Shadow Defender Update Thread (Current Version 1.4.0.680)

Deleted member 65228

Thread author
What kind of software virtualizes the GPU and the whole hardware? I just want to have it!
The hardware is made up of the components responsible for operating the machine in the first place, and thus it all boils down to them allowing things to function or not.

What you can do is what @Mr.X suggested - use a Virtual Machine. Virtual Machines will leverage built-in virtualisation support (technology embedded into your CPU). Intel implement their own virtualisation technology into their CPUs and AMD do the same by implementing theirs. Intel have Intel VT-x and AMD have AMD SVM (Secure Virtual Machine). If your hardware supports it then you can enable it from the BIOS. This is also referred to as the "hypervisor", which explains why some security software have conflicts with Virtual Machine software on occasion.

You shouldn't be worrying about hardware infections, or even firmware infections for that matter. A bigger concern for an average home user like ourselves would be accidentally making a mistake with a dodgy e-mail or download and becoming infected with a normal ransomware sample.

You're extremely unlikely to run into a UEFI-based bootkit, or the like. These types of attacks are simply not prevalent in the wild, especially not aimed at home users. It would be out of the ordinary for even a business to be targeted with such an attack. You have to know what you are doing and have information regarding the environment for the target to even consider deploying an attack like this, which pretty much eliminates the home user potential. I can tell you right now that developing attacks like those will not just require your average "experience", especially for it to be successful and work as intended a majority of the time.

You need to remember that only kernel-mode code can access the firmware/hardware, which means a kernel-mode component will be required. This is one factor which eliminates the home user abuse potential, not to mention that you'd need a zero-day Windows vulnerability to bypass PatchGuard for 64-bit targets without an EV certificate now.

Afterwards, you need to remember that the author would need to understand how the Windows boot-loader works. They'll need to plan and take action with the plan in order to get their code executing at boot first, and then allow Windows to start up. This typically involves byte-patching of the Windows boot-loader in memory (e.g. for UEFI systems it'd be targeting an *.efi). All of this needs to be done without triggering any internal protection mechanisms in Windows, or making the system unstable in a way that it won't work properly after the deployment of the attack (stability will require extreme experience, as well as for the success rate to be in favour and not odds). This will differ between each OS version and potentially patch updates as well.

After that, you need to remember that if Windows has an update, depending on the circumstances it can cause that previously deployed attack to have problems and leave the system unstable. This would raise awareness and people would start to wonder why the system is having trouble, and in an endpoint environment this can lead to a proper investigation -> potentially exposing the attack which had previously been deployed.

Now I cannot say much about the deployment of an attack on hardware because I've not studied this enough to talk about it, but the only bootkit attack or any similar attack a home user, or most businesses, has any chance of encountering would revolve around the Master Boot Record. Cut off any potential for anything deeper than that in a realistic situation. You'll find proofs of concept on GitHub, but none of them are abused by malware in the wild, even years after their disclosure date, and that is because most malware authors will not even know where to start with developing such an attack, let alone deploy it successfully without having their operation identified due to unstable/unreliable code - whether a "professional" or not.

A more realistic concern would be whether the hardware in your system had been altered with malicious intent by employees of your manufacturer on behalf of a government agency, since this has actually been done before (exposed by Kaspersky a few years ago), as opposed to worrying about whether you'll be hit with an attack which touches firmware/hardware.
 
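As an added example (not from this thread, and not code from any of its posters), here is a PowerShell check a Windows user can run before going the VM route. It reports whether the CPU's VT-x / AMD SVM extensions are switched on in firmware, whether a Windows hypervisor such as Hyper-V already owns them (the source of the conflicts with security software mentioned above), and, on UEFI machines, whether Secure Boot is on, which is the control that refuses unsigned changes to the boot-loader. The function names are this example's; the Win32_Processor properties, Get-ComputerInfo and Confirm-SecureBootUEFI are standard Windows cmdlets and need an elevated prompt for the Secure Boot query.

```powershell
# Added example, not from the thread. Reports the CPU/firmware virtualisation
# state and boot protections on a Windows 10/11 machine. Run elevated so that
# Confirm-SecureBootUEFI is allowed to query the firmware.

function Get-VirtualizationStatus {
    # Win32_Processor shows the VT-x / AMD-V (SVM) state as Windows sees it.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # HyperVisorPresent is True when Hyper-V (or the virtualization-based
    # security hypervisor behind Core Isolation) already owns the CPU
    # extensions; this is the situation in which third-party VM software and
    # hypervisor-based security tools step on each other.
    $info = Get-ComputerInfo -Property HyperVisorPresent

    # Secure Boot state is only readable on UEFI firmware and from an elevated
    # prompt; anything else is reported as 'unknown'.
    $secureBoot = 'unknown'
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    [pscustomobject]@{
        Processor                 = $cpu.Name
        VtxOrSvmEnabledInFirmware = $cpu.VirtualizationFirmwareEnabled
        VMMonitorModeExtensions   = $cpu.VMMonitorModeExtensions
        SecondLevelAddressTrans   = $cpu.SecondLevelAddressTranslationExtensions
        WindowsHypervisorPresent  = $info.HyperVisorPresent
        FirmwareType              = $env:firmware_type   # 'UEFI' or 'Legacy' (set by Windows 8 and later)
        SecureBootEnabled         = $secureBoot
    }
}

function Get-VirtualizationAdvice {
    # Turns the raw flags into the one action the user actually needs to take.
    param([Parameter(Mandatory)]$Status)
    if ($Status.WindowsHypervisorPresent) {
        return 'A Windows hypervisor is already running; expect reduced performance or conflicts with other VM products.'
    }
    if (-not $Status.VtxOrSvmEnabledInFirmware) {
        return 'Hardware virtualisation is off: enable Intel VT-x / AMD SVM in the BIOS/UEFI setup.'
    }
    if ($Status.FirmwareType -eq 'UEFI' -and $Status.SecureBootEnabled -ne $true) {
        return 'Virtualisation is ready; consider enabling Secure Boot so unsigned boot-loader changes are refused.'
    }
    return 'Virtualisation is ready and boot protections are on.'
}

$status = Get-VirtualizationStatus
$status | Format-List
Get-VirtualizationAdvice -Status $status
```

Read the two virtualisation fields together: once a Windows hypervisor is running, Win32_Processor reports VirtualizationFirmwareEnabled as False because the hypervisor hides the extensions from the guest OS, so a False there does not by itself mean the BIOS setting is off.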

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
What you can do is to always turn on your PC and run a VM and work from there... :)
There is probably more chance of malware escaping from a virtual machine than of it infecting the GPU. Virtual machines are much more popular.
One can also be hit by a lightning bolt before the above will happen. :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
The hardware is made up of the components responsible for operating the machine in the first place, and thus it all boils down to them allowing things to function or not.

What you can do is what @Mr.X suggested - use a Virtual Machine. Virtual Machines will leverage built-in virtualisation support (technology embedded into your CPU). Intel implement their own virtualisation technology into their CPUs and AMD do the same by implementing theirs. Intel have Intel VT-x and AMD have AMD SVM (Secure Virtual Machine). If your hardware supports it then you can enable it from the BIOS. This is also referred to as the "hypervisor", which explains why some security software have conflicts with Virtual Machine software on occasion.

You shouldn't be worrying about hardware infections, or even firmware infections for that matter. A bigger concern for an average home user like ourselves would be accidentally making a mistake with a dodgy e-mail or download and becoming infected with a normal ransomware sample.

You're extremely unlikely to run into a UEFI-based bootkit, or the like. These types of attacks are simply not prevalent in the wild, especially not aimed at home users. It would be out of the ordinary for even a business to be targeted with such an attack. You have to know what you are doing and have information regarding the environment for the target to even consider deploying an attack like this, which pretty much eliminates the home user potential. I can tell you right now that developing attacks like those will not just require your average "experience", especially for it to be successful and work as intended a majority of the time.

You need to remember that only kernel-mode code can access the firmware/hardware, which means a kernel-mode component will be required. This is one factor which eliminates the home user abuse potential, not to mention that you'd need a zero-day Windows vulnerability to bypass PatchGuard for 64-bit targets without an EV certificate now.

Afterwards, you need to remember that the author would need to understand how the Windows boot-loader works. They'll need to plan and take action with the plan in order to get their code executing at boot first, and then allow Windows to start up. This typically involves byte-patching of the Windows boot-loader in memory (e.g. for UEFI systems it'd be targeting an *.efi). All of this needs to be done without triggering any internal protection mechanisms in Windows, or making the system unstable in a way that it won't work properly after the deployment of the attack (stability will require extreme experience, as well as for the success rate to be in favour and not odds). This will differ between each OS version and potentially patch updates as well.

After that, you need to remember that if Windows has an update, depending on the circumstances it can cause that previously deployed attack to have problems and leave the system unstable. This would raise awareness and people would start to wonder why the system is having trouble, and in an endpoint environment this can lead to a proper investigation -> potentially exposing the attack which had previously been deployed.

Now I cannot say much about the deployment of an attack on hardware because I've not studied this enough to talk about it, but the only bootkit attack or any similar attack a home user, or most businesses, has any chance of encountering would revolve around the Master Boot Record. Cut off any potential for anything deeper than that in a realistic situation. You'll find proofs of concept on GitHub, but none of them are abused by malware in the wild, even years after their disclosure date, and that is because most malware authors will not even know where to start with developing such an attack, let alone deploy it successfully without having their operation identified due to unstable/unreliable code - whether a "professional" or not.

A more realistic concern would be whether the hardware in your system had been altered with malicious intent by employees of your manufacturer on behalf of a government agency, since this has actually been done before (exposed by Kaspersky a few years ago), as opposed to worrying about whether you'll be hit with an attack which touches firmware/hardware.
I think that the most probable (but still not realistic) way to have contact with this type of malware is buying a pendrive or mouse with malware firmware.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
Will VMware virtualize the GPU too, or only the CPU? My government does everything! I mean, how can I make sure when I want to buy a CPU?! They are all made in China!
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
So VMware > SD! Right? Although I don't like VMware!
Let's say I'm gonna buy a new CPU, OK? In my country the story is different and you can never find the original products... they are all fake or already used. xD I want a tool to scan the GPU and CPU for me :D Opcode, create one pls, many thanks :)
 
Deleted member 65228

Thread author
So VMware > SD! Right? Although I don't like VMware!
VMware creates an isolated environment running a new OS. Shadow Defender isolates the existing environment. I believe VMware is more effective when used to its full potential because of other features like snapshots, but remember that data theft can occur within both of them.

I doubt you will ever even run into a Virtual Machine Guest -> Host escape exploitation let alone the other sorts of attacks you're worrying about. There are malware hunters here who go hunting daily and have never witnessed this with their own eyes, and that's a lot more probable than the other things you're worrying about.

If you go down the VM route, disable clipboard share and only enable shared folders with write protection enabled for those shared folders (and remember not to put any personal documents inside because as I said before, data theft can still occur).
 
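As an added example (not from the thread, and not VMware's own code), the advice in this post can be applied to a VMware Workstation VM by editing its .vmx file: the isolation.tools.copy/paste/dnd.disable keys switch off the clipboard and drag-and-drop channels, and sharedFolderN.writeAccess = "FALSE" makes each configured shared folder read-only from the guest. Those keys are VMware's documented settings; the function names and the sample .vmx written to %TEMP% are constructed for this example. Power the VM off before editing, because Workstation rewrites the file while a VM is running.

```powershell
# Added example, not from the thread or from VMware. Applies the advice above to
# a VMware Workstation .vmx file: clipboard / drag-and-drop off, every shared
# folder read-only from the guest. Edit only while the VM is powered off.

function Set-VmxSetting {
    # Replace `key = "value"` if the key exists, otherwise append it.
    param(
        [string[]]$Lines,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*='
    $newLine = '{0} = "{1}"' -f $Key, $Value
    $out = [System.Collections.Generic.List[string]]::new()
    $found = $false
    foreach ($line in $Lines) {
        if ($line -match $pattern) { $out.Add($newLine); $found = $true }
        else                       { $out.Add($line) }
    }
    if (-not $found) { $out.Add($newLine) }
    return $out.ToArray()
}

function Protect-VmxIsolation {
    param([Parameter(Mandatory)][string]$Path)
    $lines = @(Get-Content -LiteralPath $Path)

    # VMware's documented isolation keys for the Tools clipboard and DnD channels.
    $settings = [ordered]@{
        'isolation.tools.copy.disable'  = 'TRUE'
        'isolation.tools.paste.disable' = 'TRUE'
        'isolation.tools.dnd.disable'   = 'TRUE'
    }
    # Any shared folder already configured (sharedFolderN.hostPath) goes read-only.
    foreach ($line in $lines) {
        if ($line -match '^\s*(sharedFolder\d+)\.hostPath\s*=') {
            $settings["$($Matches[1]).readAccess"]  = 'TRUE'
            $settings["$($Matches[1]).writeAccess"] = 'FALSE'
        }
    }
    foreach ($entry in $settings.GetEnumerator()) {
        $lines = Set-VmxSetting -Lines $lines -Key $entry.Key -Value $entry.Value
    }

    # Keep a copy of the original before writing; .vmx files are plain ASCII text.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    Set-Content -LiteralPath $Path -Value $lines -Encoding ASCII
    return $settings
}

# Constructed sample .vmx (not a real VM) so the effect can be seen offline.
$demo = Join-Path $env:TEMP 'demo-isolation.vmx'
@(
    '.encoding = "UTF-8"'
    'displayName = "analysis-vm"'
    'isolation.tools.copy.disable = "FALSE"'
    'sharedFolder0.present = "TRUE"'
    'sharedFolder0.hostPath = "C:\samples"'
    'sharedFolder0.writeAccess = "TRUE"'
) | Set-Content -LiteralPath $demo
Protect-VmxIsolation -Path $demo | Out-Null
Get-Content -LiteralPath $demo
```

Set-VmxSetting replaces a key when it is present and appends it otherwise, so the function can be re-run after Workstation has rewritten the file. Read-only only stops the guest from altering or deleting what it can already read, which is why the post's second point stands: personal documents still do not belong in the shared folder.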
509322

Thread author
Yes. The government in China has so many Chinese people to spy on that you can sleep soundly. :)

The Chinese government is in a position to have its intelligence and other agencies work to have component manufacturers install spyware right on the factory floor as everything is manufactured - every component with its own backdoor, logger, screen capture, and whatever else is technologically possible. No? Not possible? Really? You must think the rainbows and unicorns are gonna protect you and the world order then. How you like them apples? I bet it makes you want to run out and buy Chinese manufactured digital devices - right? Makes the whole Kaspersky debate look like trivial child's play.

The entire world is strategically stupid to be dependent upon China for 90+% of its digital devices.

I bet you didn't know that 85+% of hospital medications are produced in India and China too. Research that one. You'll be aghast at what you find out. People actually die because of practices.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,511
The Chinese government is in a position to have its intelligence and other agencies work to have component manufacturers install spyware right on the factory floor as everything is manufactured - every component with its own backdoor, logger, screen capture, and whatever else is technologically possible. No? Not possible? Really? You must think the rainbows and unicorns are gonna protect you and the world order then. How you like them apples? I bet it makes you want to run out and buy Chinese manufactured digital devices - right? Makes the whole Kaspersky debate look like trivial child's play.

The entire world is strategically stupid to be dependent upon China for 90+% of its digital devices.

I bet you didn't know that 85+% of hospital medications are produced in India and China too. Research that one. You'll be aghast at what you find out. People actually die because of practices.
Everybody has his own fears. Some people are frightened by China, other people by the US. I am afraid of my wife in the first place. :)
By the way, I fully agree with the statement: The entire world is strategically stupid to be dependent upon China for 90+% of its digital devices. That is because the capitalistic economic system is stupid by design. The cheapest production and money are always the priority. But other economic systems can be even worse; I was born in one of them. :sick:

Edit:
Fear of China, Russia or the US is not really useful for the ordinary man. There are far more probable dangers around, for example, the danger of being killed in a traffic accident. :(
Also one should remember Roman history. They were afraid of the Huns, but were defeated by the Goths.
 
509322

Thread author
Everybody has his own fears. Some people are frightened by China, other people by the US. I am afraid of my wife in the first place. :)
By the way, I fully agree with the statement: The entire world is strategically stupid to be dependent upon China for 90+% of its digital devices. That is because the capitalistic economic system is stupid by design. The cheapest production and money are always the priority. But other economic systems can be even worse; I was born in one of them. :sick:

Lech Wałęsa naprawił pewne rzeczy, nie wszystko.

"Lech Walesa fixed some things, but not everything."
 
509322

Thread author
I bet that if such malware existed for Windows, AppGuard would just SMACK it in the face, am I right :p

The most common installation route for all malware on Windows is User Space, which includes kernel-mode components - and AppGuard blocks execution in User Space when enabled. The kernel-mode component begins with a user-mode component, and the user-mode component typically executes from User Space. For example, a manually downloaded firmware updater. However, in the case of a malicious one it could land on a system via an exploit or drive-by download without the user being aware of it. In that case, AppGuard will block execution from User Space.

:)
Your Polish is pretty good. Thanks.

Google Translate

Anything beyond a simple sentence, and Google Translate mangles it.
 
509322

Thread author
No, you are not right. If you plug in the pendrive (mouse) with the malware firmware, even AppGuard cannot help. :(

AppGuard blocks autorun.inf even when enabled in the Windows OS, but if the mouse is pre-loaded with malware on the system and was already installed/running before AG was installed, then there is nothing that AppGuard can do about it. AppGuard can't do anything about malicious kernel-mode firmware running on the system. It can block user-mode malware already running on the system after a system reboot dependent upon certain criteria, but not malicious kernel-mode firmware already running on the system.
 
509322

Thread author
I had in mind the pendrive's built-in factory firmware. :)

I know. If we start blocking drivers, then users will start screaming bloody murder. Right? Right away, they will be the ones who will say such attacks are so low on the probability scale that they will accept the risk in favor of usability - in other words, they don't want the increased inconvenience in favor of increased protection against some extremely unlikely attack. Somebody on the forums will say those users are out of their minds - put the protection in place and make it an opt-out protection.

It depends upon how the malicious driver is installed. There are various means for existing firmware. Most methods are going to be by social engineering using a .exe - which AppGuard is going to block.

I mean think about it - how is a blackhat going to attract a user to a site to get them to download a malicious firmware update for their GPU card? We're already dealing with the visual to begin with - graphics, probably a gamer, video issues, etc. All of my answers in this thread focus around that single, specific scenario - and no other.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,782
Ppl, if the Chinese products contain keyloggers or ..., how do the companies that use these products keep themselves safe?! There should be many companies that use Lenovo laptops, OK? But how do they remove the malware from it?
 
