- May 31, 2017
- 1,662
EternalBlue and DoublePulsar application whitelisting test
- Thread starter TheMalwareMaster
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Status
VS blocked DP to do its nasty job , not DP to exploit the kernel itself (which he can't because it isn't an anti-exploit), do you agree?
(it is why i meant since the beginning )
- May 31, 2017
- 1,662
This is not a which hunt. ALL security vendors should address this issue. MRG will publish their findings on most of the mainstream AV's, which I am assuming (after testing several) will be dismal. Since I was concerned whether VS blocked this threat or not, I performed the test. Since I went through all of the trouble to perform the test for VS, and since there was so much speculation whether similar products would block this kind of threat or not, I ran a quick test on the other products as well. It really is that simple.
- Aug 2, 2015
- 4,286
we thought we did, but with every post we are learning very much about you, please keep posting
- May 31, 2017
- 1,662
Not at all... the exploit EB failed to execute the malicious payload DP.
- May 31, 2017
- 1,662
My first like on MTwe thought we did, but with every post we are learning very much about you, please keep posting
.
- Aug 2, 2015
- 4,286
Dan your beating a dead horse with a wet spaghetti noodle
- Aug 2, 2015
- 4,286
First one ? you must not be reading my posts misterMy first like on MT
jokingnot all vendors, only the security products having the purpose of blocking this kind of attacks or suites.
AG Consumer won't (unless they change mind) , however AG business does it already.
EB is just the smb abuse. which will provide DP in the targeted system, right?
- May 31, 2017
- 1,662
We just need CS to chime in.Dan your beating a dead horse with a wet spaghetti noodle
- May 31, 2017
- 1,662
Hehehe, I think it was my first likeFirst one ? you must not be reading my posts mister
. I am so tired that I might not be remembering correctly .
- May 31, 2017
- 1,662
Any product that is designed to stop new processes from being created (not to mention running as system), should block this attack.
Actually, about the only security product that should not be concerned about this kind of attack are spam filters.
- May 31, 2017
- 1,662
Keep in mind, it does not matter how they block the attack... just as long as the attack is somehow blocked.
As I have mentioned a couple of times, in the MRG report, Kaspersky blocked the attack after it was successful...
"Update 2017-05-19: Kaspersky Internet Security can detect the DOUBLEPULSAR in-memory backdoor via memory scan (part of quick scan)."
This is not optimal (as CS would say), but at least it did not allow DP to keep running. This is all according to MRG, please do not sue me Mr. Kaspersky.
As I have mentioned a couple of times, in the MRG report, Kaspersky blocked the attack after it was successful...
"Update 2017-05-19: Kaspersky Internet Security can detect the DOUBLEPULSAR in-memory backdoor via memory scan (part of quick scan)."
This is not optimal (as CS would say), but at least it did not allow DP to keep running. This is all according to MRG, please do not sue me Mr. Kaspersky
.depending their policy...in the case of AG , AppGuard does not apply a policy to the kernel.
AG Consumer block user-space items to get into system-space items (this is what malware does) . that is it. that is SRP.
so it doesn't care of DP, but what DP will do after in the system like executing downloaded malicious exes, some vulnerable processes exploits (powershell, etc...), etc...
Once you understand the role of AG , you can setup a proper layered setup , adding an AV or like i do an anti-exploit like HMPA.
@Peter2150 im quite sure he will use a application that forbid writing of files in the system , he mentioned about MZwritescanner.
Last edited by a moderator:
- May 31, 2017
- 1,662
Okay, let's just wait until CS, Fabian, or someone else explains this to you. I cannot do this anymore.
When we meet in Vegas, I hope you realize that I have fondness for Krug Private Cuvée.
It is time to relinquish my White Cipher name. My new name is Job. And I and not even religious.
When we meet in Vegas, I hope you realize that I have fondness for Krug Private Cuvée
.It is time to relinquish my White Cipher name. My new name is Job. And I and not even religious
.
- Dec 29, 2016
- 131
I think so too. So long as it stays civil, everyone can gain from this.
Nothing to explain me, nobody will talk about it anymore, obsolete attack...
Personally i don't care of it, because i won't be affected. You can't get into my system in the first place and if you manage to get in (which i will be curious how) , you won't stay long...
I debated only for the sake of the demonstration, in practice, i really don't care, my system is impervious to it.
And after all this the goal of everyone here.
Personally i don't care of it, because i won't be affected. You can't get into my system in the first place and if you manage to get in (which i will be curious how) , you won't stay long...
I debated only for the sake of the demonstration, in practice, i really don't care, my system is impervious to it.
And after all this the goal of everyone here.
- Dec 23, 2014
- 8,133
Guys, please, the video can be interpreted in many ways, because we know for sure from it, only that rundll32.exe was blocked after a successful EternalBlue exploit. So, there are three or more scenarios:
So, additional information is required to choose the right scenario. The first point verification, can be done easily by reproducing Dan's video, and performing the test for DoublePulsar on the target machine.
Until the test will be made, the discussion is pointless, and annoying.
It would be also fine if Dan could avoid using the word AG (AppGuard) and Umbra the word VS (VoodooShield).
- EternalBlue tried to inject DoublePulsar and failed because the rundll32.exe was used on this stage (Dan).
- EternalBlue successfully injected DoublePulsar, but DoublePulsar failed to run the payload, because the rundll32.exe was used on this stage.
- EternalBlue & DoublePulsar successfully executed the payload, but the payload (or its child process) failed, because the rundll32.exe was used to load additional DLL. (Umbra).
So, additional information is required to choose the right scenario. The first point verification, can be done easily by reproducing Dan's video, and performing the test for DoublePulsar on the target machine.
Until the test will be made, the discussion is pointless, and annoying.
It would be also fine if Dan could avoid using the word AG (AppGuard) and Umbra the word VS (VoodooShield).
- Feb 24, 2017
- 1,661
From an outsiders prospective, this whole drama seems like a few Appguard pluggers didn't like someone showing Appguard in a bad light and started going personal on VS/Dan.
sorry @Umbra ..
can't understand why people are arguing which is the best between Appguard and VS, when even Appguard dev @Lockdown said that Appguard is an Enterprise solution, and VS is clearly a Home one.
at the end of the day, as an enduser: Did VS automatically block(without adding every single ##### in a blocklist) any possible damage done through/by EternalBlue? Yes.
who cares how it is done exactly.
Did Appguard do the same? No.
So?
sorry @Umbra ..
can't understand why people are arguing which is the best between Appguard and VS, when even Appguard dev @Lockdown said that Appguard is an Enterprise solution, and VS is clearly a Home one.
at the end of the day, as an enduser: Did VS automatically block(without adding every single ##### in a blocklist) any possible damage done through/by EternalBlue? Yes.
who cares how it is done exactly.
Did Appguard do the same? No.
So?
Last edited:
- Status
