New Update VoodooShield CyberLock 7.0

n8chavez

Level 19
Well-known
Feb 26, 2021
945
I swear I must be retarded. It seems like Cyberlock will allow me to run whatever application or script I want, and after that it asks me to whitelist it. I've tried this on things I know are bad and still Cyberlock lets me run it. I've tried using the "always on" and aggressive modes. It's like it asks for forgiveness rather than permission.

Edit - Maybe the new 7.72 will help?
 
Last edited:
  • Wow
Reactions: oldschool

Digmor Crusher

Level 24
Verified
Top Poster
Well-known
Jan 27, 2018
1,396
I swear I must be retarded. It seems like Cyberlock will allow me to run whatever application or script I want, and after that it asks me to whitelist it. I've tried this on things I know are bad and still Cyberlock lets me run it. I've tried using the "always on" and aggressive modes. It's like it asks for forgiveness rather than permission.

Edit - Maybe the new 7.72 will help?
Strange. Never had this issue. Just wondering, what do you define as "bad"?
 

n8chavez

Level 19
Well-known
Feb 26, 2021
945
Strange. Never had this issue. Just wondering, what do you define as "bad"?

Well, I created a very basic script that aimed to just delete everything on c:\. It ran fine, then asked halfway through if I wanted to whitelist the script. I consider that bad.. The script deleted some stuff, that was not locked. But I quickly reimaged.
 

Digmor Crusher

Level 24
Verified
Top Poster
Well-known
Jan 27, 2018
1,396
Well, I created a very basic script that aimed to just delete everything on c:\. It ran fine, then asked halfway through if I wanted to whitelist the script. I consider that bad.. The script deleted some stuff, that was not locked. But I quickly reimaged.
Hmm, some security programs do have issues with scripts. Maybe Dan needs to comment on this.
 
  • Like
Reactions: Azazel and n8chavez
F

ForgottenSeer 107474

@Digmor Crusher

When a user runs a script which does not has a MOTW, what should an AI engine do? The program executing the script is legitimate (probably Microsoft signed). The commands used in the script are all legitimate programs running from UAC protected folder. The parent program is File Explorer also a Microsoft signed legitimate program and the user has started the sequence of actions him/herself. What is suspicious about these sequence of events?

The only effective counter measure is blocking scripts originating from external source (but then you shift the Achilles heel to the MOTW). A better (more solid, but dumber) counter measure would be to block scripts running in user folders.

This is what old-SWH does, it blocks scripts in user folders and allows executable's to run. Old-SWH has as default setting to apply these rules for standard users. I have used old SWH trouble free for years. New WHHL also has a SWH part (blocking scripts using software restriction policies), but the new version applies these rules for all users. I am running WHHL problem free for I think for three months now.

I stopped counting, but the vast majority of Cruel Sister's home brewed samples would be blocked by old SWH.
 
Last edited by a moderator:
  • Like
Reactions: oldschool

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
I swear I must be retarded. It seems like Cyberlock will allow me to run whatever application or script I want, and after that it asks me to whitelist it. I've tried this on things I know are bad and still Cyberlock lets me run it. I've tried using the "always on" and aggressive modes. It's like it asks for forgiveness rather than permission.

Edit - Maybe the new 7.72 will help?
Since you are having this issue with both executables and scripts, my best guess is that you created a rule or custom folder that auto allows everything. It should tell you in the developer log why a file was allowed: C:\ProgramData\CyberLock\DeveloperLog.log

But if we are only considering scripts, you might be running the script from a text editor or IDE, in which case CyberLock is designed not to block these events, that way developers can use our software without it interfering with their workflow. That is, most novices and intermediate users do not use text editors or IDE's to write code.

CyberLock has always been very capable in blocking all common, and even many lesser known scripts. With the new File Type feature, it covers even more scripts, but honestly it will not make a huge difference because most users do not have the additional script hosts on their machines, so the script would never run in the first place. But I figured, why not add them anyway, just to be safe, especially since CyberLock has this capability now.

What are the file types of the scripts that are not being blocked? If the file type is not included in our new File Type feature, then I will probably add it. But I would be surprised if it is not already on the list. That is why I am thinking that you inadvertently wrote a rule that auto allows everything.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
I thought of another option... maybe you are using something like AutoIT or AutoHotKey, which creates both scripts and executables. I just added .ahk, .a3x and .au3 to the list and they will be included in 7.73.
 
Last edited:
  • Like
Reactions: oldschool

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
@Digmor Crusher

When a user runs a script which does not has a MOTW, what should an AI engine do? The program executing the script is legitimate (probably Microsoft signed). The commands used in the script are all legitimate programs running from UAC protected folder. The parent program is File Explorer also a Microsoft signed legitimate program and the user has started the sequence of actions him/herself. What is suspicious about these sequence of events?

The only effective counter measure is blocking scripts originating from external source (but then you shift the Achilles heel to the MOTW). A better (more solid, but dumber) counter measure would be to block scripts running in user folders.

This is what old-SWH does, it blocks scripts in user folders and allows executable's to run. Old-SWH has as default setting to apply these rules for standard users. I have used old SWH trouble free for years. New WHHL also has a SWH part (blocking scripts using software restriction policies), but the new version applies these rules for all users. I am running WHHL problem free for I think for three months now.

I stopped counting, but the vast majority of Cruel Sister's home brewed samples would be blocked by old SWH.
Actually, if you can parse the command line and also determine the primary parent process, there are some really cool things you can do, so that you do not have to block these file types globally, and you can allow what needs to be allowed, whether the script is in the user or system space.

I can go in to further detail at some point, but here is a quick overview.

When I run a .bat script from my desktop, here is the command line: c:\windows\system32\cxd.exe /c ""c:\users\user\desktop\test.bat" " (the cxd is actually cmd, but I could not post that.)

The way CyberLock has always worked in this scenario (well, for at least 10 years), is that it parses the command line and "c:\users\user\desktop\test.bat" becomes the executable path, and from that path is where it determines whether it should block it or not... for example, if it has already been allowed / is whitelisted, then the file will allowed, otherwise it will be blocked. This is overly simplified explanation, but you get the point. But ultimately, instead of simply blocking globally by file type, CyberLock figures out the path of the script / file, then either blocks or allows it after it is evaluated by many different checks.

The new File Type feature works pretty much the same way, and it also made it super easy to add or remove file types / extensions from the list.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Do you use machine learning when analyzing parent-child process relationship to block a script.
CyberLock utilizes hand written algorithms that have been refined over 13 years that are quite similar to a decision tree that a ML/Ai would produce, but no, there is no machine learning model involved, so it is not ML/Ai. This feature is also known as our Antimalware Contextual Engine.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
What are all the file types cyberlock protect against?
You must have been reading my mind or have connections I do not know about ;).

Anyway, prior to 7.72, there was a dedicated script list that contained all of the common and many not so common file types. But keep in mind, CyberLock utilizes other modules, such as its anti-exploit and command line modules that are capable of blocking all kinds of things. So there was not a list that was written in stone, and even with 2.72 there still is not a list written in stone.

Starting with 7.72, in addition to the dedicated script list, we also have a dedicated BlockedFileType list. The BlockedFileType list in 7.72 is a quick and dirty list that needs to be refined a little. I need to add and remove types, and maybe move a few from the BlockedFileType to the Script list. There is also a dedicated Executable binary list.

The entire goal is to block each individual attack vector / file type as optimally as possible, and ultimately we will be able to refine the user prompts so they are dead on and super useful to the end user. We actually get a lot of compliments on our user prompt, but I am certain we can do even better.

Here is an one example of what I mean by an optimal block for a specific file type…

Just for the fun of it, I included .rtf in the BlockedFileType list for 7.72. The .rtf file type is best suited to be blocked by our Anti-Exploit module, and that way CyberLock only has to block a specific file if it is being utilized in an exploit. I have been reading a lot about .rtf file malware, so if we wanted to be even safer, we could keep it on the BlockedFileType, and that way each .rtf file has to be manually allowed. Sure, it might be slightly safer to block it this way, but it might interrupt end-users workflow too much.

So essentially, we need to take hard look at each file type and decide which module in CyberLock would be optimal to perform the block. Cybersecurity is all about striking the right balance between robust security and convenience, and each attack vector / file type is a little different, and should be handled optimally.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Hi @danb ,
any chance adding, Control flow guard and Hardware-enforced Stack Protection on all cyberlock's processess.
Not sure, I can look into this at some point, I am quite busy as the moment though, but thank you for the suggestion!
 
  • Like
Reactions: Azazel

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Is there a way to stop Cyberlock from adding a registry that disables Edge's Startup boost every time I install/update the application.
A while back there was a conflict between Startup Boost and CyberLock, so we disabled Startup Boost when CyberLock was installed, and then enabled it when CyberLock was uninstalled. The conflict is probably resolved by now, so we can probably remove this at some point.

The question is should we? I mean, Edge has a super small marketshare, yet when it starts on startup, it creates 20 or so new processes and uses about a half a gig of RAM. That is some pretty heavy resource usage, especially considering the marketshare. I could understand if 40% or so of users actually used Edge, but when it is as low as it is, it seems like a massive waste or resources. Anyway, that is why we have left it that way for now.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Hi there is another company named CyberLock ,no big deal but just thought maybe people should know if they are googling that name
Yeah, but they do physical security, and the name fit incredibly well, so we went with it.
 
  • Like
Reactions: Jonny Quest

n8chavez

Level 19
Well-known
Feb 26, 2021
945
Since you are having this issue with both executables and scripts, my best guess is that you created a rule or custom folder that auto allows everything. It should tell you in the developer log why a file was allowed: C:\ProgramData\CyberLock\DeveloperLog.log

But if we are only considering scripts, you might be running the script from a text editor or IDE, in which case CyberLock is designed not to block these events, that way developers can use our software without it interfering with their workflow. That is, most novices and intermediate users do not use text editors or IDE's to write code.

CyberLock has always been very capable in blocking all common, and even many lesser known scripts. With the new File Type feature, it covers even more scripts, but honestly it will not make a huge difference because most users do not have the additional script hosts on their machines, so the script would never run in the first place. But I figured, why not add them anyway, just to be safe, especially since CyberLock has this capability now.

What are the file types of the scripts that are not being blocked? If the file type is not included in our new File Type feature, then I will probably add it. But I would be surprised if it is not already on the list. That is why I am thinking that you inadvertently wrote a rule that auto allows everything.

Sorry, but no. I'm using default settings. I've even reset the whitelist. Still, I'm not getting notified about anything running. Everything is active, and notifications are turn on. I'm just not being prompted about anything prior to it running. If there a way you recommend I test this?
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Sorry, but no. I'm using default settings. I've even reset the whitelist. Still, I'm not getting notified about anything running. Everything is active, and notifications are turn on. I'm just not being prompted about anything prior to it running. If there a way you recommend I test this?
Can you please email me this log (support at cyberlock.global): C:\ProgramData\CyberLock\DeveloperLog.log

What script file types are not being blocked?

If you have multiple monitors, is the prompt being displayed on a different monitor?
 

n8chavez

Level 19
Well-known
Feb 26, 2021
945
I can't send those logs because I reimaged to before I did any damage. But I can tell you that the script files were .bat and .vbs. I do have multiple monitors but the notifications have always been on monitor 1, never 2 or 3. I just find it odd that I'm never asked about anything, not so much that the commands in the script were able to run but that the script itself was able to run. I can't see a new file having a verifiable whitecloud hash.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
I can't send those logs because I reimaged to before I did any damage. But I can tell you that the script files were .bat and .vbs. I do have multiple monitors but the notifications have always been on monitor 1, never 2 or 3. I just find it odd that I'm never asked about anything, not so much that the commands in the script were able to run but that the script itself was able to run. I can't see a new file having a verifiable whitecloud hash.
If you have issues in the future, please send me your logs and we can figure it out.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top