VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, you mean like this (from our Owner's Manual that is available for download on our website in the download section)...

    Enable VoodooShield anti-exploit protection for all web apps in all file / folder locations: When enabled, this feature automatically blocks all child processes of web app parent processes. In other words, this feature effectively blocks payloads dropped by exploits.

    That was the old description, and is a quick summary of how it works, although there is a little more to it than that.

    Cool, if you think of a name (or if anyone does), that fits this feature better, I would be happy to change it.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Dan, is there a description like this in the UI? I just rolled my machine back, and I don't have VS installed at the moment. You could put the description of the feature from the manual embedded in a link in the UI if it takes up too much space. Clarity is the key, so developers cannot claim you are making false claims about your product.
     
  3. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I think the world and its wife knows what an exploit is after WannaCry was big news throughout the world via the media. I don't think there's any real purpose to be achieved by changing it.
     
  4. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Your paths look wrong

    [GUIDE] Using ImDisk to set up RAM disk(s) in Windows with no limit on disk size

    C:\Device\ImDisk0\Cent\chrome.exe

    Your RAMdisk should be mounted on boot with its own drive letter.
     
  5. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    K.I.S.S. The other thing is using too much jargon will put the average user off, as they will think it's beyond them; it's pretty much ready to go out of the box.
     
  6. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
  7. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    I used AG a few years ago with a different winOS and older hardware. I recall it worked ok. But over time, either there was some type of conflict, or whatever, and I uninstalled it. I also recall that I did not fully understand all its settings, seemed to get a lot of popups, my fault perhaps, but I've read others view / viewed it as "complex." You say it has to be properly customized for each user, and that if you're a commercial enterprise BRN helps with the setup (hope I'm not mis-stating your posts). I wouldn't mind trying it again (even buying a new license) with a better understanding of how it enhances my security, and being able to get knowledgeable help to properly customize. Yikes, just realized I'm in a voodoo thread... no offense intended Dan :oops:
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I've been running lsass.exe as a protected process (enforced via SecureBoot/UEFI) throughout various versions of Windows 8.1 and Windows 10 (including Creators Update right now) for quite some time without any issues thus far. I would love to see Microsoft enable lsass.exe as a protected process by default.

    Link: https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx
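    The post above mentions running lsass.exe as a protected process; as an added example (not from the poster or from VoodooShield), here is a PowerShell check that a defender can run from an elevated prompt on Windows 8.1/10 to see whether LSA protection is configured and whether it actually took effect at the last boot. The registry value RunAsPPL, the Wininit event ID 12, and the CodeIntegrity audit events 3065/3066 come from the linked TechNet article; the rest of the script is assumption on my part.

```powershell
# Added example: verify LSA protection (lsass.exe as Protected Process Light).
# Run elevated. Assumes the registry value and event IDs documented in the
# TechNet article linked above; the script itself is not from the post.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue).RunAsPPL

if ($runAsPpl -eq 1) {
    Write-Output 'RunAsPPL = 1: LSA protection is configured in the registry.'
} else {
    Write-Output 'RunAsPPL not set: lsass.exe will start as a normal process next boot.'
}

# Configuration alone is not proof that it is enforced. Wininit writes event
# ID 12 to the System log when lsass actually started as a protected process,
# so look for the most recent one (one per boot).
$pplEvent = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($pplEvent) {
    Write-Output "Enforced at $($pplEvent.TimeCreated): $($pplEvent.Message)"
} else {
    Write-Output 'No Wininit event 12 found: lsass did not start protected (or the log was cleared).'
}

# Before enforcing on a machine with third-party LSA plugins, run in audit mode:
# CodeIntegrity events 3065/3066 name any plugin or driver that would be blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

    If the registry says enabled but event 12 never appears, the machine has not rebooted since the change or something is resetting the value, which is worth chasing down before assuming credentials are protected.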
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    At some point we can make it so that when the user hovers over an option, that these descriptions are displayed.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, no problem... it is my fault for taking the time to test ;). There really was tons of speculation on how EB/DP would do with these types of products... and no one else was testing them, so I figured I would do it.
     
  12. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    172
    Location:
    London UK
    Okay I used the ImDisk driver only before but have just installed toolkit GUI. Use the Control Panel applet to set up a RAMdisk.

    FYI: It works for me.

     
  13. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    | Advanced | Voodooshield "anti-exploit" protection rather than Voodooshield anti-exploit protection
     
  14. guest

    guest Guest

  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That might work, thank you! I was thinking maybe "VoodooShield super duper kernel level backdoor exploit smasher". What do you think, too much? ;)
     
  16. Houley456

    Houley456 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    195
    Now that's a good one!
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    PLEASE TEST MORE at MT!!! And I promise to not get upset when someone bypasses VS. If anyone wants help setting up Kali with EB/DP, I would be happy to help.

    The MRG report should be out soon, and I think it is going to surprise a lot of people.

    I do not think people realize that if EB can create DP and have it run at system... what is to stop it from creating another malicious process?
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe ;).
     
  19. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
  20. guest

    guest Guest

    ok let me ask you:

    Try to do the test from outside the system, meaning you have to penetrate the network, pass the NAT router, find the right machine, and exploit its kernel while the security product is in it.

    How do hackers do that? As Black Cipher does, they try to get in the network via a weaponized container (malicious exe, infected attachments, weaponized docs, etc...) as any other malware. They must run; an exploit doesn't pop up out of the blue in the target system... it is not magic!

    So if the security products block those containers, how can the system be infected and the exploit spread?

    To use Metasploit's exploits, you need a container to deliver the shell. Shells don't pop up out of nowhere in the target machine...
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    You are forgetting that a lot of people use laptops... they might visit the coffee shop, then go back to work... it is a VERY real problem... that is actually how some of the biggest recent breaches originated. One was a maintenance man of some kind who brought in his infected laptop to the company... and boom.

    You are also forgetting about web exploits... if the security mechanism does not protect against this type of attack, there is a heck of a chance that it will not be effective for web exploits either.

    Besides... there is no reason, and no excuse, to not protect against this type of an attack.

    I do agree that testing with Kali is not always optimal... for the reasons you stated. But in the case of worms, it is highly relevant. How do you think WannaCry spread so fast? It was because it had a worm component. It is that simple.
     
  22. guest

    guest Guest

    Yes, but now we enter the firewall domain; VS/AG/ERP don't belong there. It is the job of the firewall and other NIDS.

    Memory protection (isolation) of AG, the only SRP having it: process A (browser) can't read/write memory of process B.

    Not a valid argument. SRP/anti-exe like (VS, AG, ERP) are specific dedicated tools; they are designed to do one thing, they are not suites. You can't ask a saw to be used as a screwdriver...
    However, if you can make VS do more than it was supposed to do at the beginning, it will be good for VS.
    Is an anti-ransomware supposed to block exploits or keyloggers? No, so you don't blame the softs for it, right?

    Surely because some users ran a weaponized container (I guess an email attachment) on a machine in the network, then came the spreading...
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was under the impression that the main job of an SRP/AE is to stop new / malicious processes from being created. In this case, EB created the malicious process DP.

    If that is not the primary job of SRP/AE, then what is?

    Also, please do not get me wrong... while VS stopped the attack, there are a couple of changes I am going to be making to VS in light of the test.
     
  24. guest

    guest Guest

    Ooohhh ok, I see now the why of your view:

    "Software Restriction Policies (SRP) is Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run"

    https://technet.microsoft.com/en-us/library/hh831534(v=ws.11).aspx


    AG is SRP not anti-exe.
     
  25. guest

    guest Guest

    So basically you can create whatever you want, but based on the policy applied, you can't run whatever you want.

    It is why I keep saying AG must not be run as default; the policy must be tailored to the machine.
     