Advice Request VoodooShield and javascript files


TheMalwareMaster

You should never ever execute a .js file unless you created it. I have found no use for a .js file, as I have never had anything to do with them. If you use Zemana, .js or .vbs files will be blocked automatically, regardless of what is inside.

Your sentence about autopilot is not true. A file is allowed to run only if it has 0 or 1/62 + Ai = safe. In this case, Ai doesn't produce a score, so by default VS will prompt you to allow it manually. Even when you disable the blacklist scanner, it will still prompt, just because there is no Ai score. You must allow it to run in order for it to infect and download the payloads. I don't know if the payloads would be blocked or not, because I have never progressed to this stage. Perhaps the payloads would be blocked, considering wscript is a vulnerable process. I need to ask the dev.

So when you use VS Free, you should disable Windows Script Host via the registry to avoid this situation. Just revert the WSH change when you really need to run something, for example a .vbs file, then block WSH again.
Thank you. I am not talking about my own case, but that of a click-happy beginner who executes everything.
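The registry change described in the post above, as an added example (not code from the thread, from VoodooShield, or from any of the posters): a small PowerShell script that disables Windows Script Host by writing the documented `Enabled` DWORD under the WSH `Settings` key, reports the current state, and re-enables it for the occasional legitimate .vbs run. It assumes an elevated PowerShell session for the machine-wide (HKLM) scope; the function names are my own.

```powershell
# Added example, not from the thread. Disables/enables Windows Script Host
# (wscript.exe / cscript.exe) through the documented WSH settings key:
#   HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings   (machine-wide)
#   HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings   (current user)
#   Enabled (REG_DWORD): 0 = disabled; 1 or value absent = enabled
# Assumption: run from an elevated prompt when touching the HKLM scope.

$WshKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Report whether WSH is enabled in each scope, so the change can be verified.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$WshKey"
        $value = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state = if ($value -eq 0) { 'Disabled' } else { 'Enabled' }
        [pscustomobject]@{ Scope = $hive; EnabledValue = $value; State = $state }
    }
}

function Disable-Wsh {
    # Block .js/.vbs/.wsf execution by the script host in the chosen scope.
    param([ValidateSet('HKLM', 'HKCU')][string]$Scope = 'HKLM')
    $path = "${Scope}:\$WshKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-Wsh {
    # Restore the default: removing the value is equivalent to Enabled = 1.
    param([ValidateSet('HKLM', 'HKCU')][string]$Scope = 'HKLM')
    $path = "${Scope}:\$WshKey"
    Remove-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue
}

# Usage matching the post's workflow:
#   Disable-Wsh                          # keep WSH off day to day
#   Get-WshState                         # confirm both scopes
#   Enable-Wsh; cscript .\legit.vbs; Disable-Wsh   # temporary re-enable, then block again
```

With `Enabled` set to 0, double-clicking a .js or .vbs file produces the "Windows Script Host access is disabled on this machine" dialog instead of running the script. Check both scopes with `Get-WshState`, since a per-user value can exist alongside the machine-wide one.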
 

Andy Ful

From Hard_Configurator Tools
VoodooShield has script heuristics that should catch a malware *.js script when run from the disk. There was a bug related to *.wsf scripts, but it is now corrected in the latest VoodooShield version.

See the posts #6, #39 in the thread:
How-to Guide - How do you secure PowerShell?
and also:
VoodooShield ?

After some mailing between me and VoodooShield developer, the bug related to *.wsf files was fixed:
"... It was not an issue with the design, it has something to do with the way VS extracts the command lines for .wsf files... it will be an easy fix and it will be included in the next release"
 

brod56

A file is allowed to run only if it has 0 or 1/62 + Ai = safe. In this case, Ai doesn't produce a score so by default, VS will prompt you to allow it manually. Even when you disable the blacklist scanner, it will also prompt just because there is no Ai score.

That's the whole point of VS. If it is not whitelisted, VS will block it.
Glad to know the same concept applies to .js files.
 

brod56

A digital signature doesn't do anything for VS except improve the VAi score, which in this case will not exist because .js files are not scanned. Anyway, all scripts not whitelisted should get an alert. At least this is what the developer is saying, but I can't confirm, as I don't use the product.
VoodooShield ?

I'm not sure, but imagine a case of a script with:
- 0/61 detections on VT
- Fake digital signature

Would VS still block it in auto pilot?
 

Andy Ful

From Hard_Configurator Tools
I do not think so. Signed scripts can do things that malware scripts can also do (deleting files, folders, etc.). It would be very hard to differentiate between them by heuristics only. But anyone can confirm this by asking on the VoodooShield support page.
 

shmu26

1. It is uncommon for malware to have a digital signature.
2. I have never seen VoodooShield allow a file without a signature.
3. Even if you are on the free version, or the paid version at default settings, keep in mind that parent/child permissions are disabled for the sensitive locations where malware might be downloaded, as well as for the system files that malware might want to abuse. This feature is hard-coded.
 

shmu26

To answer the OP's question:
A script file doesn't get analysed by Ai, so it will never collect enough security points to become automatically allowed, even if it has a signature.
That is my understanding of the system.
 