Q&A VoodooShield and javascript files

TheMalwareMaster

Level 19
Verified
Joined
Jan 4, 2016
Messages
931
OS
Windows 10
Antivirus
Default-Deny
#1
Good morning, I thought of a situation with VoodooShield. We are running VoodooShield Free in AutoPilot mode. A user downloads a JavaScript file "malware.js". This file is really new; it has already been scanned with VirusTotal and has a detection rate of 0/61. Since VoodooAI is not available for JavaScript files, this file will be allowed to run (if this last sentence is false, please say so). This JavaScript file downloads "payload.exe". This executable has already been scanned with VirusTotal and has a detection rate of, let's say, 3/61 (it's possible, considering that not all antivirus companies add JavaScript files to signatures, but only the dropped file). I have some questions:
1. After malware.js has been allowed to run, it will download payload.exe. Will payload.exe be blocked, or will it be allowed, considering that malware.js has been allowed (does the parent process influence this situation)?
2. If we were in Always ON or Smart mode, would VoodooShield prompt us for malware.js?
 

brod56

Level 13
Joined
Feb 13, 2017
Messages
600
OS
Windows 10
Antivirus
Default-Deny
#2


1- You would be prompted even in AutoPilot mode (I tested it myself with an MT sample, with the VT scan disabled in VS settings).
If you select Allow and you are on default settings, I guess the ransomware would infect you because it would run under an allowed parent process. However, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.

2- In this specific case, I think there should be no difference between AutoPilot and Always On modes.

I'm not a specialist, please let me know if I'm wrong.
 

mekelek

Level 28
MH Trial
Verified
Joined
Feb 24, 2017
Messages
1,709
OS
Windows 10
Antivirus
Kaspersky
#3


1- You would be prompted even in AutoPilot mode (I tested it myself with an MT sample, with the VT scan disabled in VS settings).
If you select Allow and you are on default settings, I guess the ransomware would infect you because it would run under an allowed parent process. However, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.

2- In this specific case, I think there should be no difference between AutoPilot and Always On modes.

I'm not a specialist, please let me know if I'm wrong.
That's correct, but he can't disable the parent process option since he's using the Free version of VS.
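The allow/deny chain the two replies above describe, modelled as an added PowerShell example. This is not VoodooShield's code or its real decision logic: the event fields, the Get-Verdict function and the policy order (allowed image, else allowed parent when parent auto-allow is on, else block and prompt) are assumptions for illustration. VirusTotal hits are deliberately left out of the child's decision because the thread does not establish how they interact with parent auto-allow.

```powershell
# Added example, not VoodooShield's own logic. It models the point made above:
# once wscript.exe (the host running malware.js) is allowed, "parent process
# auto allow" lets its child payload.exe inherit that decision. Field names
# and the policy order are assumptions for illustration.

# Constructed process-creation events for the scenario in post #1.
$events = @(
    [pscustomobject]@{
        Image  = 'C:\Windows\System32\wscript.exe'
        Parent = 'C:\Windows\explorer.exe'
        Cmd    = 'wscript.exe "C:\Users\user\Downloads\malware.js"'
    }
    [pscustomobject]@{
        Image  = 'C:\Users\user\AppData\Local\Temp\payload.exe'
        Parent = 'C:\Windows\System32\wscript.exe'
        Cmd    = '"C:\Users\user\AppData\Local\Temp\payload.exe"'
    }
)

function Get-Verdict {
    param(
        [Parameter(Mandatory)] [pscustomobject] $Event,
        [Parameter(Mandatory)] [hashtable]      $Allowed,  # image path -> reason it was allowed
        [switch] $ParentAutoAllow                          # child inherits the parent's allow
    )
    if ($Allowed.ContainsKey($Event.Image)) {
        return "ALLOW (image allowed: $($Allowed[$Event.Image]))"
    }
    if ($ParentAutoAllow -and $Allowed.ContainsKey($Event.Parent)) {
        return "ALLOW (parent auto-allow via $(Split-Path $Event.Parent -Leaf))"
    }
    return 'BLOCK (unknown image, user would be prompted)'
}

# The user answered the prompt for malware.js with Allow. The process that
# actually executes the script is wscript.exe, so that is what ends up allowed.
$allowed = @{ 'C:\Windows\System32\wscript.exe' = 'user allowed malware.js' }

# Evaluate every event under both policies side by side.
$events | ForEach-Object {
    [pscustomobject]@{
        Image           = Split-Path $_.Image -Leaf
        Parent          = Split-Path $_.Parent -Leaf
        DefaultSettings = Get-Verdict -Event $_ -Allowed $allowed -ParentAutoAllow
        AutoAllowOff    = Get-Verdict -Event $_ -Allowed $allowed
    }
} | Format-Table -AutoSize
```

Under this model the script host row is allowed in both columns, while payload.exe is allowed only in the DefaultSettings column (it is a child of an allowed wscript.exe) and blocked in the AutoAllowOff column, which is exactly the difference between the two settings brod56 describes. The practical takeaway for any default-deny tool, not just VS: allowing a script interpreter is effectively allowing whatever that interpreter goes on to launch unless the tool evaluates each child on its own.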
 

brod56

Level 13
Joined
Feb 13, 2017
Messages
600
OS
Windows 10
Antivirus
Default-Deny
#4
That's correct, but he can't disable the parent process option since he's using the Free version of VS.
Correct.
Also, in VS Free no prompt is shown; only a 20-second countdown balloon appears to inform you that the process is being blocked. If no option is shown, I'm sure no one would click that and choose Allow for an unknown file :)
 

TheMalwareMaster

Level 19
Verified
Joined
Jan 4, 2016
Messages
931
OS
Windows 10
Antivirus
Default-Deny
#5
I noticed you disabled the blacklist scan. What about with the blacklist scan enabled, and a detection of 0/61 (as I said)? Considering that for the blacklist scan the JavaScript file is clean, it should run, right?
 
Likes: Sunshine-boy

brod56

Level 13
Joined
Feb 13, 2017
Messages
600
OS
Windows 10
Antivirus
Default-Deny
#7
I noticed you disabled the blacklist scan. What about with the blacklist scan enabled, and a detection of 0/61 (as I said)? Considering that for the blacklist scan the JavaScript file is clean, it should run, right?
No way to be sure without a sample to test.
But in theory it should still be blocked because there would be no digital signature for the file.
 

mekelek

Level 28
MH Trial
Verified
Joined
Feb 24, 2017
Messages
1,709
OS
Windows 10
Antivirus
Kaspersky
#9
I noticed you disabled the blacklist scan. What about with the blacklist scan enabled, and a detection of 0/61 (as I said)? Considering that for the blacklist scan the JavaScript file is clean, it should run, right?
I'm not sure, but the blacklist scan is based on the VT result, and maybe it ignores the VS AI results?
 

Sunshine-boy

Level 26
Verified
Joined
Apr 1, 2017
Messages
1,555
OS
Windows 10
Antivirus
ESET
#12
When you can't change the setting for more protection, it's useless.
As you said, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.
With the free version you are infected...
Comodo can do the same thing for free :D
 

brod56

Level 13
Joined
Feb 13, 2017
Messages
600
OS
Windows 10
Antivirus
Default-Deny
#13
When you can't change the setting for more protection, it's useless.
As you said, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.
With the free version you are infected...
Comodo can do the same thing for free :D
When you can have an automatic VT scan for free (not mentioning other advantages), you consider the program useless?
 
Likes: askmark

Sunshine-boy

Level 26
Verified
Joined
Apr 1, 2017
Messages
1,555
OS
Windows 10
Antivirus
ESET
#14
You are right, my friend, but I don't need to scan everything with VT :/ Why? Because I'm already using Comodo :D
And if I want... I can do it with vtuploader.
 

mekelek

Level 28
MH Trial
Verified
Joined
Feb 24, 2017
Messages
1,709
OS
Windows 10
Antivirus
Kaspersky
#15
You are right, my friend, but I don't need to scan everything with VT :/ Why? Because I'm already using Comodo :D
And if I want... I can do it with vtuploader.
You're missing the whole point of VS just so you can tell everyone you're using Comodo...

That relies heavily on signed exes and cloud whitelisting, while you have to change the default configuration massively to make it work somewhat acceptably.
 

brod56

Level 13
Joined
Feb 13, 2017
Messages
600
OS
Windows 10
Antivirus
Default-Deny
#17
You are right, my friend, but I don't need to scan everything with VT :/ Why? Because I'm already using Comodo :D
And if I want... I can do it with vtuploader.
Comodo is a great product, but that doesn't mean VS is useless. Please inform yourself.
 
Likes: askmark

Sunshine-boy

Level 26
Verified
Joined
Apr 1, 2017
Messages
1,555
OS
Windows 10
Antivirus
ESET
#18
I'm not a Comodo fan... I hate it, but I have to use it...
I didn't say VS is useless because Comodo is good!
I said VS (free) is bad! I didn't say VS is totally useless.
The free version is useless when you are infected!
 

SHvFl

Level 33
Content Creator
Verified
Joined
Nov 19, 2014
Messages
2,264
OS
Windows 10
Antivirus
Emsisoft
#19
No way to be sure without a sample to test.
But in theory it should still be blocked because there would be no digital signature for the file.
A digital signature doesn't do anything for VS except improve the VAI score, which in this case will not exist because .js files are not scanned. Anyway, all scripts that are not whitelisted should get an alert. At least this is what the developer is saying, but I can't confirm it as I don't use the product.
VoodooShield ?
 

Evjl's Rain

Level 38
Content Creator
AV-Tester
Verified
Joined
Apr 18, 2016
Messages
2,715
OS
Windows 8.1
Antivirus
Avast
#20
I noticed you disabled the blacklist scan. What about with the blacklist scan enabled, and a detection of 0/61 (as I said)? Considering that for the blacklist scan the JavaScript file is clean, it should run, right?
You should never ever execute a .js file unless you created it. I have found no use for a .js file, as I have never had anything to do with them. If you use Zemana, .js or .vbs files will be blocked automatically regardless of what is inside.

Your sentence about AutoPilot is not true. A file is allowed to run only if it has 0 or 1/62 and AI = safe. In this case, AI doesn't produce a score, so by default VS will prompt you to allow it manually. Even when you disable the blacklist scanner, it will still prompt just because there is no AI score. You must allow it to run in order for it to infect and download the payloads. I don't know if the payloads would be blocked or not, because I have never progressed to this stage. Perhaps the payloads would be blocked, considering wscript is a vulnerable process. I need to ask the dev.

So when we use VS Free, you should disable Windows Script Host via the registry to avoid this situation. Just revert the WSH change when you really need to run something, for example a .vbs file, then block WSH again.
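The registry toggle suggested in the post above, written out as an added PowerShell example (not code from the thread or from the VoodooShield project). It uses the documented Windows Script Host setting HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, value Enabled (DWORD); writing to HKLM needs an elevated PowerShell, and the same value under HKCU:\ applies to the current user only. The function names and the probe script are mine.

```powershell
# Added example, not from the thread or from VoodooShield: block and unblock
# Windows Script Host (wscript.exe / cscript.exe) through the registry.
# Run elevated for the HKLM key. Use 'HKCU:\...' instead for a per-user setting.

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns 'Disabled' only when Enabled exists and is 0; a missing value means the default (enabled).
    $v = Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Disable-Wsh {
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    New-ItemProperty -Path $WshKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    Get-WshState
}

function Enable-Wsh {
    # Remove the value rather than setting it to 1, so the machine is back to its default state.
    Remove-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue
    Get-WshState
}

function Test-WshRuns {
    # Verify the setting actually bites: run a harmless one-line VBScript (constructed here)
    # through cscript and return $true only if it executed. When WSH is disabled, cscript
    # prints an "access is disabled" message instead of the echo.
    $vbs = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -Path $vbs -Value 'WScript.Echo "WSH-OK"'
    $out = & cscript.exe //Nologo $vbs 2>&1 | Out-String
    Remove-Item $vbs -ErrorAction SilentlyContinue
    return ($out -match 'WSH-OK')
}

# Workflow from the post: keep WSH off, open it only for a known-good script, close it again.
Disable-Wsh
"Script host runs: $(Test-WshRuns)"     # expected $false while disabled

# ... later, when a trusted .vbs really has to run:
Enable-Wsh
# cscript.exe //Nologo C:\path\to\trusted.vbs
Disable-Wsh
```

Two caveats a practitioner should keep in mind. First, this value only governs wscript.exe and cscript.exe; PowerShell, mshta.exe and other interpreters are unaffected, so it closes the .js/.vbs double-click path from the scenario and nothing more. Second, the check in Test-WshRuns is the part worth keeping: a registry write that silently failed (no elevation, wrong hive) leaves the host exactly as exposed as before, so confirm the state with a real script run rather than trusting the write.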