VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Djigi

    Djigi Registered Member

    Joined: Aug 13, 2012; Posts: 554; Location: Croatia
    Block all, maybe 1 miss...
     
  2. Callender

    Callender Registered Member

    Joined: Jan 9, 2015; Posts: 172; Location: London UK
    Users with dismhost.exe blocks: are you using any other third-party system optimization software that might check installed Windows updates? Just asking because I only see those blocks when running Comodo Programs Manager, and it checks installed updates when launched.

    dismhost 1.jpg dismhost 2.jpg dismhost 3.jpg

    I don't see this as a problem. Notice the path begins with v:\appdata because the directory is moved onto a RAMdisk.
     
  3. Callender

    Callender Registered Member

    Joined: Jan 9, 2015; Posts: 172; Location: London UK
    Okay, forget that. dismhost.exe is running because Windows Features are being checked (in this case) and not Windows Updates.

    COMODO Programs Manager.jpg
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined: Dec 9, 2011; Posts: 5,881; Location: United States
    Thank you Callender... it still might be something to consider / check! We are all basically detectives trying to figure out this mystery... we will figure it out soon ;). Thanks again for all of you guys' help!
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined: Dec 9, 2011; Posts: 5,881; Location: United States
    FYI, here is the 1 from the 36 that VoodooAi missed: http://voodooshield.asuscomm.com:8080/analysis/555/

    On AutoPilot, if the blacklist scan is enabled, VS would have blocked this file, but if the blacklist scan is not enabled, VS would have allowed it. Smart Mode ON or Always ON, VS would have blocked it either way.

    Then again, that is why you really need a quality blacklist scanner of some kind, then VoodooAi for the zero days and unknowns ;). They make a great combo.
     
  6. Djigi

    Djigi Registered Member

    Joined: Aug 13, 2012; Posts: 554; Location: Croatia
    What do you think of the video test: is it OK (and CIS has a big FAIL), or have I done something wrong?
     
  7. VoodooShield

    VoodooShield Registered Member

    Joined: Dec 9, 2011; Posts: 5,881; Location: United States
    Are you asking me? ;) I really do not know... I am confused because everything worked great on the 1,000 samples using the same testing methodologies.

    Hopefully CS will be able to make sense of it all, if so, everyone owes her a vodka tonic in Vegas ;).
     
  8. cruelsister

    cruelsister Registered Member

    Joined: Nov 6, 2007; Posts: 1,649; Location: Paris
    Mods- please forgive the YouTube link, but this is a response to the above discussion:

    https://www.youtube.com/watch?v=zC134xY5jfQ

    This includes setup from the initial install. Note although I chose to put the Firewall in Safe Mode with the switch I made, Custom Mode is just as good and will alert to anything trying to access the Network. I did this to cut down on any other popups as I had to save some time (couldn't think of a longer song).
     
    Last edited by a moderator: Jul 17, 2016
  9. Appaloosa

    Appaloosa Registered Member

    Joined: May 13, 2016; Posts: 29
    Thanks, cruelsister.
     
  10. khanyash

    khanyash Registered Member

    Joined: Apr 4, 2011; Posts: 2,429
    I installed the latest Comodo FW on a real system (Win 10 64) & set it to the "Internet Security" config, as this is the default Comodo config of Comodo Internet Security Suite installed.
    I executed EfficacyTest.exe & it was not AutoSandboxed, so I checked the "Trusted Files" list & EfficacyTest.exe was in the "Trusted Files" list, i.e. EfficacyTest.exe is trusted by CIS. I think this is the problem with the CIS test with EfficacyTest.exe.
     
  11. Djigi

    Djigi Registered Member

    Joined: Aug 13, 2012; Posts: 554; Location: Croatia
    So, this is manually starting every file, and Comodo did well, but with EfficacyTest Comodo failed...
     
  12. Djigi

    Djigi Registered Member

    Joined: Aug 13, 2012; Posts: 554; Location: Croatia
    Thanks, I was thinking that something like that was in the way... but I think this is still not good for Comodo, because this way any malware can use some Trusted file and through that infect the system.
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined: Dec 9, 2011; Posts: 5,881; Location: United States
    If that is the case, then how did this happen? (you can skip to the end if you want)

    www.voodooshield.com/artwork/Comodo.webm

    CIS 10 + EfficacyTest.exe + 1,000 samples = 93.1% efficacy
     
  14. khanyash

    khanyash Registered Member

    Joined: Apr 4, 2011; Posts: 2,429
    I posted in one of my previous posts to check trusted files for efficacytest, but I guess you missed the post.

    And I don't know how efficacytest.exe is trusted?
    I don't see VoodooSoft in trusted vendors.
    And I don't see in the logs that efficacytest.exe was scanned & found safe.

    UPDATE - I had installed CIS & restarted the system and then downloaded EfficacyTest.exe.

    It seems CCAV uses a different Trusted Vendors List; VoodooSoft is in the TVL.
     
    Last edited: Jul 17, 2016
  15. khanyash

    khanyash Registered Member

    Joined: Apr 4, 2011; Posts: 2,429
    I checked with the CIS stable version.
    Don't know if there are any changes in CIS 10 or anything broken in CIS 10?
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined: Dec 9, 2011; Posts: 5,881; Location: United States
    Yeah, but keep in mind...

    I tested CIS 8 without the EfficacyTest app (I manually executed each file), and had the same result.

    https://www.wilderssecurity.com/threads/voodooshield.313706/page-455#post-2602347

    BTW, everything I tested was on default settings, since the absolute vast majority of users do not tweak their security software.
     
  17. wasgij6

    wasgij6 Registered Member

    Joined: Mar 29, 2011; Posts: 321
    Why did the VoodooShield thread turn into CIS, lol?
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined: Dec 9, 2011; Posts: 5,881; Location: United States
    Hehehe, I totally agree ;). Maybe testing security software is not the best thing for us to do after all ;).
     
  19. cruelsister

    cruelsister Registered Member

    Joined: Nov 6, 2007; Posts: 1,649; Location: Paris
    Looks like this may be similar to my last RAT video, as the malware is running through the trusted efficacy test thingy. With HIPS enabled and Block Terminate and Reverse chosen, things may be different.

    Update: Yeah, the HIPS with Reverse would have kept the system clean. Certainly were a lot of very, very nasty things the malware tried to do!
     
  20. Djigi

    Djigi Registered Member

    Joined: Aug 13, 2012; Posts: 554; Location: Croatia
    I'm sorry about that...maybe it's my fault :isay:
     
  21. khanyash

    khanyash Registered Member

    Joined: Apr 4, 2011; Posts: 2,429
    Were the samples on the system before the CIS install?
    If yes, then the samples will be trusted.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined: Dec 9, 2011; Posts: 5,881; Location: United States
    Yes, for BOTH the 1,000 sample and the 36 sample tests... and the exact same settings (all default) and procedures were followed for both.

    The 1,000 sample test worked flawlessly with EfficacyTest.exe, and the final result was 93.1%

    www.voodooshield.com/artwork/Comodo.webm

    So then when I performed the 36 sample test, first by using EfficacyTest.exe, then by manually clicking on each item, this produced the exact same results.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined: Dec 9, 2011; Posts: 5,881; Location: United States
    Yeah, but why did EfficacyTest.exe work with the first 1,000 samples flawlessly, using the exact same procedure?

    www.voodooshield.com/artwork/Comodo.webm

    BTW, I appreciate everyone's input, I just think we are misunderstanding each other.

    Basically, if what some of you are saying is true, then the above video / link could have never happened.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined: Dec 9, 2011; Posts: 5,881; Location: United States
    Also... keep in mind 3 of the files were blocked in the 36 sample test! If what you are saying is true, then all of the files would have been trusted, right?

    There is absolutely no consistency at all.
     
  25. Krusty

    Krusty Registered Member

    Joined: Feb 3, 2012; Posts: 10,240; Location: Among the gum trees
    VS blocked dismhost.exe on the same machine of mine again today and once again VS froze.
     