1. francis de lorraine

    Hello the forum, is VoodooShield stopping malware without files?
     
  2. Slyguy

    Without signatures? Yes it does and will stop a huge array of malware in my experience with it - no signatures needed.
     
  3. Antimalware18

    I believe he meant: is VoodooShield stopping fileless malware?

    I don't know though.
     
  4. Slyguy

    I assume one of the malware focused pros will chime in. But in theory, I would guess VS would stop them because it should close off the attack methods they use. <looks around nervously>
     
  5. Opcode

    1. VoodooShield is an anti-executable, therefore it will intercept process start-up. Therefore, VoodooShield is capable of blocking malicious software from executing code as long as a process is used -> block the process and now the malicious code doesn't run. It has an AI score which can help you when responding to start-up alerts, but it doesn't actually know whether the program starting up is malicious or not, so it isn't like an AV which may know if a sample is really malicious from signatures and what-not.

    2. VoodooShield does watch for specific command lines which can be used by the payload of some malicious software (e.g. post-exploitation). It isn't an "anti-exploit" but it can do the command line checks for some things.

    A truly file-less attack? No it won't stop it, because it'd be truly file-less. There would be no additional process spawns, the malicious code would be executing in-memory of other processes which were already running at the time of the exploit deployment. So that would be out of VoodooShield scope, but this type of attack is exceptionally rare for Home users.

    "File-less" malware in the sense that the payload will execute without its own process but will still spawn additional processes? Yes, VoodooShield should be capable of blocking features of the payload which require those processes to be started up, as long as the programs started up by the payload are not white-listed/trusted (it depends on configuration).

    So here are two scenarios. The first one is 99% unrealistic for a normal scenario because we are not businesses who are high-value targets (and malware in the wild for average users is usually made by people who just copy-paste, probably), whereas the second one is 90% unrealistic for average home users.

    1. You click a link. The browser is exploited for remote code execution. The attacker is now executing malicious shell-code within the context of the web browser - they bypassed the Data Execution Prevention restriction by somehow getting the browser to call NtProtectVirtualMemory to provide PAGE_EXECUTE_READWRITE flags so the inserted shell-code can actually be executed, or the like. The malicious shell-code now works around Address Space Layout Randomisation with a pattern scan to find a routine address containing code in the browser executable which has a vulnerability, and now the malicious shell-code exploits that vulnerability to escape the sandbox for privilege escalation. Now the malicious shell-code sets up a remote connection for backdoor functionality without needing to spawn any other programs or drop to disk during the process. ->>>>> (UNREALISTIC 99%)

    2. Same as #1, but a new process was spawned during the process. ->>>> STILL UNREALISTIC, however in this case VoodooShield may be able to intervene and block the payload either at the start, middle or end -> still potentially reducing attack damage from the post-exploitation.

    VoodooShield is well-used and well-liked on this forum so many people here will be able to help you if you use it and have any issues, and there's a free version so you can test it out any time by downloading it from here: VoodooShield™ - The User-Friendly Toggling Computer Lock.

    It works well for what it is supposed to do and it can definitely keep you safe if you use it properly; it isn't very hard to learn how to use it.
     
  6. Opcode

    On the contrary, as an addition, it depends what "file-less" means to you. If you're talking about malicious documents, then I do not know how VoodooShield will handle them. If I recall, it is not very good with macros, but you should disable those anyway, and Microsoft Office is insecure on its own so it's best not to use it in the first place in my opinion. Problem solved.

    If you download an image which actually has a double extension of *.exe, well VoodooShield would pick that up too because a new process would be spawned (hence really being an *.exe).

    It does close attack vectors, I think it can be quite useful if it works for you.
     
  7. boredog

    VoodooShield also uses all VirusTotal scanners on each new file. The sensitivity can be changed so that if VT is set to, say, 2, it is most likely a false positive.
     
  8. Slyguy

    What do you recommend we set this to? I know on VT a lot of innocent things get hit by a couple of the scanners. What's a good number?
     
  9. Sunshine-boy

    #9 Sunshine-boy, Dec 21, 2017
    What does that mean?? Where does that malware come from if there is no file? How can I protect myself from such malware?
    @francis de lorraine ReHIPS is better than VS! Give it a try! It has an app control which limits the program's actions. Even if you run the malware it can't reach cmd, PowerShell or other critical places... because ReHIPS will alert you. Or you can even sandbox the program from the start (like your browser)! But like VS it will not defend you against injections!
     
  10. boredog

    I leave it at the default of 5 or more.
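Added example, not VoodooShield's code and not from anyone in this thread: a toy model of the anti-executable gate Opcode describes in #5 (intercept process start-up, allow trusted images, check certain command lines) combined with the VirusTotal detection-count threshold boredog mentions in #7 and #10. The allowlist, the command-line patterns, the threshold behaviour and the start-up events are all constructed assumptions about how such a gate might decide, not the real product's logic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist of already-approved images (a real product keys on hashes/signatures too).
TRUSTED_IMAGES = {r"c:\windows\explorer.exe", r"c:\program files\mozilla firefox\firefox.exe",
                  r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"}
# Command-line checks applied even to trusted script hosts: hidden/encoded PowerShell, download-and-run.
CMDLINE_CHECKS = re.compile(r"-e(nc(odedcommand)?)?\s|-w(indowstyle)?\s+hidden|downloadstring|\biex\b", re.I)
VT_THRESHOLD = 5  # engines that must flag a file before it is treated as malicious (the thread's default)

@dataclass
class StartEvent:
    image: str    # full path of the image about to start
    cmdline: str
    vt_positives: Optional[int] = None  # detections in a VT-style report; None = no report yet

def decide(ev: StartEvent, vt_threshold: int = VT_THRESHOLD):
    """Return ("allow"|"block"|"prompt", reason) for one process-start event."""
    # 1. Command-line checks first: a trusted interpreter driven by a payload is still blocked.
    if CMDLINE_CHECKS.search(ev.cmdline):
        return "block", "suspicious command line"
    # 2. Already-approved image: runs without a prompt.
    if ev.image.lower() in TRUSTED_IMAGES:
        return "allow", "trusted image"
    # 3. Unknown image with a multi-engine verdict: many hits -> block, a few hits -> probably a false positive.
    if ev.vt_positives is not None:
        if ev.vt_positives >= vt_threshold:
            return "block", f"{ev.vt_positives} VT engines flag it"
        if ev.vt_positives > 0:
            return "prompt", f"only {ev.vt_positives} VT engines flag it (likely false positive)"
    # 4. Default-deny: anything unknown waits for the user's decision, which is what an anti-executable does.
    return "prompt", "unknown executable"

EVENTS = [  # constructed start-up events, including the double-extension case from #6
    StartEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    StartEvent(r"C:\Users\alice\Downloads\holiday.jpg.exe", "holiday.jpg.exe", vt_positives=17),
    StartEvent(r"C:\Users\alice\Downloads\tool.exe", "tool.exe", vt_positives=2),
    StartEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "powershell.exe -w hidden -enc AAAA"),
]

def run_gate(events=EVENTS, vt_threshold=VT_THRESHOLD):
    """Decide every event; returns [(image basename, verdict), ...]."""
    return [(ev.image.rsplit("\\", 1)[-1], decide(ev, vt_threshold)[0]) for ev in events]

if __name__ == "__main__":
    for name, verdict in run_gate():
        print(f"{verdict:6} {name}")
```

Lowering `vt_threshold` to 2 turns the two-detection `tool.exe` case into a block, which is the trade-off the thread is discussing: a lower number catches more but also acts on the couple of engines that routinely hit innocent files.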
     
  11. Opcode

    It means no file exists at all. No initial file to be executed in-memory (e.g. Portable Executable) and no files being dropped to disk by the payload - this is my definition of a "true" file-less attack, however there are different meanings. An example of such an attack would be exploitation of a web browser via malicious JavaScript, as an attempt to execute native shell-code in the address space of the web browser process responsible for processing the web page (in which local files such as HTML and JS are downloaded locally for the browser to interpret the files' contents -> JavaScript executes for web-page functionality but it's on the local side, not server-side like PHP). In that example, no file exists in the sense that the user had to download and execute a binary - the JavaScript file containing the malicious JavaScript code still existed though, but it's a different context. The malicious shell-code now runs under an existing process, instead of under its own process, without requiring independent code execution on the local system to inject the shell-code into the vulnerable process.

    If a webpage activates some sort of "plug-in" for functionality, this could lead to exploitation of that plug-in/browser as well.

    The malicious shell-code would face issues with modern browsers though, due to code executing under the context of the browser processes by security solutions for various mitigations (if performed by the security solution) and the default built-in sandbox container which is present in Microsoft Edge and Google Chrome (as two examples).

    Anyway, the attacker would need to gain persistence. So they'll likely be looking for exploitation of the registry for code execution, or similar, since patching binaries on the local system counts as touching disk. Otherwise, after the session ends (shutdown) and the system starts back up, exploitation would have to re-occur for the attacker to gain code execution again (e.g. victim visits the malicious web page again -> exploit the browser again).

    That's nothing more than an example though. And it's very unrealistic because of the expertise required. However, try looking into web browser sandboxing/anti-exploit utilities for enhancing protection against such attacks.
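Added example, not from the thread: Opcode's point above is that a payload which avoids touching disk tends to persist through the registry, and Sunshine-boy's in #9 is that the thing worth watching is whether a program reaches cmd or PowerShell. This script triages Run/RunOnce values from a .reg export for exactly those signs: a script host as the autorun image, a payload read back out of another registry value, and encoded commands. The .reg text, the script-host list and the patterns are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath
# Constructed .reg export (not from a real system): two benign autoruns and two registry-resident loaders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -c \"iex (gp 'HKCU:\\Software\\Foo').p\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Stage"="cmd.exe /c powershell -enc AAAA"
'''
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # string values only, escapes kept
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
REG_SOURCED = re.compile(r"HK(CU|LM)[:\\]|Get-ItemProperty|\bgp\b|\breg(\.exe)?\s+query", re.I)
ENCODED = re.compile(r"-e(nc(odedcommand)?)?\s|FromBase64String", re.I)

def unescape(s):
    """Undo .reg escaping of quotes and backslashes."""
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg(text):
    """Return {key_path: {value_name: string_value}} from .reg text (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def image_of(cmd):
    """Lower-cased basename of the launched image (first quoted token or first word)."""
    tok = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    return PureWindowsPath(tok).name.lower()

CHECKS = (  # (flag, predicate over the unescaped command line)
    ("script_host", lambda c: image_of(c) in SCRIPT_HOSTS),       # an interpreter, not a real program
    ("registry_sourced", lambda c: bool(REG_SOURCED.search(c))),  # payload read back from the registry
    ("encoded_command", lambda c: bool(ENCODED.search(c))),       # base64 hides what actually runs
)

def triage(keys):
    """Return (key, value_name, flags) for every Run/RunOnce value; empty flags means nothing odd."""
    return [(key, name, [flag for flag, hit in CHECKS if hit(cmd)])
            for key, values in keys.items() if key.lower().endswith(("\\run", "\\runonce"))
            for name, cmd in values.items()]

if __name__ == "__main__":
    for _, name, flags in triage(parse_reg(SAMPLE_REG)):
        print(f"{name:15} {'SUSPECT: ' + ', '.join(flags) if flags else 'ok'}")
```

On a real machine you would feed it the output of `reg export` for the Run keys; the two benign entries come out clean and the two loaders are flagged for review.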
     
  12. boredog

  13. Sunshine-boy

    Thanks for the explanations. So there is something, but we can't see it.
    What if I sandbox the browser?! Will those attacks only come from the browser? Can malware magically get to my PC if I don't run anything and sandbox the browser?
     
  14. Opcode

    Well no, because 99.9% of the time user interaction is always required. How did the exploit deploy in the first place? In the example of a malicious web page which deploys a zero-day exploit, you still navigated to that malicious web page, or another web page which redirected you there. A different example would be software you're using which connects to somewhere, but the destination has been compromised and this may possibly be abused as an attack vector to gain control of the victim's machine if it can be done by the attacker - we saw something similar to this with the initial spread of Petya. It didn't deploy a "file-less" attack, however the company providing banking software was compromised and this led to a rogue update which contained malicious software. Even though that isn't a "file-less" attack, it might help you understand better.

    You can sandbox your browser, it'll improve protection, but it isn't impossible for that to be bypassed as well, hahaha. It's all possible, just extremely unrealistic to happen. Vulnerabilities like this are usually identified by good security researchers and submitted for bug bounty/credits, leading to a patch, before a black-hat identifies it and is capable of exploiting said vulnerability with malicious intent, most of the time.

    Malware won't magically arrive on your PC 99.9% of the time. An exception would be a compromised network (e.g. as we already know of Metasploit attacks coming from a compromised Local Area Network, or after port forwarding, etc.). You still have to ask yourself though, how did this happen if you have a properly secured network?
     
  15. Sunshine-boy

    Many thanks.
     
  16. Slyguy

    I've seen more fileless malware in the last few months than I care to admit. It's frightening.

    Especially when products known to be good against exploits and zero days like Symantec/Norton can't even seem to cope with fileless malware. Trend Micro Office Scan, we've found the same thing. The good thing is, layered security often prevents the occurrences of it - layered as in a good UTM on the gateway, a good AV on the endpoint, then possibly some lockdowns. Malware isn't my specialty, but lately it's sort of frightening out there.
     