LNK File Guard: Block Suspicious LNK Files

NoVirusThanks

From NoVirusThanks
Thread author
Verified
Developer
Well-known
Aug 23, 2012
291
We've released a new application on Appsvoid:

LNK File Guard v1.0​


Screenshot (it blocked the malicious .LNK file from the mounted ISO file):

lnk-file-guard-1.png


Windows OS security application that block suspicious and unknown .LNK (shortcut) files. After Microsoft announced to block Office macros by default, attackers found other ways to infect systems, one of these is abusing .LNK files. This program will block any suspicious .LNK file and only allow .LNK files located in safe locations. Additionally, you can also block unknown .LNK files on the Desktop folder (for extra security in case the user downloads attachments on the Desktop folder).

The program was created mainly for businesses to fight the rise of malicious .LNK shortcut files used in initial stages of an attack. Once the program is installed and running, it will monitor .LNK files and automatically block suspicious and unknown .LNK files. You don't have to configure anything, if needed you can enable the option to block unknown .LNK files on Desktop but this option is commonly recommended for businesses, should not be needed for Home users.

The program doesn't add an icon on the system tray, by default when a .LNK file is blocked it is logged in the .log files. You can see that the .LNK file has been blocked because when you double-click on it nothing will happen. For a quick test, just place a .LNK file on C:\ and try to run it, it should be blocked and logged in the .log files.

Feedbacks are as always welcome :)
 

Mops21

Level 34
Verified
Honorary Member
Content Creator
Oct 25, 2014
2,327
Hi all

Here is a new test 2 build:

Code:
It fixes the two FPs you reported.

You can install this new test build over the top (reboot should not be required, except if it is asked by the setup file).

Regarding K7 detection of LnkModule64.dll, it is a false positive (our DLLs are also all digitally signed).

I tried to reproduce the issue you reported with Brave and Edge but I can't reproduce here (will try more on these hours).

A possible solution/test:

Try to open LNK File Guard GUI, click on Exclusions tab, now click on Scan Now button (this will scan the Desktop and auto-add to exclusions the .LNK files found).

Then wait 2 minutes (so the app loads the new exclusions rules) and try to run Brave or Edge browser via the Desktop shortcut, let me know if they work fine now.

A possible additional test in case the above doesn't work:

I hope the issues you see were not caused by the privaxy.sexy tweaks .

A quick test would be to uninstall LNK File Guard and then try to run the Brave shortcut, if it doesn't work then the issue is not caused by LNK File Guard.


With best Regards
Mops21

Hi all

We've released LNK File Guard v1.1:
Monitor and Block .LNK Files with LNK File Guard | Appsvoid

Here is the changelog:

[05-Oct-2022] v1.1.0.0

+ Added option to delete .log files older than N days
+ Improved support for Windows 11 OS
+ Fixed reported false positives
+ Minor improvements
It can be installed over-the-top, but it may be needed to reboot the PC if the setup file asks to do that.

@JOHNoff

Issues reported should be fixed now, thanks a lot for reporting them and for testing.

@Floyd 57

Attackers are widely using LNK files in first stages of an infection to deliver the payload after Microsoft announced they will disable macros:
Cyber-criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Reports

LNK files are not easy to monitor, the file type can't be fully unassociated, they can have custom icons (can be easily masqueraded as fake PDF invoices), can be used to execute lolbins and commonly abused system processes, etc. This app can help organizations to restrict opening of .LNK files, also on user Desktop folder.
i see this best as an addition to OSArmor
We would like to keep OSArmor simple and not complicate it with extra protection options other than process blocking (it already blocks execution of processes from malicious .LNK files).


With best Regards
Mops21
 

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,413

NoVirusThanks

From NoVirusThanks
Thread author
Verified
Developer
Well-known
Aug 23, 2012
291
@BryanB

Checked the article and tried to reproduce the same scenario (K-1 06.13.2022.lnk on Downloads folder that executes the specified powershell encoded command).

LNK File Guard blocked the execution of the .lnk file:

lnk-test.png


Then I disabled LNK File Guard and tried to run it, OSA blocked the execution of powershell:

osa-test.png


Additionally, firewall rules of SysHardener would have blocked regsvr32.exe from downloading the remote payloads.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top