Advice Request: VoodooShield and javascript files

Status
Not open for further replies.

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Good morning, I thought of a situation with VoodooShield. We are running VoodooShield Free in AutoPilot mode. A user downloads a javascript file "malware.js". This file is really new; it has already been scanned with VirusTotal and has a detection rate of 0/61. Since VoodooAI is not available for javascript files, this file will be allowed to run (if this last sentence is false, please say so). This javascript file downloads "payload.exe". This executable has already been scanned with VirusTotal and has a detection rate of, let's say, 3/61 (it's possible, considering that not all antivirus companies add javascript files to signatures, but only the dropped file). I have some questions:
1. After malware.js is able to run, it will download payload.exe. Will payload.exe be blocked, or will it be allowed, considering that malware.js has been allowed (does the parent process influence this situation)?
2. If we were in Always ON or Smart mode, would VoodooShield prompt us for malware.js?
 

brod56

Level 15
Verified
Top Poster
Well-known
Feb 13, 2017
737
[screenshot: vs report.png]


1- You would be prompted even in AutoPilot mode (tested myself with an MT sample, having the VT scan disabled in VS settings).
If you select allow and you are on default settings, I guess the ransomware would infect you because it would run in a parent process. However, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.

2- In this specific case, I think there should be no differences between AutoPilot and Always On modes.

I'm not a specialist, please let me know if I'm wrong.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
> [screenshot: vs report.png]
>
> 1- You would be prompted even in AutoPilot mode (tested myself with an MT sample, having the VT scan disabled in VS settings).
> If you select allow and you are on default settings, I guess the ransomware would infect you because it would run in a parent process. However, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.
>
> 2- In this specific case, I think there should be no differences between AutoPilot and Always On modes.
>
> I'm not a specialist, please let me know if I'm wrong.

That's correct, but he can't disable the parent process option since he's using the Free version of VS.
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
I noticed you disabled the blacklist scan. What about with the blacklist scan enabled and a detection of 0/61 (as I said)? Considering that for the blacklist scan the javascript file is clean, it should run, right?
 

brod56

Level 15
Verified
Top Poster
Well-known
Feb 13, 2017
737
> I noticed you disabled the blacklist scan. What about with the blacklist scan enabled and a detection of 0/61 (as I said)? Considering that for the blacklist scan the javascript file is clean, it should run, right?

No way to be sure with no sample to test.
But in theory it should still be blocked because there would be no digital signature for the file.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
> I noticed you disabled the blacklist scan. What about with the blacklist scan enabled and a detection of 0/61 (as I said)? Considering that for the blacklist scan the javascript file is clean, it should run, right?

I'm not sure, but the blacklist scan is based on the VT result, and maybe it ignores the VS AI results?
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,759
When you can't change the setting for more protection, it's useless.
As you said, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.
With the free version you are infected...
Comodo can do the same thing for free :D
 

brod56

Level 15
Verified
Top Poster
Well-known
Feb 13, 2017
737
> When you can't change the setting for more protection, it's useless.
> As you said, if parent process auto-allow is disabled in VS settings, I'm pretty sure it would be blocked.
> With the free version you are infected...
> Comodo can do the same thing for free :D

When you can have an automatic VT scan for free (not to mention other advantages), you consider the program useless?
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,759
You are right, my friend, but I don't need to scan everything with VT :/ Why? Because I'm already using Comodo :D
And if I want... I can do it with VT Uploader.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
> You are right, my friend, but I don't need to scan everything with VT :/ Why? Because I'm already using Comodo :D
> And if I want... I can do it with VT Uploader.

You're missing the whole point of VS just so you can tell everyone you're using Comodo..

That is heavily relying on signed exes and cloud whitelisting, while having to change the default configuration massively to make it work somewhat acceptably.
 

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Please don't hijack this thread. I have to say that I find VoodooShield Free one of the best solutions for beginners, because it needs no tweaking to work well and it's automated in AutoPilot. Please don't argue here about the product, and keep discussing the javascript topic.
 

brod56

Level 15
Verified
Top Poster
Well-known
Feb 13, 2017
737
> You are right, my friend, but I don't need to scan everything with VT :/ Why? Because I'm already using Comodo :D
> And if I want... I can do it with VT Uploader.

Comodo is a great product, but that doesn't mean VS is useless. Please inform yourself.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,759
I'm not a Comodo fan.. I hate it, but I have to use it...
I didn't say VS is useless because Comodo is good!
I said VS (Free) is bad! I didn't say VS is totally useless.
The free version is useless when you are infected!
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
> No way to be sure with no sample to test.
> But in theory it should still be blocked because there would be no digital signature for the file.

A digital signature doesn't do anything for VS except improve the VAI score, which in this case will not have one because .js files are not scanned. Anyway, all scripts not whitelisted should get an alert. At least this is what the developer is saying, but I can't confirm as I don't use the product.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
> I noticed you disabled the blacklist scan. What about with the blacklist scan enabled and a detection of 0/61 (as I said)? Considering that for the blacklist scan the javascript file is clean, it should run, right?

You should never ever execute a .js file unless you created it. I have found no use for a .js, as I have never had anything to do with it. If you use Zemana, .js or .vbs will be blocked automatically regardless of what is inside.

Your sentence about AutoPilot is not true. A file is allowed to run only if it has 0 or 1/62 + AI = safe. In this case, AI doesn't produce a score, so by default VS will prompt you to allow it manually. Even when you disable the blacklist scanner, it will also prompt just because there is no AI score. You must allow it to run in order for it to infect and download the payloads. I don't know if the payloads would be blocked or not, because I have never progressed to this stage. Perhaps the payloads would be blocked, considering wscript is a vulnerable process. I need to ask the dev.

So when we use VS Free, you should disable Windows Script Host via the registry to avoid this situation. Just revert the change to WSH when you really need to run something, for example a .vbs file, then block WSH again.
 
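The registry toggle the post above recommends, as an added example that is not part of the thread and not VoodooShield's own code. It uses the documented Windows Script Host policy value `Enabled` under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings` (a per-user variant with the same layout exists under `HKCU`); the function names, the probe script and its temp path are this example's own choices. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the thread or from VoodooShield): block and unblock Windows
# Script Host via the documented "Enabled" policy value. Elevated session required; the
# HKLM key affects every user on the machine.
$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # 'disabled' when Enabled = 0; a missing value is the Windows default (enabled).
    $item = Get-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.Enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

function Disable-Wsh {
    # wscript.exe and cscript.exe refuse to run any script once Enabled = 0, which
    # covers .js, .vbs, .wsf and similar files double-clicked from a download folder.
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    New-ItemProperty -Path $WshKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-Wsh {
    # Removing the value restores the default (enabled) state; use it only for the
    # moment you need to run a script you trust, then call Disable-Wsh again.
    Remove-ItemProperty -Path $WshKey -Name 'Enabled' -ErrorAction SilentlyContinue
}

function Test-WshBlocked {
    # Verifies the block with a harmless constructed one-line VBScript (this example's
    # own probe, not a sample from the thread). When WSH is disabled, cscript reports
    # "Windows Script Host access is disabled on this machine" and the Echo never runs.
    $probe = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "WSH is running"' -Encoding ASCII
    $out = & cscript.exe //Nologo $probe 2>&1 | Out-String
    Remove-Item $probe -ErrorAction SilentlyContinue
    return ($out -notmatch 'WSH is running')
}

Disable-Wsh
"WSH state: $(Get-WshState); probe blocked: $(Test-WshBlocked)"
# Later, to run a trusted .vbs:  Enable-Wsh; & cscript.exe .\trusted.vbs; Disable-Wsh
```

Two caveats a practitioner should keep in mind: the value is read when the script host starts, so an already running wscript.exe is unaffected, and the setting only governs wscript.exe/cscript.exe. It does nothing for other script runners on the same machine (PowerShell, mshta.exe for .hta files), so it closes the specific .js-dropper path discussed in this thread rather than scripting in general.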