Andy Ful

Level 62
Verified
Trusted
Content Creator
@danb,
I used your POC Test1. After running the shortcut, Windows tried to open the ping .png as a photo. I checked this with my shortcut and noticed one difference. In my shortcut the default folder entry is empty, and in your shortcut it is C:\Windows\system32. When I added this path to my shortcut, it also tried to open the file as a photo. After removing the folder path from your shortcut, it bypassed the command-line check just as my shortcut did.
I corrected my previous post to include the empty default folder path.

 

danb

From VoodooShield
Verified
Developer
@Andy Ful
Can you please either post the files or email them to me?

I think what is happening is this... When VS encounters a new item, one of the first things it does is determines if the item is a standard executable, command line, script, blacklisted item, etc, and the reason VS does this is so it can handle each file type differently. That way there is less code and each item is handled correctly. I did not introduce this feature until around VS 3.0 or 4.0 and I never really mentioned this at all (for a lot of different reasons).

But anyway, if VS did not block a command line, but did block a standard executable, that does not mean that the command line bypassed VS... it simply means that VS handled the item as a standard executable instead (and not a command line). Does that make sense? If not I can explain it more.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
@Andy Ful
Can you please either post the files or email them to me?

I think what is happening is this... When VS encounters a new item, one of the first things it does is determines if the item is a standard executable, command line, script, blacklisted item, etc, and the reason VS does this is so it can handle each file type differently. That way there is less code and each item is handled correctly. I did not introduce this feature until around VS 3.0 or 4.0 and I never really mentioned this at all (for a lot of different reasons).

But anyway, if VS did not block a command line, but did block a standard executable, that does not mean that the command line bypassed VS... it simply means that VS handled the item as a standard executable instead (and not a command line). Does that make sense? If not I can explain it more.

Yes, it makes sense. For me, the command-line block has clearer information about what happened as compared to the file block. The command-line block is also slightly stronger in AutoPilot mode.
Your TEST1 works on my computer the same as mine, if you will remove the starting folder path in the shortcut. (y)
 

danb

From VoodooShield
Verified
Developer
Yeah, for this item I think a command line classification makes more sense... well, or blacklist (because of the .cmd ;)).

I am still getting a command line block for this item. I tried both the /k and /c switches, and same result. If you want to send me a working file, that would be great because I have tried everything to get this to work. Thank you!

 

Andy Ful

Level 62
Verified
Trusted
Content Creator
Yeah, for this item I think a command line classification makes more sense... well, or blacklist (because of the .cmd ;)).

I am still getting a command line block for this item. I tried both the /k and /c switches, and same result. If you want to send me a working file, that would be great because I have tried everything to get this to work. Thank you!

If other members cannot reproduce this behavior, then it is probably a kind of incompatibility with my software or a non-standard system configuration. I will try to reproduce it in a VM. Anyway, it cannot be counted in any way as a VS bypass (I do not post my original bypasses publicly). This trick is intended to fool the security software into treating the item as a non-executable file, and VS is not fooled. The final VS detection will be the same as when running the original EXE file. The only difference is the alert information. (y)

The test was performed on the VS free version, so I do not know if it can be reproduced on the VS Pro.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
If other members cannot reproduce this behavior, then it is probably a kind of incompatibility with my software or a non-standard system configuration. I will try to reproduce it in a VM. Anyway, it cannot be counted in any way as a VS bypass (I do not post my original bypasses publicly). This trick is intended to fool the security software into treating the item as a non-executable file, and VS is not fooled. The final VS detection will be the same as when running the original EXE file. The only difference is the alert information. (y)

The test was performed on the VS free version, so I do not know if it can be reproduced on the VS Pro.
Tested the trick in a VM. After several tests, I got totally inconsistent results. Sometimes the file was blocked by the command-line check (in all VS modes) and sometimes it passed this check in all VS modes. :unsure:
Finally, I noticed that the bypass has to start when the VS shield is red (OFF). This can happen only in Smart or AutoPilot mode when the user does not use web-based applications. After one successful bypass, it also works in the Always ON mode, even when I run a web browser. It is probable that VS whitelists this command line when it is allowed by the red shield. (y)
 

danb

From VoodooShield
Verified
Developer
VS is incredibly difficult to test properly because it is the only product on the market that offers dynamic security postures, we actually own the patent on that tech, and are placing our bets that it is the future of security.

So usually when I test VS, I put it in Smart Mode and start a web browser. I mean, for example, you would not test H_C after manually disabling its protections, because if you do so, it is going to give inconsistent results as well, right ;).

Anyway, we recently finalized a contract with another company and they had asked me to create bullet points describing VS in a nutshell, and how it is different from all of the other products. It took an incredible amount of time to get the wording just right, so that we accurately represented and promoted VS, while being fair to the competition. So when I finished the list, we added it to our website, and here is the list, which explains why we believe dynamic security postures are vital and also how VS is different from the other products...
  1. VoodooShield is the only patented tangible toggling computer lock in the industry. There are other deny-by-default / zero trust products, but only VoodooShield functions as an actual computer lock with dynamic levels of protection (dynamic security postures). If it does not toggle, it is not a lock.
  2. The Achilles’ heel of all security products is that they are only able to offer a single static level of protection, so at any given time their security posture is likely either too aggressive or too relaxed, resulting in false positives and breaches. VoodooShield solves this issue by dynamically adjusting its security posture on the fly, based on the end-user’s current activity and behavior. Because of our dynamic security postures feature, VoodooShield is able to offer a tighter and more robust lock than is possible with any other product.
  3. Our patented snapshot technology automatically builds the tiny, customized whitelist for the end-user, resulting in the smallest possible whitelist and attack surface in the industry.
  4. VoodooShield does not force the end-user to respond to dangerous affirmative user prompts, which eliminates the possibility the end-user inadvertently allows an unknown item. Instead, VoodooShield displays a mini prompt prior to asking the end-user to make a decision on whether to allow a new item or not.
  5. Through our WhitelistCloud technology, VoodooShield is the only product in the industry that scans our proprietary tiny, customized whitelist specifically for safe / clean files and automatically creates firewall rules for unknown items. In other words, traditional antivirus scans for malware while WhitelistCloud scans for safe / clean files. As a result, Administrators are continually aware that only safe items are running on the endpoints. With traditional AV engines, Administrators are somewhat certain that malware is not executing on the endpoints, but with WhitelistCloud, they are essentially certain that only safe items are executing at any moment in time.
  6. VoodooShield considers the entire attack chain in the parent / child process creation relationship. Not only does this make VoodooShield more secure, our mechanism is flexible so that blacklisting vulnerable items globally is not required. For example, VoodooShield is not required to blacklist PowerShell globally in order to protect PowerShell attacks. VoodooShield considers the entire attack chain so that benign scripts that need to execute are able to do so, while blocking malicious PowerShell attacks.
  7. VoodooShield includes extremely robust ransomware, script, LOLBins and fileless malware protection capabilities.
  8. VoodooShield created the anti-exploit mechanism that many vendors utilize today, but chose not to patent it. VoodooShield is also the only deny-by-default product that protects the entire Windows system, as opposed to only protecting the Windows components that are currently being exploited by malware authors. With VoodooShield, there is no need to update our mechanism when malware authors discover a new Windows component to exploit, which tends to happen every 3-4 months.
  9. VoodooShield utilizes 70+ of the best known antivirus engines, ML/AI and reputation based file insight, and provides the end-user with these 3 file insight metrics so they can make an informed decision, while offering an end-user recommendation based on the provided file insight.
  10. Unlike products that utilize legacy / deprecated Software Restriction Policy (SRP) that operates in user-mode, VoodooShield utilizes a modern kernel-mode monolithic blocking mechanism that does not require patches, hacks or tweaks to protect against new or undiscovered vulnerabilities and threats.
  11. VoodooShield is highly customizable through its settings, allowing Administrators to fine tune the overall security posture for each end-user.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
Yes, the inconsistent results are due to several layers of VS protection which work differently in different modes and can depend on some other conditions (like using a web browser or pen drive). It is not a downside in any way, but sometimes it is hard to reproduce the test results. :) (y)

Furthermore, I noticed that the executable used in the test must be able to run via cmd.exe. Malware usually can run via cmd.exe, but many applications cannot. I used one of my applications and some NirSoft tools (alternatestreamview.exe and fulleventview.exe) that run well via cmd.exe. The executable used in your POC (Test1) can be used to test the command-line blocking but cannot be used to confirm the file blocking. If the file is not blocked by the command-line check, then it is not run by cmd.exe but opened by the Windows photo application (without success, because it is not a photo).
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
...
10. Unlike products that utilize legacy / deprecated Software Restriction Policy (SRP) that operates in user-mode, VoodooShield utilizes a modern kernel-mode monolithic blocking mechanism that does not require patches, hacks or tweaks to protect against new or undiscovered vulnerabilities and threats.
...
Do you hate SRP?:)
I do not know much paid software for businesses that uses SRP. The only known/popular one is AppGuard, and it uses SRP which also applies "a modern kernel-mode monolithic blocking mechanism that does not require patches, hacks or tweaks to protect against new or undiscovered vulnerabilities and threats." (y)
 

danb

From VoodooShield
Verified
Developer
The executable used in your POC (Test1) can be used to test the command-line blocking but cannot be tested to confirm the file blocking. If the file is not blocked by a command-line check, then it is not run by cmd.exe but opened by the Windows photo application (without success because it is not a photo).
Exactly, because there is nothing to block at that point ;). If there is a way to create a bypass for this, then we can make changes. For example, we could add a new filetype that is command line + standard executable, but as far as I know that is not necessary. If you find a way, please post it publicly or send it to me directly, thank you!
 

danb

From VoodooShield
Verified
Developer
Do you hate SRP?:)
I do not know much paid software for businesses that uses SRP. The only known/popular one is AppGuard, and it uses SRP which also applies "a modern kernel-mode monolithic blocking mechanism that does not require patches, hacks or tweaks to protect against new or undiscovered vulnerabilities and threats." (y)
No, I do not hate anything ;). As you are aware, Software Restriction Policies is a Microsoft Windows component that they developed around 2002 or so, and I do not believe AG utilizes Microsoft Windows Software Restriction Policies. I am guessing what they did was create a kernel mode mechanism that is similar to and behaves much the same as SRP, but I do not believe they utilize Microsoft Windows SRP. If I am wrong about this, please let me know.

This is essentially what I was suggesting privately to you that you should consider for H_C and now SWH. Basically, once you have H_C and SWH exactly how you want them, then implement your own KMD, which is much more powerful and flexible than relying on SRP, which represents the best user-mode protection that 2002 had to offer. A lot has changed since then.

Anyway, that is the path we took for VS. Remember, VS 1.0 utilized a ridiculous homemade blocking mechanism, and VS 2.0 utilized a user-mode blocking mechanism. Once we were comfortable enough with VS 2.0, we then introduced the KMD in VS 3.0. In fact, several cybersecurity companies have followed similar paths, even before VS 1.0 was introduced.

Otherwise, what happens if Microsoft decides to completely remove SRP support in order to persuade admins to utilize a more modern component like AppLocker or Microsoft Defender Application Control? There are actually a surprising number of SMBs that utilize custom scripts / GP to implement SRP, and I would not be surprised if Microsoft decides to push them from user-land to kernel-land, removing SRP support in the process. The tech is almost 20 years old, so they are going to have to remove SRP at some point. This would also create a push from Pro to Enterprise... I am shocked they have not done this yet.

The reality is, most of the H_C and SWH users are security enthusiasts who are most likely not going to be infected with a user-mode attack in the first place. So that is why I was suggesting that you might want to consider a KMD for H_C and SWH, even though I realize that it would not technically be utilizing all native components and mechanisms. Just keep in mind that there are templates for KMDs designed by Microsoft that are essentially native components, which can be easily adapted to your products.

BTW, obviously you can still offer SRP versions of H_C and SWH for the users who prefer SRP, but this will also ensure that your products do not become obsolete if MS decides to remove SRP.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
@danb,
It seems that you consider it a possibility that Windows built-in free solutions can compete with your commercial application. It is like considering that a healthy diet can compete with treatment in a private hospital. The purpose of using the legacy SRP in the home environment is different than you think, and most people who use the legacy SRP will not use VS and vice versa. That is good for me and you, because we can help each other instead of fighting (like in the case of VS and AppGuard).

As for the H_C application, it is intended for enthusiasts of Windows built-in security (as you correctly noticed). I do not think that Microsoft will change the APIs used by Windows Policies and SRP in the near future. Anyway, I keep an eye on the Windows Insider builds, so the users will know several months before it happens. It is more probable that Microsoft will change some APIs related to kernel security, which can break drivers used by third-party security solutions. Generally, the risk of using third-party drivers is greater than using the legacy Windows Policies and SRP. The risk can be compensated for in enterprises, because VS is stronger protection in an already infected environment (exploits), due to using kernel drivers.

Of course, I could follow your suggestion and use the free H_C front-end and the predefined setting profiles for something else, for example Excubits Bouncer or WD Application Control (if it evolves a little). This would be interesting, because Excubits drivers work fully in the kernel and have the smallest attack surface of all the third-party security solutions that I can recall. Such a solution could be used in businesses. But I do not think that this would be a better solution for home users, due to using third-party drivers.

Edit.
I have to leave this thread for a few weeks, because the new H_C website and SWH require much attention. (y)
 

danb

From VoodooShield
Verified
Developer
You posted on the VS thread and asked for my opinion on SRP. I could have ignored your question, but I believed that you genuinely wanted to know my thoughts on SRP, so I posted some of them. If you do not genuinely want my opinion on something, please do not ask, especially on a VS thread.

As I was saying, my bet is on dynamic levels of protection, which can be applied to any security product, so we have exactly zero competition for our main mechanism. In fact, cybersecurity companies have always preferred static security postures and have gone to great lengths to ensure that it remains static. In other words, they offer one static security posture, and then make it quite difficult to even disable the protection, which in my opinion is not the best way to protect a computer. That is, if you are able to utilize dynamic security postures, you can do some truly amazing things that increase security and usability... all while creating the smallest possible attack surface. Basically, start with a solid baseline security posture, then dynamically adjust it on the fly as needed. That is VS in a nutshell.

The attack surface is not solely defined by the drivers, especially since all KMDs see the same events. The attack surface is also defined by the user-mode app that instructs the drivers what to do. In the case of VS, it is able to offer a tiny, customized whitelist, then automatically toggle to a higher security posture when necessary... a security posture that would otherwise not be possible, simply because if the security posture were that aggressive on startup, the computer would never boot.

I am under the impression that you do not fully understand VS’s tech and how utilizing dynamic security postures could bring a meaningful change to cybersecurity, so let me give you an analogy. Just imagine if VS was on your smart phone. Since apps are pretty much utilized one at a time, with only one app being Top Most at any given time, the web app toggling and security postures would be even better defined and seamless. VS would be truly magical on a smart phone and other IoT devices. And please do not tell me that your phone is from 2002 ;).
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
You posted on the VS thread and asked for my opinion on SRP.
I did not. Why should I? You know very little about SRP. Just as I know very little about VS.
You are doing a good job with VS. Please leave SRP to people who know it better.(y)

Edit.
Sorry, I am a guest here and my answer was not nice. I did not come here to fight. I like both SRP and VS. Furthermore, I like AppGuard (do not be angry about that).:)
 

danb

From VoodooShield
Verified
Developer
I actually researched SRP quite extensively a few months back and you would be surprised what all I learned ;).

Ask yourself this one simple question... do you actually believe that SRP is going to remain a Windows component 2-4 years from now? Especially with all of the streamlining Microsoft has been doing lately. I am not even sure if AutoIt is able to properly interface with a KMD, so it might be a great time to consider moving to a sustainable framework as well, but that is a whole different story.

I have never posted on the H_C or SWH threads, but if I am in need of your opinion I will be sure to do so, thank you!

Edit: It's cool, I am not here to fight either, so sorry if I said anything that offended you. I just do not want to see you spend all of that time on your projects, only to have Microsoft remove SRP, especially when you can make the changes now to a more sustainable mechanism and framework. It might seem like a mountain of work, but I bet it would be worth it in the long run. In 2-4 years, I highly doubt that my position with VS will be what it is today, so none of this is probably going to matter to me by then ;). I have never had a problem with AG either, just some of their avid fans (and we all know what happened there).
 

Freki123

Level 8
Verified
@danb Is there a chance that we get an option to "enable" or "disable" what exactly is shown in the whitelist tab/userlog? I see about 15+ conhost.exe and have always to look (scroll) to the far right side to see which program created that. Resizing the columns without the ability to disable some just makes it all look really ugly :D
On the other hand, I have tabs with a digital signature or hash where I couldn't copy and paste the content. (So what's the use if copy and paste is not working?)
Other than that, 5.78 so far running ok.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
I actually researched SRP quite extensively a few months back and you would be surprised what all I learned ;).

Ask yourself this one simple question... do you actually believe that SRP is going to remain a Windows component 2-4 years from now? Especially with all of the streamlining Microsoft has been doing lately. I am not even sure if AutoIt is able to properly interface with a KMD, so it might be a great time to consider moving to a sustainable framework as well, but that is a whole different story.

I have never posted on the H_C or SWH threads, but if I am in need of your opinion I will be sure to do so, thank you!

Edit: It's cool, I am not here to fight either, so sorry if I said anything that offended you. I just do not want to see you spend all of that time on your projects, only to have Microsoft remove SRP, especially when you can make the changes now to a more sustainable mechanism and framework. It might seem like a mountain of work, but I bet it would be worth it in the long run. In 2-4 years, I highly doubt that my position with VS will be what it is today, so none of this is probably going to matter to me by then ;). I have never had a problem with AG either, just some of their avid fans (and we all know what happened there).
Thanks. I do not want to bloat the VS thread with SRP matters. I put my opinion on Windows built-in SRP on the Hard_Configurator thread.
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-893447
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
@danb,
There are not many people who dare to test VS against nasty tricks and unconventional attack methods. One of the reasons is the complexity of VS (which is good for security).
You should know that your reaction to such tests and the way you promote VS can be other reasons. After our posts, I have the impression that I have done something wrong and wasted much time. So, I am sorry for that and will pass on testing. Regards. (y)
 

danb

From VoodooShield
Verified
Developer
@danb Is there a chance that we get an option to "enable" or "disable" what exactly is shown in the whitelist tab/userlog? I see about 15+ conhost.exe and have always to look (scroll) to the far right side to see which program created that. Resizing the columns without the ability to disable some just makes it all look really ugly :D
On the other hand, I have tabs with a digital signature or hash where I couldn't copy and paste the content. (So what's the use if copy and paste is not working?)
Other than that, 5.78 so far running ok.
Thank you for the suggestions, and I agree, there is probably a better way to handle the multiple listings. We might be able to have a drop down arrow on the Process field, that when clicked will expand all of the items with different parents. Obviously we need to keep the multiple listings, but I agree, they tend to stack up a little ;).

Yeah, at some point we might be able to have a column for Allow/Block. I think that would be pretty cool because a lot of users have requested that VS has an option for blacklisting specific items, so that would probably be a really great way to implement this.

Let me see what I can do, thank you!
 

danb

From VoodooShield
Verified
Developer
Thanks. I do not want to bloat the VS thread with SRP matters. I put my opinion on Windows built-in SRP on the Hard_Configurator thread.
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-893447
Very interesting, thank you for letting me know! As I was saying in a previous post, I researched SRP extensively a few months ago and considered developing "VS SRP", while keeping our KMD version as well. But after much research and discovering that it was completely blind to system / kernel events, allowed web apps to directly call items from the system space, and that it was deprecated by Microsoft, along with other issues, I decided it was not worth it to pursue or develop "VS SRP".

I always thought that WDAC was for Windows Enterprise only, but from what you are suggesting, it can be utilized in Home and Pro versions of Windows as well.

If this is the case, you are absolutely correct, I would skip the KMD altogether and go with WDAC... it would be an AMAZING addition to H_C and SWH. In fact, assuming that WDAC can work with Windows Home and Pro, I am going to get started on "VS WDAC" today. We will still keep the KMD version as well because it is probably more flexible than a WDAC implementation, but if I find out otherwise and if WDAC can do everything that the KMD can do, we will ditch the KMD... but I HIGHLY doubt that is the case.
 