VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  2. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    I checked it. Seems like one of the TunnelBear processes starts cmd.exe without any argument (in the log I see cmd = "C:\windows\system32\cmd.exe") and later that cmd.exe is used for calling other processes (i.e. ipconfig /flushdns).
    So there is nothing to do about that until there is a setting to block cmd.exe.
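    The situation VladimirM describes (a trusted application spawning a bare cmd.exe that then launches ipconfig) is the classic case where a flat "block cmd.exe" setting is too blunt. The following is an added example, not VoodooShield's code: a small parent-aware policy that judges an interpreter launch by its parent process and lets a non-interpreter child inherit the interpreter's verdict. The TunnelBear path, the event fields and the events themselves are constructed for the example.

```python
"""Parent-aware policy for interpreter launches such as cmd.exe.

Constructed example, not VoodooShield code. It evaluates process-start
events against an allowlist of trusted parent images, so that a known
application (the VPN client path below is hypothetical) may spawn a
bare cmd.exe to run ipconfig, while the same cmd.exe under an unknown
parent is blocked together with whatever it goes on to launch.
"""
from dataclasses import dataclass

# Script hosts and shells whose launch is judged by their parent process.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events, trusted_parents):
    """Return {pid: (verdict, reason)} for every event.

    An interpreter is allowed only when started by a trusted parent (or by
    another interpreter that was itself allowed). A non-interpreter started
    via an interpreter inherits that interpreter's verdict, which is how a
    blocked cmd.exe also stops the ipconfig it tries to run.
    """
    by_pid = {e.pid: e for e in events}
    trusted = {p.replace("/", "\\").lower() for p in trusted_parents}
    verdicts = {}

    def verdict(e):
        if e.pid in verdicts:
            return verdicts[e.pid]
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else None
        if name in INTERPRETERS:
            if parent is None:
                v = ("block", f"{name}: parent process unknown")
            elif parent.image.replace("/", "\\").lower() in trusted:
                v = ("allow", f"{name}: started by trusted parent {pname}")
            elif pname in INTERPRETERS:
                v = (verdict(parent)[0], f"{name}: inherits verdict of parent {pname}")
            else:
                v = ("block", f"{name}: started by untrusted parent {pname}")
        elif pname in INTERPRETERS:
            pv = verdict(parent)[0]
            v = (pv, f"{name}: launched via {pname}, which was {pv}ed")
        else:
            v = ("allow", f"{name}: not an interpreter, left to the normal whitelist check")
        verdicts[e.pid] = v
        return v

    for e in events:
        verdict(e)
    return verdicts


# Hypothetical install path of the VPN client; the product would instead
# derive trust from its own whitelist (hash, signer, ...).
TRUSTED_PARENTS = {r"C:\Program Files\TunnelBear\TunnelBear.exe"}

# Constructed events modelled on the log described in the post: the VPN
# client spawns a bare cmd.exe, which then runs ipconfig /flushdns. The
# second chain is the same pattern under an unknown downloaded program.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1,   r"C:\Program Files\TunnelBear\TunnelBear.exe", "TunnelBear.exe"),
    ProcessEvent(200, 100, r"C:\windows\system32\cmd.exe", r"C:\windows\system32\cmd.exe"),
    ProcessEvent(300, 200, r"C:\windows\system32\ipconfig.exe", "ipconfig /flushdns"),
    ProcessEvent(400, 1,   r"C:\Users\alice\Downloads\unknown_setup.exe", "unknown_setup.exe"),
    ProcessEvent(500, 400, r"C:\windows\system32\cmd.exe", r"C:\windows\system32\cmd.exe"),
    ProcessEvent(600, 500, r"C:\windows\system32\ipconfig.exe", "ipconfig /flushdns"),
]

if __name__ == "__main__":
    for pid, (v, why) in sorted(evaluate(SAMPLE_EVENTS, TRUSTED_PARENTS).items()):
        print(f"{pid:>4} {v:<5} {why}")
```

    The point of the recursion is that the verdict attaches to the chain, not to the image name: the same cmd.exe path is allowed under pid 100 and blocked under pid 400, and the ipconfig launched from each inherits the decision.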
     
  3. hjlbx

    hjlbx Guest

    She advocates COMODO's concept of default-deny using virtualization (auto-sandboxing) as a solution against malware. My problem with virtualization is that it permits data theft; all data within the virtual user session can be stolen if data restriction policies are not enforced within the sandbox. The creation and administration of data restriction policies is a real pain - even for seasoned IT pros.

    The best solution is absolute default-deny; don't let anything run on your system that you do not trust in the first place.

    voila... VooDooShield
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Interesting... I never considered the data theft issue, that makes sense though. Thank you!
     
  5. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    Hi Dan, thanks for taking the time to respond.

    They were malicious e-mail attachments that when accessed launched VBE scripts to download Locky. The original execution of the VBE script triggered the FP message without any indication from AI which I assume is only for executables(?).

    For testing purposes I allowed the script which downloaded a Locky variant to Local/temp as expected. VS kicked in with another FP warning but with very high AI score.

    In the end VS prevented the infection, which is the whole point. I knew it was malware, though, so I knew how to respond to the prompts. I just wonder if there is a different way to handle very new threats that still recognises the high number of FPs some engines spew out. I know it is very difficult and you're working on it. I'm sure you'll find a way, you have for every other challenge to date.

    For someone like me who is very sceptical and who really wasn't too sure about this product in the early days, I have to say it is now up there with my very favorite apps. The day-to-day threats users face through drive-bys, malicious e-mails or social engineering are just eaten up by VS with very little fuss. I'm sure there must be some targeted threat out there waiting, but as a light, effective and intuitive tool it takes a bit of beating.

    Cheers
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, we appreciate that, it's great to hear that VS has become one of your favorite apps! Yeah, VoodooAi currently only classifies executables (exe and dll), but we hope to be able to classify more file types soon... the challenge will be getting enough samples for the training data sets, and also figuring out what features to include in the models... although I think there are ways around these obstacles.
     
  7. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    Yeah, I was having a little fun as well, there is no way I would uninstall VoodooShield. :thumb:
     
  8. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    She says in CCAV... keyloggers running in the sandbox... keyloggers' connections are automatically blocked. It's new in CCAV.
    I have requested her on MT on the thread to do a test of it.
     
  9. hjlbx

    hjlbx Guest

    Keylogger is not the only malware that can steal data.
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Not that I in any way want to hijack this thread, but before data theft can occur the data must be transmitted out to the thief. With CF at the levels I endorse there are actually three ways transmission would be prevented:

    1). Sandbox restriction may prohibit the malware from starting a routine to connect to the Network, and
    2). Failing that a simple firewall tweak prevents ANY virtualized file from connecting out (policy).

    Add to the above getting an Outbound firewall alert (if one is so inclined to receive them) and one can understand that data hijackers are not a Clear and Present Danger.

    And please note: the above refers to Comodo Firewall. CCAV is not as robust a solution.

    (VS- thanks for the kind words, and hope you like the Vids).
     
  11. hjlbx

    hjlbx Guest

    My earlier point about virtualization is that, alone, it is not sufficient protection.

    Tweak COMODO settings and it is much more secure.
     
  12. andi_cro

    andi_cro Registered Member

    Joined:
    Dec 24, 2013
    Posts:
    49
    Location:
    Croatia
    I got an error, does anyone know anything about it?
    Image 1.jpg
     
  13. andi_cro

    andi_cro Registered Member

    Joined:
    Dec 24, 2013
    Posts:
    49
    Location:
    Croatia
    But sometimes working just fine!
    Image 1.jpg
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That's good to hear ;).
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you cruelsister, that makes sense too... keep up the great work!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see, now it all makes sense ;). Thank you!
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry about that... it should be fixed in the next version. I just have to remove the invalid results from the database from time to time, otherwise, if the file is in the database, it will return the invalid results. Thank you!
     
    Last edited: Apr 3, 2016
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    He (andi) is also from Croatia.

    @cruelsister
    Would you do the video test of VS similar to the last tests (ransomware/cryptolockers)?
     
  19. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello
    This is a known bug and will be fixed in the next release. The issue is invalid parsing of a floating-point number. In the US, floating-point numbers use the dot (.) symbol, while in Croatia the comma (,) is used.
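    Locale-dependent number parsing is worth seeing in action because it does not always fail loudly: under the wrong conventions a culture-aware parser can return a wrong number instead of an error. The following is an added example, not VoodooShield's code: `parse_with_conventions` mimics what a culture-aware parser typically does (drop the grouping separator, treat the culture's decimal mark as the decimal point), `parse_invariant` accepts only the invariant form that a server or database should carry, and `load_score` adds a range check so a mangled classifier score is treated as invalid rather than displayed. The score strings are constructed.

```python
"""Locale-sensitive vs. invariant parsing of decimal numbers.

Added example, not VoodooShield code. It shows why a value exchanged with
a server or stored in a database should be parsed with fixed (invariant)
conventions, independent of the user's regional settings.
"""
import re

# Invariant form only: dot as decimal mark, no grouping separators.
INVARIANT = re.compile(r"^[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?$")


def parse_with_conventions(text, decimal_mark=".", grouping=","):
    """Mimic a culture-aware number parser: drop grouping separators, then
    treat the culture's decimal mark as the decimal point. Under the wrong
    culture this does not fail, it silently returns a wrong number
    ("0.87" read with Croatian conventions becomes 87.0)."""
    s = text.strip().replace(grouping, "")
    if decimal_mark != ".":
        s = s.replace(decimal_mark, ".")
    return float(s)


def parse_invariant(text):
    """Parse a number written in the invariant form, rejecting anything else."""
    s = text.strip()
    if not INVARIANT.match(s):
        raise ValueError(f"not an invariant-format number: {text!r}")
    return float(s)


def format_invariant(value, digits=4):
    """Serialize for the wire/database. A plain f-format never inserts
    grouping or a locale decimal mark (only the 'n' or ',' specs do)."""
    return f"{value:.{digits}f}"


def load_score(text):
    """Parse a stored classifier score (expected in 0..1) and return None
    for anything malformed or out of range, so a value mangled by locale
    parsing or an otherwise invalid database entry is treated as absent
    instead of shown to the user."""
    try:
        v = parse_invariant(text)
    except ValueError:
        return None
    return v if 0.0 <= v <= 1.0 else None


if __name__ == "__main__":
    wire = format_invariant(0.87)          # constructed score as the server would send it
    print("stored:", wire)
    print("Croatian-culture parse:", parse_with_conventions(wire, decimal_mark=",", grouping="."))
    print("invariant parse:", parse_invariant(wire))
    print("guarded load of '0,87':", load_score("0,87"))
```

    The same mistake happens in the other direction too: "0,87" read with US conventions also comes out as 87.0, which is why the invariant parser rejects the comma form outright rather than trying to be clever about it.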
     
  20. andi_cro

    andi_cro Registered Member

    Joined:
    Dec 24, 2013
    Posts:
    49
    Location:
    Croatia
    ~ Removed Image as per Policy ~

    Ok thanks...
     
    Last edited by a moderator: Apr 3, 2016
  21. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Ok, thanks
    2-3 weeks to next release?
     
  22. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
    @VoodooShield, @VladimirM

    Any possible way to add the following?...

    VSNotify.png

    When I get a notification, as shown above, I always want to know what specific engine(s) triggered the file as malicious.

    So, considering there is currently no convenient way of checking, can you integrate a hyperlink to the VirusTotal results? - Example: Hyperlink (let the user click) "THREAT DETECTED in 1 of 56 Scan Engines!", which then opens the results from the VirusTotal web site.

    Can this be done?
     
    Last edited: Apr 4, 2016
  23. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    Voodoo Shield,

    As you are improving alerts for adjusted multiple engines + VoodooAi results, would it be good if the alert displays something like "Final Verdict" or the term you find best suited?

    Display on the alert could be like -

    Final Verdict - Safe
    Multiple Engines - 0/57
    VoodooAi - Safe
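    Tyrizian's and khanyash's requests above (a link to the VirusTotal results and a single "Final Verdict" line combining the engine count and the VoodooAi result) fit together in one small piece of alert logic. The following is an added example, not VoodooShield's code or thresholds: the cut-offs are assumptions chosen to show why a single engine hit should be reported as suspicious rather than malicious outright, and the link uses the public VirusTotal `/gui/file/<sha256>` URL form. The hash and scan results are constructed.

```python
"""Combine multi-engine and classifier results into one alert (added example).

Not VoodooShield code. Thresholds are assumptions for illustration; the
classifier score is None for file types that are not classified (the
thread notes only exe/dll are), and the results link is only built from
a well-formed SHA-256 so a garbage value never becomes a clickable URL.
"""
import re
from dataclasses import dataclass
from typing import Optional

VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class ScanResult:
    sha256: str
    detections: int              # engines that flagged the file
    engines: int                 # engines that scanned it
    ai_score: Optional[float]    # probability of malice, None if not classified


def ai_label(score, suspicious_at=0.50):
    if score is None:
        return "n/a (file type not classified)"
    return f"{'Unsafe' if score >= suspicious_at else 'Safe'} ({score:.2f})"


def final_verdict(r, engine_threshold=3, ai_unsafe=0.80, ai_suspicious=0.50):
    """Assumed policy: enough engines, or a confident classifier, means
    Malicious; one or two engines (a common false-positive pattern) or a
    middling classifier score means Suspicious; otherwise Safe."""
    if r.detections >= engine_threshold:
        return "Malicious"
    if r.ai_score is not None and r.ai_score >= ai_unsafe:
        return "Malicious"
    if r.detections > 0 or (r.ai_score is not None and r.ai_score >= ai_suspicious):
        return "Suspicious"
    return "Safe"


def results_link(sha256):
    h = sha256.strip().lower()
    if not SHA256_RE.match(h):
        raise ValueError("refusing to build a link from a malformed hash")
    return VT_FILE_URL.format(sha256=h)


def render_alert(r):
    """Text for the alert, in the layout khanyash proposed plus the link."""
    return "\n".join([
        f"Final Verdict - {final_verdict(r)}",
        f"Multiple Engines - {r.detections}/{r.engines}",
        f"VoodooAi - {ai_label(r.ai_score)}",
        f"Details - {results_link(r.sha256)}",
    ])


# Constructed hash and results, not a real sample.
SAMPLE_HASH = "0123456789abcdef" * 4

if __name__ == "__main__":
    for res in (ScanResult(SAMPLE_HASH, 0, 57, 0.02),
                ScanResult(SAMPLE_HASH, 1, 56, 0.10),
                ScanResult(SAMPLE_HASH, 1, 56, 0.95),
                ScanResult(SAMPLE_HASH, 40, 56, None)):
        print(render_alert(res), end="\n\n")
```

    Separating the verdict from the raw counts lets the prompt stay short while the engine ratio and the link still answer "which engines fired?" without a second tool.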
     
  24. guest

    guest Guest

    @VoodooShield
    I wanted to delete old checksums from my whitelist, because they are not needed anymore.
    For example:
    firefox.exe - c:\program files\mozilla firefox\firefox.exe - (4 different checksums)
    If I select an old entry and delete it, ALL 4 entries for firefox are deleted :confused:
    Not only the one I selected from the list.

    Can it be changed so that only the one I selected is deleted? (not all 4)
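    The behaviour reported above (deleting one checksum removes every entry for the path) is what happens when a whitelist is keyed by path and the checksum is only decoration. The following is an added example, not VoodooShield's code: a whitelist whose key is the (path, hash) pair, so one checksum can be removed while the others for the same path stay, and an allow decision matches on the hash rather than the path alone. The Firefox path and the four "builds" are constructed stand-ins.

```python
"""Whitelist keyed by (path, hash) rather than by path alone (added example).

Not VoodooShield code. One path may carry several hashes (one per update
of the program); removing one must leave the others, and a file is only
allowed if both its path and its current hash are on the list, so a
replaced binary at a known path is not allowed just because the path is.
"""
import hashlib


def sha256_of(data: bytes) -> str:
    """Checksum a file's contents (here fed constructed bytes)."""
    return hashlib.sha256(data).hexdigest()


class Whitelist:
    def __init__(self):
        self._entries = set()      # {(normalized path, sha256)}

    @staticmethod
    def _norm(path):
        return path.replace("/", "\\").lower()

    def add(self, path, sha256):
        self._entries.add((self._norm(path), sha256.lower()))

    def remove_entry(self, path, sha256):
        """Remove exactly the selected entry; returns True if it existed."""
        e = (self._norm(path), sha256.lower())
        if e in self._entries:
            self._entries.remove(e)
            return True
        return False

    def remove_path(self, path):
        """Remove every checksum recorded for a path (the explicit,
        separate operation the reported behaviour was accidentally doing)."""
        p = self._norm(path)
        victims = {e for e in self._entries if e[0] == p}
        self._entries -= victims
        return len(victims)

    def entries(self, path):
        p = self._norm(path)
        return sorted(h for (q, h) in self._entries if q == p)

    def is_allowed(self, path, sha256):
        return (self._norm(path), sha256.lower()) in self._entries


# Constructed data: one install path, four successive builds of the binary.
FIREFOX = r"c:\program files\mozilla firefox\firefox.exe"
BUILDS = [sha256_of(f"firefox build {n}".encode()) for n in range(4)]


def demo():
    """Record four checksums, then delete only the oldest one."""
    wl = Whitelist()
    for h in BUILDS:
        wl.add(FIREFOX, h)
    wl.remove_entry(FIREFOX, BUILDS[0])
    return wl


if __name__ == "__main__":
    wl = demo()
    print("remaining checksums:", len(wl.entries(FIREFOX)))
    print("old build allowed:", wl.is_allowed(FIREFOX, BUILDS[0]))
    print("newest build allowed:", wl.is_allowed(FIREFOX, BUILDS[3]))
```

    Keeping the pair as the key also makes the two delete operations distinct, so a UI can offer "remove this checksum" and "remove all entries for this path" without one masquerading as the other.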
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that would be cool if she would like to test VS at some point. It should block everything... but I would be curious of the VoodooAi results on zero day and unknown malware... especially once VoodooAi is completely integrated into the user prompt for Scan & Allow mode and Smart / OFF mode (instead of just displaying the results like it does now).
     