VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,579
    Location:
    The Netherlands
    Yes correct. Speaking of Sandboxie, let's say if anti-exe is bypassed there is always SBIE to save the day, because the payload will still run sandboxed.

    Anti-exploit will stop exploits in an earlier stage, so it will block so called "in-memory" payloads, this is something that anti-exe can't do. The good news is that this type of payload/shellcode is almost never used in real life attacks, because it makes it harder for hackers to get ransomware and banking trojans running on the system.
     
  2. Exploits need shell and script access like plants need water, so blocking those being spawned by browsers is a strong mitigation. Combined with general anti-execution policy this should be enough to block any exploit-based intrusion (at least as far as I know).
     
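    The "browser must not spawn shell or script hosts" policy from the post above, as an added example (not code from VoodooShield or any product mentioned here): it parses constructed process-creation records and flags the ones such a rule would block. The browser and script-host name sets and the record format are assumptions for this example.

    ```python
    from pathlib import PureWindowsPath

    # Browsers whose children are examined, and the shell / script hosts the post calls
    # "shell and script access". Both name sets are assumptions for this example.
    BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
    SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

    def image_name(path: str) -> str:
        """Lower-cased file name of a Windows image path."""
        return PureWindowsPath(path).name.lower()

    def parse_event(line: str) -> dict:
        """Parse one constructed process-creation record: 'Key=Value|Key=Value|...'."""
        event = {}
        for field in line.split("|"):
            key, _, value = field.partition("=")
            event[key.strip()] = value.strip()
        return event

    def browser_spawned_script(event: dict) -> bool:
        """True when a browser process directly started a shell or script host."""
        return (image_name(event.get("ParentImage", "")) in BROWSERS
                and image_name(event.get("Image", "")) in SCRIPT_HOSTS)

    def flag_events(lines):
        """Return (parent, child, command line) for every record the policy would block."""
        hits = []
        for line in lines:
            ev = parse_event(line)
            if browser_spawned_script(ev):
                hits.append((image_name(ev["ParentImage"]), image_name(ev["Image"]),
                             ev.get("CommandLine", "")))
        return hits

    # Constructed sample records, not real telemetry.
    SAMPLE_EVENTS = [
        r"ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe|Image=C:\Program Files\Mozilla Firefox\firefox.exe|CommandLine=firefox.exe -contentproc",
        r"ParentImage=C:\Program Files\Mozilla Firefox\firefox.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c start update.vbs",
        r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File backup.ps1",
        r"ParentImage=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe invoice.js",
    ]

    if __name__ == "__main__":
        for parent, child, cmd in flag_events(SAMPLE_EVENTS):
            print(f"BLOCK {parent} -> {child}: {cmd}")
    ```

    The browser's own child (the content process) and the PowerShell run from Explorer are left alone; only the two browser-to-script-host launches are flagged.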
  3. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think you will see that each product blocked what it was designed to block. I looked at the AG logs posted, and AG blocked a lot more than the binary payload. AG blocks .dll injection, and should block all scripts in Locked Down Mode. I'm not sure if they only tested in Medium Mode, or if they tested in Locked Down Mode also. I will have to go back, and look again.

    Edited 2/18 @ 7:33
     
    Last edited: Feb 18, 2016
  5. hjlbx

    hjlbx Guest

    This is not what the page says. You must read it in Chinese - and within the entire context of the complete threads - to fully understand; the webpages cannot be properly interpreted with Bing Translate.

    Only app that blocked the *.tmp files was AppGuard; VS and ERP were bypassed - at least that is what the OP states.
     
    Last edited by a moderator: Feb 18, 2016
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Are VoodooShield, and ERP capable of blocking .tmp files?
     
  7. hjlbx

    hjlbx Guest

    Yes.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    If that's the case then I was wrong then. They failed to block what they should have been able to block.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I actually thought VoodooShield blocked the .tmp files when I made my original statement because the screen shots indicate that VS blocked the .tmp files. It's hard to say whether the .tmp files were responsible for launching presentationhost.exe, conhost.exe, and dllhost.exe. It's hard to say with any certainty if the .tmp files were responsible for the bypass from the limited information in the thread. It could be due to the horrible translation of the thread as you have already pointed out.

    2/18 @ 8:58
    Disregard. I see the .tmp file running in Process Hacker now. VoodooShield prompted for the .tmp files, and allowed them anyways. I did not see them at first because they were partially covered by the VS prompt. I have seen in my own testing in the past that VS will allow something to run for about a second before killing the process. I do not know if this was the case in this incident, or not. Regardless, the .tmp file should not be allowed to run.
     
    Last edited: Feb 18, 2016
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Dan, can you confirm if it was the .tmp files that bypassed VS?

    2/18 @ 8:58
    Disregard. I see the .tmp file running in Process Hacker now. I did not see them at first because they were partially covered by the VS prompt.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, if you hear something different, please let us know ;).
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, yeah, the .tmp files were the payload and they did not bypass any of the security solutions in question ;).
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Why are the .tmp files shown running in Process Hacker then at the time of the VS prompt, and after? Look at the first and second image of the thread. The first image shows one .tmp file running, and the second image shows two .tmp files running, so apparently the first .tmp file that VS prompted for was allowed also. I really wish there was a video posted also so I can see if they chose block for each of the .tmp files that appear to be running in Process Hacker.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Why are we even talking about this? We know what is up and we know what needs to change to make
    Hi, I would think there are some pretty cool things we could do with this... we will have to look into it. Thank you for the suggestion!
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This is normal for the process to be suspended... test with AG, ERP and VS and you will see the same result.

    If they figured out a way to bypass one of these 3 security products, they would have posted the bypass by now, mainly to prove that they are not simply script kiddies.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,246
    Location:
    Among the gum trees
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, that is interesting, thank you for letting us know! Depending on what metadata they extract, there might be some really cool things we can do with this and VoodooAi! Here is a link that explains it a little more... it is funny that they extracted all of the metadata from all of the files in Windows XP through 10... that is what I did with VoodooAi, and I really hope that I do not have to do that again ;). Basically, they are extracting metadata (features), and if there is a match, then they know it is a clean file, which is essentially what VoodooAi does, except it does not have to be an exact match... if the features are more similar to a clean file than malware, the file is classified as clean and the probability is shown. It looks like after they evaluate the metadata and determine it is a clean file, they sign the file with a Class 3 Digital Code Signing Certificate. Yeah, here we go again with another round of digital signatures ;).

    http://standards.ieee.org/develop/indconn/icsg/amss.html

    I will check into it more and see if that might be something we can add, thanks again!
     
  18. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello
    Thanks for the link, indeed very interesting. I think Dan and I will study it more deeply to understand how and/or if we can use it in VS or VoodooAi. Since it isn't a database but a limited-time archive of metadata files, the approach of querying that service to get an evaluation of the file is not feasible, so we need to think about another way of using it.

    Thanks
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,246
    Location:
    Among the gum trees
    Thanks guys! I hope you can use it to somehow make VS even better. :thumb:
     
  20. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    First look at editing command line feature
    Feel free to comment/ask questions/give feedback.
    There are a lot of things to polish, but I just want to ensure that the interface is user friendly enough.

    1. Editing command line (non wildcard):
    EditNonWildcard.gif

    2. Edit wildcard command:
    EditWildcard.gif
     
  21. hjlbx

    hjlbx Guest

  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,246
    Location:
    Among the gum trees
    Nice! :cool:

    Now I'll just need to learn how to use the edit feature.

    Vlad, remember when I said "I seem to have many Command Line copies"? I think that every time Norton updates it creates a new Command Line. Most of the time I don't notice until I check VS but sometimes if I have a web application open I am prompted to allow a new Command Line, so I'm hoping a Wild Card would stop the constant new entries being created.

    Does that make sense?
     
  23. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    A wildcard will stop showing the prompt for all command lines that match that wildcard. Unless there is a bug, of course :)
    But you still have to edit the wildcard manually. But the edit feature is really very simple and I hope to make it intuitive enough.
    Also when you create the wildcard - all rules that match that wildcard are deleted, so you will have less entries.
     
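    The rule behaviour described in the two posts above (Norton updates producing a new command line each time, and a wildcard rule deleting the exact rules it covers), as an added example that is not VoodooShield's own code: a small allow-list where adding a wildcard removes the exact entries it subsumes and later command lines matching it no longer need a prompt. The Norton-style paths and versions are constructed, and shell-style `*` matching is an assumption about how VS wildcards work.

    ```python
    from fnmatch import fnmatchcase

    class CommandLineRules:
        """Allow-list of exact command lines plus wildcard rules (assumed semantics)."""

        def __init__(self):
            self.exact = set()      # command lines allowed one by one at a prompt
            self.wildcards = []     # patterns; '*' matches any run of characters

        def allow_exact(self, cmdline: str) -> None:
            self.exact.add(cmdline)

        def add_wildcard(self, pattern: str) -> list:
            """Add a wildcard rule and delete every exact rule it now covers."""
            covered = sorted(c for c in self.exact if fnmatchcase(c, pattern))
            self.exact.difference_update(covered)
            self.wildcards.append(pattern)
            return covered

        def needs_prompt(self, cmdline: str) -> bool:
            """A command line is silently allowed if an exact or wildcard rule matches."""
            if cmdline in self.exact:
                return False
            return not any(fnmatchcase(cmdline, p) for p in self.wildcards)

    # Constructed sample: an updater whose versioned path changes with each update.
    ENGINE = r'"C:\Program Files\Norton Security\Engine\{v}\ccSvcHst.exe" /s "NortonSecurity"'
    OLD_CMDLINES = [ENGINE.format(v="22.5.4.24"), ENGINE.format(v="22.6.0.142")]
    NEW_CMDLINE = ENGINE.format(v="22.7.1.32")        # appears after the next update
    NORTON_WILDCARD = ENGINE.format(v="*")            # one rule for every version
    UNRELATED = r'"C:\Windows\System32\cmd.exe" /c echo test'

    def consolidate():
        """Return (exact rules removed by the wildcard, prompt for new version?, prompt for unrelated?)."""
        rules = CommandLineRules()
        for c in OLD_CMDLINES:
            rules.allow_exact(c)          # the per-version entries Krusty keeps seeing
        removed = rules.add_wildcard(NORTON_WILDCARD)
        return removed, rules.needs_prompt(NEW_CMDLINE), rules.needs_prompt(UNRELATED)

    if __name__ == "__main__":
        removed, new_prompt, other_prompt = consolidate()
        print(f"removed {len(removed)} exact rules; prompt for new version: {new_prompt}; "
              f"prompt for unrelated command: {other_prompt}")
    ```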
  24. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,276
    Location:
    Ontario, Canada
  25. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...