Q&A: VoodooShield and JavaScript files

TheMalwareMaster (Level 19, Verified; joined Jan 4, 2016; 931 messages; OS: Windows 10; Antivirus: Default-Deny)
#21
You should never ever execute a .js file unless you created it. I have found no use for .js files, as I have never had anything to do with them. If you use Zemana, .js or .vbs files will be blocked automatically regardless of what is inside.

Your sentence about autopilot is not true. A file is allowed to run only if it has 0 or 1/62 + Ai = safe. In this case, Ai doesn't produce a score, so by default VS will prompt you to allow it manually. Even when you disable the blacklist scanner, it will still prompt just because there is no Ai score. You must allow it to run in order for it to infect and download the payloads. I don't know if the payloads would be blocked or not, because I have never progressed to this stage. Perhaps the payloads would be blocked, considering wscript is a vulnerable process. I need to ask the dev.

So when you use VS free, you should disable Windows Script Host via the registry to avoid this situation. Just revert the WSH change when you really need to run something, for example a .vbs file, then block WSH again.
Thank you. I am not taking my case, but that of a click-happy beginner who executes everything.
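The WSH toggle described in the post above, as an added example (not code from the thread or from VoodooShield). It assumes the documented registry value `Enabled` under the machine-wide `Windows Script Host\Settings` key and an elevated PowerShell prompt; the script path at the end is a hypothetical placeholder.

```powershell
# Added example: block/unblock Windows Script Host (WSH) via the registry.
# WSH reads a REG_DWORD named "Enabled" under
#   HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings   (machine-wide)
# and the matching HKCU key (per user). A value of 0 makes wscript.exe and
# cscript.exe refuse .js/.vbs/.wsf files with the message
# "Windows Script Host access is disabled on this machine."
# Writing to HKLM requires an elevated (Administrator) prompt.

$WshSettingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # Returns 'Enabled' or 'Disabled' from the machine-wide value.
    # A missing value means WSH is enabled, which is the Windows default.
    $prop = Get-ItemProperty -Path $WshSettingsKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Set-WshState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    if (-not (Test-Path $WshSettingsKey)) {
        New-Item -Path $WshSettingsKey -Force | Out-Null
    }
    $dword = if ($State -eq 'Enabled') { 1 } else { 0 }
    Set-ItemProperty -Path $WshSettingsKey -Name 'Enabled' -Value $dword -Type DWord
    Write-Host "Windows Script Host is now $(Get-WshState)."
}

# Workflow from the post: keep WSH blocked, unblock only for a script you
# created yourself, then block it again.
Set-WshState -State Disabled
# When a trusted .vbs must run:
# Set-WshState -State Enabled
# & cscript.exe //nologo 'C:\path\to\your\script.vbs'   # hypothetical path
# Set-WshState -State Disabled
```

Note that the block applies to every WSH script on the machine, including any logon or management scripts an organisation relies on, so check for those before leaving it disabled.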
 

Andy Ful (Level 30, Content Creator, Verified; joined Dec 23, 2014; 1,970 messages; OS: Windows 10; Antivirus: Microsoft)
#22
VoodooShield has script heuristics that should catch a malware *.js script when run from the disk. There was a bug related to *.wsf scripts, but it is now corrected in the latest VoodooShield version.

See posts #6 and #39 in the thread:
How-to Guide - How do you secure PowerShell?
and also:
VoodooShield ?

After some mailing between me and the VoodooShield developer, the bug related to *.wsf files was fixed:
"... It was not an issue with the design, it has something to do with the way VS extracts the command lines for .wsf files... it will be an easy fix and it will be included in the next release"
 

brod56 (Level 13; joined Feb 13, 2017; 601 messages; OS: Windows 10; Antivirus: Default-Deny)
#23
A file is allowed to run only if it has 0 or 1/62 + Ai = safe. In this case, Ai doesn't produce a score, so by default VS will prompt you to allow it manually. Even when you disable the blacklist scanner, it will still prompt just because there is no Ai score.
That's the whole point of VS. If it is not whitelisted, VS will block it.
Glad to know the same concept applies to .js files.
 

brod56 (Level 13; joined Feb 13, 2017; 601 messages; OS: Windows 10; Antivirus: Default-Deny)
#24
A digital signature doesn't do anything for VS except improve the VAi score, which in this case will not exist because .js files are not scanned. Anyway, all scripts not whitelisted should get an alert. At least this is what the developer is saying, but I can't confirm it as I don't use the product.
VoodooShield ?
I'm not sure, but imagine the case of a script with:
- 0/61 detections on VT
- Fake digital signature

Would VS still block it in auto pilot?
 

Andy Ful (Level 30, Content Creator, Verified; joined Dec 23, 2014; 1,970 messages; OS: Windows 10; Antivirus: Microsoft)
#25
I do not think so. Signed scripts can do things that malware scripts can also do (deleting files, folders, etc.). It would be very hard to differentiate between them by heuristics only. But anyone can confirm this by asking on the VoodooShield support page.
 

shmu26 (Level 67, Content Creator, Verified; joined Jul 3, 2015; 5,655 messages; OS: Windows 10)
#27
1. It is uncommon for malware to have a digital sig.
2. I have never seen VoodooShield allow a file without a sig.
3. Even if you are on the free version, or the paid version at default settings, keep in mind that parent/child permissions are disabled for the sensitive locations where malware might be downloaded, as well as for the system files that malware might want to abuse. This feature is hard-coded.
 

shmu26 (Level 67, Content Creator, Verified; joined Jul 3, 2015; 5,655 messages; OS: Windows 10)
#29
To answer the OP's question:
A script file doesn't get analysed by Ai, so it will never collect enough security points to become automatically allowed, even if it has a sig.
That is my understanding of the system.