VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, I disabled Automatically Allow all software from Program Files Folders. I didn't really think it would make a difference in regards to expected behavior when dealing with command lines.

    I did an advanced Snapshot, but it didn't whitelist Anki.

Also, my computer would not shut down after installing VS last night. Choosing shut down from the start menu did nothing. I ended up having to do a hard shutdown. I will let you know if it continues to happen. It's probably a conflict with another security soft I'm using.
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see what you are saying, but please keep in mind that the settings are intertwined to a certain extent, in ways that are difficult for anyone to predict.

    Hmmm, I am not familiar with Anki... I will download it and play around with it.

    Cool, if your computer is still not shutting down, please try to exit out of VS while it is stuck and see what happens.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I'm using Anki build 2.0.41. I didn't know there was an update for Anki until after this occurred.

    I actually did shut down VS, and that did not help. I never had this occur until after installing VS though. I will need to shut down Windows again later today, I guess I will find out then.
     
  4. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
Yeah, translating the product into other languages may give you more customers. Yeah, I'm spreading the product, and I believe others on this thread are doing it too.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, are there any "Exceptions" in the DeveloperLog.log in the c:\programdata\voodooshield folder?

    Usually what I do is just search for the word Exception.

    If so, please post them on here or email them to me.
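The log triage described above (grep DeveloperLog.log for "Exception"), as an added PowerShell example that is not VoodooShield's own tooling. It assumes the path named in the post; the log line format in the embedded sample is constructed for illustration and may not match the real file. It pulls each hit with a few lines of context and summarises the exception types, which is more useful than a bare string search when the same exception repeats hundreds of times.

```powershell
# Added example (not VoodooShield's own code): extract every "Exception" line from
# DeveloperLog.log with surrounding context and summarise by exception type.
# Assumptions: the log path is the one given in the post; the sample log below is
# constructed so the script runs offline and is NOT real VoodooShield output.
param(
    [string]$LogPath = 'C:\ProgramData\VoodooShield\DeveloperLog.log',
    [int]$Context = 3
)

function Get-LogExceptions {
    param([string[]]$Lines, [int]$Context = 3)
    $hits = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'Exception') {
            $start = [Math]::Max(0, $i - $Context)
            $end   = [Math]::Min($Lines.Count - 1, $i + $Context)
            # Pull the .NET exception type name (e.g. System.NullReferenceException) if present
            $type = if ($Lines[$i] -match '([A-Za-z0-9_.]+Exception)') { $Matches[1] } else { 'Exception (untyped)' }
            $hits += [pscustomobject]@{
                Line    = $i + 1
                Type    = $type
                Text    = $Lines[$i].Trim()
                Context = ($Lines[$start..$end] -join "`n")
            }
        }
    }
    return $hits
}

if (Test-Path $LogPath) {
    $lines = Get-Content -Path $LogPath
} else {
    # Constructed sample log (format is assumed, not taken from the product)
    $lines = @(
        '2017-06-05 22:10:01 Service started',
        '2017-06-05 22:10:02 Snapshot: scanning C:\Program Files',
        '2017-06-05 22:10:05 System.UnauthorizedAccessException: Access to the path is denied.',
        '   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)',
        '2017-06-05 23:41:12 Shutdown requested',
        '2017-06-05 23:41:13 System.InvalidOperationException: Cannot access a disposed object.',
        '2017-06-05 23:41:13 Service stopping'
    )
}

$hits = Get-LogExceptions -Lines $lines -Context $Context
"Found $($hits.Count) exception line(s) in $LogPath"
# Which exception types occur, and how often
$hits | Group-Object Type | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
# Each hit with its context lines, ready to paste into a forum post or e-mail
$hits | ForEach-Object { "`n--- line $($_.Line): $($_.Type) ---`n$($_.Context)" }
```

Run it as-is to see the output on the constructed sample, or point `-LogPath` at the real file; the grouped summary tells you at a glance whether a shutdown hang coincides with one recurring exception type.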
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was wondering who was doing that ;). Thank you guys!
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I didn't see anything that stood out. I just pm'd you the logs.
     
  8. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
I may be wrong, but some time ago Microsoft warned its users that desktop gadgets had a lot of security issues and invited users to remove them. Is this true? (considering the VS gadget)
     
  9. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    VS "shield" is not that type of gadget, and very simple to disable should you feel exposed.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you. PM sent. If you find out more, please either post on here or pm me.
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, here is some more info: https://technet.microsoft.com/library/security/2719662

    VS is not that kind of a gadget (sidebar)... believe it or not, it is just a standard Windows form that is made to look like a gadget. By no means am I suggesting that VS has zero vulnerabilities, but the attacker has to gain a foothold first. One day, when we can afford it, we will have VS professionally tested... I am sure they will find something.
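A way to check the point made above on your own machine, as an added PowerShell example that is not from the post or from VoodooShield: Microsoft Security Advisory 2719662 (the link given) describes a workaround that disables the Windows Sidebar and gadgets through the policy value `TurnOffSidebar = 1` under `Policies\Windows\Sidebar`. The script reports whether that policy is set in HKLM and HKCU and whether the gadget host process (`sidebar.exe`) is running. Because the VS shield is an ordinary process window rather than a Sidebar gadget, it keeps working with the workaround applied; the registry path and process name are taken from the advisory and from the Windows 7 gadget platform, not from anything VoodooShield publishes.

```powershell
# Added example (not VoodooShield's code): report the state of the Microsoft Security
# Advisory 2719662 workaround (Sidebar/gadgets turned off) and whether the Sidebar
# gadget host is running. Assumption: policy key/value as documented in the advisory.
function Get-SidebarPolicyState {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'
    )
    foreach ($key in $keys) {
        $value = $null
        if (Test-Path $key) {
            # Missing value returns $null rather than throwing
            $value = (Get-ItemProperty -Path $key -Name TurnOffSidebar -ErrorAction SilentlyContinue).TurnOffSidebar
        }
        [pscustomobject]@{
            Key            = $key
            TurnOffSidebar = $value
            Disabled       = ($value -eq 1)
        }
    }
}

function Get-SidebarHost {
    # sidebar.exe hosts Sidebar gadgets on Windows Vista/7; nothing is returned if it is not running
    Get-Process -Name sidebar -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, Path, StartTime
}

$policy = Get-SidebarPolicyState
$policy | Format-Table -AutoSize

$gadgetHost = Get-SidebarHost
if ($gadgetHost) {
    "Sidebar gadget host is running:"
    $gadgetHost | Format-Table -AutoSize
} elseif ($policy | Where-Object Disabled) {
    "Sidebar/gadgets are disabled by policy and the gadget host is not running."
} else {
    "Gadget host is not running, but the 2719662 policy is not set (gadgets could still be started)."
}
```

If `Disabled` is `$true` for either hive and no `sidebar.exe` is listed, the advisory's workaround is in effect; any VS window still on screen is then by definition not a Sidebar gadget. Reading HKLM does not require elevation, so the check can be run as a standard user.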
     
  12. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    +1 :D
     
  13. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
...but in the right-click GUI, the text is slightly different from the png. Minor point, but the GUI does not say "Application Whitelisting Mode", it says Whitelisting Modes (plural). Perhaps the png from your webpage should say Application Whitelisting Modes (plural). Not immediately obvious (to the uninformed) that Training is whitelisting, and if so how long do I have it in Training. And how is Smart (Default) different than Always On. I think it is not that hard to figure out so don't get me wrong, but the png says Mode, but then the app GUI has 3, or really 2 + a training mode.
     
  14. simmersK00L

    simmersK00L Registered Member

    Joined:
    Mar 20, 2013
    Posts:
    323
    Location:
    USA
    concur (fwiw)
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Dan, isn't this what the discussion is about? You say that in your video it's crystal clear what happens, but it's really not. It's not clear if VS blocks DP, or if it blocks DP from running the Meterpreter payload.

    But anyway, to really put an end to this discussion why not contact MRG and make them test VS? If you were right, they can put VS to the list, it's great marketing. If it didn't block DP, no problem, since anti-executable tools like VS and EXE Radar are not designed to block in-memory backdoors/payloads. And you might want to read this (see link), the DP backdoor is probably not even needed to load malware on the system, so VS and ERP would most likely block this attack anyway. :thumb:

    http://www.darkreading.com/endpoint/wannacry-exploit-could-infect-windows-10/d/d-id/1329049?

Actually, old versions of HMPA also didn't stop the attack, because in general anti-exploit tools don't monitor system processes. But new versions can indeed protect against it.

Why not take your own advice? I'm getting a bit tired of people telling us to stop talking about it. Some of us are interested in the technical details. I also don't read posts that are not of interest to me, it's that simple.
     
  16. plat1098

    plat1098 Guest

    I like this idea myself, but the developer said this isn't in the budget right now. Insofar as advertising, for the meantime, we in this forum are groovy people and provide honest, multi-dimensional viewpoints--better than a lot of manufactured ads that are generally full of hot air.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I didn't realize you had to pay for this test? If I'm correct, normally a test may get "sponsored" by one party, but all of the other products that are mentioned are tested for free, bad results or good results it doesn't matter. Apparently, MRG does first approach security companies to ask if they don't mind being mentioned in those tests, and they also give them a chance to improve their product, but I assume they have to pay for technical details about tests they failed.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Very cool find!!! It looks like RiskSense has discovered the nightmare scenario that MRG and I were so concerned about... Man that was quick.

    http://www.darkreading.com/endpoint/wannacry-exploit-could-infect-windows-10/d/d-id/1329049?

    We need to contact RiskSense to see if they would be willing to test VS. We follow each other on Twitter, so I can contact them, unless someone has a contact there.

    I think there is a heck of a chance they would be willing to test VS, after reading the extended discussion ;).

    Does anyone have a contact at RiskSense? Thank you!

Edit: Actually, this might go beyond the nightmare scenario that MRG and I were concerned about. It is hard to say without finding out more about the attack.
     
    Last edited: Jun 6, 2017
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you guys... in a month or so, we can figure out things like this, I just have a lot going on right now, sorry about that.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, some tests you have to pay for (sponsored) and some you don't. I would prefer the non-sponsored tests because they are free and there is no concern about potential bias. The sponsored tests can run around $30,000-$100,000 from what I understand (somewhere in that ballpark).

    Either way, I hope VS is included in the tests soon.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I just sent this to RS... we will see what they say.

    Dear RiskSense,

    This is Dan from VoodooShield, and there has been a massive 10 day extended discussion on WildersSecurity.com and MalwareTips.com about EternalBlue and DoublePulsar.

    Is there a chance that you guys would be willing to run a quick test with VoodooShield to see if it is able to block this attack? If not, is there someone that we can speak with and ask a couple of quick questions about the attack below?

    http://www.darkreading.com/endpoint/wannacry-exploit-could-infect-windows-10/d/d-id/1329049?

    Thank you,

    Dan
     
  22. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,719
    Location:
    USA
Maybe this has been noted. I just opened Process Explorer and it immediately shut down VS. Tried it a few times with the same result o_O
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hopefully everyone now understands why I was so concerned about this attack. I was not picking on anyone, I was concerned... deeply.

    This is a BFD.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, VS does not need self protection at this point, but we will be adding it soon... it protects itself just fine, with the exception of one very specific script.

    That is on my ever growing to do list ;).
     
  25. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,719
    Location:
    USA
    To be clearer. When I open Process Explorer VS completely crashes. Not a big deal for me. Just wanted to inform.
     