LNK File Guard: Block Suspicious LNK Files

NoVirusThanks (thread author, developer)
Aug 23, 2012
We've released a new application on Appsvoid:

LNK File Guard v1.0


Screenshot (it blocked the malicious .LNK file from the mounted ISO file):

lnk-file-guard-1.png


A Windows security application that blocks suspicious and unknown .LNK (shortcut) files. After Microsoft announced that it would block Office macros by default, attackers found other ways to infect systems; one of these is abusing .LNK files. This program will block any suspicious .LNK file and only allow .LNK files located in safe locations. Additionally, you can block unknown .LNK files in the Desktop folder (for extra security in case the user downloads attachments to the Desktop folder).

The program was created mainly for businesses to fight the rise of malicious .LNK shortcut files used in the initial stages of an attack. Once the program is installed and running, it will monitor .LNK files and automatically block suspicious and unknown ones. You don't have to configure anything; if needed, you can enable the option to block unknown .LNK files on the Desktop, but this option is recommended mainly for businesses and should not be needed for home users.

The program doesn't add an icon to the system tray; by default, when a .LNK file is blocked, it is logged in the .log files. You can tell that the .LNK file has been blocked because nothing will happen when you double-click on it. For a quick test, just place a .LNK file in C:\ and try to run it; it should be blocked and logged in the .log files.

Feedback is, as always, welcome :)
 

Mops21
Oct 25, 2014
Hi all

Here is a new test 2 build:

Code:
It fixes the two FPs you reported.

You can install this new test build over the top (a reboot should not be required unless the setup file asks for it).

Regarding K7 detection of LnkModule64.dll, it is a false positive (our DLLs are also all digitally signed).

I tried to reproduce the issue you reported with Brave and Edge, but I can't reproduce it here (will try more in the coming hours).

A possible solution/test:

Try to open LNK File Guard GUI, click on Exclusions tab, now click on Scan Now button (this will scan the Desktop and auto-add to exclusions the .LNK files found).

Then wait 2 minutes (so the app loads the new exclusions rules) and try to run Brave or Edge browser via the Desktop shortcut, let me know if they work fine now.

A possible additional test in case the above doesn't work:

I hope the issues you see were not caused by the privacy.sexy tweaks.

A quick test would be to uninstall LNK File Guard and then try to run the Brave shortcut, if it doesn't work then the issue is not caused by LNK File Guard.


With best Regards
Mops21

Hi all

We've released LNK File Guard v1.1:
Monitor and Block .LNK Files with LNK File Guard | Appsvoid

Here is the changelog:

[05-Oct-2022] v1.1.0.0

+ Added option to delete .log files older than N days
+ Improved support for Windows 11 OS
+ Fixed reported false positives
+ Minor improvements
It can be installed over the top, but a reboot may be needed if the setup file asks for it.

@JOHNoff

Issues reported should be fixed now, thanks a lot for reporting them and for testing.

@Floyd 57

Attackers are widely using LNK files in the first stages of an infection to deliver the payload after Microsoft announced they will disable macros:
Cyber-criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Reports

LNK files are not easy to monitor: the file type can't be fully unassociated, they can have custom icons (so they can easily be masqueraded as fake PDF invoices), they can be used to execute lolbins and commonly abused system processes, etc. This app can help organizations restrict the opening of .LNK files, including in the user's Desktop folder.
I see this best as an addition to OSArmor
We would like to keep OSArmor simple and not complicate it with extra protection options other than process blocking (it already blocks execution of processes from malicious .LNK files).


With best Regards
Mops21
 

vtqhtr413
Aug 17, 2017

NoVirusThanks (thread author, developer)
@BryanB

Checked the article and tried to reproduce the same scenario (K-1 06.13.2022.lnk in the Downloads folder that executes the specified PowerShell encoded command).

LNK File Guard blocked the execution of the .lnk file:

lnk-test.png


Then I disabled LNK File Guard and tried to run it, OSA blocked the execution of powershell:

osa-test.png


Additionally, firewall rules of SysHardener would have blocked regsvr32.exe from downloading the remote payloads.
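The posts above describe the behaviour of LNK File Guard in prose only: shortcuts are allowed from safe locations, optionally blocked when unknown on the Desktop, excluded via the Exclusions tab, and blocked when they look like the Downloads/ISO samples (a lolbin target, an encoded PowerShell command, a "PDF invoice" name). The following Python is an added example written for this page, not the product's code and not a description of how LNK File Guard actually decides: it parses the fields a guard needs from the MS-SHLLINK binary format (LinkInfo.LocalBasePath and the StringData block) and then applies a policy modelled on the thread. Everything not taken from the posts is an assumption: the function names parse_lnk, build_lnk and assess, the safe-location list, the lolbin set, the three heuristics, and the sample shortcuts, which are constructed in memory by build_lnk rather than taken from any real malware. One caveat a practitioner should keep in mind: many real-world shortcuts carry their target only in the LinkTargetIDList (shell items), which this parser skips, so a production monitor also has to decode shell items.

```python
import base64, re, struct
from pathlib import PureWindowsPath

# ShellLinkHeader (MS-SHLLINK 2.1): HeaderSize 0x4C + LinkCLSID, then the LinkFlags bits used here.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
               (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))  # fixed on-disk order


def parse_lnk(buf):
    """Target, arguments and icon of a .lnk body (LinkInfo.LocalBasePath + StringData; IDList skipped)."""
    if buf[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    pos, local_base = 0x4C, None
    if flags & HAS_ID_LIST:  # u16 IDListSize, then the item list
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize, HeaderSize, Flags, VolumeIDOffset, LocalBasePathOffset
        size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", buf, pos)
        if li_flags & 0x1:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI string
            local_base = buf[pos + base_off:buf.index(b"\x00", pos + base_off)].decode("latin-1")
        pos += size
    width, fields = (2 if flags & IS_UNICODE else 1), {}
    for bit, name in STRING_DATA:  # each entry: u16 CountCharacters followed by the characters
        if flags & bit:
            count = struct.unpack_from("<H", buf, pos)[0] * width
            fields[name] = buf[pos + 2:pos + 2 + count].decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count
    return {"target": local_base or fields.get("relative_path", ""),
            "arguments": fields.get("arguments", ""), "icon": fields.get("icon", "")}


def build_lnk(relative_path, arguments="", icon="", local_base=None):
    """Constructed test fixture: a minimal but valid Shell Link (not a real-world sample)."""
    def sd(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    flags, body = IS_UNICODE | HAS_REL_PATH, b""
    if local_base is not None:  # LinkInfo carrying a VolumeID (DRIVE_FIXED, empty label) and LocalBasePath
        vol = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"
        base = local_base.encode("latin-1") + b"\x00"
        li = struct.pack("<IIIIIII", 0, 0x1C, 0x1, 0x1C, 0x1C + len(vol), 0,
                         0x1C + len(vol) + len(base)) + vol + base + b"\x00"
        body, flags = struct.pack("<I", len(li)) + li[4:], flags | HAS_LINK_INFO
    body += sd(relative_path)
    for bit, s in ((HAS_ARGS, arguments), (HAS_ICON, icon)):
        if s:
            flags, body = flags | bit, body + sd(s)
    header = (LNK_MAGIC + struct.pack("<II", flags, 0x20) + b"\x00" * 24  # FILE_ATTRIBUTE_ARCHIVE, 3 FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))  # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, reserved
    return header + body


# Policy modelled on the thread's description; safe dirs, lolbin set and heuristics are this example's assumptions.
SAFE_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\ProgramData\Microsoft\Windows\Start Menu")
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "certutil.exe", "msiexec.exe", "forfiles.exe"}
ENCODED_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
DOC_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)$", re.I)


def assess(lnk_path, buf, block_unknown_desktop=False, exclusions=()):
    """Return (verdict, reasons) for the .lnk at lnk_path whose file body is buf."""
    path = PureWindowsPath(lnk_path)
    if str(path).lower() in {e.lower() for e in exclusions}:  # the GUI's Exclusions tab
        return "allow", ["excluded"]
    info, reasons = parse_lnk(buf), []
    exe = PureWindowsPath(info["target"]).name.lower()
    if exe in LOLBINS and info["arguments"]:
        reasons.append(f"lolbin target {exe} with arguments")
    if ENCODED_RE.search(info["arguments"]):
        reasons.append("encoded PowerShell command")
    if DOC_EXT_RE.search(path.stem):
        reasons.append("double extension masquerading as a document")
    if reasons:  # suspicious: blocked wherever the file lives
        return "block", reasons
    parts = [p.lower() for p in path.parts]
    if len(parts) >= 5 and parts[1] == "users" and parts[3] == "desktop":
        return ("block", ["unknown .lnk on Desktop"]) if block_unknown_desktop else ("allow", ["Desktop allowed"])
    if any(str(path).lower().startswith(d.lower() + "\\") for d in SAFE_DIRS):
        return "allow", ["safe location"]
    return "block", ["outside safe locations"]  # the "place a .lnk on C:\" quick test from the thread


def demo():
    # Constructed cases: the Downloads shortcut from the article, the C:\ quick test, Brave on the Desktop.
    enc = base64.b64encode("Write-Host test".encode("utf-16-le")).decode()
    cases = {
        r"C:\Users\alice\Downloads\K-1 06.13.2022.lnk": build_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-w hidden -enc " + enc),
        r"C:\test.lnk": build_lnk(r"..\Windows\notepad.exe", local_base=r"C:\Windows\notepad.exe"),
        r"C:\Users\alice\Desktop\Brave.lnk": build_lnk(
            "brave.exe", local_base=r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe"),
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Command Prompt.lnk": build_lnk(
            r"..\..\..\..\..\Windows\System32\cmd.exe", local_base=r"C:\Windows\System32\cmd.exe"),
        r"D:\Invoice.pdf.lnk": build_lnk(r"..\Windows\System32\cmd.exe", "/c echo test",
                                         icon=r"%ProgramFiles%\Adobe\Acrobat.exe"),
    }
    return {p: assess(p, b) for p, b in cases.items()}
```

Running demo() yields block for the Downloads shortcut (lolbin plus encoded command), block for C:\test.lnk (outside safe locations, even though the target is notepad), allow for the Brave shortcut on the Desktop and for the Start Menu Command Prompt shortcut, and block for the fake invoice on the mounted drive. Calling assess with block_unknown_desktop=True turns the Brave verdict into a block until its path is passed in exclusions, which is the sequence the developer asked the reporter to try with the Scan Now button.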
 
