Advice Request Drive-by downloads: Can you get malware just from visiting a website?


danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
No block from VoodooShield (in auto pilot mode) and no block from Microsoft Defender hardened by ConfigureDefender and Simple Windows Hardening 😢
Actually, AutoPilot blocks this attack just fine. I am guessing that you have your WLC set to "Allow Safe WhitelistCloud items when OFF or AutoPilot", which would allow this attack when VS is OFF or on AutoPilot.

autopilot.png


SRP does not evaluate the parent process in the attack chain (or parse the command line, AFAIK), so it is blind to a lot of advanced attacks, and to elevated attacks.

Here are a couple of different ways security products can mitigate against this attack.

1. They can globally block appdata and programdata, which is not granular and results in a lot of unwanted blocks.

2. They can evaluate the entire attack chain, which is granular and reduces the number of unwanted blocks, and properly block what needs to be blocked. Evaluating the entire attack chain is absolutely vital if you really want to create a robust "lock"... evaluating the parent process is actually just as vital as evaluating the child process.
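Added illustration of the two approaches danb describes (not VoodooShield's or any other product's code): it runs both policies over a few constructed process-creation events that mirror the renamed-PowerShell-in-%APPDATA% test posted later in the thread. Paths, pids and the "hashes" are stand-in values, and only AppData/ProgramData are treated as user-writable.

```python
import hashlib
from collections import namedtuple

# Stand-in hashes for the system binaries (constructed labels, not real SHA-256 values).
def fake_hash(label: str) -> str:
    return hashlib.sha256(label.encode()).hexdigest()

SYSTEM_BINARIES = {fake_hash("powershell"): "powershell.exe", fake_hash("cmd"): "cmd.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
ProcEvent = namedtuple("ProcEvent", "pid ppid image image_hash")

# Constructed process-creation events: the thread's test (PowerShell copied to
# %APPDATA% and run as updater.exe from cmd.exe) next to a legitimate per-user updater.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", fake_hash("explorer")),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", fake_hash("cmd")),
    ProcEvent(300, 200, r"C:\Users\dan\AppData\Roaming\updater.exe", fake_hash("powershell")),
    ProcEvent(400, 100, r"C:\Users\dan\AppData\Local\SomeApp\Update.exe", fake_hash("someapp")),
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parent_chain(ev: ProcEvent, events=EVENTS) -> str:
    """Walk ppid links back to the root: 'child <- parent <- grandparent'."""
    by_pid = {e.pid: e for e in events}
    seen, names, cur = set(), [], ev
    while cur is not None and cur.pid not in seen:   # stop at the root or on a pid cycle
        seen.add(cur.pid)
        names.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return " <- ".join(names)

def block_global(ev: ProcEvent) -> bool:
    """Approach 1: block anything launched from AppData/ProgramData (coarse)."""
    return ev.image.lower().startswith(USER_WRITABLE)

def block_by_chain(ev: ProcEvent, events=EVENTS) -> tuple:
    """Approach 2: block only a renamed system binary running from a user-writable
    path, and record the parent chain that launched it (granular)."""
    original = SYSTEM_BINARIES.get(ev.image_hash)
    renamed = original is not None and basename(ev.image) != original
    if renamed and block_global(ev):
        return True, parent_chain(ev, events)
    return False, ""

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{basename(e.image):12} global={block_global(e)} chain={block_by_chain(e)}")
```

Approach 1 blocks both the renamed PowerShell and the benign updater; approach 2 blocks only the renamed copy and reports the chain that launched it.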
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Actually, AutoPilot blocks this attack just fine. I am guessing that you have your WLC set to "Allow Safe WhitelistCloud items when OFF or AutoPilot", which would allow this attack when VS is OFF or on AutoPilot.

You forgot to mention that "Allow Safe WhitelistCloud items when OFF or AutoPilot" is the default setting after a fresh VS install.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
@danb you are correct, but if I want to use autopilot mode, I must change the default setting "Allow Safe WhitelistCloud items when OFF or AutoPilot" or switch off WhitelistCloud?
I was simply pointing out that it was not AutoPilot that allowed this attack, it was the "Allow Safe WhitelistCloud items when OFF or AutoPilot" WLC setting. I can change the default, all I have to do is change a 1 to a 0.

AutoPilot should mainly be used as an additional layer of protection to complement an existing robust traditional or ngav security product, or it can be used as kind of a "Smart Training" mode for a few days.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,414
I was simply pointing out that it was not AutoPilot that allowed this attack, it was the "Allow Safe WhitelistCloud items when OFF or AutoPilot" WLC setting. I can change the default, all I have to do is change a 1 to a 0.

AutoPilot should mainly be used as an additional layer of protection to complement an existing robust traditional or ngav security product, or it can be used as kind of a "Smart Training" mode for a few days.
Yes, I understand that, but for the user (me) it feels like AutoPilot allowed the attack.
I'm using VS as an additional layer of protection to complement Microsoft Defender.
Just trying to look for the best balance between security and usability that I can also use for family and friends.
What would be the additional benefit of WhitelistCloud when you don't allow safe items?
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Since left side is not "smart mode" I guess I will say it's 50/50 (and I was half wrong with default)
If you close that window, VS defaults to Smart Mode. Having said that, we probably should mention in that window that Smart Mode is the default, although, we do mention it here...

menu.png


I just figured that if people were installing a computer lock on their system, they would probably not choose the mode that is described as “This mode is not quite as secure as the Application Whitelisting Mode”.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Yes, I understand that, but for the user (me) it feels like AutoPilot allowed the attack.
I'm using VS as an additional layer of protection to complement Microsoft Defender.
Just trying to look for the best balance between security and usability that I can also use for family and friends.
What would be the additional benefit of WhitelistCloud when you don't allow safe items?
And that is exactly why I wanted to make it absolutely clear that it was not AutoPilot that allowed the attack, so that you were aware of this, and so you can change the setting to your liking.

For most people, run VS on AutoPilot for a day or two, then switch to Smart or Always ON.

The additional benefit of WLC is that it alerts you when an unknown item is running.

Deny-by-default products will produce blocks from time to time. If they do not, they are not deny-by-default.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
@danb you are correct, but if I want to use autopilot mode, I must change the default setting "Allow Safe WhitelistCloud items when OFF or AutoPilot" or switch off WhitelistCloud?
AutoPilot will work either way, it all depends on how tight you want your config to be, and what other security products you are running.
 

porkpiehat

Level 6
Verified
Well-known
May 30, 2015
277

@wat0114, @porkpiehat

The below test:
Code:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit

requires Command Prompt. PowerShell is not executed at all.
Simply open Command Prompt and paste/execute the code.(y)
OSA blocks this in another way:

OK, with CFW the updater and amsi are copied to APPDATA, but nothing happens after pressing enter! Is it me, or is something supposed to happen?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
OK, with CFW the updater and amsi are copied to APPDATA, but nothing happens after pressing enter! Is it me, or is something supposed to happen?
It is OK. The renamed PowerShell (updater.exe) is executed and immediately closed. Depending on the Comodo settings, the execution can be allowed, contained in the sandbox, or blocked. The alerts can be suppressed by your settings. If not, then the lack of alert means that Comodo allowed unrestricted execution.

Edit.
Anyway, this test is not appropriate to test some Comodo settings because the DLL is safe (not malicious). Comodo can be configured to block unsafe DLL even when the executable which loads this DLL is safe.
 

porkpiehat

Level 6
Verified
Well-known
May 30, 2015
277
It is OK. The renamed PowerShell (updater.exe) is executed and immediately closed. Depending on the Comodo settings, the execution can be allowed, contained in the sandbox, or blocked. The alerts can be suppressed by your settings. If not, then the lack of alert means that Comodo allowed unrestricted execution.
aah, I have my settings to Block.... I just enabled HIPS, and an alert was given, so I can only assume that everything is hunky dory. cheers!
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
Nothing blocked with CIS in Proactive default mode but it is user initiated so I wouldn't expect blocking with that.

e.g. if some rogue download did that in the background or on its own, your AV should detect that.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
I was curious how SAP would do. For some odd reason I could not get it to block the attack in locked down mode (I am certain there is a simple explanation), but it did block the attack in interactive mode...

SAP.PNG
 
