Q&A Drive-by downloads: Can you get malware just from visiting a website?

danb

From VoodooShield
Verified
Developer
May 31, 2017
888
No block from VoodooShield (in auto pilot mode) and no block from Microsoft Defender hardened by ConfigureDefender and Simple Windows Hardening 😢
Actually, AutoPilot blocks this attack just fine. I am guessing that you have your WLC set to "Allow Safe WhitelistCloud items when OFF or AutoPilot", which would allow this attack when VS is OFF or on AutoPilot.

[attachment: autopilot.png]


SRP does not evaluate the parent process in the attack chain (or parse the command line, AFAIK), so it is blind to a lot of advanced attacks, and to elevated attacks.

Here are a couple of different ways security products can mitigate against this attack.

1. They can globally block appdata and programdata, which is not granular and results in a lot of unwanted blocks.

2. They can evaluate the entire attack chain, which is granular and reduces the number of unwanted blocks, and properly block what needs to be blocked. Evaluating the entire attack chain is absolutely vital if you really want to create a robust "lock"... evaluating the parent process is actually just as vital as evaluating the child process.
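As an added illustration of point 2 (this is not VoodooShield's code and not a description of how VoodooShield or SRP implement it): the PowerShell below walks a process's parent chain with CIM and applies a chain-aware rule, so that an executable under %APPDATA% spawned by a script host or document handler is blocked, while the same file started by the user from Explorer only gets a prompt. The directory and process-name lists, the PID-reuse check and the allow/prompt/block outcomes are illustrative assumptions.

```powershell
# Added example (not VoodooShield code): walk a process's parent chain with CIM and
# apply a chain-aware rule instead of a blanket "block everything under %APPDATA%".
# The lists below are illustrative assumptions, not any product's policy.
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) | Where-Object { $_ }
$ScriptHosts  = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe')
$DocHandlers  = @('winword.exe','excel.exe','powerpnt.exe','outlook.exe','acrord32.exe','msedge.exe','chrome.exe','firefox.exe')

function Get-ProcessChain {
    # Returns the process and its ancestors, nearest first. Stops on PID reuse:
    # a "parent" that was created after its child is not the real parent.
    param([Parameter(Mandatory)][int]$ProcessId, [int]$MaxDepth = 16)
    $chain   = New-Object System.Collections.Generic.List[object]
    $seen    = @{}
    $current = $ProcessId
    for ($depth = 0; $depth -lt $MaxDepth -and $current -gt 0 -and -not $seen.ContainsKey($current); $depth++) {
        $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $current"
        if (-not $proc) { break }
        $seen[$current] = $true
        $chain.Add([pscustomobject]@{
            Pid         = $proc.ProcessId
            Name        = $proc.Name
            Path        = $proc.ExecutablePath      # $null for protected/system processes
            CommandLine = $proc.CommandLine
            Created     = $proc.CreationDate
            ParentPid   = $proc.ParentProcessId
        })
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        if (-not $parent -or $parent.CreationDate -gt $proc.CreationDate) { break }   # parent gone, or its PID was reused
        $current = $proc.ParentProcessId
    }
    return $chain
}

function Test-ProcessChain {
    # Decision for one process, given its ancestry: allow | prompt | block | unknown.
    param([Parameter(Mandatory)][int]$ProcessId)
    $chain = @(Get-ProcessChain -ProcessId $ProcessId)
    if ($chain.Count -eq 0) { return 'unknown' }
    $child     = $chain[0]
    $ancestors = $chain | Select-Object -Skip 1
    $fromUserWritable = $false
    if ($child.Path) {
        $fromUserWritable = [bool]($UserWritable | Where-Object { $child.Path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
    }
    $viaScriptHost = [bool]($ancestors | Where-Object { $ScriptHosts -contains $_.Name })   # -contains is case-insensitive
    $viaDocHandler = [bool]($ancestors | Where-Object { $DocHandlers -contains $_.Name })
    if ($fromUserWritable -and ($viaScriptHost -or $viaDocHandler)) { return 'block' }   # e.g. %APPDATA%\updater.exe spawned by cmd.exe
    if ($fromUserWritable) { return 'prompt' }   # the user started it from explorer.exe: ask, do not silently block
    return 'allow'
}
```

Run `Get-ProcessChain -ProcessId $PID | Format-Table` from a PowerShell started out of a Command Prompt and the chain reads powershell.exe, cmd.exe, explorer.exe. To try the decision on the test further down in this thread, launch the renamed host with `-Command Start-Sleep 60` instead of `-Command exit` so it is still alive, then `Test-ProcessChain -ProcessId (Get-Process updater).Id` returns `block` when cmd.exe is the parent and `prompt` when the same file was double-clicked in Explorer. A path-only rule (point 1) cannot tell those two launches apart.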
 

Freki123

Level 8
Verified
Aug 10, 2013
392
Actually, AutoPilot blocks this attack just fine. I am guessing that you have your WLC set to "Allow Safe WhitelistCloud items when OFF or AutoPilot", which would allow this attack when VS is OFF or on AutoPilot.

[attachment 256511]
You forgot to mention that "Allow Safe WhitelistCloud items when OFF or AutoPilot" is the default setting after a fresh VS install.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
888
@danb you are correct, but if I want to use AutoPilot mode, I must change the default setting "Allow Safe WhitelistCloud items when OFF or AutoPilot" or switch off WhitelistCloud?
I was simply pointing out that it was not AutoPilot that allowed this attack, it was the "Allow Safe WhitelistCloud items when OFF or AutoPilot" WLC setting. I can change the default, all I have to do is change a 1 to a 0.

AutoPilot should mainly be used as an additional layer of protection to complement an existing robust traditional or NGAV security product, or it can be used as kind of a "Smart Training" mode for a few days.
 

Gandalf_The_Grey

Level 47
Verified
Trusted
Content Creator
Apr 24, 2016
3,615
I was simply pointing out that it was not AutoPilot that allowed this attack, it was the "Allow Safe WhitelistCloud items when OFF or AutoPilot" WLC setting. I can change the default, all I have to do is change a 1 to a 0.

AutoPilot should mainly be used as an additional layer of protection to complement an existing robust traditional or NGAV security product, or it can be used as kind of a "Smart Training" mode for a few days.
Yes, I understand that, but for the user (me) it feels like AutoPilot allowed the attack.
I'm using VS as an additional layer of protection to complement Microsoft Defender.
Just trying to look for the best balance between security and usability that I can also use for family and friends.
What would be the additional benefit of WhitelistCloud when you don't allow safe items?
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
888
[attachment 256512]
Since the left side is not "smart mode", I guess I will say it's 50/50 (and I was half wrong about the default).
If you close that window, VS defaults to Smart Mode. Having said that, we probably should mention in that window that Smart Mode is the default, although, we do mention it here...

[attachment: menu.png]


I just figured that if people were installing a computer lock on their system, they would probably not choose the mode that is described as “This mode is not quite as secure as the Application Whitelisting Mode”.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
888
Yes, I understand that, but for the user (me) it feels like AutoPilot allowed the attack.
I'm using VS as an additional layer of protection to complement Microsoft Defender.
Just trying to look for the best balance between security and usability that I can also use for family and friends.
What would be the additional benefit of WhitelistCloud when you don't allow safe items?
And that is exactly why I wanted to make it absolutely clear that it was not AutoPilot that allowed the attack, so that you were aware of this, and so you can change the setting to your liking.

For most people, run VS on AutoPilot for a day or two, then switch to Smart or Always ON.

The additional benefit of WLC is that it alerts you when an unknown item is running.

Deny-by-default products will produce blocks from time to time. If they do not, they are not deny-by-default.
 

porkpiehat

Level 6
May 30, 2015
277

@wat0114, @porkpiehat

The below test:
Code:
rem copy the PowerShell host under a new name into a user-writable directory
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
rem place a (genuine) amsi.dll next to it; the application directory is searched before System32, so the renamed host loads this copy
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
rem start the renamed host and exit immediately
%APPDATA%\updater.exe -Command exit

requires Command Prompt. PowerShell is not executed at all.
Simply open Command Prompt and paste/execute the code.
OSA blocks this in another way:

View attachment 256462
OK, with CFW, updater and amsi are copied to APPDATA, but nothing happens after pressing Enter! Is it me, or is something supposed to happen?
 

Andy Ful

Level 69
Verified
Trusted
Content Creator
Dec 23, 2014
5,883
OK, with CFW, updater and amsi are copied to APPDATA, but nothing happens after pressing Enter! Is it me, or is something supposed to happen?
It is OK. The renamed PowerShell (updater.exe) is executed and immediately closed. Depending on the Comodo settings, the execution can be allowed, contained in the sandbox, or blocked. The alerts can be suppressed by your settings. If not, then the lack of alert means that Comodo allowed unrestricted execution.

Edit.
Anyway, this test is not appropriate to test some Comodo settings because the DLL is safe (not malicious). Comodo can be configured to block an unsafe DLL even when the executable which loads this DLL is safe.
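As an added example (not code from the thread, OSArmor or Comodo), two PowerShell checks for the artefacts the test above leaves behind. The first hunts user-writable directories for executables whose version resource says OriginalFilename "PowerShell.EXE" (the value Windows PowerShell carries, which is why a file-name rule misses the rename) and reports whether an amsi.dll sits beside them and whether it matches the System32 copy; the test relies on the application directory being searched before System32, so the renamed host loads that local copy. The second lists running processes with amsi.dll mapped from outside the system directories; because the test's host exits immediately, that check only fires while an instance is still running. The root list and the output fields are assumptions.

```powershell
# Added example (not from the thread or any product): hunt the staging the test leaves behind.
# Assumption: Windows PowerShell's version resource carries OriginalFilename "PowerShell.EXE".
function Find-RenamedPowerShell {
    # Finds .exe files under user-writable roots that are PowerShell by version resource,
    # and reports whether an amsi.dll sits beside them and whether it matches System32's.
    param([string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP))
    $refHash = (Get-FileHash -Algorithm SHA256 -Path "$env:windir\System32\amsi.dll").Hash
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Filter *.exe -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $orig = $_.VersionInfo.OriginalFilename
            if ($orig -ne 'PowerShell.EXE') { return }        # -ne is case-insensitive; return = skip this file
            $sibling   = Join-Path $_.DirectoryName 'amsi.dll'
            $amsiState = 'absent'
            if (Test-Path $sibling) {
                $h = (Get-FileHash -Algorithm SHA256 -Path $sibling).Hash
                $amsiState = if ($h -eq $refHash) { 'genuine copy beside host (hijack staging)' } else { 'differs from System32 copy' }
            }
            [pscustomobject]@{
                Path             = $_.FullName
                OriginalFilename = $orig
                Renamed          = ($_.Name -ne 'powershell.exe')
                AmsiBesideHost   = $amsiState
            }
        }
    }
}

function Find-ForeignAmsiLoads {
    # Live check: any process with amsi.dll mapped from outside the Windows system directories.
    # The test's host exits at once, so this only catches an instance that is still running.
    $allowed = @("$env:windir\System32\", "$env:windir\SysWOW64\")
    foreach ($p in Get-Process) {
        try { $mods = Get-Process -Id $p.Id -Module -ErrorAction Stop } catch { continue }   # protected or cross-bitness processes deny access
        foreach ($m in $mods) {
            if ($m.ModuleName -ne 'amsi.dll') { continue }
            $inSystem = [bool]($allowed | Where-Object { $m.FileName.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
            if (-not $inSystem) {
                [pscustomobject]@{ ProcessId = $p.Id; Process = $p.ProcessName; AmsiPath = $m.FileName }
            }
        }
    }
}
```

After running the three Command Prompt lines, `Find-RenamedPowerShell | Format-List` reports %APPDATA%\updater.exe with Renamed True and the amsi.dll beside it as a genuine copy, which matches the remark above that the DLL itself is safe: what a product has to judge is the load location and the renamed host, not the file content. To see `Find-ForeignAmsiLoads` fire, keep the host alive with `-Command Start-Sleep 60` instead of `-Command exit`.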
 

porkpiehat

Level 6
May 30, 2015
277
It is OK. The renamed PowerShell (updater.exe) is executed and immediately closed. Depending on the Comodo settings, the execution can be allowed, contained in the sandbox, or blocked. The alerts can be suppressed by your settings. If not, then the lack of alert means that Comodo allowed unrestricted execution.
Aah, I have my settings set to Block... I just enabled HIPS, and an alert was given, so I can only assume that everything is hunky-dory. Cheers!
 

ErzCrz

Level 9
Verified
Aug 19, 2019
440
Nothing blocked with CIS in Proactive default mode, but it is user initiated, so I wouldn't expect blocking with that.

E.g. if some rogue download did that in the background or on its own, your AV should detect that.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
888
I was curious how SAP would do. For some odd reason I could not get it to block the attack in locked down mode (I am certain there is a simple explanation), but it did block the attack in interactive mode...

[attachment: SAP.PNG]
 