VoodooShield?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    I had to uninstall VS because it slowed my boot down and my system was very sluggish, now it's fast again!
     
  2. Cyrano2

    Cyrano2 Registered Member

    Joined:
    Mar 19, 2010
    Posts:
    129
    Location:
    Spain
    Or something like "Default mode" would also be awesome ;).
     
    Last edited: Jul 9, 2015
  3. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    406
    Noticed that if I remove my snapshots from your website they never come back, even when it says it's synching.
     
  4. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    Is Dan on vacation?
     
  5. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,850
    How intensive is this on the HDD? I am getting a SSD soon and don't want a security program that is tough on it.
     
  6. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    I think Dan will be up to his neck sorting out the KMD for the next version.
    He'll be back.
     
  7. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,756
    Location:
    Ontario, Canada
    Yes he is very busy! Cuckoo Sandbox :) It's coming soon!
     
    Last edited: Jul 16, 2015
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, sorry I have been away... I got a little carried away with the new features ;). The Cuckoo Sandbox is pretty much ready, although we will want to refine and tweak it a little in the next few days. There is still a little more work to do on the KMD, but it is getting there. I might even take a little break for a few days before finishing that up.

    Here is the latest version with the Cuckoo Sandbox integration. So far I have not been able to get it to work with XP (and it may not ever), but it seems to work great with everything else. So if you are running XP, there is no reason to upgrade to this version.

    This version is all about the Cuckoo Sandbox / Remote Sandbox. So either drag and drop a file, or have VS block a file, then choose “Sandbox”, then “Cuckoo”.

    If you want to watch the analysis in real-time, in a remote desktop session, just make sure you check the option “Watch Cuckoo Sandbox analysis in a Remote Desktop session in real-time”, before you click the “Cuckoo” button. I was going to have it enabled by default, but I did not want to scare one of our other users who has no idea about the RDP features ;). Besides, the more bandwidth (among other things) we can conserve, the better.

    http://www.voodooshield.com/freeoffer/Install VoodooShield.2.77 beta.exe

    I have not tested the Cuckoo server other than just running internal tests, but I think it will do quite well. It estimates that it can perform 13,000+ analyses per day (or 525+ per hour), but I guess we will see ;). For now I limited the RDP sessions to 1 every 5 minutes, just to make sure I did not overlook something... and we end up crashing the server ;). There are a lot of "moving parts" between VS and the Cuckoo Sandbox, and a lot of things that could potentially go wrong, but I think everything is pretty darn stable at this point. Hopefully there will not be any firewall issues, but I think since it is just a standard RDP, it should be fine.

    Hopefully I will be able to catch up on the posts I have missed this weekend... then after these last few features are finished, hopefully things will go back to normal. Thank you, talk to you soon!
     
    Last edited: Jul 18, 2015
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, I forgot to mention that the mouse on the RDP will automatically move around on the desktop... this is normal, it is simulating mouse movement and clicks to help evade sandbox detection.
     
  10. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,537
    Location:
    South Wales, UK
    Hi Dan

    First impressions are good in terms of existing functionality and as far as I can see the recent additions have not affected normal operation. Yet to give the sandbox a run for its money but so far nothing seems broken. Will post back over the weekend after trying to make the cuckoo sing...;):argh:
     
  11. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,975
    Location:
    Boston, MA
    Working well so far. The only thing I've had an issue with is getting cuckoo to finish analyzing a file. I let it run for about 5-6 min and it never finished. It was just a small EXE file too. I figured it shouldn't take so long. Other than that it's running nice and smooth.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,161
    Location:
    Among the gum trees
    (Attachment: VoodooShield - After 3 Weeks.PNG)

    ... Sounds OK. How do I reverse it if I need to?
     
  13. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    VS Basic settings GUI (attachment: Capture.PNG)
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,161
    Location:
    Among the gum trees
    Awesome! Thank you Sir. :cool:
     
  15. hjlbx

    hjlbx Guest

    v. 2.77beta

    Sat 7/18 18:00 US EST

    Cuckoo sandbox keeps returning time-out.

    * * * * *

    This is not a criticism - just pointing out some rather complicated issues with no easy solutions.

    In its current incarnation the Cuckoo sandbox analysis report is way too complicated for the typical user to interpret. Such interpretation requires knowledge well beyond what even most die-hard security software enthusiasts possess.

    Therefore, I question its value to the typical user. If the average user cannot decipher the analysis report, then those infos are essentially useless to the user.

    Perhaps for most users all that is needed is a "score" (in a notification instead of the browser) from 0 to 10 that lets the user know how probable it is that the file is malicious. For example, 0 = known safe and 10 = known malicious.

    Even if VS would implement such a scale there is a problem with scores 4, 5, 6 and 7. The typical user is apt to simply "Allow" without any further investigation. In these cases, infos in the report are, indeed, needed to make an informed judgment. Despite this fact, again we return to the primary problem that necessitates the use of a malware "score" scale to begin with - the typical user lacks the knowledge to make sense of the report.

    Perhaps it might be best to have a user-defined "threshold" setting. For example, allow only files with a Cuckoo score of <= 4.

    Although, even if deemed worthwhile, I am not sure if any of these can technically be implemented; how does one link the Cuckoo sandbox results to VS?

    In any case, virtually impossible problem to solve = VS to compensate for user 1) lack of knowledge and 2) poor judgment.

    Some food for thought...

    Best Regards,

    HJLBX
     
    Last edited by a moderator: Jul 19, 2015
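As an added example (not VoodooShield's or Cuckoo's own code, and not part of the post above), here is how the score-and-threshold scheme proposed in that post could be expressed. A constructed, simplified report shape with Cuckoo-style signature severities (1 to 3) is collapsed into a 0 to 10 score; a user-defined threshold allows low scores, very high scores are blocked, and the ambiguous middle band, together with analyses that did not complete (the time-out case mentioned above), fall through to a prompt that carries the triggered signature names so the user has something to go on. The report layout, the scoring rule, the band boundaries and the signature names are this example's assumptions, not Cuckoo's actual scoring.

```python
"""Score-threshold policy over a sandbox report (added example, assumptions labelled)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Verdict:
    score: Optional[int]   # None when the analysis did not complete (e.g. time-out)
    decision: str          # "allow", "prompt" or "block"
    reasons: tuple = ()    # signature names, highest severity first


def score_report(report: dict) -> Optional[int]:
    """Collapse triggered signatures into a 0-10 score.

    Assumed rule: each signature contributes its severity (1-3), capped at 10;
    a report with no signatures scores 0; an incomplete analysis has no score.
    """
    if report.get("status") != "completed":
        return None
    total = sum(int(sig.get("severity", 1)) for sig in report.get("signatures", []))
    return min(10, total)


def decide(report: dict, allow_threshold: int = 4, block_threshold: int = 8) -> Verdict:
    """Apply the user threshold: allow <= threshold, block >= block_threshold,
    otherwise prompt. An analysis without a result is never silently allowed."""
    score = score_report(report)
    if score is None:
        return Verdict(None, "prompt", ("analysis did not complete",))
    reasons = tuple(
        sig["name"]
        for sig in sorted(report.get("signatures", []),
                          key=lambda s: -int(s.get("severity", 1)))
    )
    if score <= allow_threshold:
        return Verdict(score, "allow", reasons)
    if score >= block_threshold:
        return Verdict(score, "block", reasons)
    return Verdict(score, "prompt", reasons)


# Constructed sample reports; the signature names are illustrative, not real Cuckoo output.
CLEAN_REPORT = {"status": "completed", "signatures": []}
GREY_REPORT = {"status": "completed", "signatures": [
    {"name": "creates_autorun_entry", "severity": 2},
    {"name": "reads_machine_name", "severity": 1},
    {"name": "drops_executable", "severity": 2},
]}
BAD_REPORT = {"status": "completed", "signatures": [
    {"name": "injects_into_process", "severity": 3},
    {"name": "disables_security_tool", "severity": 3},
    {"name": "contacts_known_bad_host", "severity": 3},
]}
TIMED_OUT_REPORT = {"status": "timeout", "signatures": []}


if __name__ == "__main__":
    for label, rep in [("clean", CLEAN_REPORT), ("grey", GREY_REPORT),
                       ("bad", BAD_REPORT), ("timeout", TIMED_OUT_REPORT)]:
        v = decide(rep)
        print(f"{label:8s} score={v.score} decision={v.decision} reasons={v.reasons}")
```

The only design choice worth noting is that a missing result is treated like the grey band rather than like a clean report: a time-out tells the user nothing about the file, so it must not count as evidence of safety.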
  16. hjlbx

    hjlbx Guest

    BUG

    v. 2.77beta

    W8.1

    Despite Wscript, Cscript, Rundll32 and Regedit being blacklisted when VS is ON, they are still able to run.

    Best Regards,

    HJLBX
     
  17. hjlbx

    hjlbx Guest

    BUG

    v. 2.77beta

    W8.1

    When opening Quarantine via the VS UI it does not list all items actually inside C:\ProgramData\VooDooShield\Quarantine.

    Best Regards,

    HJLBX
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you. I think the Cuckoo Sandbox turned out pretty well, I just have a little polishing to do and we will be good to go! As far as WMP is concerned, VS will not let it spawn a child process so we should be good to go!
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, it should be blocking wscripts and cscripts (it is working on my machines anyway, let me know if it is not working on yours). But as far as rundll32 and regedit, I need to remove those options. rundll32 is now managed through command lines, and regedit is now allowed when VS is ON. Thank you!
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, yeah, that was a bug, I think it is fixed now, so it should be fixed in the next release. Although, it will not detect the old items, just the new ones.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, VS does block items when it is in Smart Mode... and if the blacklist scan comes back clean, then it automatically allows the item. Also, keep in mind, for an exploit to attack, a web app has to be running, right? We can make VS toggle with WMP, but I really do not think it is necessary. The whole purpose of Smart Mode is for it to safely whitelist as many items as possible when web apps are not running.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This is covered by the Anti-Exploit feature. In Smart Mode, if an exploit tries to spawn a payload through WMP, VS will block it. We can toggle VS with WMP, but either way the payload from the exploit is going to be blocked.
     
  23. hjlbx

    hjlbx Guest

    Hello @VoodooShield

    I know it is a lot of work - really, I do... but users need a way to allow safe command lines for the vulnerable processes.

    With the Cuckoo sandbox and KMD projects underway, I'm not sure this request is a priority. However, managing command lines is fundamental to getting everything to work with VS - especially hardware.

    The command line logging and management functionality of NVT ERP is its one decisive advantage over VS.

    Best Regards,

    HJLBX
     
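Added example, serving the exchange above about rundll32 being "managed through command lines" and the request for a way to allow safe command lines for the vulnerable processes. It is not VoodooShield's or NVT ERP's code; it sketches the policy shape such a feature needs: a set of managed "vulnerable" interpreters is identified by image name, and a launch of one of them is allowed only when its full command line matches a user-supplied, anchored pattern, otherwise it is blocked and the reason recorded. The process names, the allow-list patterns and the sample launch events are constructed.

```python
"""Command-line allow-list for vulnerable processes (added example, constructed policy)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Assumed set of managed interpreters; regedit is deliberately absent, matching the
# statement above that it is allowed when VS is ON.
VULNERABLE = {"wscript.exe", "cscript.exe", "rundll32.exe"}

# Hypothetical per-user allow-list. Each pattern is anchored against the WHOLE
# command line, so allowing one DLL/script does not allow every DLL/script.
ALLOWED_COMMAND_LINES = {
    "rundll32.exe": [
        r'^"?C:\\Windows\\System32\\rundll32\.exe"? shell32\.dll,Control_RunDLL .+$',
    ],
    "cscript.exe": [
        r'^"?C:\\Windows\\System32\\cscript\.exe"? (//nologo )?"?C:\\Scripts\\backup\.vbs"?$',
    ],
    # wscript.exe has no entries: every launch of it is blocked.
}


@dataclass(frozen=True)
class LaunchEvent:
    image: str         # full path of the process being started
    command_line: str  # its complete command line as observed


@dataclass(frozen=True)
class Decision:
    verdict: str  # "allow", "block" or "not_covered"
    rule: str     # matched pattern, or the reason for the verdict


def image_name(path: str) -> str:
    """Compare on the basename, lower-cased, since Windows paths are case-insensitive."""
    return ntpath.basename(path).lower()


def evaluate(event: LaunchEvent) -> Decision:
    name = image_name(event.image)
    if name not in VULNERABLE:
        return Decision("not_covered", "image is not a managed vulnerable process")
    for pattern in ALLOWED_COMMAND_LINES.get(name, []):
        if re.match(pattern, event.command_line, re.IGNORECASE):
            return Decision("allow", pattern)
    return Decision("block", f"no allow-listed command line for {name}")


def audit(events: List[LaunchEvent]) -> List[str]:
    """One log line per event, so the user can see what to add to the allow-list."""
    return [f"{evaluate(e).verdict.upper():12s} {e.command_line}" for e in events]


# Constructed launch events (not captured from a real machine).
SAMPLE_EVENTS = [
    LaunchEvent(r"C:\Windows\System32\rundll32.exe",
                r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl'),
    LaunchEvent(r"C:\Windows\System32\rundll32.exe",
                r'"C:\Windows\System32\rundll32.exe" C:\Users\u\AppData\Local\Temp\x.dll,Start'),
    LaunchEvent(r"C:\Windows\System32\cscript.exe",
                r"C:\Windows\System32\cscript.exe //nologo C:\Scripts\backup.vbs"),
    LaunchEvent(r"C:\Windows\System32\wscript.exe",
                r'"C:\Windows\System32\wscript.exe" C:\Scripts\backup.vbs'),
    LaunchEvent(r"C:\Windows\System32\notepad.exe",
                r'"C:\Windows\System32\notepad.exe" C:\notes.txt'),
]


if __name__ == "__main__":
    for line in audit(SAMPLE_EVENTS):
        print(line)
```

Two details matter for a policy like this: the match is anchored at both ends of the complete command line, and the process is identified by its image name rather than by a substring of the command line, so a pattern written for one legitimate invocation does not quietly widen into "anything this interpreter is asked to run".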
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Without toggling, VS will block anything and everything that is not on the whitelist. If you are going to lock a computer, you have to make it as user-friendly as possible, otherwise it will burden the user with unnecessary prompts... you know, like the prompts that are blocking perfectly safe items. Some advanced users prefer to have total control of what is being blocked and allowed, and that is why VS also has Always ON mode.
     
  25. hjlbx

    hjlbx Guest

    VS extends monitoring/protection to child processes = Anti-Exploit feature?
     