VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. hjlbx

    hjlbx Guest

    It works without conflict.

    There is a tiny issue with command line white-listing the file path of every single sandbox deletion, but that is not a conflict. It is just a matter of Vlad fixing it... nothing is broken.
     
  2. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,715
    Location:
    .
    VS works without conflict... but, does VS work in browser sandbox...?
     
  3. hjlbx

    hjlbx Guest

    VS protects the file system and all drives by default... that includes all sandbox file path(s). I guess you are asking will VS protect against launches in SBIE sandbox(es)... for example, force running browser sandboxed. Yes, it certainly does.

    IF you mean does VS inject into browser sandboxed processes - like Chrome's own sandbox, then no it does not.
     
  4. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,715
    Location:
    .
    Yeah, Dan asked Sandboxie user to test v3
    So, v3 is the same as v2 with respect to Sandboxie. Or, not the same.
    Is there a difference between protecting against launches in the sandbox vs. payloads dropped in the sandboxed browser?
    How about if the browser sandbox is not forced?
    Thanks
     
    Last edited: Oct 4, 2015
  5. hjlbx

    hjlbx Guest

    Where the SBIE sandbox resides within the file system does not matter... VS monitors the entire file system. A sandbox is part of the file system... so VS will monitor files and block non-whitelisted executions - both sandboxed and unsandboxed - by default.
     
  6. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,715
    Location:
    .
    Hmm, then that's different than v2
    v2 did not communicate in browser sandbox facing the net.
     
  7. hjlbx

    hjlbx Guest

    Hmmm... I see what you mean. I will report it to developer...
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No comment from the peanut gallery (me) on Sandboxie ;). I will be happy with whatever you guys and Vlad decide on this, since I am in the minority on this one ;). Same goes for adding a Blacklist tab... whatever you guys and Vlad decide is perfectly fine with me ;).

    Thanks again for all of you guys' help! See, I told you guys that you would like Vlad ;).
     
  9. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    No problem. ;-)
    It was a drive-by attack, so a router or any normal network-firewall would make no difference. The malicious URL (just an IP really) was deliberately visited on the test PC to simulate the drive-by. Next thing to happen was a shell! We could activate the webcam and microphone, and basically use all the other features available via meterpreter.

    To those wanting some sort of "proof" I will point out that this method is nothing fancy. It's out there for all to see. It's basically just how a Metasploit interpreter works. Metasploit is built into Kali Linux, which is completely free, so anyone who knows how to use Metasploit should be able to reproduce it. Not that I see why it would be needed. After all, when there is no executable, how is an anti-executable supposed to block the attack?

    Just uninstall plugins such as Flash and Java, or install an anti-exploit, and you should be secure against this type of attack.
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I definitely see your point, and we are both now on the same page. But let me PM you a demo... I am curious if you will see my point as well ;). I think in the end, we were both correct. And I do agree that if users are concerned that exploits might do something other than drop and execute a malicious payload, then they certainly should run MBAE or EMET alongside VS, or simply uninstall plugins like Flash and Java like you recommended. I really would like to see an EMET block, I have never seen what one looks like, although I have seen MBAE blocks. Thank you!
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I think we have the cmd stuff figured out... we are just trying to find the best balance between usability and safety. So when you guys try the next version where this is fixed, please try it and let us know what you think. BTW, VS 2.86 essentially handled cmd the same way that VS 3.01 does (even though the code itself has been much improved)... so I actually made this change a while back, so it is my fault ;).

    There is an Allow and an Install button in VS... if VS detects the blocked file as an installer, it will show the Install button, so that VS will temporarily toggle to OFF so that the number of blocks is limited while new software is being installed. If VS detects the blocked file as a non-installer (plain executable), then the Allow button is shown, and VS does not temporarily toggle to OFF since it is allowing just 1 new process. I think there is a chance that we can do away with the Install button if Vlad can find a way to basically allow by parent process more effectively than I could (so there are not a lot of blocks during an install), and I am hoping that there is a way.

    Hopefully the last cmd issue you mentioned will be fixed as well after everything is worked out, but if it is not, please let us know! Thank you!
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey TH, sure, I will add the calendarofupdates.org fix to the to do list right now, thank you!
     
  13. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Hello

    From reading the threads I see the plan for the next 3.02 release. Those issues and requests were the most asked/discussed.
    As I understand, the 2 main issues are:
    - handling command line scripts in different VS modes (On, Off, Smart)
    - duplicated values in the whitelist and command lines list.
    And 1 request:
    - add wildcard ability to the command line (for programs like Sandboxie)

    So those are the tasks that I'm going to work on in the next few days.
    Starting this Thursday I'll be on vacation, so the next release will be once I'm back.
     
  14. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,959
    Location:
    Ontario, Canada
    Thanks Dan and come by!
    Hello Vlad and Welcome to Wilders! You also should join the new Calendar of updates as well! Great Job guys!

    Daniel :)
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    For those curious, I just did another test of the beta in a VM. Tested against a nasty piece of Ransomware. VS does indeed stop it, but what I was curious to see is what happened if I ran it sandboxed in Sandboxie and indeed VS stopped it.

    Last time some people wondered why one would do that. Let me explain.

    When I test malware against my setup, I make an assumption that if something gives me a pop up to make a decision, I will make the worst decision one could make. I do this because when we are in a hurry and tired it's very easy to click and then go oops. So by running this sandboxed I can make the wrong decision and accidentally allow this ransomware to run. Doesn't matter, as all the encrypted files are in the sandbox and get deleted. No harm to the real system. To me that has to be the first line of defense, and I have a simple rule. If it doesn't work with Sandboxie it's not for me.

    Pete
     
  16. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,715
    Location:
    .
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Pete, although I admit that I am still in the minority on this one, but that makes sense to me. Perhaps we can add an option in Settings / Advanced so that people can set this to their liking... sound good?

    With you guys' help, I got 2.86 to the point where I was happy with most of the features and stuff, so now I am excited to see what Vlad and you guys will do with it to improve it and "make it your own"... I am certain you guys and Vlad will amaze me!

    BTW everyone, Pete found a bug in the code that resulted in a bypass for VS, and Vlad has fixed it. Thank you Pete!
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Dan. I am chuckling. You wouldn't be in the minority if you'd seen how many times I've seen Sandboxie save people from themselves.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I definitely see your point. And I totally respect all of the Wilders users' knowledge and insights, and I certainly do not have all of the answers, which is why I am excited to see how amazing you guys are going to make VS 3.0 ;).

    Also, I hurt my foot again a couple of weeks ago walking my dog Molly (she pulls really, really hard), so I have been resting it... but it is almost time to step away from the computer and enjoy the outdoors ;).

    BTW, has anyone seen any good videos lately ;). If not, PM me and I will send you one ;).
     
  20. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Indeed there was a bug in VT scanning of the scripts. Fixing it. Thanks for the finding.
     
  21. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    793
    Thank you. :)
     
  22. VladimirM

    VladimirM Developer

    Joined:
    Sep 16, 2015
    Posts:
    153
    Location:
    Jerusalem, Israel
    Please send me the file to vlad@voodooshield.com. I was unable to reproduce.
    I think it was fixed. Is VS mode Always On?
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey everyone, Vlad is leaving on vacation and wanted me to post this after I took it for a quick spin... looks great to me!

    Release notes:

    - Updated link

    - Fixed reported bypasses ;)

    - Fixed auto-quarantine issue

    - Fixed sending script/registry/command line files to blacklist scan (wrong hash was sent before)

    - Added wildcard ability to command line (* - any chars, ? - any single char). The user is responsible for editing wildcards manually. There are still some questions on the wildcard feature (i.e. the order of wildcard checks and so on), so we need to get feedback from the users.

    - Rewritten command line handler, behavior now:

    o If the command is like cmd.exe /c script.bat, then it is handled as the process script.bat

    o If the command is like cmd.exe /c ping ... (any cmd), then it is handled as a command line.

    o Only the command line part is added to the command line list (without cmd.exe or something like that)

    - Important! Due to the command line fixes it is recommended to delete all previous command lines from the Command Line tab!

    http://www.voodooshield.com/download/beta3/InstallVoodooShield.exe
     
    Last edited: Oct 5, 2015
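    As an added illustration (not VoodooShield's code) of the two mechanisms the release notes above describe, the `cmd.exe /c` classification and the `*`/`?` wildcard rules for the command line list, here is a small allowlist checker; the allowlist entries, script extensions and the operator check that keeps a chained line from being judged by its first script alone are constructed assumptions.

```python
import re
import shlex

# Constructed allowlist entries (assumed example data, not VoodooShield's).
# Wildcard syntax follows the release notes: '*' = any chars, '?' = any single char.
ALLOWED_COMMAND_LINES = ["ping -n ? 127.0.0.1", "ipconfig /*"]
ALLOWED_SCRIPTS = {r"c:\tools\backup.bat"}
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1")  # assumed set
SHELL_OPERATORS = ("&", "|", "<", ">")  # chaining / redirection markers


def wildcard_to_regex(pattern):
    """Translate a '*'/'?' allowlist rule into an anchored, case-insensitive regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def classify(command_line):
    """Split a command line the way the release notes describe.

    Returns ('script', path) for 'cmd.exe /c script.bat', ('command', rest) for
    'cmd.exe /c <anything else>', and ('process', line) for non-cmd launches.
    A chained line such as 'a.bat & b.exe' is treated as a command, so the
    allowlist decision covers the whole line rather than only the first script.
    """
    tokens = shlex.split(command_line, posix=False)  # keeps Windows quoting intact
    if (len(tokens) < 3 or not tokens[0].strip('"').lower().endswith("cmd.exe")
            or tokens[1].lower() not in ("/c", "/k")):
        return "process", command_line.strip()
    rest = tokens[2:]
    first = rest[0].strip('"')
    chained = any(op in tok for tok in rest for op in SHELL_OPERATORS)
    if first.lower().endswith(SCRIPT_EXTENSIONS) and not chained:
        return "script", first
    # Only the part after cmd.exe /c is what would be stored in the list.
    return "command", " ".join(rest)


def is_allowed(command_line):
    """Scripts are matched by exact path, commands by wildcard rule."""
    kind, value = classify(command_line)
    if kind == "script":
        return value.lower() in ALLOWED_SCRIPTS
    if kind == "command":
        return any(wildcard_to_regex(rule).match(value) for rule in ALLOWED_COMMAND_LINES)
    return False  # plain executables are decided by the executable allowlist instead
```

    Note that `?` in "ping -n ? 127.0.0.1" admits a single-digit count only, so "ping -n 40 127.0.0.1" is rejected; a rule meant to cover any count needs `*`.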
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  25. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,850
    Really loving this program, but I wish they could cut out detections from "lesser" AVs and stick to the big name ones. It's annoying to have CCleaner and other safe programs show an alert because some random little AV detects a PUP.
     