1. VoodooShield is an anti-executable, therefore it will intercept process start-up. Therefore, VoodooShield is capable of blocking malicious software from executing code as long as a process is used -> block the process and now the malicious code doesn't run. It has an AI score which can help you when responding to start-up alerts, but it doesn't actually know whether the program starting up is malicious or not, so it isn't like an AV which may know if a sample is really malicious from signatures and what-not.
2. VoodooShield does watch for specific command lines which can be used by the payload of some malicious software (e.g. post-exploitation). It isn't an "anti-exploit", but it can do the command-line checks for some things.
A truly file-less attack? No, it won't stop it, because it'd be truly file-less. There would be no additional process spawns; the malicious code would be executing in the memory of other processes which were already running at the time of the exploit deployment. So that would be out of VoodooShield's scope, but this type of attack is exceptionally rare for home users.
"File-less" malware in the sense that the payload will execute without its own process but will still spawn additional processes? Yes, VoodooShield should be capable of blocking features of the payload which required those processes to be started up, as long as the programs started up by the payload are not white-listed/trusted (e.g. depends on configuration).
So here are two scenarios. The first one is 99% unrealistic for a normal scenario because we are not businesses who are high-value targets (and malware in the wild for average users is usually made by people who just copy-paste, probably), whereas the second one is 90% unrealistic for average home users.
1. You click a link. The browser is exploited for remote code execution. The attacker is now executing malicious shell-code within the context of the web browser - bypassed the Data Execution Prevention restriction by somehow getting the browser to call NtProtectVirtualMemory to provide PAGE_EXECUTE_READWRITE flags so the shell-code inserted can actually be executed, or the like. The malicious shell-code now works around Address Space Layout Randomisation with a pattern scan to find a routine address containing code in the browser executable which has a vulnerability, and now the malicious shell-code exploits that vulnerability to escape the sandbox for privilege escalation. Now the malicious shell-code sets up a remote connection for backdoor functionality without needing to spawn any other programs or drop to disk during the process. -> (UNREALISTIC 99%)
2. Same as #1, but a new process was spawned during the process. -> STILL UNREALISTIC; however, in this case VoodooShield may be able to intervene and block the payload either at the start, middle or end -> still potentially reducing attack damage from the post-exploitation.
On the contrary, as an addition, it depends what "file-less" means to you. If you're talking about malicious documents, then I do not know how VoodooShield will handle them. If I recall, it is not very good with macros, but you should disable those anyway, and Microsoft Office is insecure on its own, so best not use it in the first place in my opinion. Problem solved.
If you download an image which actually has a double extension of *.exe, well VoodooShield would pick that up too because a new process would be spawned (hence really being an *.exe).
It does close attack vectors, I think it can be quite useful if it works for you.
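Here is a small simulation, added to this thread and not VoodooShield's own code, of what the anti-executable model described above does at process start-up: a hash-based trust list, block-by-default for unknown images, and a parent/command-line check for shells. The trust list, the "critical" programs, the parent list and the command-line pattern are assumptions made for the example; the start-up events of the spawning scenario are constructed sample data. The empty list for the truly file-less case shows the limitation from the post: no start-up event, nothing to intercept.

```python
"""Toy model of an anti-executable's process start-up interception.

Added illustration, not VoodooShield's code: a hypothetical policy engine that
receives one event per process start-up (parent image, image path, command
line, file hash) and decides allow/block from a trust list plus a parent
check and a command-line check. All hashes, paths and lists are constructed.
"""
from dataclasses import dataclass
import hashlib
import ntpath
import re


@dataclass(frozen=True)
class StartEvent:
    parent: str    # image name of the process requesting the start
    image: str     # full path of the executable about to start
    cmdline: str   # command line it was started with
    sha256: str    # hash of the image file (constructed here, not a real hash)


def fake_hash(label: str) -> str:
    """Stand-in for hashing the file on disk; derived from a label so the sample is deterministic."""
    return hashlib.sha256(label.encode()).hexdigest()


# Trust list: programs the user has whitelisted (hash-based, so a renamed copy is not trusted).
TRUSTED = {
    fake_hash("chrome.exe"): "chrome.exe",
    fake_hash("cmd.exe"): "cmd.exe",
    fake_hash("powershell.exe"): "powershell.exe",
    fake_hash("notepad.exe"): "notepad.exe",
}

# Shells the thread calls "critical places" (assumed list).
CRITICAL = {"cmd.exe", "powershell.exe"}
# Parents that normally have no business launching a shell (assumed list).
NO_SHELL_PARENTS = {"chrome.exe", "msedge.exe", "winword.exe"}
# Constructed command-line check: a shell pointed at something in a temp/download folder.
SUSPICIOUS_CMDLINE = re.compile(r"\\(temp|downloads)\\", re.IGNORECASE)


def decide(ev: StartEvent) -> tuple[str, str]:
    """Return (verdict, reason) for one start-up event."""
    name = ntpath.basename(ev.image).lower()
    if ev.sha256 not in TRUSTED:
        # Anti-executable default: unknown image -> block (the user would see a prompt).
        return "block", f"{name} is not on the trust list"
    if name in CRITICAL:
        if ev.parent.lower() in NO_SHELL_PARENTS:
            return "block", f"{ev.parent} tried to launch {name}"
        if SUSPICIOUS_CMDLINE.search(ev.cmdline):
            return "block", f"{name} command line references a temp/download path"
    return "allow", f"{name} is trusted"


def evaluate(events):
    """Run every start-up event through the policy; returns (image, verdict, reason) triples."""
    return [(ev.image, *decide(ev)) for ev in events]


# Constructed scenario 2 from the post: the payload spawns processes, so there is something to intercept.
SPAWNING_PAYLOAD = [
    # double-extension "image" from the post: really an .exe, so a start-up event exists
    StartEvent("chrome.exe", r"C:\Users\u\Downloads\photo.jpg.exe", "photo.jpg.exe", fake_hash("unknown-download")),
    # trusted shell, but launched by the browser
    StartEvent("chrome.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe", fake_hash("cmd.exe")),
    # trusted shell from a normal parent, but the command line points into Temp
    StartEvent("explorer.exe", r"C:\Windows\System32\powershell.exe",
               r"powershell.exe -File C:\Users\u\AppData\Local\Temp\stage.ps1", fake_hash("powershell.exe")),
    # ordinary trusted program start
    StartEvent("explorer.exe", r"C:\Windows\notepad.exe", "notepad.exe", fake_hash("notepad.exe")),
]

# Constructed scenario 1: code runs only inside the already-running browser, no process spawn at all.
FILELESS_PAYLOAD: list[StartEvent] = []

if __name__ == "__main__":
    for image, verdict, reason in evaluate(SPAWNING_PAYLOAD):
        print(f"{verdict:5} {image}  ({reason})")
    print("fileless events intercepted:", len(evaluate(FILELESS_PAYLOAD)))
```

The point of the last two lines is the one the post makes: the engine only ever sees start-up events, so a payload that never starts a process produces nothing for it to decide on, while a payload that does spawn gets caught at whichever step first hits the trust list or a check.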
What does that mean? Where does that malware come from if there is no file? How can I protect myself from such malware?
@rancis de lorraine ReHIPS is better than VS! Give it a try! It has an app control which limits the program's actions. Even if you run the malware it can't reach cmd, PowerShell or other critical places... because ReHIPS will alert you. Or you can even sandbox the program from the start (like your browser)! But like VS it will not defend you against injections!
If a webpage activates some sort of "plug-in" for functionality, this could lead to exploitation of that plug-in/browser as well.
The malicious shell-code would face issues with modern browsers though, due to the various mitigations applied by security solutions to code executing under the context of the browser processes (if performed by the security solution), and the default built-in sandbox container which is present in Microsoft Edge and Google Chrome (as two examples).
Anyway, the attacker would need to gain persistence. So they'll likely be looking for exploitation of the registry for code execution, or similar, since patching binaries on the local system counts as touching disk. Otherwise, after the session ends (shutdown) and the system starts back up, exploitation would have to re-occur for the attacker to gain code execution again (e.g. victim visits the malicious web-page again -> exploit the browser again).
That's nothing more than an example though. And it's very unrealistic because of the expertise required. However, try looking into web browser sandboxing/anti-exploit utilities for enhancing protection against such attacks.
Thanks for the explanations. So there is something but we can't see it.
What if I sandbox the browser?! Will those attacks only come from the browser? Can malware magically get to my PC if I don't run anything and sandbox the browser?
Well, no, because 99.9% of the time user interaction is always required. How did the exploit deploy in the first place? In the example of a malicious webpage which deploys a zero-day exploit, you still navigated to that malicious web-page, or to another web-page which redirected you there. A different example would be software you're using which connects to somewhere, but the destination has been compromised, and this may possibly be abused as an attack vector to gain control of the victim's machine if it can be done by the attacker - we saw something similar to this with the initial spread of Petya. It didn't deploy a "file-less" attack; however, the company providing banking software was compromised and this led to a rogue update which contained malicious software. Even though that isn't a "file-less" attack, it might help you understand better.
You can sandbox your browser, it'll improve protection, but it isn't impossible for that to be bypassed as well, hahaha. It's all possible, just extremely unrealistic to happen. Vulnerabilities like this are usually identified by good security researchers and submitted for bug bounty/credits, leading to a patch, before a black-hat identifies it and is capable of exploiting said vulnerability with malicious intent, most of the time.
Malware won't magically arrive on your PC 99.9% of the time. An exception would be a compromised network (e.g. as we already know of Metasploit attacks coming from a compromised Local Area Network, or after port forwarding, etc.). You still have to ask yourself though, how did this happen if you have a properly secured network?
I've seen more fileless malware in the last few months than I care to admit. It's frightening.
Especially when products known to be good against exploits and zero-days like Symantec/Norton can't even seem to cope with fileless malware. With Trend Micro OfficeScan, we've found the same thing. The good thing is, layered security often prevents the occurrences of it - layered as in a good UTM on the gateway, a good AV on the endpoint, then possibly some lockdowns. Malware isn't my specialty, but lately it's sort of frightening out there.