It works without conflict. There is a tiny issue with command line white-listing the file path of every single sandbox deletion, but that is not a conflict. It is just a matter of Vlad fixing it... nothing is broken.
VS protects file system and all drives by default... that includes all sandbox file path(s). I guess you are asking will VS protect against launches in SBIE sandbox(es)... for example, force running browser sandboxed. Yes, it certainly does. IF you mean does VS inject into browser sandboxed processes - like Chrome's own sandbox, then no it does not.
Yeah, Dan asked a Sandboxie user to test v3. So, v3 is the same as v2 with respect to Sandboxie. Or, not the same. Is there a difference between protecting against launches in a sandbox vs. payloads dropped in a sandboxed browser? How about if the browser sandbox is not forced? Thanks
Where the SBIE sandbox resides within the file system does not matter... VS monitors the entire file system. A sandbox is part of the file system... so VS will monitor files and block non-whitelisted executions - both sandboxed and unsandboxed - by default.
No comment from the peanut gallery (me) on Sandboxie. I will be happy with whatever you guys and Vlad decide on this, since I am in the minority on this one. Same goes for adding a Blacklist tab... whatever you guys and Vlad decide is perfectly fine with me. Thanks again for all of your guys' help! See, I told you guys that you would like Vlad.
No problem. ;-) It was a drive-by attack, so a router or any normal network firewall would make no difference. The malicious URL (just an IP really) was deliberately visited on the test PC to simulate the drive-by. The next thing to happen was a shell! We could activate the webcam and microphone, and basically use all the other features available via meterpreter. To those wanting some sort of "proof" I will point out that this method is nothing fancy. It's out there for all to see. It's basically just how a Metasploit interpreter works. Metasploit is built into Kali Linux, which is completely free, so anyone who knows how to use Metasploit should be able to reproduce it. Not that I see why it would be needed. After all, when there is no executable, how is an anti-executable supposed to block the attack? Just uninstall plugins such as Flash and Java, or install an anti-exploit, and you should be secure against this type of attack.
I definitely see your point, and we are both now on the same page. But let me PM you a demo... I am curious if you will see my point as well. I think in the end, we were both correct. And I do agree that if users are concerned that exploits might do something other than drop and execute a malicious payload, then they certainly should run MBAE or EMET alongside VS, or simply uninstall plugins like Flash and Java as you recommended. I really would like to see an EMET block; I have never seen what one looks like, although I have seen MBAE blocks. Thank you!
I think we have the cmd stuff figured out... we are just trying to find the best balance between usability and safety. So when you guys try the next version where this is fixed, please try it and let us know what you think. BTW, VS 2.86 essentially handled cmd the same way that VS 3.01 does (even though the code itself has been much improved)... so I actually made this change a while back, so it is my fault. There is an Allow and an Install button in VS... if VS detects the blocked file as an installer, it will show the Install button, so that VS will temporarily toggle to OFF so that the number of blocks is limited while new software is being installed. If VS detects the blocked file as a non-installer (plain executable), then the Allow button is shown, and VS does not temporarily toggle to OFF since it is allowing just 1 new process. I think there is a chance that we can do away with the Install button if Vlad can find a way to allow by parent process more effectively than I could (so there are not a lot of blocks during an install), and I am hoping that there is a way. Hopefully the last cmd issue you mentioned will be fixed as well after everything is worked out, but if it is not, please let us know! Thank you!
Hello. From reading the threads I see the plan for the next 3.02 release. Those issues and requests were the most asked about/discussed. As I understand, the 2 main issues are:
- handling command line scripts in different VS modes (On, Off, Smart)
- duplicated values in the whitelist and command lines list
And 1 request:
- add wildcard ability to the command line (for programs like Sandboxie)
So those are the tasks that I'm going to work on in the next few days. Starting this Thursday I'll be on vacation, so the next release will be once I'm back.
Thanks Dan, and come by! Hello Vlad and welcome to Wilders! You should also join the new Calendar of Updates as well! Great job guys! Daniel
For those curious, I just did another test of the beta in a VM. Tested against a nasty piece of ransomware. VS does indeed stop it, but what I was curious to see is what happened if I ran it sandboxed in Sandboxie, and indeed VS stopped it. Last time some people wondered why one would do that. Let me explain. When I test malware against my setup, I make an assumption: that if something gives me a pop-up to make a decision, I will make the worst decision one could make. I do this because when we are in a hurry and tired it's very easy to click and then go oops. So by running this sandboxed I can make the wrong decision and accidentally allow this ransomware to run. Doesn't matter, as all the encrypted files are in the sandbox, and get deleted. No harm to the real system. To me that has to be the first line of defense, and I have a simple rule. If it doesn't work with Sandboxie it's not for me. Pete
Thank you Pete, although I admit that I am still in the minority on this one, but that makes sense to me. Perhaps we can add an option in Settings / Advanced so that people can set this to their liking... sound good? With your guys' help, I got 2.86 to the point where I was happy with most of the features and stuff, so now I am excited to see what Vlad and you guys will do with it to improve it and "make it your own"... I am certain you guys and Vlad will amaze me! BTW everyone, Pete found a bug in the code that resulted in a bypass for VS, and Vlad has fixed it. Thank you Pete!
Thanks Dan. I am chuckling. You wouldn't be in the minority if you'd seen how many times I've seen Sandboxie save people from themselves.
Hehehe, I definitely see your point. And I totally respect all of the Wilders users' knowledge and insights, and I certainly do not have all of the answers, which is why I am excited to see how amazing you guys are going to make VS 3.0. Also, I hurt my foot again a couple of weeks ago walking my dog Molly (she pulls really, really hard), so I have been resting it... but it is almost time to step away from the computer and enjoy the outdoors. BTW, has anyone seen any good videos lately? If not, PM me and I will send you one.
Please send me the file to vlad@voodooshield.com. I was unable to reproduce. I think it was fixed. Is VS mode Always On?
Hey everyone, Vlad is leaving on vacation and wanted me to post this after I took it for a quick spin... looks great to me! Release notes:
- Updated link
- Fixed reported bypasses
- Fixed auto-quarantine issue
- Fixed sending script/registry/command line files to blacklist scan (wrong hash was sent before)
- Added wildcard ability to command line (* - any chars, ? - any single char). The user is responsible for editing the wildcard manually. There are still some questions on the wildcard feature (i.e. the order of wildcard checks and so on), so we need to get feedback from the users.
- Rewritten command line handler; behavior now:
  o If the command is like cmd.exe /c script.bat, then it is handled as the process script.bat
  o If the command is like cmd.exe /c ping ... (any cmd), then it is handled as a command line.
  o Only the command line part is added to the command line list (without cmd.exe or something like that)
- Important! Due to the command line fixes it is recommended to delete all previous command lines from the Command Line tab!
http://www.voodooshield.com/download/beta3/InstallVoodooShield.exe
http://uk.pcmag.com/antivirus-reviews/8141/guide/the-best-antivirus-for-2015 That was VS 2.00; I am guessing that Vlad's VS 3.0 might do alright too. Thank you Neil and PCMag!
Really loving this program, but I wish they could cut out detections from "lesser" AVs and stick to the big name ones. It's annoying to have CCleaner and other safe programs show an alert because some random little AV detects a PUP.