- May 31, 2017
I'll drink to that. C'mon guys, who cares? Let's all just agree to disagree and move on! This isn't the end of the world. This was a nasty attack and there will be plenty more to come, and besides, VoodooShield is great at what it does (mainly anti-exe) and I recommend people use it for good protection if they use it properly.
VS + UAC + SmartScreen = great
VS + WD + UAC + SmartScreen = great
WD + UAC + SS = great too
VS + HMP.A + UAC + SC = great
It doesn't even matter if VS missed the exploit execution; exploits are designed to bypass security solutions. If you block one there will be others that will succeed. Just watch what you do and don't be click-happy, and the problem is pretty much solved. I guarantee you that anything WannaCry-related was due to employees in enterprises like the NHS blatantly clicking links to attachments; that is usually how infections are spread (e-mail), or just blatantly downloading and running new apps.
@danb VoodooShield is a great product, keep doing what you are doing.
Let's all move on from this storm about EB/DP and let @danb have a rest now.
Are you saying that since a patch exists for EB/DP, it is no longer a concern? I do not think CS would have made a new video if she thought that all of the 55%+ (NetMarketShare, XP and 7) of the world's PCs were patched and/or properly protected.
Video Review - Comodo Firewall vs A CryptoCurrency Miner
Adylkuzz, the new virus that follows in WannaCry's footsteps - Panda Security
Please do not piss CS off, or she will never release a pic of her in the Palo Alto T-shirt.
The EB/DP combo was originally a spy tool... it has been adapted into something much more malicious, and will continue to be enhanced.
I do agree... most of the big zero days are not intended to affect the home user, but for some reason, they always seem to trickle down.
I have actually done quite a bit more testing... and the results are scary, but we will wait for the MRG report.
A lot of people seem to keep forgetting that this was a single attack... there are (and will be) countless others.
And if the existing mechanisms failed to properly protect in this attack, there is no reason to believe that they will stop the next attack.
Cool, we are on the same page then (especially on the CS point). The exploit was never released by the agencies in the first place; it was leaked. It doesn't mean that the problem doesn't exist or have an effect. I am surprised endpoints are still running XP or any old OS; their IT department must be really bad.
The talk is never about what it trickles down to. This is not something for the regular user to worry about; most AVs, even Windows Defender, will detect the malware dropper, and that's all that matters for the home user. Malware writers have no fetish for spying on users, or maybe they will have one soon.
Everything created by humans will have a flaw and someone will find it eventually; that doesn't mean security programs are useless. If there is anyone to blame, it's these agencies. Heck! The Taliban was a creation of the CIA, and then people call Muslims terrorists.
The only reason it ever trickled down to the user was because it was leaked, and really, privacy is a joke these days.
All we had been reading before was about how they spy, and we never knew it would be leaked, but this is what happens when our own people don't want to report problems. In this day and age it's not secure to use outdated Windows.
Also, if you are speaking about XP/Vista and its market share, remember they have more exploits that haven't been leaked and aren't out yet. Just think what havoc it would wreak if they were to be released.
Malware writers will use these exploits to their advantage, and you can't blame them, but our own government, who claim to work for our safety by violating our privacy.
If this continues, even home users will be affected; it's an early wake-up call for the agencies, since it wouldn't take much time for the regular writers to use them.
PS. I would love to see CS's pic.
Cool, we are on the same page then (especially on the CS point).
I have no idea how far an exploit like this trickles down. The only thing that is important is that if you are going to target SMBs and enterprise customers, this is certainly an attack that should be stopped. Thank you!
For me personally (and obviously for VS), it makes zero difference whether we are protecting a home or business computer. So while I would be curious about the distribution ratio of home / business attacks in the WannaCry outbreak (just for the heck of it), in the end it makes no difference... all computers should be adequately protected.
Even if it is targeting normal users, they wouldn't get much out of it (assuming screenlockers and Emotet were to use this); most home users format their computers and move on.
AV vendors will have to start paying attention to detect what's underneath, which they are already doing. So we should be good, at least for now.
Also, I am not sure what "sort" of enterprise people you want to target using this exploit, considering WannaCry didn't get much out of it. It would make more sense to be used in a nation-state attack.
Don't forget the Flame/Stuxnet hype.
Guys, please, both of you have some authority here on the MalwareTips forum. Apparently you cannot agree with each other, and it seems that such an agreement is hardly possible on this topic. So maybe everybody could agree with the below statements:
- Generally, no one has proved that malware using a remote kernel exploit (EternalBlue & DoublePulsar, for example) will be fully stopped by SRP or anti-exe security solutions.
- There is a test that shows that kind of malware being stopped by some anti-exe solutions (VoodooShield, NVT ERP) when the attacker uses Metasploit with a meterpreter payload.
- There is another test with FuzzBunch showing that SRP and anti-exe may fail to stop the EternalBlue & DoublePulsar part of the malware.
- It is still possible that SRP and anti-exe security solutions can stop many payloads, even when the system is infected via EternalBlue & DoublePulsar. But in many cases SRP and anti-exe can fail, too.
- Windows native SRP can hardly stop such malware, because the infection proceeds with System rights. Such security requires frequent system patching.
- The best protection against remote kernel exploits is updating and upgrading the system. The new versions of Windows have significantly stronger protection against remote kernel exploits, and generally against all kinds of exploits.
You pretended from the start: "VS stops the installation of DP" and injection in lsass.exe; I proved you wrong. Now you try to save face by playing on words; we all can see that.
danb said: VS successfully blocked the attack in the Metasploit port test... this has been proven beyond any doubt.
"VS blocked the DP hacker tools"; yes, better you change your statement. Before it was "VS blocks DP installation" or "VS blocks kernel exploits"... how funny you are... changing your wording when it benefits you... unbelievable...
In the end... in the Metasploit VS test, VS blocked the DP hacker tools and the data exfiltration, and that is all that matters. Keep in mind, only a very small handful of security products could block the attack as well as or better than VS did. A lot of products with R&D budgets of hundreds of millions of dollars, and teams of 400 devs, missed the attack completely.
You made a video to promote VS and discredit AG, because you can't handle the fact that some people say AG is better than VS... you miserably failed because you didn't even understand SRP's purpose and the attack you are demonstrating! Hilarious!!!
As far as the MRG FuzzBunch port test goes... I will let MRG tell you the final results. It would be beneficial for MRG to run both the Metasploit and the FuzzBunch ports on all 4 of the original products.
It is outside, we knew it from the start! EB-DP is an in-memory kernel-exploit-based attack, so of course it's out of scope; VS, ERP, AG Consumer or whatever can't block it.
If an attack is outside the scope of application control, then NO application control product will stop the attack.
All I wanted to do was to perform the test, using the same method that Sophos used, and post the video... because no one else was testing, they were simply speculating. Do not blame me for keeping the argument going, especially when your argument is completely dependent on the definition of the word "install".
You pretended from the start: "VS stops the installation of DP" and injection in lsass.exe; I proved you wrong. Now you try to save face by playing on words; we all can see that.
I have claimed since the very start that VS just blocked the reverse TCP; you said "no no, VS stopped the installation of DP". We have plenty of posts showing your statement.
Zoltan of MRG acknowledged all my statements about EB-DP and VS, here: WannaCry Exploit Could Infect Windows 10
So just admit it.
"VS blocked the DP hacker tools"; yes, better you change your statement. Before it was "VS blocks DP installation" or "VS blocks kernel exploits"... how funny you are... changing your wording when it benefits you... unbelievable...
Me? I never changed my statement; I always said "VS blocks the reverse-TCP connection"... unlike you, when I'm wrong, I have the balls to admit it.
I thought AG Consumer could block it; I was shown I was wrong, so I stopped stating it. But you?... even an expert says it clearly, and you can't admit it!
You made a video to promote VS and discredit AG, because you can't handle the fact that some people say AG is better than VS... you miserably failed because you didn't even understand SRP's purpose and the attack you are demonstrating! Hilarious!!!
It is outside, we knew it from the start! EB-DP is an in-memory kernel exploit, so of course it's out of scope; VS, ERP, AG Consumer or whatever can't block it.
That is why in the beginning, when I started to learn about EB-DP, I had a doubt, and I asked you to try 2 settings in AG, and it didn't work (based on your feedback), and then I was told it would be unsafe for the system to apply those tweaks anyway...
The more you talk now, the more the members can see your true colors: a deceptive and lying dev who just promotes his "beloved baby" soft by whatever means he can; that is why I stopped recommending VS to people. It is a good soft, but brought down by your fanboy attitude.
A dev should focus on his products, not debate every post forum members may make, and even less make videos comparing products he doesn't understand with attacks he doesn't understand.
And for your info, I know what an exploit is; everybody here knows that I know. Don't even dare to try mocking me by twisting my words, because here you are not at Wilders... if you do, be ready to face the consequences... got it?
All I wanted to do was to perform the test, using the same method that Sophos used, and post the video... because no one else was testing, they were simply speculating. Do not blame me for keeping the argument going, especially when your argument is completely dependent on the definition of the word "install".
@danb your problem is your interpretation; installing doesn't mean connecting. Those are 2 different actions.
So really, it all comes down to the definition of install, and I believe the definition of install is "to place in position or connect for service or use".
No, there is a difference between executing a task and completing it. If lsass.exe is able to spawn rundll, calc, or any other process, that means DP is running.
Umbra, if lsass.exe is not able to spawn rundll, does that mean that the opposite is true? Logic! And actually, sure, it might be running, but the fact that it cannot spawn rundll32 proves that it is restricted.
Yes, I never said the opposite; I said it from the start! VS blocked the connection attempt.
- However, VS and ERP prevented DP from fully running any additional payloads.
AND THE HACKER TOOLS ARE NOT AVAILABLE... along with preventing data exfiltration... this is very important.
Yes, that is all that matters: suspended or blocked task = means task already created = DP is installed and running.
- Those rundll32, calc, etc... would be in suspended mode because of VS/ERP, meaning they were created but can't fully execute.
No, they are suspended while VS decides whether to allow the process or not. If the process is denied from being created, it is completely denied.
You kept saying I was wrong, I didn't run the test so I can't understand, I don't know an exploit from a payload, I am an agent of AppGuard, etc... etc... come on...
BTW, I never implied that you were stupid or ignorant... I just simply wanted you to run the test for yourself, so you can see how the attack works in real time.
Umbra, the literal definition of install is: to place in position or connect for service or use. In fact, it has the exact word, connect, that you are arguing it does not mean.
@danb your problem is your interpretation; installing doesn't mean connecting. Those are 2 different actions.
I can install a commercial keylogger; it is installed on the system, the files are there, but if the firewall blocks it from calling home, that is about "connecting", not "installing".
VS blocks the connection, not the installation.
You install a printer driver; the driver is there. Now if you don't have the printer turned on, it doesn't mean the driver doesn't exist anymore.
Words are powerful; in demonstrations they must be weighed and used properly. No room for vagueness, especially from a dev.
No, there is a difference between executing a task and completing it.
lsass.exe attempted the connection via rundll32.exe, but was unable to complete it because of VS and ERP. That means DP was there; that is all that matters.
If the backdoor is there (lsass.exe being injected by DP), blocking the backdoor from connecting doesn't mean the backdoor doesn't exist.
If I throw a knife at you, my knife is thrown, but you intercepted it; that doesn't mean my throw didn't happen and I don't exist. Understand?
Yes, I never said the opposite; I said it from the start! VS blocked the connection attempt.
If the reverse connection fails, the tools can't be used and exfiltration of data won't happen; that doesn't mean the backdoor doesn't exist and can't be used in the future if the attacker manages to find a way to reconnect to it (let's say by disabling VS, for example, or by using a method VS can't block).
Yes, that is all that matters: suspended = means created = DP is installed.
VS blocks the connection, not the installation. Simple and proven fact.
You kept saying I was wrong, I didn't run the test so I can't understand, I don't know an exploit from a payload, I am an agent of AppGuard, etc... etc... come on...
You throw tons of personal attacks; that is why I didn't let you get away with it without retaliation. No one will ruin my name or step on me as you tried to do (intentionally or not); mark my words!
I don't need to test it to get info; I have enough knowledge to deduce facts from your video, and then I did my research to learn more... and in the end, after all my research, I was correct in my statements. It is as simple as that.
How many times have I demonstrated faulty or biased videos, like Black Cypher's ones. I don't have to test to find clues.
YES
I think we can sum this up with one sentence.
While VoodooShield is not an anti-exploit utility, its application control mechanisms performed properly in the EB/DP Metasploit test, and the attack was effectively stopped from loading the DP hacker tools and exfiltrating data. Fair enough?
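Both sides of the thread agree on one observable: in the test, lsass.exe (the process DoublePulsar injects into) tried to spawn rundll32.exe and reach back to the attacker, and the anti-exe tool stopped the child process and the reverse-TCP connection. Whether or not one calls that "installed", it is exactly the behaviour a defender can hunt for in endpoint telemetry. The script below is an added example written for this page, not code from any of the forum participants, VoodooShield, ERP or MRG; it runs two detection rules over a small, constructed list of Sysmon-like process-creation and network-connection events (the field names `type`, `pid`, `image`, `parent_image`, `cmdline`, `dest_ip`, `dest_port` are assumed for the example, not a real log export). The process-creation rule fires on its own, so a backdoor whose callback was blocked still shows up, which is the point Umbra makes about "connecting" versus "installing".

```python
"""Hunt for DoublePulsar-style behaviour in endpoint telemetry.

Added example (not from the thread). Two rules:
  1. lsass.exe spawned a child process. lsass.exe normally has no children,
     so any child is suspicious; rundll32/calc (the ones the thread's test
     used) and other LOLBins are rated high.
  2. An outbound connection from a process lsass.exe spawned, or from
     lsass.exe itself to a port it does not normally use (the reverse-TCP
     callback the anti-exe tools blocked in the thread).
Event field names are assumed for this example; they are not a real
Sysmon export.
"""
from dataclasses import dataclass

LSASS = "lsass.exe"
SUSPICIOUS_CHILDREN = {
    "rundll32.exe", "calc.exe", "cmd.exe", "powershell.exe",
    "regsvr32.exe", "mshta.exe",
}
# Ports lsass.exe legitimately talks to on a domain member (Kerberos 88/464,
# LDAP 389/636, Global Catalog 3268/3269). Tune for your environment.
LSASS_EXPECTED_PORTS = {88, 464, 389, 636, 3268, 3269}


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def detect(events):
    """Return a list of Finding objects for the suspicious events."""
    findings = []
    lsass_children = {}  # pid -> image, for processes spawned by lsass.exe
    for ev in events:
        if ev["type"] == "process_create":
            image = ev["image"].lower()
            if ev["parent_image"].lower() == LSASS:
                lsass_children[ev["pid"]] = image
                severity = "high" if image in SUSPICIOUS_CHILDREN else "medium"
                findings.append(Finding(
                    "lsass_child_process", ev["pid"],
                    f"{severity}: lsass.exe spawned {image}: {ev['cmdline']}"))
        elif ev["type"] == "network_connect":
            image = ev["image"].lower()
            pid = ev["pid"]
            dest = f"{ev['dest_ip']}:{ev['dest_port']}"
            if pid in lsass_children:
                # Callback from a process lsass.exe spawned: rated high even if
                # the connection was later blocked, the attempt is the signal.
                findings.append(Finding(
                    "lsass_child_outbound", pid,
                    f"high: {image} (child of lsass.exe) -> {dest}"))
            elif image == LSASS and ev["dest_port"] not in LSASS_EXPECTED_PORTS:
                findings.append(Finding(
                    "lsass_unexpected_outbound", pid,
                    f"medium: lsass.exe -> {dest}"))
    return findings


# Constructed sample telemetry for this example (IPs from documentation ranges).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 812, "image": "svchost.exe",
     "parent_image": "services.exe", "cmdline": "svchost.exe -k netsvcs"},
    # lsass.exe doing Kerberos with the DC: expected, must not fire.
    {"type": "network_connect", "pid": 620, "image": "lsass.exe",
     "dest_ip": "10.0.0.10", "dest_port": 88},
    # The pattern from the thread's test: lsass.exe spawning rundll32.exe ...
    {"type": "process_create", "pid": 1234, "image": "rundll32.exe",
     "parent_image": "lsass.exe", "cmdline": "rundll32.exe"},
    # ... which then attempts a reverse-TCP callback.
    {"type": "network_connect", "pid": 1234, "image": "rundll32.exe",
     "dest_ip": "192.0.2.77", "dest_port": 4444},
    {"type": "network_connect", "pid": 2001, "image": "chrome.exe",
     "dest_ip": "203.0.113.5", "dest_port": 443},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Run against `SAMPLE_EVENTS` this flags the rundll32.exe spawn and its callback and nothing else; feed it only the first three events (the anti-exe tool blocked the callback before it happened) and the process-creation finding still stands, which is why the spawn itself, not just the blocked connection, belongs in the alert.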