Emsisoft - Voodoo Shield Discussion

Discussion in 'other anti-malware software' started by Feandur, Jul 28, 2013.

Thread Status:
Not open for further replies.
  1. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    401
    Location:
    Australia
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Maybe EAM merges with Voodoo Shield ?

    What a combo, eh.


    -cheers,
    feandur.

    <PS: Not trying to start a rumor, at all. ;) >
     
  2. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    We can whitelist files even if they don't have digital signatures. It wouldn't make much sense in this case though, as the file is constantly being updated. So a digital signature would be by far the most efficient approach.

    EAM handles a lot of states between trusted and untrusted. It may only trust applications for example, as long as they show specific behaviors, still alerting about them when they show different behaviors that aren't allowed/trusted for example.

    I am sure it's an uncool thing to say, but I don't buy into the VoodooShield craze. ERP is by far the superior choice here, as it actually blocks unknown/untrusted applications from running.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Software like Trusteer Rapport and WSA's Identity Shield doesn't have a special browser or desktop but protects the normal browser all the time; same with HitmanPro.Alert, but its concept is different.
     
  4. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Correct. And so does EAM and OA by preventing any application from messing with the browser instead of trying to figure out whether or not the browser was compromised :).
     
  5. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,694
    Location:
    Zagreb, Croatia
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Are you sure VoodooShield does not block unknown apps from running?
     
  6. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    I'm sure.
     
  7. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    I find it in bad taste for a developer to trash the work of another developer.
     
  8. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,694
    Location:
    Zagreb, Croatia
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Fabian,
    would you be so kind to show us some example?
     
  9. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Oh please, nobody is trashing anyone. I just stated my personal preference of ERP over VS. Last time I checked, being a Developer doesn't prohibit me from having and voicing an opinion.
     
    Last edited: Jul 29, 2013
  10. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    I still find it in bad taste, sorry but I do.
     
  11. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    That's cool. You are entitled to your opinion :).
     
  12. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Hi, how are you? I am the developer of VS and was curious what you meant by VS not blocking unknown/untrusted applications. Have you tried VS? Maybe if you did, you would see what the "craze" is all about? Just a thought!
     
  13. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Exactly what I said. You don't block applications from being executed. You let them run and try to kill them as fast as possible if they aren't trusted, making your approach vulnerable to race conditions.
     
  14. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Is there a method for detecting a process before it exists? If so, we will implement that on the next version.
     
  15. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Re: Emsisoft Anti-Malware 8.xx Sammelthread


    There has got to be a method because in both Kaspersky IS and CIS you can block unknown applications from even starting.
     
  16. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    There actually might be, but logic would dictate that it is not possible.

    Let's put it this way... run VS alongside anything else (except UAC), and see which one blocks first! Not that it really matters... all that matters is that the malware is killed.
     
  17. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Yeah, but the malware may kill you first. If you want I can send you a little demo.
     
  18. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Ditto.

    Look, we are all in this together, it is us against the bad guys (hackers), so no hard feelings!
     
  19. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Actually, not really. Try killing OA for example when you block the file's execution.
     
  20. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    KIS and CIS, if set correctly, would clearly block the file first, as they block the actual execution and VoodooShield needs the exe to run for a second before it blocks it. KIS or CIS set at untrusted for KIS and blocked for CIS wouldn't even let the exe run.

    That's not a dig at VS, it's just the truth.
     
  21. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    Fabian, I now realise you weren't trashing VS, so I owe you an apology. Sorry.
     
  22. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    No need to apologize. Just blame it on my English skills or the fact that I am German ;).
     
  23. VoodooShield

    VoodooShield Developer

    Joined:
    Dec 9, 2011
    Posts:
    4,865
    Location:
    United States
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    So do you know of something that will get through VS? I do not see how you are detecting something that does not exist. Many, many, many people have tried to defeat VS and they all have been unsuccessful. I am not claiming that anything is truly bulletproof, but I think the idea of VS has a great chance of becoming bulletproof (if that even exists), while remaining extremely user friendly.

    There are good things and bad things about every product, and there are always new releases and further refinements, so no product is in its final state. We can talk about the good and the bad of everyone's products when I have more time! Thank you!
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    All this implies some type of sandboxing or virtualization of the untrusted process going on. There could be either/or/both white/black listing and cloud scanning employed. To determine if the process is "behaving badly," it must be allowed to execute to display alerts for user action or employ a default block action. It is executing in the controlled environment while all this is going on. There have been instances of malware escaping the controlled environment; rare, but they have occurred.

    The issue is what is done first, outright blocking/suspending or executing first to detect bad behavior of the untrusted process. Either way, the user has to be notified unless the anti-malware software just default blocks and denies execution to anything unknown.

    Maybe I am missing something here o_O
     
  25. ZeroDay

    ZeroDay Registered Member

    Joined:
    Jul 9, 2011
    Posts:
    693
    Location:
    Hogwarts.
    Re: Emsisoft Anti-Malware 8.xx Sammelthread

    I never even implied something would get through VS, no need to get so defensive. Install Kaspersky Internet Security and set the application control to untrusted and/or Comodo Internet Security and set the behaviour blocker to blocked and you will see with your own eyes the point I'm trying to make: any unknown file will be outright blocked with a Windows error saying the file could not run.

    I'm not saying either are better than VS; what I'm saying is they will both outright block an unknown exe without it running. You will simply get a Windows error pop-up that the file could not run or be accessed. I was going by Fabian's comment where he said VS needs the file to run for a second then blocks it; I in no way implied VS could be bypassed. I simply stated KIS and CIS could outright block the file without it running.
     