hjlbx

Aside from powershell, and macros in Office apps, what else could a standard user disable?
Vulnerable Processes

This is a Windows OS problem, and not a security software problem:

The information below is a combination of info from Florian (Excubits) and JP (Japanese) CERT:
  • Blacklist all occurrences of powershell.exe if you do not use it regularly,
  • Blacklist or remove all interpreters (e.g. python, perl, ...) if you do not use them,
  • Blacklist or remove all debuggers,
  • Only whitelist required software, move unused software to the blacklist, and
  • If there is software you only use once a year, put it on the blacklist and then temporarily put it on the whitelist if you really need it for the dedicated task.
  • Also blacklist the following applications (executables) if you do not need them:
*Regsvcs.exe
*RegAsm.exe
*wusa.exe
?:\$Recycle*
*reg.exe
*vssadmin.exe
*aspnet_compiler.exe
*csc.exe
*jsc.exe
*vbc.exe
*ilasm.exe
*MSBuild.exe
*script.exe
*journal.exe
*msiexec.exe
*bitsadmin.exe
*iexpress.exe
*mshta.exe
*systemreset.exe
*bcdedit.exe
*mstsc.exe
*powershell.exe
*powershell_ise.exe
*hh.exe
*set.exe
*setx.exe
*InstallUtil.exe
*IEExec.exe
*DFsvc.exe
*dfshim.dll
*PresentationHost.exe
*wscript.exe
*cscript.exe
*iexplore.exe
*at.exe
*schtasks.exe
*mrsa.exe
*bcdboot.exe
*bootcfg.exe
*bootim.exe
*bootsect.exe
*ByteCodeGenerator.exe
*debug.exe
*diskpart.exe
*regini.exe
*regsvr32.exe
*RunLegacyCPLElevated.exe
*UserAccountControlSettings.exe
*wmic.exe
*regedit.exe
*regedt32.exe

* * * * *

*cmd.exe
*tasklist.exe
*netstat.exe
*net.exe
*ipconfig.exe
*systeminfo.exe
*qprocess.exe
*query.exe
*whoami.exe
*nslookup.exe
*fsutil.exe
*csvde.exe
*nbtstat.exe
*nltest.exe
*wevtutil.exe
*arp.exe
*sc.exe
*qwinsta.exe

* * * * *

C:\Windows\ADFS\*
C:\Windows\Fonts\*
C:\Windows\Minidump\*
C:\Windows\Offline Web Pages\*
C:\Windows\tracing\*
C:\Windows\Tasks\*

I also suggest that you restrict write (make read only) access permissions on

C:\Windows\ADFS\*
C:\Windows\Fonts\*
C:\Windows\Minidump\*
C:\Windows\Offline Web Pages\*
C:\Windows\tracing\*
C:\Windows\Temp\*
C:\Windows\Tasks\*
C:\ProgramData\*

such that you, as a default/normal user, cannot copy (or write) files into one of these folders. Please note: ensure that Windows Update (or the Trusted Installer and Admin) are still able to write into these folders, or you are going to end up in some trouble.
 
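
An added example (not from the post, and not Excubits or JPCERT material) that turns the two halves of the advice above into something you can run: it lists which of the named executables are actually present on the machine, so the blacklist only carries entries that matter on that box (the patterns are "*name.exe", so every copy in System32, SysWOW64 and each .NET Framework directory counts), and it audits the listed folders for write grants to low-privilege identities. The hardening step replaces such grants with read+execute via icacls instead of adding Deny ACEs, because a Deny for Users also hits an elevated administrator whose account is a member of Users. Assumed names: the functions and variables are mine; "trusted roots" and the write mask are my choices. It does not configure any application-control product; the blacklist itself still goes into whatever tool you use.

```powershell
# Added example (not from the post, Excubits or JPCERT). Audit only, unless -Apply is given.
# Requires an elevated PowerShell 5.1+ session on Windows.

# Names from the blacklist above that we want to locate on disk.
$BlacklistNames = @(
    'Regsvcs.exe', 'RegAsm.exe', 'wusa.exe', 'reg.exe', 'vssadmin.exe', 'aspnet_compiler.exe',
    'csc.exe', 'jsc.exe', 'vbc.exe', 'ilasm.exe', 'MSBuild.exe', 'msiexec.exe', 'bitsadmin.exe',
    'iexpress.exe', 'mshta.exe', 'bcdedit.exe', 'mstsc.exe', 'powershell.exe', 'powershell_ise.exe',
    'hh.exe', 'setx.exe', 'InstallUtil.exe', 'IEExec.exe', 'DFsvc.exe', 'PresentationHost.exe',
    'wscript.exe', 'cscript.exe', 'at.exe', 'schtasks.exe', 'regsvr32.exe', 'wmic.exe', 'regedit.exe',
    'cmd.exe', 'whoami.exe', 'wevtutil.exe', 'sc.exe', 'net.exe', 'nltest.exe', 'csvde.exe'
)
$SearchRoots = @("$env:windir\System32", "$env:windir\SysWOW64", "$env:windir\Microsoft.NET")

function Find-BlacklistTarget {
    # Lists every on-disk copy of each listed name, grouped by name.
    param([string[]]$Names = $BlacklistNames, [string[]]$Roots = $SearchRoots)
    $hits = foreach ($root in $Roots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -Path $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
                Where-Object { $Names -contains $_.Name }
        }
    }
    $hits | Group-Object Name | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{ Name = $_.Name; Copies = $_.Count; Paths = @($_.Group.FullName) }
    }
}

# Folders the post wants read-only for normal users.
$Folders = @(
    "$env:windir\ADFS", "$env:windir\Fonts", "$env:windir\Minidump", "$env:windir\Offline Web Pages",
    "$env:windir\tracing", "$env:windir\Temp", "$env:windir\Tasks", $env:ProgramData
)
# Identities every standard user carries. Elevated admins and many services carry them too,
# which is why we replace Allow grants rather than add Deny ACEs.
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

function Get-UserWritableFolder {
    # Read-only audit: which folders grant write-class rights to a low-privilege identity?
    param([string[]]$Paths = $Folders)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            # Generic rights (GENERIC_WRITE/GENERIC_ALL) appear as large raw numbers and slip
            # past this mask; review such ACEs by hand with icacls.
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Path = $path; Identity = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
            }
        }
    }
}

function Invoke-FolderHardening {
    # For each explicit write grant found, replace that identity's grant with read+execute
    # (inherited to subfolders and files) using icacls /grant:r, which leaves the SYSTEM,
    # Administrators and TrustedInstaller ACEs untouched. Prints the commands; runs them with -Apply.
    param([switch]$Apply)
    $targets = Get-UserWritableFolder | Where-Object { -not $_.Inherited } |
        Select-Object Path, Identity -Unique
    foreach ($t in $targets) {
        $grant = "$($t.Identity):(OI)(CI)RX"
        "icacls `"$($t.Path)`" /grant:r `"$grant`""
        if ($Apply) { & icacls.exe $t.Path /grant:r $grant }
    }
}

Find-BlacklistTarget | Format-Table Name, Copies -AutoSize
Get-UserWritableFolder | Format-Table -AutoSize
Invoke-FolderHardening          # dry run; add -Apply to change the ACLs
```

Run the dry run first and read the icacls lines it prints. C:\Windows\Temp and C:\ProgramData are written to by services and installers that run under accounts carrying the Users SID, so taking write access away there is exactly the "trouble" the post warns about; try it on a disposable VM and keep a way back (a snapshot, or the `icacls /save` output of those folders taken before the change).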

shmu26

Level 85
Verified
Trusted
Content Creator
not so sure about SAP anymore:
I snagged a free licence for SpyShelter Premium from yesterday's giveaway, and I put it on medium security.
I viewed a web page on Internet Explorer, closed it, and got an alert from SpS that IE wants to execute rundll. (probably one of those Windows privacy-invading processes)
But I did not get an alert from SAP about this.
hmmm...
okay, so SAP tech support says what I pasted below. Sounds like a fair explanation to me. Probably this is also why Voodoo doesn't give you all those paranoid prompts like SpS and ERP do. What do you guys say about the following explanation?

Hi Shmu,

You will only get a prompt when rundll32 matches a criterion in the command line rules. For example, the command line rule now will prevent rundll32 from doing something unusual, like trying to execute JavaScript. This technique is used by Poweliks (Poweliks – Command Line Confusion). The other good link that explains this JavaScript backdoor is JavaScript Backdoor - Drops.

Rundll32 has many purposes, one of the most commonly used is to call a function from a dll. In this case, if SecureAPlus is installed, as long as the dll is trusted, it will allow rundll32 to load the dll and call the function without any prompting. If the dll is not trusted, then SecureAPlus will prompt. Basically we try to only prompt user if there is something suspicious.

Best regards,
Hendy Chandra
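
An added example, not SecureAPlus code and not part of the reply above: a rough stand-in for the "command line rule" the support reply describes. rundll32 is treated as normal when it loads a DLL from a system folder and flagged when its argument is a script URL, names mshtml/RunHTMLApplication (the Poweliks pattern), walks a relative path, or points at a DLL outside trusted folders. "Trusted" here is my assumption (a path under %windir% or Program Files), not SecureAPlus's own trust list. The sample command lines are constructed for the demonstration, and the second function applies the same rule to rundll32 processes running right now.

```powershell
# Added example, not SecureAPlus code. Function and variable names are mine.
$ScriptFragments = @('javascript:', 'vbscript:', 'mshtml', 'RunHTMLApplication', 'http://', 'https://')
# Assumption: a DLL under one of these roots is "trusted"; SecureAPlus uses its own list instead.
$TrustedRoots    = @($env:windir, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-Rundll32CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Drop the rundll32 token itself (quoted or bare, with or without path) to get its arguments.
    $argString = $CommandLine -replace '^\s*"?[^"]*?rundll32(\.exe)?"?\s*', ''
    $reasons = @()
    foreach ($f in $ScriptFragments) {
        if ($argString -match [regex]::Escape($f)) { $reasons += "argument contains '$f'" }
    }
    # The DLL specification is the first token, up to the comma that separates the entry point.
    $dllSpec = (($argString -split ',', 2)[0]).Trim().Trim('"')
    if (-not $dllSpec) {
        $reasons += 'no DLL argument'
    } elseif ($dllSpec -match '\.\.') {
        $reasons += 'relative path traversal in DLL spec'
    } elseif ($dllSpec -match '^[A-Za-z]:\\') {
        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($dllSpec.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $reasons += "DLL outside trusted roots: $dllSpec" }
    }
    # A bare name (shell32.dll) is resolved through the DLL search order; treated as normal here.
    [pscustomobject]@{ CommandLine = $CommandLine; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

function Get-SuspiciousRundll32Process {
    # Apply the rule to rundll32 processes running right now (read-only query of Win32_Process).
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        if (-not $_.CommandLine) { return }   # command line can be unavailable for some processes
        $verdict = Test-Rundll32CommandLine -CommandLine $_.CommandLine
        if ($verdict.Suspicious) {
            [pscustomobject]@{ PID = $_.ProcessId; ParentPID = $_.ParentProcessId
                               CommandLine = $_.CommandLine; Reasons = ($verdict.Reasons -join '; ') }
        }
    }
}

# Constructed sample command lines (not captured from a real system).
$Samples = @(
    'rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl',                                  # normal: opens Internet Options
    '"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\doc.txt',
    'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(1)',                    # Poweliks-style script launch
    'rundll32.exe C:\Users\Public\update.dll,Start'                                         # DLL from a user-writable folder
)
$Samples | ForEach-Object { Test-Rundll32CommandLine -CommandLine $_ } |
    Format-Table Suspicious, Reasons, CommandLine -AutoSize -Wrap

Get-SuspiciousRundll32Process | Format-Table -AutoSize -Wrap
```

The first two samples come back clean and the last two are flagged, which is the same split the support reply describes: the DLL-with-entry-point case prompts nobody, the "execute JavaScript" case does. The rule is string matching only; a real product also checks the DLL's trust status, so a legitimate DLL loaded from an odd path will show up here as a false positive.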
 
hjlbx

okay, so I don't use interpreters, as far as I know. Can I just disable them in Windows?
I don't use debuggers either, as far as I know. Disable in Windows?
Interpreters are on your system: cmd.exe, powershell.exe, powershell_ise.exe, wscript.exe, etc.

You can uninstall powershell via Programs and Features.

You should do an online search for how to disable wscript.exe.

Don't worry about the debuggers.
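
An added example, not from the thread: the two switches that are actually available for the interpreters named above. Windows Script Host (wscript.exe and cscript.exe) has a documented machine-wide off switch, the "Enabled" value under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings, and the PowerShell 2.0 engine ships as an optional Windows feature that can be removed (the current engine is part of the OS and stays). The function names and the probe script are mine; run this from an elevated PowerShell.

```powershell
# Added example, not from the post. Requires an elevated PowerShell session.

function Set-WindowsScriptHost {
    # 0 disables WSH for all users; wscript/cscript then refuse every script with
    # "Windows Script Host access is disabled on this machine". Pass $true to re-enable.
    param([Parameter(Mandatory)][bool]$Enabled)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) -Type DWord
    Get-ItemProperty -Path $key -Name 'Enabled'
}

function Test-WindowsScriptHostDisabled {
    # Verify the setting the way an attacker would notice it: try to run a harmless,
    # constructed .vbs and see whether its output appears.
    $probe = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "wsh-ok"'
    $out = & cscript.exe //Nologo $probe 2>&1
    Remove-Item $probe -ErrorAction SilentlyContinue
    return -not (($out -join ' ') -match 'wsh-ok')
}

function Remove-PowerShellV2Engine {
    # The 2.0 engine is the optional feature; removing it closes the "powershell -version 2"
    # downgrade that sidesteps the logging of the current engine. Returns the features changed.
    Get-WindowsOptionalFeature -Online |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' -and $_.State -eq 'Enabled' } |
        ForEach-Object { Disable-WindowsOptionalFeature -Online -FeatureName $_.FeatureName -NoRestart }
}

Set-WindowsScriptHost -Enabled $false
Test-WindowsScriptHostDisabled      # $true once WSH is off
Remove-PowerShellV2Engine
```

The WSH switch is all-or-nothing: logon scripts and some installers use .vbs files, so if anything breaks, `Set-WindowsScriptHost -Enabled $true` puts it back. The same "Enabled" value also exists under HKCU for a per-user setting, with the machine-wide HKLM value taking precedence.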
 

ElectricSheep

Level 12
Verified
I test VS in the VM quite often and can tell you it is very solid in lines of protection. Every time I have set it up in the VM I always go through and use all applications and set the whitelist before creating my snapshots, etc.
I'm not a VM user, I don't do testing, but I've learnt how to build a solid defence and VS is just the latest addition to my arsenal.
 
Lucent Warrior

I'm not a VM user, I don't do testing, but I've learnt how to build a solid defence and VS is just the latest addition to my arsenal.
You have the blacklist, AI, the local sandbox and the ability to upload to Cuckoo, all wrapped in a neat little package. It is a tool I continue to test and check out in the VM. I have not officially bypassed it with anything as of yet.
 

uninfected1

Level 10
Verified
I installed VoodooShield yesterday on my computer. It's really nice, easy to handle and clear.
I've been using VS for several days and I'm also impressed with it and I haven't had any stability issues with 3.33 Beta. It detects anything that's not digitally signed as a threat and recommends blocking it even if it's not blacklisted but that's not really a problem. The lack of any real configurability in the free version is probably the biggest negative imo but overall it seems very good.
 
Deleted member 2913

I've been using VS for several days and I'm also impressed with it and I haven't had any stability issues with 3.33 Beta. It detects anything that's not digitally signed as a threat and recommends blocking it even if it's not blacklisted but that's not really a problem. The lack of any real configurability in the free version is probably the biggest negative imo but overall it seems very good.
What do you mean by the above bold?

And what mode you run VS?
 

ElectricSheep

Level 12
Verified
I've been using VS for several days and I'm also impressed with it and I haven't had any stability issues with 3.33 Beta. It detects anything that's not digitally signed as a threat and recommends blocking it even if it's not blacklisted but that's not really a problem. The lack of any real configurability in the free version is probably the biggest negative imo but overall it seems very good.
I'm liking it too, it blocks every unknown .exe file that tries to run, giving you time to check it out first and decide whether to whitelist it or not.
Yeah, the lack of configurability in the free version's a downside, but it works!
 

uninfected1

Level 10
Verified
What do you mean by the above bold?

And what mode you run VS?
For example, Ultimate Windows Tweaker, FixWin and the like. Perfectly safe afaik, just not signed. VS confirms the blacklist scan determines they're safe but that VS Ai thinks it's unsafe, and the 3 algorithms it uses aren't really explained. It's clearly just flagging up anything that's unsigned as a threat, but as I said I don't regard this as a significant problem as it's easily overcome with one click.

PS - started off in SMART mode and switched to ALWAYS ON a few days ago.

PPS - When I've got more time I'll try and read through the Wilders thread:
VoodooShield

Apparently Dan is continuing to improve the algorithms.
 
Deleted member 2913

For example, Ultimate Windows Tweaker, FixWin and the like. Perfectly safe afaik, just not signed. VS confirms the blacklist scan determines they're safe but that VS Ai thinks it's unsafe, and the 3 algorithms it uses aren't really explained. It's clearly just flagging up anything that's unsigned as a threat, but as I said I don't regard this as a significant problem as it's easily overcome with one click.

PS - started off in SMART mode and switched to ALWAYS ON a few days ago.
Do you mean any/all unsigned programs are flagged as a threat, i.e. unsafe, by VAi?

I have a few unsigned ones, and they were not flagged as a threat, i.e. unsafe, by VAi.

Currently I don't have VS installed, but I will try the latest VS, test it with unsigned programs and report the outcome here.

I do think VAi works well with most programs, but I do think VAi may flag programs of an advanced nature, like some system tweakers, registry fixers, troubleshooting tools, utilities to fix the system, advanced/deep malware cleaning tools, etc., maybe due to their coding, behavior, etc.

VAi is good and will improve/optimize with time, but I do find VAi works well with general programs, average users' programs, most programs that you find on most systems of the majority of users, and VAi is good with malicious/malware stuff.
 