VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was totally unaware of this... maybe it is not a crazy idea after all ;). What products use this type of self-protection?
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    I understand that but for my machines, I'll take my chances. How does the attacker gain access to your machine to have unlimited attempts at defeating VS? If an attacker has access to your machine then it is too late and your machine is already compromised, right?

    What if I want to kill VS for whatever reason?
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I think if all security software had this type of protection, it would be a major, major pain for attackers ;). The question is... is it possible to do it correctly, so that the end user does not even notice that it is there.
     
  4. guest

    guest Guest

    No, I mean if the GUI is killed by me, I should be able to use my system, and no, you are not begging for bypass because killing the GUI shouldn't open any vulnerability; if it does, it means the software should be rethought.

    And that is enough.

    Because the user may have background tasks running or still working and a forced reboot will undo the task?

    Appguard Enterprise for example. This is not a feature needed for Home Users, in my opinion.

    That is also my point.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Other methods of self-protection are fine, but if your machine is under a targeted attack, and all you do is fend off each attempt without locking down the system, then the attacker has another try, and another try, and another try.

    If you want to kill VS, just exit properly... it is the polite thing to do ;).
     
  6. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    If it can be done I think a "timer" would be useful for some to save work etc, ie "VS has detected malware


    I think it would be useful if it had a countdown timer integrated with a warning ("VS has detected attempts to disable its self-protection, it will reboot your computer in 10 seconds") with a yes\no option.
     
  7. guest

    guest Guest

    If you are under targeted attacks, the system is already compromised and VS failed.
    And what if you get infected by malware trying to disable VS all the time? You reboot, the malware attacks again? You re-reboot? The malware attacks again? You re-re-reboot?
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Exactly!
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It really is not good to kill items in the task manager if you can avoid it. Almost all software has shutdown procedures that need to be performed, otherwise you risk database corruption and a host of other issues. All you have to do is shut down VS properly by right-clicking on the desktop shield gadget or tray icon and choosing Exit.

    I have not tried AG Enterprise... but from what I remember, if you kill the AG Standard gui, the system is locked down and you cannot start any new programs until you restart the gui, right? What is the difference between the Enterprise and Standard versions in this scenario?

    VS's new feature does not force you to reboot right then... it gives you the chance to close all of your programs and save your work, then reboot when you are ready. You just cannot start any new programs.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This is simply not true. I can send you a macro that is similar to the one Adam used, and you will see.

    For example, in this scenario, the macro is launched in MS Word, which kills the gui, so the system goes into immediate lockdown. The macro then tries to launch the payload, and it is blocked by the service. When you reboot, there is no startup entry because the payload was never spawned, so your system is clean.
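
The fail-closed behaviour described in this post (and asked about again in the thread's last post), as an added example that is not part of the thread and not VoodooShield's code: a hypothetical service model in which an unexpected loss of the GUI blocks every new launch until reboot, shown beside a fail-open variant for contrast. The class, method and file names are assumptions, as is the rule that a clean exit turns protection off.

```python
from enum import Enum


class Mode(Enum):
    PROTECTED = "protected"  # GUI alive: the allowlist decides
    EXITED = "exited"        # user chose Exit: protection off (assumed)
    LOCKDOWN = "lockdown"    # GUI vanished without a clean exit


class GuardService:
    """Hypothetical model of the service side, not VoodooShield's code."""

    def __init__(self, allowlist, fail_closed=True):
        self.allowlist = set(allowlist)
        self.fail_closed = fail_closed
        self.mode = Mode.PROTECTED

    def gui_clean_exit(self):
        # A proper exit is only honoured while protected; it cannot
        # be used to talk the service out of lockdown.
        if self.mode is Mode.PROTECTED:
            self.mode = Mode.EXITED

    def gui_process_gone(self):
        # GUI disappeared with no exit message: treat it as tampering.
        if self.mode is Mode.PROTECTED:
            self.mode = Mode.LOCKDOWN if self.fail_closed else Mode.EXITED

    def reboot(self):
        self.mode = Mode.PROTECTED

    def may_launch(self, image):
        # Only new launches are gated; running programs are untouched.
        if self.mode is Mode.LOCKDOWN:
            return False
        if self.mode is Mode.EXITED:
            return True
        return image in self.allowlist


def replay_gui_kill(fail_closed):
    """Constructed event sequence following the scenario in the post."""
    svc = GuardService({"winword.exe", "notepad.exe"}, fail_closed)
    svc.gui_process_gone()                   # GUI killed, no clean exit
    payload = svc.may_launch("payload.exe")  # not on the allowlist
    notepad = svc.may_launch("notepad.exe")  # allowlisted, but a new launch
    svc.reboot()
    return payload, notepad, svc.mode, svc.may_launch("notepad.exe")
```

With `fail_closed=True` the payload and even the allowlisted program are refused until the reboot; with `fail_closed=False` the same GUI kill leaves both launches allowed, which is the case the lockdown is meant to close.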
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, we could do that... that would be cool. I think we will wait to see if this new feature is going to work well for everyone first before we add a timer though ;).
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    In any case, I vote for an option to disable this feature.
     
  13. guest

    guest Guest

    If you implement a security feature, you have to consider all aspects, you know that already. Don't make it just because of a particular case (aka this macro); other methods exist to terminate/disable a service (and are used by persistent malware like rootkits).

    I don't say "don't do it!", I say "don't overdo it"; VS users are mostly average to average+ users, they don't have the skills to remove malware by themselves. If the situation you describe, "targeted attacks", is happening, they can't just reboot to normal mode, they have to find the cause of the lockdown and remove it, or they will end up with a compromised system that is perpetually locked because the attack is self-perpetuating. Most won't be able to do that.

    Now you may surely find a compromise, it is possible, just take all situations into consideration.
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    What happens if an AV or other anti-malware solution suddenly decides to detect VS and tries to remove it? Machine gets locked down, user restarts, AV once again tries to remove VS, machine gets locked down, user restarts....
     
  15. guest

    guest Guest

    Anyway it should be opt-in. :D
     
  16. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,107
    Location:
    UK
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, we do not want to overdo anything... we will figure it out and make it right.

    Really what it all comes down to is when there is a targeted attack, should the machine be locked down or not?
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    If that happens, the gui will not start on reboot (because the AV software would have deleted or quarantined VoodooShield.exe), so the service will never activate completely. You can simply reinstall VS and whitelist it in your AV. Although, the odds of that happening are very small.
     
  19. guest

    guest Guest

    IMO, the machine should be reformatted. All my security apps are chosen to avoid being targeted and deny anything to get in my system. If I see I'm compromised, I don't care what happens next, I shut down my system, wipe my disk and restore a backup.
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    No offence, Dan, but so is your targeted attack. ;)
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that was a bug, sorry about that! The funny thing is, if there had not been any bugs in the new self-protection feature, everyone probably would have been quite happy with it, simply because they would not have even noticed it was there ;). I will try to get it right, and if it is too much trouble, we will figure out something else ;).
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Let me rephrase this... when there is a targeted attack where the payload is successfully blocked by VS, but the gui is killed, should the machine go into lockdown, and block everything or not? ;)
     
  23. guest

    guest Guest

    In that case, yes. If only the gui is killed, no.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I agree... but if we can make it completely seamless and unnoticeable, there is no reason to not implement it.

    The funny thing is, it is only one very specific script that I am aware of that is an issue at all... otherwise, VS does a great job at protecting itself, even without this new self-protection feature.
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I really have to go to bed... but if the gui is killed, how is the determination made to run a new item or not? You cannot just allow everything, you have to block everything, right?
     