App Review Those Nasty RATS Part 4

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Aout the Lic check- No, that had nothing to do with it. The dll was run prior to the reboot by run32dll.exe. I know some AG fans will put run32dll in the User space which would have stopped this from occurring. This is actually a very good idea as lately the CryptXXX ransomware will folow this means of transmission albeit on a more elaborate scale.

About the last part- Macros are an issue for AG. The home user can shut them off, but that's often not a viable option in the corporate space.
 
  • Like
Reactions: shmu26, Cats-4_Owners-2, Rishi and 5 others
Malicious macros can also be used to enable\disable Windows services - and not just digitally signed malware while running AppGuard in Protected mode.

There are a couple of simple things that can be done to hinder this:
  • Add sc.exe (command line utility to modify Windows Services) to User Space (AppGuard will block sc.exe launch during both Automatic Maintenance during system idle or manual Automatic Maintenance; sc.exe is used during system maintenance - so not recommended).
  • Add powershell.exe and powershell_ise.exe to User Space.
  • Disable macros in Microsoft Office, Kingsoft WPS and Softmaker Office.
  • Set UAC to maximum setting.
Windows Task Scheduler (at.exe) and scheduled tasks (schtask.exe) are both already in AppGuard User Space - so no need to add them.
 
  • Like
Reactions: Cats-4_Owners-2, Rishi, _CyberGhosT_ and 3 others
Nice video CS...

XhenEd said:
BRN should be made aware of this video.
Click to expand...
BRN should be informed ASAP before the end of Version 4.x.x..

Anyone have gone to BRN support?!

hjlbx said:
Malicious macros can also be used to enable\disable Windows services - and not just digitally signed malware while running AppGuard in Protected mode.

There are a couple of simple things that can be done to hinder this:
  • Add sc.exe (command line utility to modify Windows Services) to User Space (AppGuard will block sc.exe launch during both Automatic Maintenance during system idle or manual Automatic Maintenance; sc.exe is used during system maintenance - so not recommended).
  • Add powershell.exe and powershell_ise.exe to User Space.
  • Disable macros in Microsoft Office, Kingsoft WPS and Softmaker Office.
  • Set UAC to maximum setting.
Windows Task Scheduler (at.exe) and scheduled tasks (schtask.exe) are both already in AppGuard User Space - so no need to add them.
Click to expand...

Powershell and rundll32 is already included in guarded apps, will that work?!
 
  • Like
Reactions: Cats-4_Owners-2, Rishi, Der.Reisende and 2 others
Great Video (+ Music)...
have you any plans to test Voodooshield?...
...On a completely different note:
I have my systems remote settings set on "Do not allow",and in addition to this I have killed access to both "System Remote Settings" & "Windows Remote Assistance" through my Firewall....
Is this move pointless,helpful,or hurtful?
I know that you are not here to be bombarded with endless questions from those that possess less than 1% of your knowledge such as I, but if you do get an opportunity I would value any information you could give.
 
  • Like
Reactions: Cats-4_Owners-2 and XhenEd
Duotone said:
Nice video CS...


BRN should be informed ASAP before the end of Version 4.x.x..

Anyone have gone to BRN support?!



Powershell and rundll32 is already included in guarded apps, will that work?!
Click to expand...

Absolutely not. You don't need powershell and powershell_ise; they should both be added to User Space.

You can add rundll32.exe to User Space, but then it will be blocked during System Maintenance; I keep rundll32.exe as a Guarded App.

The key point to the entire story is - and something that has been stated over-and-over again by most of us AppGuard users - do not use Protected mode; Lock Down mode is the only mode that ensures physical system protection. As @cruelsister points out in her video, Microsoft Office, Kingsoft WPS, Softmaker Office, etc macros, can connect out and download files while in Lock Down mode. In that case you have the option to disable macros. However, if AppGuard Lock Down mode works as designed, then any file downloaded and executed by the macro will be blocked - even if digitally signed.

The pain with AppGuard for most people is learning to use it and properly configure it. A number of us have urged BRN to implement better usability -- but it looks like it just ain't gonna happen - at least anytime soon.
 
  • Like
Reactions: Maggot Brain, Cats-4_Owners-2 and XhenEd
From what I gather from the discussions in Wilders forum, the video exposed not a bug or bugs, but rather a design "flaw" of AppGuard, especially regarding the Protected mode and Trusted Publishers List.
 
  • Like
Reactions: Cats-4_Owners-2
XhenEd said:
From what I gather from the discussions in Wilders forum, the video exposed not a bug or bugs, but rather a design "flaw" of AppGuard, especially regarding the Protected mode and Trusted Publishers List.
Click to expand...

The problem is Protected mode will allow installation of files digitally signed by one of the vendors included in the Trusted Publishers list.

I don't know the exact details as to how it was accomplished, the un-signed *.dll was blocked but rundll32.exe (Guarded App) still managed to modify the Windows Remote Access services and the *.dll was loaded upon reboot. I don't know if the loading of the *.dll was tied to service start-up or something else.

A user that runs AppGuard in Protected mode assumes - at the very least - some small risk of persistent infection.

BRN incorporated Protected mode for those users that complain that their softs won't automatically update in Lock Down mode; they complain that they have to lower AppGuard from Lock Down to Install mode and then back again to Lock Down mode after update is complete. Rubenking from PCMag - for one - made a big hub-bub about it a few years ago...
 
Last edited by a moderator:
  • Like
Reactions: shmu26, Cats-4_Owners-2, tonibalas and 1 other person
h- Regarding the RAT, everything was done prior to the system reboot. The fact that the dll was detected was actually trivial, as on reboot the the dll would be loaded by the legitimate svchost. It's actually a typical higher quality RAT with the major difference being the certificate used.

If I may go off on a tangent, this sort of thing is considered a Clear and Present danger in certain quarters. The nightmare scenario being that an unfriendly government can co-opt (or even start) a popular security company. Then the RAT would have a pristine certificate and can connect at will to Command without anyone being the wiser ("It's only a definition update! What are you worried about?"). I'm actually glad I'm not in the field anymore- Ignorance is Bliss...
 
  • Like
Reactions: Cats-4_Owners-2, tonibalas and XhenEd
@cruelsister

If I seem annoyed it is because I am.

The first completely legitimate reason is that I'm old - old and decrepit. Live long enough... and it happens...annoyed and grumpy most of the time.

The other legitimate reasons:

1.

Your video clearly demonstrates what myself and others have been saying to BRN for a long time now - at least a few years - that Protected mode is vulnerable under certain conditions. The BRN higher-ups think Protected mode is all that is needed - and if it were not for us at Wilders - Lock Down mode would have been completely removed by now.

When it was made known that Lock Down was on the chopping block, there was absolute bedlam... a sloppy and disorganized user-revolt, but it saved the day -- fortunately.

2.

I have repeatedly told BRN that System Space processes can access malicious files of various types in User Space and the end result can be modification of System Space in unexpected\undesirable ways. The bottom line is this - if malware does manage to execute with AppGuard installed - it might, or it might not, protect the system. It depends upon which Windows processes are abused and what the malicious objectives are - and Windows processes added to the Guard list is not complete protection against system modification. Specific parts of the registry and file system are protected, but services are not - as far as what I have been led to believe; AppGuard does not protect against services tampering. So, until proven otherwise, I think your video is just confirmation of this fact; according to AppGuard policy, unsigned User Space *.dlls are not supposed to be loadable - even in Protected mode. Obviously, it just ain't so... and there have been repeated user concerns directed to BRN about the potential for System Space processes loading User Space files during system boot.

To top it off - if I recall correctly - a macro can be crafted that abuses InstallUtil.exe (NET Framework) to create a service.

The argument from BRN is that malware can only manage to execute under a specific set of conditions. Malc0der targets AppGuard Protected mode - and it is lights out. Quite a trivial Protected mode bypass - don't you think ?

3.

I don't know the reason(s) - but BRN is extremely slow at fixing things - even ones that, no doubt are, relatively speaking, easy fixes. If it were not for Barb, I don't think anything would get fixed.

4.

Getting BRN to make improvements - both in terms of security and usability - often seems - no, not seems - it most definitely is a futile enterprise. To get something as relatively simple as an export\import setting - so that the policy & settings xml can be shared with novice users and for user convenience - might as well forget it.

There's more to it, but that is the gist of it...

Don't be like me... stay out the formaldehyde... you'll have to forgive me - you know - I'm not so good with the social graces.

So thanks for your video.
 
Last edited by a moderator:
  • Like
Reactions: Cats-4_Owners-2, tonibalas and XhenEd
h- You're not in any way grumpy!!! you like the application and want them to strive to close up loopholes in protection; personally I would expect no less from you as you very, very obviously know what you are doing.

Regarding the Lockdown Mode, a few people had PM'd me back when they though of doing that and they were quite upset, understandably so. But even Lockdown has it's disadvantages if a previously Trusted program runs malware on its own, and there's really nothing that can be done about this, just like a high certificate app going rogue.

But my continuing concern with the Anti-exe class is that although a competent user knows what and what not to do, a rookie will tend to just use install mode to run a blocked application, a decision that may end in Tears. But even the experienced user may just run that Document or spreadsheet and have data stolen without a peep from AG (I'm still proud that I actually remembered to blur out my GreyHat server; it could potentially have sucked big time if i forgot!). So personally I would prefer to run something like Shadow defender then running AG in Lockdown continually. A lot less issues, you can see what you are installing and total protection is but a reboot away (although an Outbound Firewall would be needed, but that's a truism).

Anyway, you Social Graces seem fine to me and it means a great deal that you appreciated the video.

M
 
  • Like
Reactions: Handsome Recluse, Brahman, Cats-4_Owners-2 and 2 others
@cruelsister ..you are a class act...are you working for MOZAD or something like that. Well then, Anti-exe class has its own weakness with RAT. That really calls for a multi layered approach (aka an Enterprise class sandbox). I hope to see a test of voodooshield vs RAT at-least a brief one would suffice , if you are in the mood.
 
  • Like
Reactions: Andytay70 and XhenEd

You may also like...