VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
VS will not block the payload in Smart Mode if it does not toggle to ON when WMP is launched. If I'm misunderstanding how VS works in some way then explain to me what I'm misunderstanding. I don't have VS installed on my machine right now so maybe some changes have been made to VS in the last couple of builds.
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    what protection do I lose by Always On...what performance do I gain by Toggle
    Toggle is assumed based upon list of Web Facing
    Deem everything Web Facing....no need for Toggle
    Web Facing is where bulk of risks reside ... so, Always On...no need for Toggle
    Why Toggle ...? Dan wrote user option. Why waste code ...?
     
    Last edited: Jun 21, 2015
  3. hjlbx

    hjlbx Guest

    "Exploits" take advantage of a software vulnerability to generally obtain escalated system privileges + a payload. The payload generally works by collecting data and transmitting it via the network.

    So when the exploit payload makes an outbound network connection, VS will toggle on and block it... at least that is my understanding - that VS will automatically "Auto-Detect" web-facing apps\executables.

    Has the auto-detection of web apps not been implemented? I know it was discussed during earlier builds...

    Nope. I was wrong. VS has to toggle on when WMP launches... auto-detect was never implemented.

    Apologies for the confusion...
     
    Last edited by a moderator: Jun 21, 2015
  4. hjlbx

    hjlbx Guest

    None. Always On is equivalent to "Lock Down" mode and is the most secure.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
Here's the rest of my quote you missed:
why use less than most secure (your words)
     
  6. hjlbx

    hjlbx Guest

    Toggle On\Off; Off = "Training" mode...

    Just gives user the option.
     
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    Toggle Off ... protection is still On for user space...
    Training = Training
     
  8. hjlbx

    hjlbx Guest

I think the setting is: "Always scan user space when VS is Off, Smart or Always On mode."
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
What's your point?
    Toggle remains as superfluous and tenuous protection albeit optional.
    Will always blue tray Icon ding performance...detract protection...annoy me? Just asking..?
    Awaiting user guide to document VS settings.
     
    Last edited: Jun 21, 2015
  10. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Feature Request

    Hi. I wonder if this is possible or even desirable? Add a way to add a user defined blacklist for executables (any extension) so that they never get to run in the first place or else terminate them if found to be running. For me personally that would be a huge bonus feature.

    Reasoning behind the request:

Currently I use a combination of several other methods that don't always work to block toolbar installers and the like when attempting to clean install software that comes bundled with PUPs. If I identify the executable responsible for installing the PUP then often I can block it and still install the software. There may be other reasons why users want to define executables that they never want to see running.
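As an added illustration of the blacklist the request above describes (example code written for this discussion, not VoodooShield's own implementation or file format), the snippet below models a user-defined executable blacklist with two kinds of entries, a file name and a SHA-256 hash, and shows both halves of the request: a pre-launch decision and a sweep over already-running processes. The `Blacklist` structure, the sample images and the process list are all constructed for the example; hash entries are checked first because a hash still matches after the installer is renamed, while a name-only entry is defeated by a simple rename.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Blacklist:
    """User-defined blacklist (hypothetical structure, not VoodooShield's)."""
    names: set[str] = field(default_factory=set)    # lowercase file names
    sha256: set[str] = field(default_factory=set)   # hex SHA-256 digests


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def evaluate(path: str, image: bytes, bl: Blacklist) -> tuple[bool, str]:
    """Decide whether an executable may run.

    Returns (blocked, reason). The hash check runs first because it survives
    renaming; a name match is a weaker fallback that only catches the
    original file name.
    """
    if sha256_hex(image) in bl.sha256:
        return True, "hash"
    if basename(path) in bl.names:
        return True, "name"
    return False, "allowed"


def sweep(processes: list[tuple[int, str, bytes]],
          bl: Blacklist) -> list[tuple[int, str]]:
    """Second half of the request: given (pid, path, image) for processes that
    are already running, return the pids that should be terminated and why."""
    to_kill = []
    for pid, path, image in processes:
        blocked, reason = evaluate(path, image, bl)
        if blocked:
            to_kill.append((pid, reason))
    return to_kill


# Constructed sample data: two fake PE-like byte strings standing in for
# a bundled toolbar installer and a legitimate setup program.
PUP_IMAGE = b"MZ\x90\x00 constructed toolbar installer stub"
BENIGN_IMAGE = b"MZ\x90\x00 constructed legitimate installer stub"

SAMPLE_BLACKLIST = Blacklist(
    names={"toolbarinstaller.exe"},
    sha256={sha256_hex(PUP_IMAGE)},
)

if __name__ == "__main__":
    # Renamed copy of the PUP installer: still caught by its hash.
    print(evaluate("C:\\Temp\\update_helper.exe", PUP_IMAGE, SAMPLE_BLACKLIST))
    # Different binary carrying the blacklisted name: caught by name only.
    print(evaluate("/tmp/ToolbarInstaller.exe", BENIGN_IMAGE, SAMPLE_BLACKLIST))
    # Unrelated installer: allowed to run.
    print(evaluate("C:\\Temp\\setup.exe", BENIGN_IMAGE, SAMPLE_BLACKLIST))
    print(sweep([(100, "C:\\Temp\\setup.exe", BENIGN_IMAGE),
                 (200, "C:\\Temp\\x.exe", PUP_IMAGE)], SAMPLE_BLACKLIST))
```

The name-based entry is kept because it is what a user can type without tooling, but the example makes the trade-off visible: a bundled installer that is re-downloaded under a new name slips past it, whereas the hash entry keeps matching until the vendor rebuilds the binary.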
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
    requested before... thanks for adding your request
    In theory VS global blacklist as you know. Except whitelist.
     
    Last edited: Jun 21, 2015
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    @ All,

    So have we decided whether WMP should or should not be included with the Web Applications?
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have a decent understanding of how exploits work, but yes, VS has to toggle to On in order to block the payload.
     
  14. hjlbx

    hjlbx Guest

    WMP should be a protected web app = VS should toggle on when WMP launches.
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Thank you. I will leave WMP included as a Web Application in VS.
     
  16. rm22

    rm22 Registered Member

    Joined:
    Oct 26, 2014
    Posts:
    357
    Location:
    Canada
I finally took a look at these...

Chrome task manager closes when I close Chrome... but Chrome has stopped hanging on this PC as well.

In Smart mode - so the toggling issue occurs when VS is toggled 'off' then back 'on' before shutting down the web app. In this scenario VS occasionally stays on when the web app is closed - this is self-corrected the next time a web app is opened/closed or corrected by re-selecting 'smart mode'. So this is not a big deal at all - at worst you might accidentally block something - so just FYI for you Dan.

Thanks - I've put the data files on D drive in a 'downloads' folder for now and as you said executables are now blocked without doing a 'custom block'.
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey everyone, I will catch up on the posts soon... I just wanted to give you a quick update.

    The mini filter KMD should be ready in a couple of weeks, assuming everything goes right ;). We might end up liking the AppCertDll method better, who knows, I guess we will see.

    The Cuckoo Sandbox server is up and running... I just have to build a small cluster and figure out a few more things. Most important, I am trying to make it smoking fast by using SSD drives and optimizing the heck out of the Windows installation. I went with Windows 7 64bit instead of the XP route since from what I hear there actually is 64 bit malware now ;). Anyway, since 64bit is somewhat recently supported by Cuckoo, there was very little documentation and tools to help me get it going... but it was fun and I learned a heck of a lot about Cuckoo, and it is running extremely well.

    Also, I cannot make any promises whether this next part will work or not... but if it does work, it is going to be seriously cool. The idea is... when a user submits a sample for Cuckoo analysis, I was thinking that it would be really cool to ask the user if they want to start a Remote Desktop session to watch the live action!!! I mean, they are going to get an extremely detailed report either way, but it is really cool watching the malware execute and the analysis take place. That way, especially if a less advanced user is unable to read the reports, they can at least watch what happens to their computer when malware is executed... you know, before they run it on their computer ;).

Also, down the road I am going to set up VMs with VS installed, that way the user can choose to run in a VM with VS, just to see if it could have bypassed VS.

    I will catch up soon! Thank you!

    Edit: BTW, I think we will like the KMD a lot... I am just saying that the AppCertDll is really cool too. Also, I forgot... the Cuckoo servers are so fast that they are performing the entire analysis in as little as 16 seconds! And that includes booting the VM ;).
     
  18. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    131
    Location:
    Spain
Been using VoodooShield for over a week and everything is going perfectly smooth. The only annoyance I've found is with Minecraft: even whitelisting Minecraft's launcher and executable, it always asks me about javaw.exe twice. And, of course, I'm not going to whitelist it XD.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,210
    Location:
    Among the gum trees
    Dan,

    I just had an issue with VS where I put it in Training Mode to install the latest Adobe Flash Player ActiveX version and it was like VS became frozen. There was nothing I could do to re-activate VS. Finally VS popped up and asked if I wanted to re-enable it but even after I'd done that it took a while before VS became responsive to either left or right clicks.

Not sure what caused that mate, but I'm just reporting what happened.

    Thanks.
     
  20. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,453
    Location:
    .
Will I need to be logged in at malwr.com?
I've tried Sign up with no joy. Promised confirm email from malwr no show. Four emails to malwr no reply.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  22. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    86
    Location:
    UK
    Hi Dan,

    Just installed 2.74 beta and have got this again:

    2015-06-23 17_31_12-VoodooShield Scan.jpg
     
  23. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Dan,
Awesome idea to utilize the Cuckoo Sandbox. I used it a lot when I would test malware and loved the detailed reports. Another good one is Anubis. It isn't as detailed but it does give a great summary at the beginning of what is changed/modified. Great job all around. Running VS and seeing how effective it is allowed me to uninstall Sandboxie. I'm a lifelong fan of Sandboxie but VS has proved itself and I don't feel the need to use Sandboxie.
     
  24. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
Installed here, Dan, and running fine so far...will check a few things out and let you know if I find anything untoward.

    Regards, Baldrick
     
  25. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
Installed newest beta. Running smoothly on Win 8.1 Pro. Alongside its favorite sidekick WSA beta.
     