VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, very true! VoodooAi will help with this tremendously once we adjust the prompts and adjust the blacklist results with VoodooAi. Thank you!
     
  2. VoodooShield

    Yeah, once we adjust the prompts and adjust the blacklist results with VoodooAi, we will be good to go. Thank you!
     
  3. VoodooShield

    Explorer and svchost are always going to be whitelisted, otherwise the computer will not run correctly, but VS will block any child processes in the attack you described. And as far as I know, in order to hollow a process, you need to start a non-whitelisted malicious process first. If someone can provide a sample of a hollow process attack without a payload, please post it! Thank you!
     
  4. VoodooShield

    We could have the false positive feature user adjustable, but I think most people would not ever adjust it. I have been told by some very wise people in the security industry to limit the number of user adjustable options in VS as much as possible.

    VoodooAi is all cloud-based... if there is no internet connection, both the blacklist scan and VoodooAi will not work. Then again, if there is no internet connection, I highly doubt you are going to get a virus ;).

    VoodooAi does not upload the file... it extracts the metadata and uploads it... and it is tiny.

    Hopefully soon we will be able to upload files to the blacklist scanner, and it will probably be automatic. Thank you!
     
  5. VoodooShield

    I think this is explained pretty well in the user guide, but if not, please let me know and I will explain it even better. Thank you!
     
  6. VoodooShield

    Once we adjust the prompts and adjust the blacklist results with VoodooAi, we will be good to go... This will help the user decide even better. Thank you!
     
  7. VoodooShield

    Yeah, this is by design. This is for enterprise customers who wish to lock down their end points.
     
  8. VoodooShield

    Hmmm, that is odd... do you know which updates so I can test? Were they manual or automatic updates? Keep in mind that VS turns OFF after 10 minutes of inactivity, so at some point the updates will succeed.
     
  9. VoodooShield

    Hey Baldrick... how many do you need? ;). Can you pm me the list of web apps? Maybe we can hardwire them at some point. I had no idea that someone would ever use more than 8 custom web apps. Thank you!
     
  10. VoodooShield

    But VS will block the payload from the exploited processes!!! The Chinese people launched Windows processes, and then tried to exploit these Windows processes to drop and launch their payload, but VS blocked the payload. Yeah, child processes of web apps are automatically blocked... it has been this way ever since the parent process feature was introduced.

    Keep in mind... whether we are using a CPN or KMD, the process is suspended until VS (or the user) decides whether to allow or block the new, non-whitelisted process. So removing the parent process feature will have the exact same result... either way, the determination is made to block the process if it is spawned by a vulnerable process. Does this make sense?

    Someone sent me another video of the Chinese people trying to defeat VS again... but it was the same result. The only thing that was different was that VoodooAi detected the ransomware as super unsafe, and there were 3 blacklist detections.

    Speaking of the Chinese people, I gave out around 75 or so free licenses to you guys. Can one of you please explain to Kid Mohists what a suspended process is and that he is in no way bypassing VS? If he is testing with process hacker and downloads ANY executable binary, VS will block it THE EXACT SAME WAY IT IS BLOCKING THE RANSOMWARE, AND WILL BE DISPLAYED IN PROCESS HACKER THE EXACT SAME WAY. Now, if he is able to show an exploit drop and execute some ransomware, and show the ransom demand, then we will have to make some changes. But until that happens, we need to safely allow as many benign processes as possible, so that VS remains user-friendly and does not over burden the user with useless prompts. Thank you!
     
  11. VoodooShield

    VS does not allow by digital signature alone... that is very dangerous. Trust me, after uploading over 1 million malware samples while building VoodooAi and seeing all of the signed malware, I am glad we made the decision to not allow by digital signature alone.

    However, if the user allows a new item, then VS will temporarily allow items signed with that, and only that digital signature. Thank you!
     
    Last edited: Mar 24, 2016
  12. VoodooShield

    No, Java has nothing to do with this test... it is not an exploit. It just simulates what would happen if an exploit dropped and executed a payload from whatever location you decide to test from.
     
  13. VoodooShield

    Sure, thank you!
     
  14. VoodooShield

    Hmmm, 3.10 seems to be working great. Can you please keep an eye on it and if it acts up please let us know? Thank you!
     
  15. VoodooShield

    Hmmm, I tested twice with brand-new VMs and did not experience any of the issues you are describing. Have you talked to Vlad about this? I know he said there were a couple of small issues with 3.10, but I think they were simple fixes. Thank you!
     
  16. VoodooShield

    Hehehe, you are funny ;). No, VS utilizes a patented whitelist snapshot method that automatically whitelists the running processes when VS is OFF. When the computer launches a web app, it is then at risk for being infected, so VS then toggles to ON, and anything that was running before the computer was locked is allowed. Then when the computer is no longer at risk, VS automatically turns OFF so that new, safe items can be automatically whitelisted, so this automatically builds the whitelist so the user is not bombarded with affirmative user prompts. But no, VS does not determine if any of the items are government spyware or not ;). I hope you enjoyed my funny answer ;). Thank you!
     
    Last edited: Mar 24, 2016
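The rules stated in posts 10, 11 and 16 above (a new process is held until it is allowed or blocked, children of web apps are always blocked, a digital signature alone never allows a file but a signer is temporarily trusted once the user allows one file from it, and the OFF-state snapshot that learns whatever is running as safe), modelled as a small Python policy engine. This is an added example, not VoodooShield's code: the process names, hashes, the order in which the checks run, and the idea that the temporary signer trust lapses when the shield goes back to OFF are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    """A process launch event (constructed data, not taken from any real system)."""
    name: str
    sha256: str                    # identity of the image on disk
    parent: Optional[str] = None   # name of the parent process
    signer: Optional[str] = None   # Authenticode signer subject, if the image is signed


@dataclass
class Shield:
    # Assumption: these OS processes are always allowed, as post 3 says for explorer/svchost.
    always_allowed: frozenset = frozenset({"explorer.exe", "svchost.exe"})
    # Assumption: launching a "web app" puts the machine at risk and toggles the shield ON.
    web_apps: frozenset = frozenset({"chrome.exe", "firefox.exe", "iexplore.exe"})
    on: bool = False
    whitelist: Set[str] = field(default_factory=set)        # allowed image hashes
    temp_signers: Set[str] = field(default_factory=set)     # signers trusted after a user allow
    running: Dict[str, Proc] = field(default_factory=dict)  # name -> last allowed launch

    def _spawned_by_web_app(self, p: Proc) -> bool:
        """Walk the parent chain through processes this model allowed earlier."""
        seen: Set[str] = set()
        cur = p.parent
        while cur and cur not in seen:
            if cur in self.web_apps:
                return True
            seen.add(cur)
            ancestor = self.running.get(cur)
            cur = ancestor.parent if ancestor else None
        return False

    def _allow(self, p: Proc, reason: str) -> Tuple[str, str]:
        self.running[p.name] = p
        return ("ALLOW", reason)

    def launch(self, p: Proc, user_allows: bool = False) -> Tuple[str, str]:
        """Decide on a new process. The product keeps the process suspended until this
        decision exists; the model just returns (verdict, reason)."""
        if p.name in self.web_apps:
            self.on = True
            return self._allow(p, "web app launched, shield toggled ON")
        if not self.on:
            # OFF: snapshot mode, whatever runs is learned as safe
            self.whitelist.add(p.sha256)
            return self._allow(p, "auto-whitelisted while OFF")
        if p.name in self.always_allowed:
            return self._allow(p, "required system process")
        # Checked before the hash whitelist: a known-good tool is still a payload
        # when a browser spawns it (this ordering is an assumption of the model).
        if self._spawned_by_web_app(p):
            return ("BLOCK", "child of a web app")
        if p.sha256 in self.whitelist:
            return self._allow(p, "hash in whitelist")
        # A signature alone never allows a file; only a signer the user already allowed does.
        if p.signer and p.signer in self.temp_signers:
            return self._allow(p, "signer temporarily trusted after a user allow")
        if user_allows:
            self.whitelist.add(p.sha256)
            if p.signer:
                self.temp_signers.add(p.signer)
            return self._allow(p, "user allowed")
        return ("BLOCK", "unknown process while ON")

    def idle(self) -> None:
        """No risky activity for a while: back to OFF. Assumption: the temporary
        signer trust lapses here; the post does not say how long 'temporarily' is."""
        self.on = False
        self.temp_signers.clear()


def demo() -> list:
    """Walk a constructed sequence of launches and return the verdicts."""
    s = Shield()
    events = [
        (Proc("cmd.exe", "h-cmd", parent="explorer.exe"), False),
        (Proc("chrome.exe", "h-chrome", parent="explorer.exe"), False),
        (Proc("cmd.exe", "h-cmd", parent="chrome.exe"), False),    # browser-spawned payload
        (Proc("cmd.exe", "h-cmd", parent="explorer.exe"), False),  # same binary, safe parent
        (Proc("dropper.exe", "h-bad", parent="explorer.exe", signer="Some Signer"), False),
        (Proc("tool.exe", "h-tool", parent="explorer.exe", signer="Acme"), True),
        (Proc("tool2.exe", "h-tool2", parent="explorer.exe", signer="Acme"), False),
        (Proc("tool3.exe", "h-tool3", parent="explorer.exe", signer="Other"), False),
    ]
    return [s.launch(p, user_allows=u) for p, u in events]


if __name__ == "__main__":
    for verdict in demo():
        print(*verdict)
```

The whitelist is keyed on the image hash rather than the process name, and the web-app ancestry check runs before the hash lookup, so the same cmd.exe that was learned as safe while OFF is still blocked when a browser spawns it; that is the "exploit drops and launches a payload" case the poster describes, and it is why removing the parent-process check would not change the verdict for a non-whitelisted child.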
  17. VoodooShield

    Microsoft is changing the way they handle digital signatures in Windows 10 (and maybe in 8 as well, I do not remember)... so we have to make some changes, but hopefully this is fixed now. Thank you!
     
  18. VoodooShield

    VS made the known list 3-4 years ago... it has to do with the new way Windows handles digital certificates. I think you would be surprised how many users we have. Thank you ;).
     
  19. VoodooShield

    Yeah, this is fixed now!!! Well, it will be in the next release. The crazy high numbers were because the "." was missing. For example, 230498230 should have been 0.2305... but it will be fixed now. Thank you!
     
    Last edited: Mar 24, 2016
  20. VoodooShield

    It does not take that many users... even when we only had a few hundred users 3-4 years ago, we made the list.
     
  21. VoodooShield

    Great to hear, thank you for letting us know!
     
  22. VoodooShield

    Great to hear that VS blocked the threat! Yeah, we need to rework the user prompts a little... we will do our best to make sure everyone is happy ;). Thank you!
     
  23. VoodooShield

    Cool, my answer was a complete joke ;).
     
  24. VoodooShield

    Basically, Scan and Allow mode does not toggle VS from OFF to ON and vice versa. It just stays in "Scan Mode". In Scan and Allow mode, VS will automatically allow anything that has 0 threats, assuming the item is in the database. Otherwise, VS will block it.

    We are also going to factor the VoodooAi results into Scan and Allow mode, so that will be really cool!
     
  25. VoodooShield

    It blocks it ;).
     