Take caution! VoodooShield and WinRAR

Status
Not open for further replies.
TheMalwareMaster

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Forum Veteran
Jan 4, 2016
1,065
5,725
1,978
Europe
This morning, a Facebook user alerted me about a possible security problem about VoodooShield free, because parent process is on by default. This was made using WinRAR. Since it's a popular software, I decided to share the results with you. This could be a huge problem, since most of the ransomware is usually delivered by email, using Archives, and a lot of people use WinRAR
Steps done in the test:
1) installed winrar
2)installed VoodooShield on Autopilot
3) tested VoodooShield against CDBurnerXP, using the version bundled with adware

Here are the results:

1) I launched the main EXE to check is VoodooShield was working, and it blocked it successfully
case1.PNG
2) I created a WinRAR archive and run the file directly inside the archive, exactly how a beginner would do and... No alerts!
case2.PNG
3) I created a zip archive, then removed WinRAR and tried to open it with the default Windows option. Blocked
case3.PNG

Let me known your thoughts. Regards,
TheMalwareMaster
 
Last edited:
  • Like
Reactions: frogboy, RoboMan, Solarquest and 12 others
It's not a bypass. It's known fact on how VS works and we talked about it a millions times. You have whitelist by parent on. Winrar is whitelisted, when you double click on the program within a rar it launches as child so it automatically gets whitelisted. It runs, the end.
Go in settings and change the mentioned setting if you don't want it to act like this.
 
Last edited:
  • Like
Reactions: Andytay70, RoboMan, reboot and 8 others
TheMalwareMaster said:
I expressed myself badly. Yeah, it's not a bypass, but it can be risky using VS free, if running WinRAR
Click to expand...
But it's not just winrar. If malware that force legit application to launch them are a thing again it will be worse. That setting in VS needs to be off by default and maybe Dan will do it one day.
He probably doesn't atm to minimize alerts.
 
  • Like
Reactions: Andytay70, Solarquest, Rolo and 8 others
Wingman said:
I have notified Dan about this workaround and he confirmed that this will be fixed in the next version (exclude the .rar extension from the parent process feature). He will also investigate other compression filetypes
Click to expand...
Thanks a lot for you help. He said the issue will be fixed. The irony is that I can't still post on that forum for no reason VoodooShield ?
 
  • Like
Reactions: Solarquest, Deleted member 2913, Wingman and 2 others
Wingman said:
I have notified Dan about this workaround and he confirmed that this will be fixed in the next version (exclude the .rar extension from the parent process feature). He will also investigate other compression filetypes
Click to expand...
If I understand correctly this involves parent/child relationship. The zip archive created for step 3 (in OP) would have done the same had WinRAR been used to open the zip. This is about excluding "safe" apps from the parent/child inheritance.

Excluding the *.rar extension is just treating the symptoms. Either uncheck the parent/child option or else create an exclusion feature for that option. I'm sure Dan will figure out an even better solution once he's had time to soak on it.
 
  • Like
Reactions: Parsh, Deleted member 2913 and askmark
Telos said:
If I understand correctly this involves parent/child relationship. The zip archive created for step 3 (in OP) would have done the same had WinRAR been used to open the zip. This is about excluding "safe" apps from the parent/child inheritance.

Excluding the *.rar extension is just treating the symptoms. Either uncheck the parent/child option or else create an exclusion feature for that option. I'm sure Dan will figure out an even better solution once he's had time to soak on it.
Click to expand...
Archives should never be considered as applications in case of whitelisting.
 
  • Like
Reactions: Andytay70, Deleted member 2913, codswollip and 2 others
SHvFl said:
It's not a bypass. It's known fact on how VS works and we talked about it a millions times. You have whitelist by parent on. Winrar is whitelisted, when you double click on the program within a rar it launches as child so it automatically gets whitelisted. It runs, the end.
Go in settings and change the mentioned setting if you don't want it to act like this.
Click to expand...

So as an example (and for clarification) one could be using a download manager like IDM and strike the same problem. It is not just archive software.
 
Last edited:
  • Like
Reactions: Deleted member 2913
Status
Not open for further replies.

You may also like...