VoodooShield and SRP

  • Post
    Dan
    Keymaster
    US
    While working on VS 5.50, I explored the possibility of adding SRP to VS.  It turns out, we can add full SRP to VS in around 4-5 hours, and will be happy to do so if ANYONE can figure out a compelling reason to do so.

    So far, I have yet to find a good reason to do so, although some people insist SRP is the way to go.

    https://malwaretips.com/threads/voodooshield-latest.78018/post-847076

    What Umbra does not understand is that the dll is not going to spawn itself and the driver is not going to install itself.  And VS will block the executable or command line (eg rundll32) long before this happens.  As far as memory protection goes… who needs memory protection when the file is blocked from running in the first place?

    There are, however, a few disadvantages to implementing SRP in VS.  SRP is not nearly as flexible or granular as the mechanism VS currently uses.  That, and I do not believe there is a way to parse the command line with SRP, so that makes it even less flexible and granular.

    But if anyone can find a reason for me to add SRP to VS, I will be happy to do so over the weekend.  Thank you!


    0
    0
Viewing 15 replies - 1 through 15 (of 20 total)
  • Replies
    VecchioScarpone
    Participant
    AU
    For me personally, I hardly change any VS default settings as I do not fully understand the implications. I usually go for a trial-and-error method that often gets me into trouble, so I keep clear.

    Of course I’m a minority as far as the VS user population goes.

    SRP, for the little I know, I would not dare to touch it.

    1
    0
    SudoJudo
    Moderator
    none
    I guess that Umbra dude doesn’t understand that DLLs are called by executables, does he?

    My guess, people like him aren’t going to shut up until VS can function as a full SRP. I have little doubt that Dan could write something like this in a weekend.

    Dan, I am not really apprised of exactly how an SRP works. AppGuard to me, is pretty basic and works like a group policy editor in terms of software. It allows software to execute in many cases, but restricts what the software can do. For example, in my testing it allowed Brave Browser to run, but prevented Brave from writing to some registry keys.  Is this where AppGuard differs from VS/WLC?

    I know when I tested AppGuard I had to quickly remove it as it impacted the functionality and usability of the system to such an extent that it rendered it basically a brick. Even with tweaking, it required more tweaking. Eventually I was spending so much time trying to get things to work I removed it.

    So my question is – the firewall aspect of WLC isn’t helpful to me, I use a stand-alone, powerful firewall. However, what happens when WLC encounters an unsafe file right now other than the firewall rule? Would giving WLC an option to ‘kill’ an unsafe program and its activities essentially make WLC into an SRP?

    If so, I would say go for it. As WLC’s intelligent quantification of software would reduce the alerts from a traditional SRP whilst providing SRP activity?


    0
    0
    Dan
    Keymaster
    US

    VecchioScarpone: For me personally, I hardly change any VS default settings as I do not fully understand the implications. I usually go for a trial-and-error method that often gets me into trouble, so I keep clear.

    Of course I’m a minority as far as the VS user population goes.

    SRP, for the little I know, I would not dare to touch it.

    Users would not notice the difference if we implement SRP… VS would act EXACTLY the way it currently does, except you would encounter more blocks, simply because anything outside of the system / program files space is blocked.  Not only that, but SRP does not whitelist / remember items that you allowed.  So if you launch an executable from the desktop when VS is OFF, you would not be able to launch the same executable later on when VS is ON, unless you somehow manually whitelist that file.

    The current kernel mode driver would be the default mechanism, but users would have the option to use SRP instead.  I am just having a difficult time finding a reason to implement SRP, especially since Microsoft is replacing it with more modern tech that is a lot more similar to the way VS currently works.  A handful of people insist that SRP is a better mechanism, without explaining exactly why they believe it is better.  I am guessing that since SRP locks everything down and does not allow users to quickly whitelist items, they somehow feel it is more secure.  Who knows?

    0
    0
    Dan
    Keymaster
    US

    SudoJudo: I guess that Umbra dude doesn’t understand that DLLs are called by executables, does he?

    My guess, people like him aren’t going to shut up until VS can function as a full SRP. I have little doubt that Dan could write something like this in a weekend.

    Dan, I am not really apprised of exactly how an SRP works. AppGuard to me, is pretty basic and works like a group policy editor in terms of software. It allows software to execute in many cases, but restricts what the software can do. For example, in my testing it allowed Brave Browser to run, but prevented Brave from writing to some registry keys.  Is this where AppGuard differs from VS/WLC?

    I know when I tested AppGuard I had to quickly remove it as it impacted the functionality and usability of the system to such an extent that it rendered it basically a brick. Even with tweaking, it required more tweaking. Eventually I was spending so much time trying to get things to work I removed it.

    So my question is – the firewall aspect of WLC isn’t helpful to me, I use a stand-alone, powerful firewall. However, what happens when WLC encounters an unsafe file right now other than the firewall rule? Would giving WLC an option to ‘kill’ an unsafe program and its activities essentially make WLC into an SRP?

    If so, I would say go for it. As WLC’s intelligent quantification of software would reduce the alerts from a traditional SRP whilst providing SRP activity?


    It is super easy to do, here is what is involved…

    1.  Create the registry entries in the VoodooShield service, something like this… although I would simply enable and tweak SRP on my computer, then export the registry settings and convert them to .net.  This takes about 10 minutes.

    https://malwaretips.com/threads/software-restriction-policies-to-windows-home.63530/

    2.  Create an option in the VoodooShield GUI and connect it to the service.  Another 10 minutes.

    3.  Modify the NewProcessHandler logic in VS to make sure the user prompts are handled correctly.  30 minutes.

    4.  Write some code to make sure UAC is enabled, and prompt the user if it is not, because apparently SRP does not work well when UAC is disabled.  15 minutes.

    5.  Modify the Windows right click Context menu to handle .msi files. 5 minutes.

    So it is all super simple and straightforward… the only thing is that users will not be able to whitelist items from the user space when clicking Allow on the prompts.  And since new items can never be allowed by the prompts, there really is no reason to have prompts, or file insight for that matter.  So what I might do instead is have a simple, completely free version of VS called VoodooShield SRP that does not have prompts or file insight… it would just act like a normal SRP, except with VS’s automatic toggling it might be pretty cool (as far as SRP goes), since we would disable the SRP when VS toggles to OFF, so then users can launch new items.

    I am pretty sure that SRP does not kill existing processes, but I actually was thinking about doing something like that when working on the “Blacklist Item” button recently, in the WLC tab / file insight panel.  Basically, when the user clicks the Blacklist Item button, it could kill the running process, along with removing it from the whitelist.  It is super simple to do so… it is one line of code.

    Anyway, if anyone can find a good reason to implement SRP, I would be happy to do so.  In the meantime, I might create VoodooShield SRP Free.


    • This reply was modified 1 week, 5 days ago by Dan.
    0
    0
    VecchioScarpone
    Participant
    AU
    Dan

    Thanks for the explanation.

    I tried to use Windows Defender Protected Folders. I could not deal with all the prompts. I had a look at Andy Ful’s Defender configurator or whatever it is called. I could not even dare try it.

    Will there be an option to disable VS SRP if one wishes to?

    0
    0
    Geri123
    Participant
    none
    I like the option to block the LOLBins and the other file types that I will never legit ever use.
    • This reply was modified 1 week, 5 days ago by Geri123.
    0
    0
    VecchioScarpone
    Participant
    AU
    @Geri123,

    Got your points. I do have an offline backup.

    Thanks.

    0
    0
    Geri123
    Participant
    none
    @VecchioScarpone Glad to hear that 🙂
    Edited my previous post a few times and saved the wrong one. I wanted to say that I wouldn’t trust any “folder protection” besides two offline backups.
    0
    0
    SudoJudo
    Moderator
    none
    The problem I found with SRP is the incessant blocking of good things, and constant prompts.


    AppGuard, even after just a couple days nearly drove me to drink. AppGuard, IMO, is so limited in usability that I don’t really know anyone that can/would use it, even on the commercial level. When you block almost everything, it isn’t hard to achieve nearly perfect protection!

    Speaking from the enterprise market… This is what we do to secure the average enterprise environment:

    1) Strong lockdowns with Group Policies.

    2) Limited (Standard) user accounts.

    3) Security Profiles for folder/drive access.

    4) Install Endpoint Security Product.

    5) Implement a quality backup solution.

    Done…

    For anything needing even stronger security we set up a VDI (Virtual Desktop Environment) which allows complete isolation in Hyper-V for desktops, and at the same time, an instant wipe and restore of them with any issues.

    There really isn’t any need for AppGuard/SRP at the enterprise level. HOWEVER, there would be a need for WLC-Enterprise, because it would provide great insight into what is running that is safe.

    For VS, the fact it does so much and does it without breaking systems like AppGuard does, and without incessant, annoying prompts, means for almost everyone it is a superior product. It also explains why AppGuard, generally speaking, wouldn’t have much of a widespread market.

    I think if VS offered some of the lockdown options within OSArmor it would be really helpful. Maybe a couple of footprint options on install that enable OSArmor type lockdowns depending on desired profile ‘Light, Firm, Paranoid’.  Would something like that be helpful at all?

    0
    0
    Dan
    Keymaster
    US
    Yeah, there might actually be a good use for SRP in VS… kind of a weird hybrid between our KMD and SRP.  I do not think we need it, but you know me, I am always looking for ways to kill malware while improving VS.

    Ultimately, I do not care what any of the SRP fanboys say, SRP IS WHITELISTING, and it whitelists by hash and path.  These are actually in the SRP Policies registry settings.  And if SRP is blocking something that you want to allow, guess what you do???  You manually create a policy that whitelists the item by hash or path.

    The thing is though, it is not granular at all, SRP blocks everything except the system space and Program Files folders.  Which is exactly where VS starts.  But then VS takes the extra step of automatically creating fine-grained rules and policies to make the computer lock usable.

    Anyway, I am still looking for a good reason to implement SRP, and when I find one, we will certainly do so, because there is a chance there is something there.

    Also, VoodooForums was down earlier, but it is up and running now.  I will catch up with the other posts asap… I am running late for something, thank you guys, have a great weekend!

    • This reply was modified 1 week, 5 days ago by Dan.
    0
    0
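    Two of Dan’s posts above describe what SRP actually is on disk: the registry entries a service would create (step 1), the UAC check (step 4), and the fact that SRP’s Policies registry settings whitelist by hash and by path. As an added example (not Dan’s code, not part of VoodooShield, and not taken from this thread), the PowerShell below reads that policy back out so a user can see what is enforced before or after a tool like the one discussed touches it. The registry locations are the documented Windows Safer/SRP and UAC policy keys; the level table, the `Get-SrpRules` / `Get-SrpAudit` function names and the output layout are this example’s own choices. It only reads the registry and needs no elevation.

```powershell
# Added example, not VoodooShield code: read the machine-wide SRP ("Safer")
# policy and the UAC state, the two things the posted steps 1 and 4 touch.
# Function names and the $LevelNames table are this example's own.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$UacKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# SRP security levels as stored in the registry (DWORD key names).
$LevelNames = @{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpRules {
    # Enumerate every path rule and hash rule under every level.
    # Path rules keep the path in ItemData; hash rules keep the digest as
    # REG_BINARY in ItemData (MD5 or SHA-1, chosen by HashAlg).
    param([string]$Root)
    $rules = @()
    foreach ($level in $LevelNames.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $container = Join-Path $Root "$level\$kind"
            if (-not (Test-Path $container)) { continue }
            Get-ChildItem -Path $container | ForEach-Object {
                $p = Get-ItemProperty -Path $_.PSPath
                if ($kind -eq 'Paths') {
                    $target = $p.ItemData
                } else {
                    $target = ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                }
                $rules += [pscustomobject]@{
                    Level       = $LevelNames[[int]$level]
                    Kind        = $kind.TrimEnd('s')
                    Target      = $target
                    Description = $p.Description
                }
            }
        }
    }
    return $rules
}

function Get-SrpAudit {
    $result = [ordered]@{}
    if (Test-Path $SaferRoot) {
        $ci = Get-ItemProperty -Path $SaferRoot
        $result.DefaultLevel = if ($null -ne $ci.DefaultLevel) {
            $LevelNames[[int]$ci.DefaultLevel] } else { 'not set' }
        # TransparentEnabled: 1 = all software except DLLs, 2 = DLLs included.
        $result.EnforceDlls = ($ci.TransparentEnabled -eq 2)
        # PolicyScope: 0 = all users, 1 = everyone except local administrators.
        $result.AppliesToAdmins = ($ci.PolicyScope -eq 0)
        $result.Rules = Get-SrpRules -Root $SaferRoot
    } else {
        $result.DefaultLevel = 'no SRP policy configured'
        $result.Rules = @()
    }
    # Step 4 in the post: SRP is described as unreliable with UAC disabled.
    $uac = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    $result.UacEnabled = ($uac.EnableLUA -eq 1)
    return $result
}

$audit = Get-SrpAudit
"Default level    : $($audit.DefaultLevel)"
"Enforce on DLLs  : $($audit.EnforceDlls)"
"Applies to admins: $($audit.AppliesToAdmins)"
"UAC enabled      : $($audit.UacEnabled)"
if (-not $audit.UacEnabled) {
    Write-Warning 'UAC is disabled; the post notes SRP does not work well in that state.'
}
$audit.Rules | Sort-Object Level, Kind | Format-Table Level, Kind, Target, Description -AutoSize
```

    A stock Windows install with no SRP policy reports “no SRP policy configured”; once SRP is enabled, the Unrestricted level normally carries the default path rules for the Windows and Program Files directories, which is the “system space and Program Files” starting point Dan describes, and every item a user manually allows shows up as an extra path or hash rule at that level. Per-user SRP policies live under the same relative path in HKCU and are not covered by this read of HKLM.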
    gorblimey
    Participant
    none

    Dan:

    It super easy to do, here is what is involved…

    4.  Write some code to make sure UAC is enabled, and prompt the user if it is not, because apparently SRP does not work well when UAC is disabled.  15 minutes.

    Bit of a deal-breaker there, I can’t get productivity if I’m not in Admin 😛 😉

    _________________________________

    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
    0
    0
    gorblimey
    Participant
    none

    Dan: Yeah, there might actually be a good use for SRP in VS…

    Anyway, I am still looking for a good reason to implement SRP,

    Of course, if M$ is moving away from SRP…  Is there something we should know?  Like perhaps it doesn’t work too good?

    • This reply was modified 1 week, 5 days ago by gorblimey.

    _________________________________

    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
    1
    0
    Dan
    Keymaster
    US

    SudoJudo: The problem I found with SRP is the incessant blocking of good things, and constant prompts.

    AppGuard, even after just a couple days nearly drove me to drink. AppGuard, IMO, is so limited in usability that I don’t really know anyone that can/would use it, even on the commercial level. When you block almost everything, it isn’t hard to achieve nearly perfect protection!

    Speaking from the enterprise market… This is what we do to secure the average enterprise environment:

    1) Strong lockdowns with Group Policies.

    2) Limited (Standard) user accounts.

    3) Security Profiles for folder/drive access.

    4) Install Endpoint Security Product.

    5) Implement a quality backup solution.

    Done…

    For anything needing even stronger security we set up a VDI (Virtual Desktop Environment) which allows complete isolation in Hyper-V for desktops, and at the same time, an instant wipe and restore of them with any issues.

    There really isn’t any need for AppGuard/SRP at the enterprise level. HOWEVER, there would be a need for WLC-Enterprise, because it would provide great insight into what is running that is safe.

    For VS, the fact it does so much and does it without breaking systems like AppGuard does, and without incessant, annoying prompts, means for almost everyone it is a superior product. It also explains why AppGuard, generally speaking, wouldn’t have much of a widespread market.

    I think if VS offered some of the lockdown options within OSArmor it would be really helpful. Maybe a couple of footprint options on install that enable OSArmor type lockdowns depending on desired profile ‘Light, Firm, Paranoid’.  Would something like that be helpful at all?

    I am not going to comment either way about AppGuard and I am referring specifically to SRP as a tech, mainly the one built into Windows.  Years ago a lot of people believed that VS blocked entirely too much as well, which is why I spent all of the time refining the usability tweaks.  But either way, whether the tech is SRP, VS, AppLocker, whatever, I have believed for a very long time that a perfect balance between security and usability is absolutely vital.

    VS has always had hardwired rules that are quite similar to the OSArmor rules, but the rules have not been user definable / optional.  There might be a few rules we can make optional and available to the user for tweaking, but I highly doubt most people would ever want to tweak them.  And some rules really should not be modified… for example, some users flat out block (without prompt) interpreters like ps, wscript, cscript, etc., and then they later wonder why their computer acts funny or does not update, or whatever.  They are disabling vital components on the machine that devs use all of the time to perform certain tasks.

    We might be able to tweak the Security Posture feature (Aggressive, Moderate, Relaxed, Silent) a little more.  What do you think?

    • This reply was modified 1 week, 5 days ago by Dan.
    2
    0
    Geri123
    Participant
    none
    Disclaimer: Novice+ user here so all I did could have been totally wrong but I always had a backup so I wouldn’t rage if all went south.

    I used AppGuard before it became a subscription model. Since I have a rather static system and after adding some programs, AppGuard worked well for me. As long as my stuff runs and works as expected I don’t care if I get popups for memory blocks or so. System runs normally > don’t care about “memory blocks”.
    If they wouldn’t get greedy for company money and had decent end user prices I would still think about it.

    I used Hard Configurator from Andy Ful. Despite having activated 173 sponsors on the blocklist and nearly maxed all the “designated file types” I didn’t see any block in my “blocked events” log.

    The file types I see in the list I have never encountered as a home user and doubt I ever will. I can update stuff like AdGuard (desktop app from the adblocker) without problems.

    From memory: VS on the other hand gives tons of popups when AdGuard uses .tmp or tmp.exe for updating from a dumb file path. [Getting a “suspicious” warning in VS without any real VT results to back it up doesn’t help much]

    I know it’s the fault of AdGuard’s devs for using stupid file paths but you either trust them and disable VS and hope for Windows Defender/your AV or click accept 10++ times in VS 😀

    TL;DR: As long as SRP seems to let me block 173 sponsors and dozens of strange file types without any problems, why not give me an option to do it in VS?


    • This reply was modified 1 week, 4 days ago by Geri123.
    1
    0
    VecchioScarpone
    Participant
    AU

    gorblimey:

    Of course, if M$ is moving away from SRP…  Is there something we should know?  Like perhaps it doesn’t work too good?

    This thought crossed my mind too…

    0
    0