Advice Request Drive-by downloads: Can you get malware just from visiting a website?

Please provide comments and solutions that are helpful to the author of this topic.

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
No block from VoodooShield (in auto pilot mode) and no block from Microsoft Defender hardened by ConfigureDefender and Simple Windows Hardening 😢
Actually, AutoPilot blocks this attack just fine. I am guessing that have your WLC set to "Allow Safe WhitelistCloud items when OFF or AutoPilot", which would allow this attack when VS is OFF or on AutoPilot.

autopilot.png


SRP does not evaluate the parent process in the attack chain (or parse the command line asaik), so it is blind to a lot of advanced attacks, and to elevated attacks.

Here are a couple of different ways security products can mitigate against this attack.

1. They can globally block appdata and programdata, which is not granular and results in a lot of unwanted blocks.

2. They can evaluate the entire attack chain, which is granular and reduces the number of unwanted blocks, and properly block what needs to be blocked. Evaluating the entire attack chain is absolutely vital if you really want to create a robust "lock"... evaluating the parent process is actually just as vital as evaluating the child process.
 

Freki123

Level 15
Verified
Top Poster
Aug 10, 2013
737
Actually, AutoPilot blocks this attack just fine. I am guessing that have your WLC set to "Allow Safe WhitelistCloud items when OFF or AutoPilot", which would allow this attack when VS is OFF or on AutoPilot.

View attachment 256511
You forgot to mention that "Allow Safe WhitelistCloud items when OFF or AutoPilot" is the default setting after a fresh VS install.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
@danb you are correct, but if I want to use autopilot mode, I must change the default setting "Allow Safe WhitelistCloud items when OFF or AutoPilot" of switch off WhitelistCloud?
I was simply pointing out that it was not AutoPilot that allowed this attack, it was the "Allow Safe WhitelistCloud items when OFF or AutoPilot" WLC setting. I can change the default, all I have to do is change a 1 to a 0.

AutoPilot should mainly be used as an additional layer of protection to complement an existing robust traditional or ngav security product, or it can be used as kind of a "Smart Training" mode for a few days.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
I was simply pointing out that it was not AutoPilot that allowed this attack, it was the "Allow Safe WhitelistCloud items when OFF or AutoPilot" WLC setting. I can change the default, all I have to do is change a 1 to a 0.

AutoPilot should mainly be used as an additional layer of protection to complement an existing robust traditional or ngav security product, or it can be used as kind of a "Smart Training" mode for a few days.
Yes, I understand that, but for the user (me) it feels like AutoPilot allowed the attack.
I'm using VS as an additional layer of protection to compliment Microsoft Defender.
Just trying to look for the best balance between security and usability that I can also use for family and friends.
What would be the additional benefit of WhitelistCloud when you don't allow safe items?
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
View attachment 256512
Since left side is not "smart mode" I guess I will say it's 50/50 (and I was half wrong with default)
If you close that window, VS defaults to Smart Mode. Having said that, we probably should mention in that window that Smart Mode is the default, although, we do mention it here...

menu.png


I just figured that if people were installing a computer lock on their system, they would probably not choose the mode that is described as “This mode is not quite as secure as the Application Whitelisting Mode”.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
Yes, I understand that, but for the user (me) it feels like AutoPilot allowed the attack.
I'm using VS as an additional layer of protection to compliment Microsoft Defender.
Just trying to look for the best balance between security and usability that I can also use for family and friends.
What would be the additional benefit of WhitelistCloud when you don't allow safe items?
And that is exactly why I wanted to make it absolutely clear that it was not AutoPilot that allowed the attack, so that you were aware of this, and so you can change the setting to your liking.

For most people, run VS on AutoPilot for a day or two, then switch to Smart or Always ON.

The additional benefit of WLC is that it alerts you when an unknown item is running.

Deny-by-default products will produce blocks from time to time. If they do not, they are not deny-by-default.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
@danb you are correct, but if I want to use autopilot mode, I must change the default setting "Allow Safe WhitelistCloud items when OFF or AutoPilot" of switch off WhitelistCloud?
AutoPilot will work either way, it all depends on how tight you want your config to be, and what other security products you are running.
 

porkpiehat

Level 6
Verified
Well-known
May 30, 2015
277

@wat0114, @porkpiehat

The below test:
Code:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
%APPDATA%\updater.exe -Command exit

requires Command Prompt. PowerShell is not executed at all.
Simply open Command Prompt and paste/execute the code.(y)
OSA blocks this in another way:

View attachment 256462
ok, with CFW the updater and amsi are copied to APPDATA, but nothing happens after pressing enter ! is it me, or is something supposed to happen?
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
ok, with CFW the updater and amsi are copied to APPDATA, but nothing happens after pressing enter ! is it me, or is something supposed to happen?
It is OK. The renamed PowerShell (updater.exe) is executed and immediately closed. Depending on the Comodo settings, the execution can be allowed, contained in the sandbox, or blocked. The alerts can be suppressed by your settings. If not, then the lack of alert means that Comodo allowed unrestricted execution.

Edit.
Anyway, this test is not appropriate to test some Comodo settings because the DLL is safe (not malicious). Comodo can be configured to block unsafe DLL even when the executable which loads this DLL is safe.
 
Last edited:

porkpiehat

Level 6
Verified
Well-known
May 30, 2015
277
It is OK. The renamed PowerShell (updater.exe) is executed and immediately closed. Depending on the Comodo settings, the execution can be allowed, contained in the sandbox, or blocked. The alerts can be suppressed by your settings. If not, then the lack of alert means that Comodo allowed unrestricted execution.
aah, I have my settings to Block.... I just enabled HIPS, and an alert was given, so I can only assume that everything is hunky dory. cheers!
 

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,003
Nothing blocked with CIS in Proactive default mode but it is user initiated so I wouldn't expect blocking with that.

e.g if some rogue download did that in the background or on it's own your AV should detect that.
 
Last edited:

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,635
I was curious how SAP would do. For some odd reason I could not get it to block the attack in locked down mode (I am certain there is a simple explanation), but it did block the attack in interactive mode...

SAP.PNG
 
Last edited by a moderator:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top