiscarding --primordial-pipe-token=DF45026943DA0AB993F93A7C6D8384FB --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --mojo-channel-token=A11AF4FE717C62BF720B5315AB98DB54 --mojo-application-channel-token=DF45026943DA0AB993F93A7C6D8384FB --channel="4100.5.997818431\1768256492" --mojo-platform-channel-handle=1984 /prefetch:1
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: Low
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Creation]
    
    05/29/2017 22:42:46
    Process: [5496] V:\CentBrowserPortable\chrome.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\chrome.exe" --type=renderer --enable-features=enable-password-force-saving --disable-features=AutomaticTabDiscarding --primordial-pipe-token=D57404D8E4F191D45558DF3D4C3E45BA --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --mojo-channel-token=7B11892FD2B4030BFAC8190F4006AE67 --mojo-application-channel-token=D57404D8E4F191D45558DF3D4C3E45BA --channel="4100.6.1187171543\1045762808" --mojo-platform-channel-handle=2500 /prefetch:1
    MD5 Hash: 50078763865FC8403B8439D2FDF84073
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: Low
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Termination]
    
    05/29/2017 22:42:46
    Process: [5392] V:\CentBrowserPortable\chrome.exe
    Uptime: ~00:00:10
    Exit Status: 0x0
    
    
    [Process Termination]
    
    05/29/2017 22:42:48
    Process: [1132] V:\CentBrowserPortable\chrome.exe
    Uptime: ~00:01:46
    Exit Status: 0x0
    
    
    [Process Creation]
    
    05/29/2017 22:42:58
    Process: [5584] V:\CentBrowserPortable\2.1.9.50\centbrowserupdater.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\CentBrowserPortable\2.1.9.50\centbrowserupdater.exe" --portable --real-exe-path="V:\CentBrowserPortable\chrome.exe" --langid=en-US --installid=226a16d1-bfc5-4ea5-b932-e5b5228b9f96 --pepper-version=23.0.0.162 --current=2.1.9.50
    MD5 Hash: E4E64453B536A81BEFA2DDC49279D82F
    Bitness: 32-bit
    Publisher: Cent Studio
    Description: Cent Browser
    Version: 2.1.9.50
    Integrity Level: High
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [4100] V:\CentBrowserPortable\chrome.exe
    Parent CommandLine: "V:\CentBrowserPortable\chrome.exe"
    
    
    [Process Creation]
    
    05/29/2017 22:46:14
    Process: [5140] V:\AppData\Local\Temp\centbrowser_2.6.5.52_portable.exe
    Username/Domain: Chris/PC
    CommandLine: "V:\AppData\Local\Temp\centbrowser_2.6.5.52_portable.exe" -s -d"V:\AppData\Local\Temp\CB_63DA7_PORTABLE.tmp"
    MD5 Hash: 361DF3125E15FE2E582A7057C8A017F9
    Bitness: 32-bit
    Integrity Level: High
    Signer: Dan Deng
    System Process: False
    Protected Process: False
    Parent: [5584] V:\CentBrowserPortable\2.1.9.50\centbrowserupdater.exe
    Parent CommandLine: "V:\CentBrowserPortable\2.1.9.50\centbrowserupdater.exe" --portable --real-exe-path="V:\CentBrowserPortable\chrome.exe" --langid=en-US --installid=226a16d1-bfc5-4ea5-b932-e5b5228b9f96 --pepper-version=23.0.0.162 --current=2.1.9.50
    
    
    [Process Termination]
    
    05/29/2017 22:46:48
    Process: [5140] V:\AppData\Local\Temp\centbrowser_2.6.5.52_portable.exe
    Uptime: ~00:00:34
    Exit Status: 0x0
    
    
    
    
    [05-29-2017 22:39:56] [INFO ] - Process blocked by Custom Folders: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:40:30] [INFO ] - Blocked: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:40:46] [INFO ] - Process allowed by User Clicking Allow or Install: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:40:46] [INFO ] - Allowed: chrome.exe, v:\centbrowserportable\chrome.exe
    [05-29-2017 22:40:54] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:40:56] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:40:57] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:40:57] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:41:02] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:41:03] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:41:10] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:42:36] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:42:45] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
    [05-29-2017 22:42:57] [INFO ] - Process blocked by Custom Folders: v:\centbrowserportable\2.1.9.50\centbrowserupdater.exe
    [05-29-2017 22:43:37] [INFO ] - Blocked: v:\centbrowserportable\2.1.9.50\centbrowserupdater.exe
    [05-29-2017 22:43:55] [INFO ] - Process allowed by User Clicking Allow or Install: v:\centbrowserportable\2.1.9.50\centbrowserupdater.exe
    [05-29-2017 22:43:55] [INFO ] - Allowed: centbrowserupdater.exe, v:\centbrowserportable\2.1.9.50\centbrowserupdater.exe
    [05-29-2017 22:46:23] [INFO ] - Process allowed by Parent Process: v:\appdata\local\temp\centbrowser_2.6.5.52_portable.exe
     
    Last edited: May 29, 2017
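    The two logs in the post above carry the information needed to see why the RAM-disk browser works here: the process-monitor records give pid, parent pid and integrity level, and the VS lines give the verdict and its reason per image path. The following is an added example (not VoodooShield's code) that parses a constructed excerpt in the same shape as those logs, rebuilds the parent chain, and attaches the VS decisions to each process. The last check, flagging an executable under a Temp folder that was admitted only because of its parent, is a rule of my own for illustration, not something VS does; the log excerpts are constructed to mirror the posted ones.

```python
"""
Correlate process-creation records with allow/block decisions.

Added example, not VoodooShield's code. Both log texts below are constructed
in the shape of the logs posted above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROCESS_LOG = r"""
[Process Creation]

05/29/2017 22:39:50
Process: [4100] V:\CentBrowserPortable\chrome.exe
Integrity Level: High
Parent: [2436] C:\Windows\explorer.exe

[Process Creation]

05/29/2017 22:40:56
Process: [4776] V:\CentBrowserPortable\chrome.exe
Integrity Level: Low
Parent: [4100] V:\CentBrowserPortable\chrome.exe

[Process Creation]

05/29/2017 22:42:58
Process: [5584] V:\CentBrowserPortable\2.1.9.50\centbrowserupdater.exe
Integrity Level: High
Parent: [4100] V:\CentBrowserPortable\chrome.exe

[Process Creation]

05/29/2017 22:46:14
Process: [5140] V:\AppData\Local\Temp\centbrowser_2.6.5.52_portable.exe
Integrity Level: High
Parent: [5584] V:\CentBrowserPortable\2.1.9.50\centbrowserupdater.exe

[Process Termination]

05/29/2017 22:46:48
Process: [5140] V:\AppData\Local\Temp\centbrowser_2.6.5.52_portable.exe
Uptime: ~00:00:34
Exit Status: 0x0
"""

VS_LOG = r"""
[05-29-2017 22:39:56] [INFO ] - Process blocked by Custom Folders: v:\centbrowserportable\chrome.exe
[05-29-2017 22:40:46] [INFO ] - Process allowed by User Clicking Allow or Install: v:\centbrowserportable\chrome.exe
[05-29-2017 22:40:56] [INFO ] - Process allowed by Current Whitelist Snapshot: v:\centbrowserportable\chrome.exe
[05-29-2017 22:42:57] [INFO ] - Process blocked by Custom Folders: v:\centbrowserportable\2.1.9.50\centbrowserupdater.exe
[05-29-2017 22:43:55] [INFO ] - Process allowed by User Clicking Allow or Install: v:\centbrowserportable\2.1.9.50\centbrowserupdater.exe
[05-29-2017 22:46:23] [INFO ] - Process allowed by Parent Process: v:\appdata\local\temp\centbrowser_2.6.5.52_portable.exe
"""


@dataclass
class Proc:
    pid: int
    image: str
    integrity: Optional[str] = None
    parent_pid: Optional[int] = None
    parent_image: Optional[str] = None
    exit_status: Optional[str] = None
    decisions: List[str] = field(default_factory=list)


_PIDPATH = re.compile(r"\[(\d+)\]\s+(.+)")
_VSLINE = re.compile(r"^\[[^\]]+\]\s+\[INFO\s*\]\s+-\s+Process (allowed|blocked) by (.+?):\s+(.+)$")


def parse_process_log(text: str) -> Dict[int, Proc]:
    """Walk the 'key: value' records; creations define a Proc, terminations update it."""
    procs: Dict[int, Proc] = {}
    kind: Optional[str] = None
    current: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("[Process Creation]", "[Process Termination]"):
            kind, current = line, None
            continue
        if ":" not in line:
            continue  # blank lines and the timestamp-free remainder
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Process":
            m = _PIDPATH.match(value)
            if not m:
                continue
            pid, image = int(m.group(1)), m.group(2)
            if kind == "[Process Creation]":
                current = Proc(pid=pid, image=image)
                procs[pid] = current
            else:
                current = procs.get(pid)
        elif current is None:
            continue
        elif key == "Integrity Level":
            current.integrity = value
        elif key == "Parent":
            m = _PIDPATH.match(value)
            if m:
                current.parent_pid, current.parent_image = int(m.group(1)), m.group(2)
        elif key == "Exit Status":
            current.exit_status = value
    return procs


def parse_vs_log(text: str) -> Dict[str, List[str]]:
    """Group 'allowed/blocked by <reason>' verdicts by lower-cased image path."""
    decisions: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _VSLINE.match(line.strip())
        if m:
            verdict, reason, path = m.groups()
            decisions.setdefault(path.lower(), []).append(f"{verdict} by {reason}")
    return decisions


def analyze(process_text: str, vs_text: str) -> Dict[int, Proc]:
    procs = parse_process_log(process_text)
    decisions = parse_vs_log(vs_text)
    for p in procs.values():
        p.decisions = list(decisions.get(p.image.lower(), []))
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image path of pid, then of each parent; the last parent may be known only by name."""
    chain: List[str] = []
    seen = set()
    p = procs.get(pid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        chain.append(p.image)
        if p.parent_pid is None:
            break
        nxt = procs.get(p.parent_pid)
        if nxt is None:
            if p.parent_image:
                chain.append(p.parent_image)
            break
        p = nxt
    return chain


TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def flag_temp_allowed_by_parent(procs: Dict[int, Proc]) -> List[int]:
    """Illustrative rule (not VS logic): an image under a temp folder that was
    admitted only on the strength of its parent deserves a second look."""
    return [
        p.pid for p in sorted(procs.values(), key=lambda x: x.pid)
        if any(t in p.image.lower() for t in TEMP_MARKERS)
        and "allowed by Parent Process" in p.decisions
    ]


if __name__ == "__main__":
    tree = analyze(PROCESS_LOG, VS_LOG)
    for pid in flag_temp_allowed_by_parent(tree):
        print(pid, " <- ".join(ancestry(tree, pid)))
```

    Correlating by path rather than pid is deliberate: the VS lines carry no pid, and, as the post shows, every Chromium child has the same image path as its parent, so the per-path decision list is the join key the logs actually support.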
  23. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Nike is fixing to sue you :p lol
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,657
    Location:
    USA
    I imagine you are. The discussion could be worth having if it was done in a more productive way, with constructive criticism and offering solutions. I hate seeing the vulgar language; it's always unprofessional. Let's move on, and not be pulled back into a discussion like that.

    I definitely agree with you on that point. I'm always looking for a simple method that will catch almost everything in the end. I believe simplicity is the key. It's like trying to monitor thousands of different doors which malware can use to enter the system, but they all have to go through one last door in the end to finish entering the system. Which is easier, and more effective, monitoring the thousands of doors, or the one door that they all have to go through in the end. This is a very rudimentary analogy, but it shows why products like VS work so well in method.

    Since VS does not actually block the exploit in memory you could consider changing the name, but keep "exploit" in the name while giving a self-documenting description of why VS increases protection against exploits. If it mitigates the damage from the exploit in the end then that's all that really counts. How well does VS mitigate payloads from exploits? It does well from what I have seen, but thorough testing is the only way to be sure. My course of study will be focusing on exploits soon; I will see if I can do a capstone project on VS and similar products to see how well they do against a variety of exploit attacks. I expect VS will do well in such a test.

    I honestly can't think of a short name at the moment that would immediately give the user a reasonable understanding of what the feature does. Something like payload catcher comes to mind, but that's not a good name IMO. Maybe you could just leave the name the same, and include some literature describing why the feature increases protection against exploits if it's not too revealing. Anything that makes it clear that VS does not block the exploit in memory would work. I will have to think on this for a while. I honestly don't know if the name should be changed or not. I would prefer to discuss this in private. I don't want to feed the wolves in the thread lol
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    We were asked to not talk about this, so if we need to discuss anything further, please pm me.

    But in general, to demonstrate a true bypass of VS, all one needs to do is to somehow infect the machine without clicking Allow. For example, you already have EternalBlue... why not do something with that, and see if you can infect the machine? I think it would be difficult though, simply because DoublePulsar was created by the NSA and is pretty nasty, and VS had no problem blocking it. But who knows, you might do something really cool.

    VS does not do any behavior blocking at all... for a lot of reasons, but that is a totally different discussion.
     
    Last edited: May 29, 2017