VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,045
    Location:
    Ontario, Canada
    What other site do you know Mike from? Please do tell. :)

    TH
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    If an exploit tried to drop a payload to the system space in Windows Folder would the malware have to have Admin privileges in order to run? If the application being exploited has Admin privileges wouldn't the exploit automatically gain Admin privileges? Would the binary payload dropped be able to gain Admin privileges?

    Edit: 2/18 9:40 Would the exploit be able to write to the system space at all without Admin privileges?
     
    Last edited: Feb 18, 2015
  3. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,045
    Location:
    Ontario, Canada
    Again Dan would have to let us know for sure. And again the payload would have to execute.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I'm interested in hearing from Dan about this, but I'm also interested in hearing from anyone that feels they have the answer to this.
     
  5. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,007
    Location:
    .
    Why are you looking for an argument where there are no grounds for an argument...
    I post what I observe and simply ask why ....
    My security passes eicar...
     
    Last edited: Feb 18, 2015
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,045
    Location:
    Ontario, Canada
    Well, look at it this way: VS is on when any browser or email client is open, the two main vectors which malware comes from, so in this case it's locked down, right? Also, for both, if an exploit tried to download and execute, it would be in the user space. Let's say IE: it stores its data in AppData, not Program Files, and the same with Outlook.
     
    Last edited: Feb 18, 2015
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Most malware tries to run from the user-space. My question basically is what does it take for an exploit to drop a payload in Program Files or System Space. I will just pose this question in a different thread. It may get out of hand in this thread.
     
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,007
    Location:
    .
    That's what I'm wondering....until I understand what the setting is intended for....how would I know the result.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I was just asking if you have experienced any noticeable problems since you unticked that in the settings. I was afraid it might cause serious problems.
     
  10. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,045
    Location:
    Ontario, Canada
    Well, it's about VS, so anyone can join here if you would like to invite them, IMO. How about @Rmus?
     
  11. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,007
    Location:
    .
    So, does VS have settings that may cause serious problems? I unticked to see what VS flags.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I think if the process being exploited has Admin privileges it can write to the system space, but maybe there are other factors that also have to be true before it can do this. This is assuming the exploit is able to execute in the first place. It has to run in memory first. I'm not sure how the OS treats Program Files folders in terms of privileges. I wonder if Admin privileges are needed to write there as well. One technique used by some software I use is that web applications are not allowed to write to Program Files folders or the system space. I will see if I can find my privilege question with some Googling.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    None that I have experienced myself. I was just curious if you have had any problems since you "unticked allow specific critical Windows processes". Have you had any problems so far since you unticked allow critical windows processes?
     
  14. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,007
    Location:
    .
    Yeah, that circles around to why VS drops the UAC bar to "not recommended". If we're back to Admin privileges...then UAC v LUA.
    Are we all starting from the same account privileges?
     
  15. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,007
    Location:
    .
    No problems....actually VS may be acting as a system monitor. My jury is still out.
    I'm still trying to get flag'd to run via VS sandbox. How do I test?
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    You can use both if you want. You will get redundant prompts though. UAC will prompt you more than VS will unless you untick "allow all software in the Program Files Folder". I see what you are saying though with UAC, and how it should prevent processes from running with Admin privileges without an Admin user allowing it. That's why I prefer to prevent unknown executables from running in Program Files folders or the system space.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    I'm not sure how you can test. I don't use Sandboxie since special exceptions need to be made for it with most AE's, and policy based software. I have spent a lot of time helping users configure AppGuard for Sandboxie. I'm not sure what needs to be done in VS since I have never set them up together. Have you gone to the custom tab in VS, and tried adding whatever is being blocked as an allowed folder? I don't know what flag'd is that you are referring to.
     
  18. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,007
    Location:
    .
    Not talking about SBoxie....VS native sandbox....
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,648
    Location:
    USA
    Oh, ok. What is flag'd?
     
  20. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,972
    Location:
    Poland - Cracow
    Wow...what an honor...hahaha :D
    Of course I'll try the new build and give you an answer on how it works.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    He was suggesting that I was the only one who understood what the description of that option meant. Well, that is just kinda silly, considering that only 2 people had an issue with it.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey ichito, cool, thank you. I do not think it is fixed yet, but I put in some debugging code. So can you run it a day or so and make it mess up a few times, then send me the DeveloperLog.log from the C:\programdata\voodooshield folder. Either way, we are getting really, really close. Thank you!
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    And if someone could make a video, that would help too. I just got an email today from a guy in France running the French version of Windows, and he is having the same issue. But he is working with me to figure it out. We are definitely getting close, sorry it is taking so long!
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you!
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Exactly! That is why malware is ALWAYS found in the user space (usually appdata or programdata), at least initially. If it can execute in the user space, then it can do whatever it wants, and all bets are off. So as long as you can stop it executing in the user space, then you are safe.

    BTW, VS is not the only security software that automatically allows everything from the Program Files folder; as far as I know, they all do, but they just do not have the option to turn that feature on and off. From what I remember, even UAC automatically allows everything in the Program Files folder. Thank you!

    Edit: Keep in mind, I am not suggesting that traditional antivirus does not scan the program files executables, I am just suggesting that they do not deny them by default.
     
    Last edited: Feb 19, 2015
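
The privilege question running through this thread (whether a payload needs an elevated token to land in Program Files or the Windows folder, versus the AppData/ProgramData "user space" that every account can write to) can be checked directly on a box. The following PowerShell probe is an added example, not code from the thread or from VoodooShield: it reports whether the current token is elevated, tries to create and delete a throwaway file in each of the locations discussed above, and lists what the built-in Users group is actually granted on Program Files. It assumes a stock Windows ACL layout and a manifested host (PowerShell), so no UAC file virtualization redirects the writes.

```powershell
# Added example (not from the thread or VoodooShield): which "user space" and
# "system space" folders can the CURRENT token create a file in, and is it elevated?
# Run once from a standard/non-elevated prompt and once from an elevated one to compare.

function Test-IsElevated {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    # True only when the Administrators group is active in the token (elevated),
    # not merely because the account is a member of Administrators.
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-WriteAccess {
    param([string]$Folder)
    # Constructed probe file name; it is removed right after the attempt.
    $probe = Join-Path $Folder ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')   # access denied surfaces as an exception
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false                              # UnauthorizedAccess, missing folder, etc.
    }
}

# The locations the thread contrasts: system space vs. user space.
$locations = [ordered]@{
    'Program Files'    = $env:ProgramFiles
    'Windows'          = $env:SystemRoot
    'System32'         = Join-Path $env:SystemRoot 'System32'
    'ProgramData'      = $env:ProgramData
    'AppData\Roaming'  = $env:APPDATA
    'AppData\Local'    = $env:LOCALAPPDATA
}

"Token elevated (Administrators group active): $(Test-IsElevated)"
foreach ($entry in $locations.GetEnumerator()) {
    $writable = Test-WriteAccess -Folder $entry.Value
    '{0,-16} {1,-40} writable: {2}' -f $entry.Key, $entry.Value, $writable
}

# What BUILTIN\Users is granted on Program Files. On a stock layout this is
# ReadAndExecute (no Write), which is why a non-elevated payload cannot land there.
(Get-Acl -LiteralPath $env:ProgramFiles).Access |
    Where-Object { $_.IdentityReference -like '*\Users' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

From a non-elevated prompt the expected picture is AppData and ProgramData writable and Program Files, Windows and System32 not; from an elevated prompt all of them become writable, which is the whole reason an exploited process that already holds an elevated token can reach the system space.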