Vulnerability in Windows Disclosed by…an Agentcy. (Phoney Certificates)


  • Post
    GrDukeMalden
    Participant
    US
    So there was a vulnerability revealed in Windows a little while ago about a new way that digital signatures of Windows system files could be faked in such a way that a lot of antivirus products would mistake malware for a legitimate system file. From there, privilege escalation can be done and then it’s game, set, match. Microsoft has since patched this vulnerability in Windows 10, but that couldn’t have been the only problem. I really don’t understand why digital signatures are such a common way that the safety of a file is determined. They’re super easy to fake.

    My question is this: Does Voodooshield identify windows system files by just a digital signature? Or worse yet, by the location of the file?

    If so, that needs to change. I’m well aware that VS identifies most things based on an SHA256 hash, but I also see that setting on the front page about the option to “automatically allow items that match a digital signature in the whitelist snapshot.” That option needs to not exist anymore.

    Malware has had commonly seen digital signatures for a while now. And theoretically, if a virus has the same digital signature as something in your whitelist snapshot, it would be allowed by VS. So a digital signature is not now, nor has ever been, enough to ensure the safety of a file. Now that WLC exists, that option I spoke of above, in bold, doesn’t need to be there anymore. Perhaps you could add a button to allow the user to scan their whole PC to ensure that all known-safe files are already in the whitelist. And then the user could check the hashes of any unknown files on VirusTotal.

    So Dan, I really hope you get rid of that option. It’s REALLY easy to fake a digital signature, but it’s almost impossible to fake an SHA256 hash.

    No one can know everything, please do correct me if I have the wrong idea about anything.

    |VPN(paid)| VoodooShield(Paid)| ComodoFW-Beta(Free)| HitManPro.Alert!(Paid)|
    0
    0
  • Replies
    Dan
    Keymaster
    US
    We have understood from the very beginning how dangerous it is to allow by digital signature alone, which is why VS does not do so.  We have some creative, safe methods we have developed over the years that reduce unnecessary blocks while remaining perfectly safe.

    Everyone knows how conservative I am when it comes to security and we simply do not take chances.  When a company or product assures a user that their device is protected, the user automatically assumes this means 100% protection, which I discovered 20+ years ago while removing malware for local customers.  In other words, the user installed a filter when they thought they installed a lock.

    Having said that, while no security product can guarantee 100% efficacy, it is inexcusable that new, unknown arbitrary code would ever be allowed to execute when the endpoint is at risk.  If this simple rule is not followed, there certainly will be bypasses and infections.

    Just run VS in its default settings in Smart or Always On mode and you will be just fine.  There are obviously tweaks within VS that allow the user to reduce its security posture, and this is typically safe as long as you are running an effective AV alongside VS as well.

    A lot of people are switching over to the Windows Defender / VS combo.  It is what I am running now… it is unbelievably light and simply amazing.  VS perfectly covers the weak spots of Windows Defender and vice versa.  Perfect combo.

    0
    0
    GrDukeMalden
    Participant
    US
    My main concern is that one setting by the name of: “automatically allow items that match a digital signature in the whitelist snapshot.”

    How does that setting work? I’ve had it turned off for a long time. Because if all it takes for something to be allowed is a digital signature of something allowed previously, that’s a problem. A bad actor could just spoof a digital signature of something that tons of people use and slap that phoney signature on malware and VS would allow it, right?

    I don’t like Windows Defender. The setup I have in my signature is heavier, yes, but I like having something like SecureAPlus to go with VS. Two products that always get 5/5 star ratings from AVLab.

    I’ve also had the option to “automatically deactivate after (X-number) minutes of system idle” off since I started using the paid version of VS.

    • This reply was modified 8 months, 3 weeks ago by GrDukeMalden. Reason: I'm uncertain of something I stated
    |VPN(paid)| VoodooShield(Paid)| ComodoFW-Beta(Free)| HitManPro.Alert!(Paid)|
    0
    0
    Dan
    Keymaster
    US
    That option has many different checks… it does not just blindly auto allow by digital signature, and it is limited to certain sigs (very long story).  Besides, VoodooAi is quite capable at detecting spoofed sigs.

    Having said that, if you do not mind a few extra unnecessary blocks and you want to lock the computer down as tight as possible, it does not hurt to disable that option.

    1
    0
    gorblimey
    Participant
    none
    Yeah, I’ve been rabbiting on about this for years.  And no, I don’t allow “… matching digital signature in whitelist snapshot”.  I don’t even “Automatically allow … from Program Files”!

    The only encryption that means anything for me–apart from SvenFaw’s wonderful Cobbler–is the download hash.  Having said that, we note that CCleaner had a download hash…  Even the hash is not a good shield against malice, you are making an assumption the author has a secure repository and has not p….d off any dodgy employees.

    So as long as downloaded softs are not allowed access to the phone, we should be secure.  Learn how to use your firewall!

    And lock down %user/local/temp% for all users, even Admin.  Dan’s Rules make that easy, but you do lose Custom Folders in the deal.

    _________________________________

    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
    1
    0
    GrDukeMalden
    Participant
    US
    I’m a little confused about what @Gorblimey is talking about.

    They said that CCleaner “has a download hash” in a way that implies not everything has a “download hash”.

    Literally every file has an info hash of every kind. MD5, SHA1, SHA256 and so on. Every file has one. That’s why it’s such a good way to keep a whitelisting application from being fooled. Because if the file is different, the hashes calculated from it will also be different.

    A digital signature is more like a name tag. Any idiot can wear a name tag that says anything, it doesn’t make them who that name tag says they are.

    I’ve never seen an honest test of voodooshield where it failed. Even with the default settings.

    If you want to make it tighter, uncheck the option to allow by parent process and uncheck the option to auto allow anything that matches a digital signature in the whitelist snapshot. Maybe even disable the option for VS to be deactivated after X-number of minutes.

    |VPN(paid)| VoodooShield(Paid)| ComodoFW-Beta(Free)| HitManPro.Alert!(Paid)|
    0
    0
    gorblimey
    Participant
    none
    Aaahhhh.  Apologies all around.  I thought everyone knew about the CCleaner catastrophe.

    What happened was, Avast bought CCleaner, but it seems a few CCleaner employees weren’t happy.  They put a trojan into the product, and replaced the hash.  It was only done to one version of one variant, but caused havoc and much damage to Avast’s reputation.  The damage was made good, but it did serve to underline some realities.

    1) disgruntled employees can be a wonderful malware vector;

    2) the presence of a download hash is no guarantee the product is malware-free or that the repository has not been hacked*: it is only a guarantee the download was not intercepted in a MiM attack.

    * Mind you, any softs publisher that stores download hashes in the main repository is begging for trouble.

    And, sadly, not every software publisher automatically provides a download hash.

    _________________________________

    Understanding the scope of the problem is the first step on the path to true panic. [Florence Ambrose, "Freefall"]
    1
    0
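    A small model of the two checks the thread keeps coming back to: an allowlist that keys on a SHA-256 hash versus one that also auto-allows by a matching signer name, and a download-hash check whose reference hash is either recorded out-of-band or replaced together with the file. This is an added illustration, not VoodooShield code; the binaries and signer names are constructed samples, and the "signature" is modelled as a plain signer-name string rather than a real Authenticode check.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Binary:
    content: bytes   # constructed stand-in for an executable image
    signer: str      # the "name tag": signer metadata reduced to a string (assumption)


# Constructed samples: a clean build and a trojanized rebuild that keeps the signer name.
GOOD = Binary(b"installer v1.0 -- constructed clean build", "Example Publisher Ltd")
TROJANIZED = Binary(b"installer v1.0 -- constructed build + injected payload", "Example Publisher Ltd")


def allowlist_decision(candidate: Binary, snapshot: list[Binary], allow_by_signer: bool) -> str:
    """A hash match in the snapshot always allows. With allow_by_signer=True a signer name
    already in the snapshot also allows, which is the weakening the thread argues against."""
    known_hashes = {sha256_hex(b.content) for b in snapshot}
    if sha256_hex(candidate.content) in known_hashes:
        return "allow (hash in snapshot)"
    if allow_by_signer and candidate.signer in {b.signer for b in snapshot}:
        return "allow (signer in snapshot)"
    return "block (unknown)"


def verify_download(downloaded: bytes, reference_hash: str) -> bool:
    """A hash comparison only detects changes made after the reference hash was taken."""
    return sha256_hex(downloaded) == reference_hash


def download_scenarios() -> dict[str, bool]:
    """Whether the download-hash check behaves as hoped in two constructed scenarios."""
    out_of_band_hash = sha256_hex(GOOD.content)  # recorded earlier from a trusted source
    return {
        # file altered in transit, reference hash untouched: tampering is detected
        "mitm_detected": not verify_download(TROJANIZED.content, out_of_band_hash),
        # repository compromised and the hash hosted beside the file replaced too: check passes
        "repo_compromise_passes": verify_download(TROJANIZED.content, sha256_hex(TROJANIZED.content)),
    }
```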