How to verify VoodooShield "anti-exploit protection"?

Status
Not open for further replies.
qftest

qftest

Level 1
Thread author
Nov 22, 2015
12
2mqmb1h.jpg


win7x64
VS 2.75
I use "hmpalert64-test.exe" test VS, did not see the interception.
How should I test is correct?
 
  • Like
Reactions: persianboy, Deleted Member 333v73x and Solarquest
Atlas147

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Honestly it's quite hard to test anti exploit for every programme, thats why the vendor normally provides a safe test to see if the protection is working, as you know HMP has one, and I know that malwarebytes has a programme to test their anti exploit too. Maybe you can try that?
 
  • Like
Reactions: Solarquest
qftest

qftest

Level 1
Thread author
Nov 22, 2015
12
Hanmin147 said:
Honestly it's quite hard to test anti exploit for every programme, thats why the vendor normally provides a safe test to see if the protection is working, as you know HMP has one, and I know that malwarebytes has a programme to test their anti exploit too. Maybe you can try that?
Click to expand...
I can't find a Malwarebytes test tool.
Maybe should use a special web page test?
 
cutting_edgetech

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
VoodooShield antiexploit feature does not stop exploits in memory. It only blocks the exploit from dropping any binary payload by not allowing applications on the "Web Apps List" to spawn child processes. If I remember correctly this feature also prevents executables in the user-space from dropping payloads into Program Files Folders. The feature is only a policy based restriction mitigation being used with whitelisting. Blocking exploits in memory can lead to incompatibility with other products, and it takes a lot of development hours to maintain this type of feature.

I have a .jar file that drops a hidden payload into Program Files, and then executes. The payload is harmless, but it can drop any payload into Program Files Folders. It can drop crypto-malware, trojans, etc. It may be able to drop payloads into System space also, but i'm not sure. If the user clicks on the .jar file it does the rest on it's own. .Jar files are archives, and portable java applications. The .jar file I have bypassed most AE solutions at the time because they did not monitor the command lines of javaw.exe. It bypasses AppGuard with default settings. If you Guard javaw.exe then AG will block the payload from writing to Program Files Folders because Guarded applications are not permitted to write to Program Files Folders, or System Space. Voodoo Shield anti-exploit feature is suppose to block threats like these. There is a lot more that could be done with this feature.

Edited 11/23 @ 9:14
 
Last edited:
  • Like
Reactions: oldschool, Parsh, Solarquest and 2 others
qftest

qftest

Level 1
Thread author
Nov 22, 2015
12
cutting_edgetech said:
VoodooShield antiexploit feature does not stop exploits in memory. It only blocks the exploit from dropping any binary payload by not allowing applications on the "Web Apps List" to spawn child processes. If I remember correctly this feature also prevents executables in the user-space from dropping payloads into Program Files Folders. The feature is only a policy based restriction mitigation being used with whitelisting. Blocking exploits in memory can lead to incompatibility with other products, and it takes a lot of development hours to maintain this type of feature.

I have a .jar file that drops a hidden payload into Program Files, and then executes. The payload is harmless, but it can drop any payload into Program Files Folders. It can drop crypto-malware, trojans, etc. It may be able to drop payloads into System space also, but i'm not sure. If the user clicks on the .jar file it does the rest on it's own. .Jar files are archives, and portable java applications. The .jar file I have bypassed most AE solutions at the time because they did not monitor the command lines of javaw.exe. It bypasses AppGuard with default settings. If you Guard javaw.exe then AG will block the payload from writing to Program Files Folders because Guarded applications are not permitted to write to Program Files Folders, or System Space. Voodoo Shield anti-exploit feature is suppose to block threats like these. There is a lot more that could be done with this feature.

Edited 11/23 @ 9:14
Click to expand...
It sounds like the previous ANI virus.
No testing tools, I went to the page to test.
Results VS / HMPA no response, no interceptions.
I do not know why.
Code: 
http:##//player.vodjk.com/player.swf?my_url=http://ek.vodjk.com/a/18001.shtml&my_pic=&a=18001&i=;

2nk49c5.jpg
 
Last edited by a moderator:
  • Like
Reactions: Solarquest
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
JFI; on VT
Code: 
http://ek.vodjk.com/a/18001.shtml&my_pic=&a=18001&i=;
= 0/66
upload_2015-11-24_0-7-44.png
upload_2015-11-24_0-7-44.png
 
Last edited by a moderator:
cutting_edgetech

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
HMPA, and MBAE will not detect an exploit unless the application is vulnerable to being exploited. If the application on your machine has been patched then the exploit will not be able to run, and therefore there is nothing for HMPA, or MBAE to detect. What application on your machine does the exploit target? I can't read hànzì, or kanji. Are you sure the application has not been patched with an update?
 
  • Like
Reactions: Solarquest, frogboy, qftest and 2 others
qftest

qftest

Level 1
Thread author
Nov 22, 2015
12
cutting_edgetech said:
HMPA, and MBAE will not detect an exploit unless the application is vulnerable to being exploited. If the application on your machine has been patched then the exploit will not be able to run, and therefore there is nothing for HMPA, or MBAE to detect. What application on your machine does the exploit target? I can't read hànzì, or kanji. Are you sure the application has not been patched with an update?
Click to expand...
oh i see.
Thank you for your reply.
hehe,"hànzì" is correct,"kanji" is an error.
 
Status
Not open for further replies.

Similar threads

Shadowra
    • +Reputation
    • Like
    • Thanks
App Review Entreprise Version Comparative - Sophos vs Checkpoint vs Eset vs Bitdefender (Hard Settings + EDR)
Replies
23
Views
1,645
Video Reviews - Security and Privacy
Trident
Trident
Gandalf_The_Grey
    • Like
    • Thanks
AV-Comparatives Anti-Tampering Certification Test 2025
Replies
1
Views
470
Security Statistics and Reports
Andy Ful
Andy Ful
oldschool
    • Like
    • Applause
    • +Reputation
New Update Malwarebytes Anti-Exploit Beta releases
Replies
2
Views
569
Malwarebytes
Vitali Ortzi
Vitali Ortzi

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top