Update Shadow Defender Update Thread (Current Version 1.4.0.629)

Discussion in 'Shadow Defender' started by Umbra, Jun 27, 2011.

  1. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    894
    6,334
    Caille
    Windows 10
    #141 Opcode, Dec 3, 2017
    Last edited: Dec 3, 2017
    The hardware is the set of components responsible for operating the machine in the first place, and thus it all boils down to them allowing things to function or not.

    What you can do is what @Mr.X suggested - use a Virtual Machine. Virtual Machines will leverage built-in virtualisation support (technology embedded into your CPU). Intel implement their own virtualisation technology into their CPUs and AMD do the same by implementing theirs. Intel have Intel VT-x and AMD have AMD SVM (Secure Virtual Machine). If your hardware supports it then you can enable it from the BIOS. This is also referred to as the "hypervisor", which explains why some security software has conflicts with Virtual Machine software on occasion.

    You shouldn't be worrying about hardware infections, or even firmware infections for that matter. A bigger concern for an average home user like ourselves would be accidentally making a mistake with a dodgy e-mail or download and becoming infected with a normal ransomware sample.

    You're extremely unlikely to run into a UEFI-based bootkit, or the like. These types of attacks are simply not prevalent in the wild, especially not aimed at home users. It would be out of the ordinary for even a business to be targeted with such an attack. You have to know what you are doing and have information regarding the environment for the target to even consider deploying an attack like this, which pretty much eliminates the home user potential. I can tell you right now that developing attacks like those will not just require your average "experience", especially for it to be successful and work as intended a majority of the time.

    You need to remember that only kernel-mode code can access the firmware/hardware, which means a kernel-mode component will be required. This is one factor which eliminates the home user abuse potential, not to mention that you'd need a zero-day Windows vulnerability to bypass PatchGuard for 64-bit targets without an EV certificate now.

    Afterwards, you need to remember that the author would need to understand how the Windows boot-loader works. They'll need to plan and take action with the plan in order to get their code executing at boot first, and then allow Windows to start up. This typically involves byte-patching of the Windows boot-loader in memory (e.g. for UEFI systems it'd be targeting an *.efi). All of this needs to be done without triggering any internal protection mechanisms in Windows, or making the system unstable in a way that it won't work properly after the deployment of the attack (stability will require extreme experience, as well as for the success rate to be in favour and not odds). This will differ between each OS version and potentially patch updates as well.

    After that, you need to remember that if Windows has an update, depending on the circumstances it can cause that previously deployed attack to have problems and leave the system unstable. This would raise awareness and people would start to wonder why the system is having trouble, and in an endpoint environment this can lead to a proper investigation -> potentially exposing the attack which had previously been deployed.

    Now I cannot say much about the deployment of an attack on hardware because I've not studied this reasonably to talk about it, but the only bootkit attack or any similar attack a Home user has any chance of encountering, or most businesses, would be revolving around the Master Boot Record. Cut off any potential for anything deeper than that in a realistic situation. You'll find Proofs of Concept on GitHub but none of which are abused by malware in the wild, even years later from their disclosure date, and that is for the reason that most malware authors will not even know where to start with developing such an attack, let alone deploy it successfully without having their operation identified due to unstable/unreliable code - whether a "professional" or not.

    A more realistic concern would be whether the hardware in your system had been altered with malicious intent by employees from your manufacturer on behalf of a government agency, since this has actually been done before (exposed by Kaspersky a few years ago), as opposed to worrying about whether you'll be hit with an attack which touches firmware/hardware.
  2. Mr.X

    Mr.X Level 6

    Aug 2, 2014
    289
    878
    PC Tech
    Mexico
    @Opcode
    You're a dang walking encyclopedia. :p
  3. Andy Ful

    Andy Ful Level 22

    Dec 23, 2014
    1,118
    4,824
    business
    Poland
    Windows 10
    Microsoft
    There is probably more chance of malware escaping from a virtual machine than of it infecting the GPU. Virtual machines are much more popular.
    One can also be hit by a lightning bolt before the above happens. :)
  4. Andy Ful

    It is more useful to think about the possibility of winning the National Lottery. :)
  5. Andy Ful

    I think the most probable (but still not realistic) way to come into contact with this type of malware is buying a pendrive or mouse with malicious firmware.
  6. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,185
    5,232
    IRAN
    Windows 10
    ESET
    Will VMware virtualize the GPU too, or only the CPU? My government does everything! I mean, how can I make sure when I want to buy a CPU?! They are all made in China!
  7. Andy Ful

    Yes. The government in China has so many Chinese people to spy on that you can sleep soundly. :)
  8. Sunshine-boy

    #148 Sunshine-boy, Dec 3, 2017
    Last edited: Dec 3, 2017
    So VMware > SD, right? Although I don't like VMware!
    Let's say I'm gonna buy a new CPU, ok? In my country the story is different and you can never find the original products... they are all fake or already used. xd I want a tool to scan the GPU and CPU for me :D Opcode, create one pls, many thanks :)
  9. Andy Ful

    Not from the probability point of view. :)
  10. Opcode

    VMware creates a new, isolated OS environment. Shadow Defender isolates the existing environment. I believe VMware is more effective when used to its full potential because of other features like snapshots, but remember that data theft can occur within both of them.

    I doubt you will ever even run into a Virtual Machine Guest -> Host escape exploitation let alone the other sorts of attacks you're worrying about. There are malware hunters here who go hunting daily and have never witnessed this with their own eyes, and that's a lot more probable than the other things you're worrying about.

    If you go down the VM route, disable clipboard share and only enable shared folders with write protection enabled for those shared folders (and remember not to put any personal documents inside because as I said before, data theft can still occur).
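The VM hardening described in the post above (clipboard sharing off, shared folders write-protected), written out as VMware Workstation .vmx settings. This is an added example, not text from the original post or from VMware's own documentation; the host path and folder name are constructed placeholders, and the two blocks are alternatives, not both to be kept in one file.

```ini
# --- Permissive (what to avoid): clipboard shared both ways, drag-and-drop on,
# --- and a shared folder the guest can write into.
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "FALSE"
isolation.tools.dnd.disable = "FALSE"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
# constructed placeholder host path and guest-visible name
sharedFolder0.hostPath = "C:\Lab\Exchange"
sharedFolder0.guestName = "Exchange"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"

# --- Hardened (use this instead, edited with the VM powered off): clipboard
# --- and drag-and-drop blocked in both directions, the guest cannot re-enable
# --- them from the Tools GUI, and the shared folder is read-only for the guest.
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.setGUIOptions.enable = "FALSE"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
# constructed placeholder host path and guest-visible name
sharedFolder0.hostPath = "C:\Lab\Exchange"
sharedFolder0.guestName = "Exchange"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "FALSE"
# If the guest needs no host files at all, turn shared folders off entirely:
# isolation.tools.hgfs.disable = "TRUE"
```

Read-only still lets the guest read everything in the folder, which is why the post says to keep personal documents out of it.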
  11. Lockdown

    Lockdown From AppGuard
    Developer

    Oct 24, 2016
    2,712
    11,884
    AppGuard LLC Virginia, U.S.
    #151 Lockdown, Dec 3, 2017
    Last edited: Dec 3, 2017
    The Chinese government is in a position to have its intelligence and other agencies work to have component manufacturers install spyware right on the factory floor as everything is manufactured - every component with its own backdoor, logger, screencapture, and whatever else is technologically possible. No ? Not possible ? Really ? You must think the rainbows and unicorns are gonna protect you and the world order then. How you like them apples ? I bet it makes you want to run out and buy Chinese manufactured digital devices - right ? Makes the whole Kaspersky debate look like trivial child's play.

    The entire world is strategically stupid to be dependent upon China for 90+% of its digital devices.

    I bet you didn't know that 85+% of hospital medications are produced in India and China too. Research that one. You'll be aghast at what you find out. People actually die because of practices.
  12. Andy Ful

    #152 Andy Ful, Dec 3, 2017
    Last edited: Dec 3, 2017
    Everybody has his own fears. Some people are frightened by China, other people by the US. I am afraid of my wife in the first place. :)
    By the way, I fully agree with the statement: The entire world is strategically stupid to be dependent upon China for 90+% of its digital devices. That is because the capitalistic economic system is stupid by design. The cheapest production and money are always the priority. But, other economic systems can be even worse, I was born in one of them. :sick:

    Edit:
    Fearing China, Russia or the US is not really useful for the ordinary man. There are far more probable dangers around, for example, the danger of being killed in a traffic accident. :(
    Also one should remember Roman history. They were afraid of the Huns, but were defeated by the Goths.
  13. Lockdown

    Lech Wałęsa naprawił pewne rzeczy, nie wszystko.

    "Lech Walesa fixed some things, but not everything."
  14. Andy Ful

    #154 Andy Ful, Dec 3, 2017
    Last edited: Dec 3, 2017
    No, you are not right. If you plug in a pendrive (mouse) with malicious firmware, even AppGuard cannot help. :(
  15. Andy Ful

    :)
    Your Polish is pretty good. Thanks.
  16. Lockdown

    The most common installation route for all malware on Windows is User Space, which includes kernel-mode components - and AppGuard blocks execution in User Space when enabled. The kernel-mode component begins with a user-mode component, and the user-mode component typically executes from User Space. For example, a manually downloaded firmware updater. However, in the case of a malicious one it could land on a system via an exploit or drive-by download without the user being aware of it. In that case, AppGuard will block execution from User Space.

    Google Translate

    Anything beyond a simple sentence, and Google Translate mangles it.
  17. Lockdown

    AppGuard blocks autorun.inf even when enabled in the Windows OS, but if the mouse is pre-loaded with malware on the system and was already installed/running before AG was installed, then there is nothing that AppGuard can do about it. AppGuard can't do anything about malicious kernel-mode firmware running on the system. It can block user-mode malware already running on the system after a system reboot dependent upon certain criteria, but not malicious kernel-mode firmware already running on the system.
  18. Andy Ful

    I had in mind the pendrive's built-in manufacturer firmware. :)
  19. Lockdown

    #159 Lockdown, Dec 3, 2017
    Last edited: Dec 3, 2017
    I know. If we start blocking drivers, then users will start screaming bloody murder. Right ? Right away, they will be the ones who will say such attacks are so low on the probability scale that they will accept the risk in favor of usability - in other words, they don't want the increased inconvenience in favor of increased protection against some extremely unlikely attack. Somebody on the forums will say those users are out of their minds - put the protection in place and make it an opt-out protection.

    It depends upon how the malicious driver is installed. There are various means for existing firmware. Most methods are going to be by social engineering using a .exe - which AppGuard is going to block.

    I mean think about it - how is a blackhat going to attract a user to a site to get them to download a malicious firmware update for their GPU card ? We're already dealing with the visual to begin with - graphics, probably a gamer, video issues, etc. All of my answers in this thread focus around that single, specific scenario - and no other.
  20. Sunshine-boy

    Ppl, if the Chinese products contain keyloggers or ..., how do the companies that use these products keep themselves safe?! There should be many companies that use Lenovo laptops, ok? But how do they remove the malware from them?