VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    I don't know where I got it in my head that SMART mode toggles. Toggle On when VS sees a new web facing app. IE prompts half the time and FF none of the time. FF prompts plugin container on close of FF ? So, now Default for me is not Smart it's On.

    So, I have to open a web facing app for VS to prompt a web facing app ?
     
    Last edited: Jan 5, 2015
  2. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    HP needs to be added on the web app list in prefs.
     
  3. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Hello Dan et al,
    Does VS protect against malware exploiting a whitelisted program’s process memory?

    Does VS protect the whitelisted program’s process (in memory) while the program is running?

    For example > if Adobe Reader opens a PDF file containing Malware, this malware will poison the memory of Adobe Reader (not the file on the hard drive) and then attack other components of the system.

    What say ye' VS
     
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I believe the answer to both of those questions is 'No'. Although I don't know the internals as well and would love to be corrected if I am wrong.

    What VS would stop in this case is if that whitelisted process (now infected/exploited) was to additionally download another infected executable and try to execute that from a directory which is not whitelisted. This particular scenario is also why I would uncheck the option to allow all from Program Files, and instead train/hash those on an individual basis, which I believe is also what you have been experimenting with lately.

    I believe your questions are more in line with how AppGuard behaves to protect processes. We'll have to wait for Dan to give a more thorough answer anyways. And who knows, maybe this type of protection can be built into VS sometime as well. That would be fantastic.
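
An added illustration of the folder-versus-hash point in the post above; it is not part of the thread and not VoodooShield's code. The `Allowlist` class, the file names and the sample tree are hypothetical and constructed for the example: a folder rule allows anything placed under the trusted folder, while per-file hash training allows only the exact bytes that were trained.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class Allowlist:
    """Hypothetical execution allowlist: trusted folders and/or trained hashes."""

    def __init__(self, trusted_dirs=(), trusted_hashes=()):
        self.trusted_dirs = [os.path.realpath(d) for d in trusted_dirs]
        self.trusted_hashes = set(trusted_hashes)

    def decide(self, path):
        real = os.path.realpath(path)  # resolve symlinks and ".." first
        if sha256_of(real) in self.trusted_hashes:
            return "allow:hash"
        for d in self.trusted_dirs:
            if os.path.commonpath([real, d]) == d:
                return "allow:folder"
        return "block"


def put(folder, name, content):
    os.makedirs(folder, exist_ok=True)
    path = os.path.join(folder, name)
    with open(path, "wb") as f:
        f.write(content)
    return path


def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        pf = os.path.join(root, "Program Files")
        reader = put(os.path.join(pf, "Reader"), "reader.exe", b"trained build")
        in_pf = put(os.path.join(pf, "Reader"), "helper.exe", b"dropped payload")
        in_dl = put(os.path.join(root, "Downloads"), "update.exe", b"dropped payload")
        folder_rule = Allowlist(trusted_dirs=[pf])
        hash_rule = Allowlist(trusted_hashes=[sha256_of(reader)])
        # Each value is (verdict under folder rule, verdict under hash rule).
        return {name: (folder_rule.decide(p), hash_rule.decide(p))
                for name, p in [("reader", reader), ("in_pf", in_pf), ("in_dl", in_dl)]}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Both policies block the untrained file in the non-whitelisted folder; only the hash policy also blocks the untrained file sitting inside the trusted folder.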
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, I am not sure. I just disabled "Automatically allow all software from the Program Files Folders" and reset my whitelist, then put VS in Smart Mode. I then launched IE and closed it (no balloon). I then launched FF and closed it (no balloon). So I am guessing that you pretty much did the same thing, except you did not close the first web app that you had opened, so at that point VS was ON. If this is not correct, please list the steps I can follow to reproduce this behavior. Thank you!
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I think something is getting whitelisted automatically, which is what VS is supposed to do. If you can provide me the exact steps to reproduce this behavior, I will look into it. Thank you!
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you TH and Baldrick! Happy New Years!
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, something is not right, but I think VS is working properly. One thing I noticed about testing VS is that the user has to be cognizant of what is automatically being whitelisted, and reset your whitelist often. I also have noticed that a lot of times things do not make sense when testing VS... then a few minutes later you realize "Ohhhhhh, that is why VS allowed that." But yeah, from what I understand, that is how it is supposed to work. Thank you!
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Does VS protect against malware exploiting a whitelisted program’s process memory?
    Yes, assuming that the new malware is not whitelisted ;).

    Does VS protect the whitelisted program’s process (in memory) while the program is running?
    VS currently does not do anything to specifically protect memory of whitelisted processes, and I am not sure that it really needs to. In order for non-whitelisted malware to do anything, it has to execute first, right? Although, it would be nice to add some memory protection features... and we will soon with VS 3.0.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    HEY WBD, yeah, we plan to add some memory protection in VS 3.0, but we have to be careful how we implement it. There are a lot of proprietary techniques that other security software use, and we do not want to "borrow" anything that is not ours ;). However, if we find one that works particularly well with VS, we will see if the owner of the intellectual property will license their technology to us. Thank you!
     
  11. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    VS: Will it not then overlap with HIPS like outpost firewall?
    The user space guard is what I like about VS.
    I did have AppGuard installed but it became too much of a pain trying to figure out why an app didn't load; also the notification system was poor, so uninstalled AG.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I think since OF focuses on network connections / activity (traffic), and VS focuses on denying unknown executable code, I would think that is a pretty good combo ;).
     
  13. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    I did close the first app. So, in SMART. I have to open a web facing app for VS to prompt a web facing app ?
     
    Last edited: Jan 6, 2015
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    I reset whitelist daily and am cognizant of whitelist status. My Ohhh, is why did VS SMART not do that. So, I run ALWAYS ON when not testing SMART.

    "VoodooShield tries to stay out of the way by going active only when the user is at risk. VoodooShield blocks unknown programs when the user runs a browser or email client, and when a removable drive is inserted".

    Seems my quandary is that I have to open a trained web facing app to protect an untrained web facing app.

    EDIT: Found another VS review that explains. <<One points out that by default VoodooShield remains in training mode when you’re not using email or a browser, noting and whitelisting any programs you use.>> That's exactly what I observed. But, did not understand default.
    * No more quandary. Prefer ALWAYS ON to SMART.
     
    Last edited: Jan 6, 2015
  15. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    I was thinking of the HIPS section of the firewall which prompts on memory modification, reading the screen buffer etc.
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Just to clarify, AG is also a yearly subscription. Their website is just not clear about it last time I checked.

    EDIT: My apologies, I was wrong on this. trott3r's comment below is correct. Sorry, let's get back on topic with VS.
     
    Last edited: Jan 6, 2015
  17. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    AIUI AG is lifetime for the current version like 4.x;
    for v5.x you have to pay.

    Slight difference and one I agree with.
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    I was quoting from PC Mag AG Review Date February 13, 2014. <<Refreshingly, the $29.95 price tag is a one-time expense, not a yearly subscription. That makes sense, really, since the product doesn't require the regular signature updates that are a staple of traditional antivirus products.>>
     
    Last edited: Jan 6, 2015
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    I have been tardy...I just this morning updated from the previous version, i.e. 2.21...

    But, I noticed this for the first time when uninstalling, and then doing a fresh install of v2.22. Just wondering why I am seeing this, now.

    ScreenShot_VS_v2.22_install_fresh_16.gif
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It is working great for me, so we are not on the same page. Please clearly list the steps to reproduce this behavior and I will test it asap.

    The PC Mag quote is correct as well. We just must be misunderstanding each other. Please let me know how to reproduce this behavior. Thank you!
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that makes it a great combo as well ;). Sorry, now that I read your original post, I see what you mean. But yeah, for both reasons, it is a great combo.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that is to be expected... no big deal at all. I made some changes to the service to fix a couple of bugs. Thank you!
     
  23. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    My HIPS monitor, SSM sees all...
     
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,458
    Location:
    .
    Sent PM as not to bump VS
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I wish the developer would have continued to develop SSM. It's a great piece of software!
     