Q&A VoodooShield and javascript files

Discussion in 'VoodooShield' started by TheMalwareMaster, May 6, 2017.

  1. TheMalwareMaster

    Thank you. I am not taking my case, but the one of a click-happy beginner who executes everything.
     
  2. Andy Ful

    VoodooShield has script heuristics that should catch a malware *.js script when run from the disk. There was a bug related to *.wsf scripts, but it is now corrected in the latest VoodooShield version.

    See the posts #6, #39 in the thread:
    How-to Guide - How do you secure PowerShell?
    and also:
    VoodooShield ?

    After some mailing between me and the VoodooShield developer, the bug related to *.wsf files was fixed:
    "... It was not an issue with the design, it has something to do with the way VS extracts the command lines for .wsf files... it will be an easy fix and it will be included in the next release"
     
  3. brod56

    That's the whole point of VS. If it is not whitelisted, VS will block it.
    Glad to know the same concept applies to .js files.
     
  4. brod56

    I'm not sure, but imagine a case of a script with:
    - 0/61 detections on VT
    - Fake digital signature

    Would VS still block it in auto pilot?
     
  5. Andy Ful

    I do not think so. Signed scripts can do things that malware scripts can also do (deleting files, folders, etc.). It would be very hard to differentiate between them by heuristics only. But anyone can confirm this by asking at the VoodooShield support page.
     
  6. SHvFl

    If you go by what the developer has said then yes.
     
  7. shmu26

    1. It is uncommon for malware to have a digital sig.
    2. I have never seen VoodooShield allow a file without a sig.
    3. Even if you are on the free version, or the paid version at default settings, keep in mind that parent/child permissions are disabled for the sensitive locations where malware might be downloaded, as well as for the system files that malware might want to abuse. This feature is hard-coded.
     
  8. BugCode

    Yep, and I suggest using it in smart mode; actually, I have always used smart mode in the past, not counting testing. Now the official VS site has been updated from VS version 3.53 to 3.59, with several fixes done. Dev Dan is the man on the mission!
     
  9. shmu26

    To answer the OP's question:
    A script file doesn't get analysed by AI, so it will never collect enough security points to become automatically allowed, even if it has a sig.
    That is my understanding of the system.
     