VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    It will come back to life now and then.
     
  2. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
I like the "Recommended" label to help novices.

    I am waiting for the upcoming release. Will the upcoming release or beta have the "Recommended" label on alerts?

On my family system I am going to use "Scan & Allow" as it's the easiest mode available in VS... & the "Recommended" label will make it easier or enhance the usability for average users.
     
  3. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    C:\Windows\explorer.exe
is trying to modify other program's status.
    Target:explorer.exe
     

Attached Files: 1.jpg (131.1 KB)
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
I have a machine to test on, but I have to reformat it. I could install Windows 7 x64 on it without any patches, and then do some testing. It takes forever to download all the Windows updates. I don't really see any reason in downloading all those updates in order to test unless the security software requires the updates to function correctly. It would be best to install some outdated Java and Flash on there also. We could really see how well a security product can perform on an unpatched OS, outdated Java, and outdated Flash Player.
     
  5. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    OK, you win.
     
  6. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    There was Comodo too in the video.
Did Comodo pass or fail?

    Guess VS passed. And VoodooAi showed super Unsafe.
     
  7. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
I don't think Comodo can pass; you see pic4 and pic5, Comodo wouldn't block the normal system application.
     

Attached Files: 4.jpg (133.5 KB), 5.jpg (145.4 KB)
  8. hjlbx

    hjlbx Guest

    COMODO doesn't block code injection.
     
  9. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    You may like to see this.
     

Attached Files: 4.jpg (133.5 KB), 5.jpg (145.4 KB)
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
It should not be difficult for a HIPS to detect injection into explorer.exe. Some of the products tested failed to prevent injection because they don't cover injection attacks. I rely on policy-based AE software since there are no HIPS left I like. I was a dedicated Online Armor user from 2005-2014, but those good old days are over. I believe the SRP I use would have covered all the attacks used on that website. I don't allow web applications (browser, Flash Player, PDF readers, etc.) to launch cmd.exe, rundll32.exe, taskhost.exe, conhost.exe, taskeng.exe, msiexec.exe, etc. Since those processes can't be blocked globally, one should not allow web applications to access them. Many other vulnerable applications like powershell.exe, cscript.exe, wscript.exe, vssadmin.exe, bitsadmin.exe, etc. can be blocked globally, so I don't allow them to run at all. If for some reason one needs to allow something like script.exe and wscript.exe to run, then I would recommend only allowing them to run with limited rights. I also use memory protection that does not allow vulnerable applications to read/write to the memory of other applications. That should prevent the injection attacks by itself.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
    Do you know what HIPS mode Eset was in when it was tested?
     
  12. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
Sorry, I have no idea of the ESET HIPS mode, but the test date is April 2nd.
     
  13. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
But ESET can detect injection. By the way, I'm also a fan of Online Armor.
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,696
    Location:
    USA
I wasn't able to use the latest version of VS at all. If I tried to launch any application not on the whitelist, it would take VS 1-2 minutes on average to prompt me for the unknown application. Sometimes it would cause Windows to give me a message stating that the application may have been deleted or moved. I think that is what the message stated; it was something close to that. When I finally did receive the prompt, VSAi never would finish its classification of the file. I'm going to take a wild guess and suggest that maybe it is a problem with .NET Framework. If I remember correctly, you informed me that VS now detects the latest version you have installed and uses that version.
     
    Last edited: Apr 10, 2016
  15. guest

    guest Guest

The maximum version I have is .NET 4.6, but VS uses .NET modules from 2.0, 3.0 and 3.5.
    I don't know if it can be a problem if VS is loading modules from different .NET versions.
     
  16. hjlbx

    hjlbx Guest

    No.
     
  17. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
I was thinking of something like Qihoo 360 has (picture).
    Maybe it is stupid and not needed... :doubt:

    BTW: this "Recommended" thing is very good idea :thumb:
     

Attached Files: 1.jpg (117.9 KB)
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    @hjlbx I know you use NVT ERP, AG and VS. All these have different approaches.
    I run NVT ERP and AG, as do others in this forum, on my Win 8.1 machine, and find these work well together as a layered combination, and just VS on my Win 7 machine.
I have no doubt that running three AEs together would be overkill (!), but would there be any benefit in running either ERP or AG in combination with VS?
    Just curious. I would value your opinion.
     
  19. hjlbx

    hjlbx Guest

    Do not combine VS and NVT ERP. They might conflict. Even if they don't, why would anyone want duplicate alerts from both VS and NVT ERP ?

    AG is SRP soft, so it can run with either VS or NVT ERP.

    VS has more protection than NVT ERP.

    Combo VS with AG will be high protection. Very high.

VS will protect the system, and if anything gets by it - for example some crazy online browser exploit - or, much more likely, a user makes a mistake, then AG will block the execution.

    VS-AG combo is like using VS on system with configured AppLocker. I can't see getting persistent infection unless user #s-up.
     
20.

    AG runs guarded programs in a standard user sandbox and blocks execution (also DLLs) in user folders of unsigned programs in default mode (allowing signed programs to run in user folders facilitates updates of all legit software).

    NVT ERP has a built-in whitelist based on signatures, VS uses AI, so both would be a good match with AG (to refine its simple signature-based user-folder anti-execution). I have not used VS or ERP, so I have no preference or opinion on which one to combine with AG.

    When you want to run without AV then the combo of AG with (VS or ERP) would provide really great protection (as @hjlbx states).
     
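The two policy descriptions above (Cutting_Edgetech's parent/child and global-block rules in post 10, and the unsigned-in-user-folder rule attributed to AppGuard in post 20) can be written down as a small, testable allow/block evaluator. The following is an added example for illustration only; it is not code from VoodooShield, AppGuard or NVT ERP. The set of "web applications", the pipe-separated log format and the sample events are constructed assumptions, and whether an image is "signed" is assumed to be supplied by whatever collector produced the event.

```python
# Added example: evaluate process-creation events against the rules the thread
# describes. Not VoodooShield/AppGuard/NVT ERP code; names and log format are
# constructed assumptions.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Web-facing applications (assumed set) and the processes post 10 does not let them launch
WEB_APPS = {"chrome.exe", "firefox.exe", "iexplore.exe", "acrord32.exe"}
NO_LAUNCH_FROM_WEB_APPS = {"cmd.exe", "rundll32.exe", "taskhost.exe",
                           "conhost.exe", "taskeng.exe", "msiexec.exe"}
# Processes post 10 blocks outright, regardless of parent
BLOCKED_GLOBALLY = {"powershell.exe", "cscript.exe", "wscript.exe",
                    "vssadmin.exe", "bitsadmin.exe"}
# Post 20's AG-style rule: unsigned images under user folders do not run
USER_FOLDER_PREFIX = "c:\\users\\"


@dataclass
class ProcessEvent:
    started: str   # timestamp as logged (ERP-style field from post 24)
    parent: str    # parent image name
    image: str     # full path of the launched image
    signed: bool   # True if the collector verified a publisher signature


def evaluate(event):
    """Return ('allow' | 'block', reason).

    Global blocks win, then the parent-process rule, then the user-folder rule.
    """
    name = PureWindowsPath(event.image).name.lower()
    parent = event.parent.lower()
    if name in BLOCKED_GLOBALLY:
        return "block", f"{name} is blocked globally"
    if parent in WEB_APPS and name in NO_LAUNCH_FROM_WEB_APPS:
        return "block", f"web application {parent} may not launch {name}"
    if event.image.lower().startswith(USER_FOLDER_PREFIX) and not event.signed:
        return "block", f"unsigned image in user folder: {event.image}"
    return "allow", "no rule matched"


def parse_log(text):
    """Parse constructed lines of the form: started|parent|image|signed-or-unsigned."""
    events = []
    for line in text.strip().splitlines():
        started, parent, image, signed = [f.strip() for f in line.split("|")]
        events.append(ProcessEvent(started, parent, image, signed.lower() == "signed"))
    return events


# Constructed sample events (raw string so the backslashes survive)
SAMPLE_LOG = r"""
2016-04-10 09:00:01 | explorer.exe | C:\Windows\System32\cmd.exe | signed
2016-04-10 09:00:02 | chrome.exe   | C:\Windows\System32\cmd.exe | signed
2016-04-10 09:00:03 | explorer.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | signed
2016-04-10 09:00:04 | explorer.exe | C:\Users\alice\Downloads\setup.exe | unsigned
2016-04-10 09:00:05 | explorer.exe | C:\Users\alice\AppData\Local\Vendor\Update.exe | signed
"""


def decisions(text=SAMPLE_LOG):
    """Apply the policy to every event; returns (image, verdict, reason) tuples."""
    return [(e.image, *evaluate(e)) for e in parse_log(text)]


if __name__ == "__main__":
    for image, verdict, reason in decisions():
        print(f"{verdict:5}  {image}  ({reason})")
```

The ordering matters: the interactive cmd.exe launched from explorer.exe is allowed (it cannot be blocked globally, as post 10 notes), the same cmd.exe launched from a browser is blocked, powershell.exe is blocked whoever the parent is, an unsigned download in the user profile is blocked, and a signed updater in AppData still runs, which is exactly the trade-off post 20 gives for allowing signed programs in user folders.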
  21. hjlbx

    hjlbx Guest

What @Windows_Security is pointing out is that AG applies policies to Guarded Apps such that they are limited/restricted to the same extent as if you were using them while signed into the LUA. That's the general idea... AG is no great mystery.
     
  22. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,660
    Location:
    Under a bushel ...
    Thanks @hjlbx and @Windows_Security for your insights.
    May then play with VS + AG at some point.
    I do really like simplicity and intuitiveness of NVT ERP, and hope @novirusthanks is still around.
And the enthusiastic development and support at Wilders by @VoodooShield.
    AG may not be a 'great mystery', but it is maybe the most complex of these; I think thanks to @pegr, @Cutting_Edgetech and others I have some sort of grip on it :)
     
  23. hjlbx

    hjlbx Guest

    You can do almost all the same in VS now that you can do in NVT ERP. Dan will be adding user ability to define vulnerable processes - at least that is what I recall. When he will implement this I do not know. He has a lot going on - so it depends upon where it is on the priority list. If you keep asking about it, then it will get implemented.

    You can handle all the vulnerable processes in AG until then. In fact, BRN asked me for the list of vulnerable processes that I provided to you a while back. I'm not sure what BRN intends on doing, but I suppose they will be adding at least a few of the vulnerable processes to Guarded Apps or User Space.
     
  24. guest

    guest Guest

But ERP is still useful, because information about processes is being logged: start time, file path, MD5, publisher, parent process, command line, ...
    With AG or VS you don't have this kind of information.
     
  25. hjlbx

    hjlbx Guest

    Both VS and AG do this.

    VS stores a log in ProgramData. AG writes everything to Windows Event Viewer (mmc.exe). However, I think you mean Active Events log which shows real-time events on system.
     