VoodooShield/Cyberlock

BTW, the hollow process POC link that he posted on his rant is the same one I sent you 5 or so months ago (ironically ).

https://www.trustwave.com/Resources/SpiderLabs-Blog/Analyzing-Malware-Hollow-Processes/

Here is the POC that they refer to in that article:

http://www.codereversing.com/blog/archives/65

I compiled the POC so everyone can try it for themselves, here is a link:
Keep in mind, I did this quickly, so feel free to recompile the source code just to make sure I did everything correctly.

http://www.voodooshield.com/artwork/runasprocess.exe

Here is the usage:

runasprocess [process to replace] [replacement process]

VS blocked everything as expected. I did not spend too much time on it, so there might be a way to get it to work, but I do not see how… please play around with it and see if you can get something to slip through.

Here is the video:

http://voodooshield.com/artwork/hollowprocess.mp4

Now do you see why I am annoyed when people suggest that there are ways to bypass VS, but do not demonstrate a proper bypass? My time would be better spent improving VS, and finding a way to put a lock on all web connected devices . Although, this is fun too at times .

 

I dont install beta on my production system so didn't install version 3.

Any probs/compatibility/conflict issues with AX64 Time Machine?
And guess no probs with Windows Defender on Win 10, right?
And I read somewhere that the install ask & recommends to disable UAC but I didn't get any such wizard during install? Any probs with UAC enabled? Should I disable UAC? Currently UAC is enabled.

 

Thank you.
Very impressed with Voodoo sheild in the short time i have been using it.

 

Hehehe, I just think that every web connected device should be locked when it is running a web app that places the computer or device at risk… that really is what VS is all about.

That is… anything running before the user launches a web app should be automatically allowed, but once the user launches a web app, the device should be locked, and then anything that is not whitelisted is blocked. Obviously the lock contains other measures such as blocking command lines, and we can always add other security measures to the lock, if we find it necessary to do so.

NOT something as silly as a full time “lock type thing” (UAC) that annoys the user and only blocks certain processes that do not require elevation. Hehehe, but then if the process does require elevation, then prompt the user EVERY FREAKING TIME!!!! It does not make sense.

Some devices currently use what is essentially allowing by digital signature… and we all experienced first-hand how far Microsoft got with that technique once they were inundated with malware . They also use behavior blockers, sandboxing, Ai and blacklisting (among other security mechanisms), and these are all important / vital security measures in the fight against malware.

But really, if the device is running a web app, it needs to be locked. And if the device is not at risk, it should be learning what not to block, so that item is not later blocked when the device is again locked.

 

VS 3.0 beta is actually more stable than 2.0... I would use it, especially on 10.

I have no idea on AX64, but I am sure someone will be able to help.
VS works great with defender.
Yeah, some things on the internet just never die . VS used to prompt the user to see if they would like to disable UAC, because VS worked better with UAC off. But that is no longer the case, and has not been the case for probably 2 years now. VS works great with or without UAC disabled.

 

Thank you, we appreciate that!

 

BTW, not this kind of lock .

http://www.bleepingcomputer.com/new...ypts-local-files-and-unmapped-network-shares/

Now they are encrypting unmapped network shares!!!! How scary is that!!!!

 

OK thanks for the info. And yes, everything can be hacked or bypassed, same goes for HMPA and MBAE.

OK I see. BTW, the part that I didn't understand was about 64 bit systems, is process hollowing not possible on Win 64 bit?

 

Are you sure about this? ERP does block execution inside the sandbox. It's always handy because let's say ERP is bypassed, then the malware is still running sandboxed and can't infect the system. On top of that, SpyShelter can also block suspicious behavior of sandboxed apps.

 

I am not exactly sure what you would like best, but you can change most of the prompt and balloon options in Settings... I think if you explore these Basic and Advanced settings you will find what you are look for, but if not, please let me know.

The upload of the unknown file is kind of independent of the user prompt. The only reason to upload the file is so that the database is updated.

Are you saying that if a file is detected as a threat, then to not even show the balloon, like maybe JUST flash the VS shield?

I am actually going to step away from the computer for today, and possibly tomorrow, but I will catch up with you guys soon, thank you!

 

I am not sure to be honest... but I did even get that far because VS blocked runasprocess.exe before it had a chance to do anything .

 

Hehehe, this is an OLDDDDDDD discussion, and I am in the minority on this one. I personally do not think that VS should block sandboxie's sandboxed apps anymore than sandboxie should sandbox VS's blocked / non-whitelisted apps. That is not the perfect example, but you get the idea... besides, I would think that there might be some conflicts. But as I said, it appears that I am in the minority on this topic, so that is the only opinion I will provide on that .

 

Perhaps this should be posted on the Sandboxie forum, because sometimes extra configuration is needed in order to make anti-exe and anti-exploit tools work inside the sandbox. I don't believe it's something that should be "fixed" inside VS. For some reason, ERP works out of the box and without any conflicts combined with SBIE.

 

Ok, got it.
Thanxx for all the info

 

Yeah, probably so . BTW, I just tried the latest Sandboxie with VS 3.09, and I ran Firefox sandboxed and downloaded a file from download.com, and when I tried to run the file, VS blocked the file. Is this what you mean? Please let me know because I am not that familiar with Sandboxie, and I might not be doing something right.

I know a couple of guys from wilders were talking to Vlad about changing the way Sandboxie and VS work together, so maybe they already changed it, but I just did not notice. I think it should probably create an option in settings to make this optional.

 

Ohhh, I see what prompt you mean now... well, that prompt confirms with the user that it really is a false postive that they are trying to run... so we might want to keep it, what do you think?

Yeah, I took my dog for a walk and started thinking about Sandboxie, so when I came back, I tested it real quick . But really, I am going to sign off for now .

 

Sure, thank you! BTW, if you decide to install 3.09 instead, you might have to delete all of the .dat files in the following directory (well, at lease the CommandLines.dat): C:\ProgramData\VoodooShield

There is a small update we need to do in the sqlite database, so it kind of messes up, but we will fix it.

 

If it blocked the file inside the sandbox, then it seems like VS and SBIE can probably work together just fine. So perhaps member Gillor can explain what he/she means.

 

Uninstall 2 & install 3 will work or still manual delete of the .dat files required?

 

Salutations/Greetings!

Just install VoodooShield 3.09 seem to be working very well with Sandboxie!
@Gillor Post # 8752: Good to know the information about Shadow Defender!

 

Uninstalling doesn't remove all of VS components so manually deleting might be better, unless you have REVO Uninstaller installed.

 

Ummm! Seem, I have spoken a little to soon! Sandboxie yellow border is now missing around Firefox!
But with Opera the yellow border is there showing that is working! Wonder what is causing this? I am
not sure if Sandboxie is working with Firefox? Also, tried to disable VoodooShield and still not working?
Strange this happen on after a few hours,after VoodooShield was install. The first hour or so,no problem
with Firefox?

Any thoughts on how correct the above?

VoodooShield latest Beta 3.09
Windows 10 X64 Bits O.S.

Kind regards,

 

Hello, @VoodooShield , @VladimirM ,
It just happened again.

 

Just tested again.
Downloaded Freemake Video Convertor.
Open Freemake in “normal” desktop mode - VS blocks it.
Open Freemake in SD Shadow Mode – no reaction from VS whether set to Scan and Allow, Smart or Always On. Interestingly though, if I drag the Freemake programme onto the VS Shield then VS kicks in and blocks it.

 

From: Post # 8787. Put into SMART (Default)

Taken a break this evening for a few hours after putting it into SMART (Default)
FireFox is working with yellow border back around the outside of the browser. Now!

Problem occur when had it on ALWAYS ON.

Could anyone explain the differences between SMART (Default) and ALWAYS ON?

VoodooShield latest Beta 3.09
Windows 10 X64 Bits O.S.