Reply To: VoodooShield and SRP

    Dan
    Keymaster
    US

    SudoJudo: I guess that Umbra dude doesn’t understand that DLLs are called by executables, does he?


    My guess, people like him aren’t going to shut up until VS can function as a full SRP. I have little doubt that Dan could write something like this in a weekend.

    Dan, I am not really apprised of exactly how an SRP works. AppGuard to me is pretty basic and works like a group policy editor in terms of software. It allows software to execute in many cases, but restricts what the software can do. For example, in my testing it allowed Brave Browser to run, but prevented Brave from writing to some registry keys. Is this where AppGuard differs from VS/WLC?

    I know when I tested AppGuard I had to quickly remove it as it impacted the functionality and usability of the system to such an extent that it rendered it basically a brick. Even with tweaking, it required more tweaking. Eventually I was spending so much time trying to get things to work I removed it.

    So my question is – the firewall aspect of WLC isn’t helpful to me, I use a stand-alone, powerful firewall. However, what happens when WLC encounters an unsafe file right now other than the firewall rule? Would giving WLC an option to ‘kill’ an unsafe program and its activities essentially make WLC into an SRP?

    If so, I would say go for it. As WLC’s intelligent quantification of software would reduce the alerts from a traditional SRP whilst providing SRP activity?


    It’s super easy to do, here is what is involved…

    1.  Create the registry entries in the VoodooShield service, something like this… although I would simply enable and tweak SRP on my computer, then export the registry settings and convert them to .net.  This takes about 10 minutes.

    https://malwaretips.com/threads/software-restriction-policies-to-windows-home.63530/

    2.  Create an option in the VoodooShield GUI and connect it to the service.  Another 10 minutes.

    3.  Modify the NewProcessHandler logic in VS to make sure the user prompts are handled correctly.  30 minutes.

    4.  Write some code to make sure UAC is enabled, and prompt the user if it is not, because apparently SRP does not work well when UAC is disabled.  15 minutes.

    5.  Modify the Windows right click Context menu to handle .msi files. 5 minutes.

    So it is all super simple and straightforward… the only thing is that users will not be able to whitelist items from the user space when clicking Allow on the prompts.  And since new items can never be allowed by the prompts, there really is no reason to have prompts, or file insight for that matter.  So what I might do instead is have a simple, completely free version of VS called VoodooShield SRP that does not have prompts or file insight… it would just act like a normal SRP, except with VS’s automatic toggling it might be pretty cool (as far as SRP goes), since we would disable the SRP when VS toggles to OFF, so then users can launch new items.

    I am pretty sure that SRP does not kill existing processes, but I actually was thinking about doing something like that when working on the “Blacklist Item” button recently, in the WLC tab / file insight panel.  Basically, when the user clicks the Blacklist Item button, it could kill the running process, along with removing it from the whitelist.  It is super simple to do so… it is one line of code.

    Anyway, if anyone can find a good reason to implement SRP, I would be happy to do so.  In the meantime, I might create VoodooShield SRP Free.


    • This reply was modified 10 months, 3 weeks ago by Dan.
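As an added example (not Dan’s or VoodooShield’s code), a read-only PowerShell audit of the SRP registry settings that step 1 above refers to and of the UAC state that step 4 checks; it assumes the standard Safer\CodeIdentifiers and EnableLUA locations and only reports, it changes nothing.

```powershell
# Added example, not VoodooShield code: report the SRP policy and the UAC state.
# Read-only. Run in an elevated PowerShell on Windows.
$saferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# SRP security levels as stored in DefaultLevel and as the name of each rule level subkey
$levelNames = @{ 0 = 'Disallowed'; 0x1000 = 'Basic User'; 0x40000 = 'Unrestricted' }

function Get-SrpStatus {
    if (-not (Test-Path $saferKey)) { return [pscustomobject]@{ Configured = $false } }
    $p = Get-ItemProperty -Path $saferKey
    # Each level subkey (0, 4096, 262144) holds its path rules under Paths\{GUID}
    $rules = foreach ($lvl in Get-ChildItem -Path $saferKey) {
        $lvlValue = [int]$lvl.PSChildName
        $pathsKey = Join-Path $lvl.PSPath 'Paths'
        if (Test-Path $pathsKey) {
            foreach ($r in Get-ChildItem -Path $pathsKey) {
                $item = Get-ItemProperty -Path $r.PSPath
                [pscustomobject]@{
                    Level = $levelNames[$lvlValue]
                    Path  = $item.ItemData      # REG_EXPAND_SZ, e.g. %SystemRoot%
                    Note  = $item.Description
                }
            }
        }
    }
    [pscustomobject]@{
        Configured         = $true
        DefaultLevel       = $levelNames[[int]$p.DefaultLevel]
        # 1 = all software files except DLLs, 2 = DLLs too (the point SudoJudo raises)
        TransparentEnabled = $p.TransparentEnabled
        # 0 = all users, 1 = all users except local administrators
        PolicyScope        = $p.PolicyScope
        Rules              = $rules
    }
}

function Get-UacEnabled {
    $v = Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableLUA -eq 1)
}

$srp = Get-SrpStatus
$srp | Format-List
$srp.Rules | Format-Table -AutoSize
# The caveat from step 4: a Disallowed default with UAC off is not a reliable SRP setup
if ($srp.Configured -and $srp.DefaultLevel -eq 'Disallowed' -and -not (Get-UacEnabled)) {
    Write-Warning 'SRP default level is Disallowed but UAC (EnableLUA) is off; enforcement is unreliable.'
}
```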