Q&A VoodooShield and javascript files

Discussion in 'VoodooShield' started by TheMalwareMaster, May 6, 2017.

  1. TheMalwareMaster

    TheMalwareMaster Level 19
    Trusted

    Jan 4, 2016
    931
    5,464
    Europe
    Windows 10
    Default-Deny
    Good morning, I thought of a situation with VoodooShield. We are running VoodooShield free in AutoPilot mode. A user downloads a JavaScript file "malware.js". This file is really new; it has already been scanned with VirusTotal and has a detection rate of 0/61. Since VoodooAI is not available for JavaScript files, this file will be allowed to run (if this last sentence is false, please say so). This JavaScript file downloads "payload.exe". This executable has already been scanned with VirusTotal and has a detection rate of, let's say, 3/61 (it's possible, considering that not all antivirus companies add JavaScript files to signatures, but only the dropped file). I have some questions:
    1. After malware.js is able to run, it will download payload.exe. Will payload.exe be blocked, or will it be allowed, considering that malware.js has been allowed (does the parent process influence this situation)?
    2. If we were in Always ON or Smart mode, would VoodooShield prompt us for malware.js?
     
  2. brod56

    brod56 Level 11

    Feb 13, 2017
    543
    1,517
    Student
    Portugal
    Windows 10
    Default-Deny

    1- You would be prompted even in AutoPilot mode (tested myself with an MT sample, having the VT scan disabled in VS settings).
    If you select allow and you are on default settings, I guess the ransomware would infect you because it would run under a parent process. However, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.

    2- In this specific case, I think there should be no differences between AutoPilot and Always On modes.

    I'm not a specialist, please let me know if I'm wrong.
     
  3. mekelek

    mekelek Level 21

    Feb 24, 2017
    1,012
    4,410
    Hungary
    Windows 10
    Kaspersky
    That's correct, but he can't disable the parent process option since he's using the free version of VS.
     
  4. brod56

    brod56 Level 11

    Feb 13, 2017
    543
    1,517
    Student
    Portugal
    Windows 10
    Default-Deny
    Correct.
    Also, in VS free no prompt is shown; only a 20-second countdown balloon appears to inform you that the process is being blocked. If no option is shown, I'm sure no one would click that and choose allow for an unknown file :)
     
  5. TheMalwareMaster

    TheMalwareMaster Level 19
    Trusted

    Jan 4, 2016
    931
    5,464
    Europe
    Windows 10
    Default-Deny
    I noticed you disabled the blacklist scan. What about with the blacklist scan enabled, and a detection of 0/61 (as I said)? Considering that for the blacklist scan the JavaScript file is clean, it should run, right?
     
    Sunshine-boy likes this.
  6. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,169
    5,186
    IRAN
    Windows 10
    ESET
    VS free is useless.
     
  7. brod56

    brod56 Level 11

    Feb 13, 2017
    543
    1,517
    Student
    Portugal
    Windows 10
    Default-Deny
    No way to be sure with no sample to test.
    But in theory it should still be blocked because there would be no digital signature for the file.
     
  8. brod56

    brod56 Level 11

    Feb 13, 2017
    543
    1,517
    Student
    Portugal
    Windows 10
    Default-Deny
    You are absolutely wrong.
     
    askmark and TheMalwareMaster like this.
  9. mekelek

    mekelek Level 21

    Feb 24, 2017
    1,012
    4,410
    Hungary
    Windows 10
    Kaspersky
    I'm not sure, but the blacklist scan is based on the VT result, and maybe it ignores the VS AI results?
     
    TheMalwareMaster likes this.
  10. TheMalwareMaster

    TheMalwareMaster Level 19
    Trusted

    Jan 4, 2016
    931
    5,464
    Europe
    Windows 10
    Default-Deny
    VoodooAI is never ignored, but, in this case, artificial intelligence is not available for JavaScript files.
     
    harlan4096 and Sunshine-boy like this.
  11. brod56

    brod56 Level 11

    Feb 13, 2017
    543
    1,517
    Student
    Portugal
    Windows 10
    Default-Deny
    VoodooAI and the VT scan are independent and run at the same time.
    Our doubt is: would a 0/61 scan force VS in AutoPilot to allow a file that is unknown to the AI?
     
  12. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,169
    5,186
    IRAN
    Windows 10
    ESET
    When you can't change the settings for more protection, it's useless.
    As you said, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.
    With the free version you are infected...
    Comodo can do the same thing for free :D
     
  13. brod56

    brod56 Level 11

    Feb 13, 2017
    543
    1,517
    Student
    Portugal
    Windows 10
    Default-Deny
    When you can have an automatic VT scan for free (not mentioning other advantages), you consider the program useless?
     
    askmark likes this.
  14. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,169
    5,186
    IRAN
    Windows 10
    ESET
    You are right, my friend, but I don't need to scan everything with VT :/ Why? Because I'm already using Comodo :D
    And if I want... I can do it with VTUploader.
     
    TerrakionSmash likes this.
  15. mekelek

    mekelek Level 21

    Feb 24, 2017
    1,012
    4,410
    Hungary
    Windows 10
    Kaspersky
    You're missing the whole point of VS just so you can tell everyone you're using Comodo...

    which relies heavily on signed EXEs and cloud whitelisting while requiring massive changes to the default configuration to make it work somewhat acceptably.
     
  16. TheMalwareMaster

    TheMalwareMaster Level 19
    Trusted

    Jan 4, 2016
    931
    5,464
    Europe
    Windows 10
    Default-Deny
    Please don't hijack this thread. I have to say that I find VoodooShield free one of the best solutions for beginners, because it needs no tweaking to work well and it's automated in AutoPilot. Please don't argue here about the product, and keep discussing the JavaScript topic.
     
  17. brod56

    brod56 Level 11

    Feb 13, 2017
    543
    1,517
    Student
    Portugal
    Windows 10
    Default-Deny
    Comodo is a great product, but that doesn't mean VS is useless. Please inform yourself.
     
    askmark likes this.
  18. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,169
    5,186
    IRAN
    Windows 10
    ESET
    I'm not a Comodo fan... I hate it, but I have to use it...
    I didn't say VS is useless because Comodo is good!
    I said VS (free) is bad! I didn't say VS is totally useless.
    The free version is useless when you are infected!
     
  19. SHvFl

    SHvFl Level 32
    Content Creator Trusted

    Nov 19, 2014
    2,153
    16,392
    Supermodel for McDonald's
    Europe
    Windows 10
    Emsisoft
    A digital signature doesn't do anything for VS except improve the VAI score, which in this case will not exist because .js files are not scanned. Anyway, all scripts that are not whitelisted should get an alert. At least this is what the developer is saying, but I can't confirm it as I don't use the product.
    VoodooShield ?
     
    shmu26, Parsh, askmark and 3 others like this.
  20. Evjl's Rain

    Evjl's Rain Level 28
    Trusted AV Tester

    Apr 18, 2016
    1,798
    13,154
    Vietnam
    Windows 8.1
    Avast
    You should never ever execute a .js file unless you created it. I have found no use for a .js file, as I have never had anything to do with them. If you use Zemana, .js or .vbs files will be blocked automatically regardless of what is inside.

    Your sentence about AutoPilot is not true. A file is allowed to run only if it has 0 or 1/62 + AI = safe. In this case, the AI doesn't produce a score, so by default VS will prompt you to allow it manually. Even when you disable the blacklist scanner, it will still prompt just because there is no AI score. You must allow it to run in order for it to infect and download the payloads. I don't know if the payloads would be blocked or not, because I have never progressed to this stage. Perhaps the payloads would be blocked, considering wscript is a vulnerable process. I need to ask the dev.

    So when you use VS free, you should disable Windows Script Host via the registry to avoid this situation. Just revert the WSH change when you really need to run something, for example a .vbs file, then block WSH again.
     
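The WSH registry toggle suggested in the post above, as an added example that is not part of the original thread and not VoodooShield's own code. It uses the documented `Enabled` value under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings`; the function names and the probe script are this example's own. Writing to HKLM needs an elevated PowerShell prompt, and the setting governs wscript.exe and cscript.exe only, so it does not help against script run through some other host.

```powershell
# Added example: disable / re-enable Windows Script Host via the documented registry value.
# Not VoodooShield code. Function names are this example's own. Run elevated for HKLM.
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshStatus {
    # 'Disabled' only when the Enabled value exists and is 0. The value is absent by
    # default, and WSH treats "absent" as enabled, so that case reports 'Enabled'.
    $v = Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.Enabled -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Disable-Wsh {
    # Create the key if it does not exist yet, then write Enabled = 0 (REG_DWORD).
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    New-ItemProperty -Path $WshKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-Wsh {
    # Remove the value instead of writing 1, so the machine returns exactly to its default state.
    Remove-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue
}

# Usage: block WSH, then confirm with a harmless probe script (constructed here, not malware).
Disable-Wsh
Get-WshStatus                                   # Disabled

$probe = Join-Path $env:TEMP 'wsh_probe.js'
'WScript.Echo("WSH is reachable");' | Set-Content -Path $probe -Encoding ASCII
# With WSH disabled, cscript refuses to run the file and prints
# "Windows Script Host access is disabled on this machine." instead of the echo line.
& cscript.exe //Nologo $probe
Remove-Item $probe

# Enable-Wsh   # uncomment when you genuinely need to run a script, then run Disable-Wsh again
```

The same `Settings` path also exists under HKCU for a per-user setting; the HKLM value applies to every account on the machine, which is what you want when the goal is to keep a downloaded .js from ever reaching wscript.exe in the first place.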