VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  2. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    564
    Location:
    U.S. Citizen
    @Dzp5t,

    Appreciate the quick reply!!! With the link :thumb:
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I was not going to post this, but so that everyone knows what really happened, and so this does not keep coming up, here is my response.

    r41p41 was unable to drop and execute a payload, so he was unable to bypass VS, as shown in this video:

    http://voodooshield.com/artwork/bored.mp4

    I posted my response video on his blog, and he quickly removed my video and crawled under a rock for 5 months.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    We keep receiving requests for free VS Pro licenses, mainly from users of the following site (but others as well):

    https://translate.google.com/transl....kafan.cn/thread-1936040-1-1.html&prev=search

    Free VS Pro licenses are ONLY available to wilderssecurity.com members. If you are a member of wilderssecurity, I will be happy to set up a free license for you. Just send me your wilder’s username and the email address that you would like to use for your VS account (support@voodooshield.com). Thank you!
     
    Last edited: Mar 4, 2016
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, thank you!
     
  6. schmidthouse

    schmidthouse Registered Member

    Joined:
    Aug 18, 2015
    Posts:
    26
    Location:
    Sunny Okanagan Valley Canada
    I think it's great that folks can obtain 'free' PRO License Keys here on Wilder's.
    I personally believe "buying" Product Keys for software that one likes/uses serves to SUPPORT further development .
    I have purchased Pro Product Keys for 2 Machines.
    My question is, when will Version 3 (with its improvements) be run through the VoodooShield V. 2.86 GUI UPDATE function? o_O
     
  7. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    564
    Location:
    U.S. Citizen
    Salutations/Greetings! ;)

    Will the Pro License Key work on the Beta version before/after the Beta is over?
    Will these Pro License Keys be for a lifetime and/or one year?

    Also, will VoodooShield work with Sandboxie, without any kind of conflicts?
    And can you post a link for the latest version,please?

    Kind regards, :geek:

    Appreciate the quick response from everyone!!!
     
    Last edited: Mar 4, 2016
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for your support, we appreciate that! I am not sure when VS 3.0 will be completely finished, but we are getting close. Hopefully in the next 1-2 months at the most.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, the license will work for all versions of VS!

    I am not sure if VS is working with Sandboxie the way most users would like it to or not, so hopefully we can get some feedback from them. Thank you!
     
  10. schmidthouse

    schmidthouse Registered Member

    Joined:
    Aug 18, 2015
    Posts:
    26
    Location:
    Sunny Okanagan Valley Canada
    Thanks for your response, appreciated.
     
  11. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,123
    Does VS upload all executables, or does it check the hash first, and if the hash is found there is no need to upload the executable?

    How does the cloud detection work? I.e. even if 1 AV detects, does VS alert that malware was detected, or do 5 or more AVs mean a threat is detected, so fewer than 5 AVs means no detection?
     
  12. Tony

    Tony Registered Member

    Joined:
    Feb 9, 2003
    Posts:
    725
    Location:
    Cumbria, England
    Thanks Dan :)
    I assume the scan and allow setting also allows a user to uninstall as well as install?
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hi yesnoo, either way VS does not upload the executable, it only checks the hash. This is mainly because it would take 5 or so minutes for the file to be analyzed, and by then the user would have already clicked block or allow. At some point, we will upload the file if it is unknown, so that it is analyzed and added to the database. We might even build this feature out a little more, and notify the user of the results when the analysis is finished.

    This part gets a little complicated, but here is a quick explanation of how it works. VS has a false positive feature that determines whether the results are false positives or not. Basically, if the results are 0, then the file is considered safe. If the results are higher than 5, then the file is considered unsafe. If the results are between 1-5, then VS's false positive feature determines the probability of whether the file is safe or not, depending on the engines that marked the file as unsafe. For example, if there are 2-3 engines that marked the file as unsafe, but all 3 of those engines have an unusually high false positive rate in general, then the file is marked as safe. Also, if there are 2-3 engines that mark the file as unsafe that have a normal false positive rate in general, then the file is considered unsafe. So basically, when there are 1-5 hits, the results can be either safe or unsafe, depending on which engines marked the file as unsafe. It is a little more complicated than that, but that is the best way to explain it. Thank you!
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sure, thank you Tony! Yes, uninstalls are allowed in Scan and Allow mode without turning VS OFF.
     
  15. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    83
    Location:
    UK
    There's no conflict between VS and Sandboxie. However VS doesn't appear to offer any protection if operated within the sandboxed environment, even though the VS shield is showing as active (On, Smart, Scan and Allow). But then I suppose the question is... does it need to? Once any items are recovered from Sandboxie they will be scanned by VS in the usual way.

    Slightly off topic, but in my set-up VS doesn't work when Shadow Defender is in Shadow Mode, whether sandboxed or not. But again, does it need to?
     
  16. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,123
    Against what does it check the hash, VT or ...?
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,165
    Location:
    The Netherlands
    I forgot about this. But if I'm correct he claims he could still bypass the new VS with kernel driver? I wonder if it's a real problem that processes are launched in suspended mode, EXE Radar also works in this way.

    Seems like he used the hollow process method in order to bypass VS. So I still think that strict parent-child "process execution control" is necessary to defeat most attacks. Browsers should not be able to spawn system and other processes.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Gillor! That is odd that VS does not work in Shadow Mode with Shadow Defender, I was not aware of that. What happens?
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I wish I could give credit where credit is due, but all I can say is that there are 57 scan engines in the blacklist scan ;).
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Since he was less than honest when he claimed that he bypassed VS 2.50 with the CPN, do you really think that he bypassed VS 3.0 with the KMD? He could not even get powershell to run with VS 3.0. It makes me wonder if any of his other so-called bypasses are fraudulent as well. Either that, or he just does not get it... I wonder if he is still trying to bypass a one year old version of VS. Also, someone needs to explain to him that clicking "Allow" while pen testing is a no-no (yes, you can clearly see in his video that he clicked "Allow" to the VS prompt). I do not believe it was a hollow process exploit in his initial "bypass" (he added that later when his initial bypass failed, but never produced a POC for that method)... he used some obscure flash exploit that most developers do not even spend the time to worry about since any semi-modern browser will block these attacks.

    You said "Browsers should not be able to spawn system and other processes." Correct... the video clearly demonstrates that VS 2.50 blocked the payload. We have since changed it so that VS 3.0 blocks the powershell as well (even though it was perfectly safe in 2.50 since the payload was blocked).

    I am certain that someone can bypass VS (a guy named Adam has found 2-3 things that have bypassed VS in the past that we had to fix)... I would even guess that if r41p41 spent enough time on it, he might be able to as well. So I am not suggesting that VS is absolutely bulletproof, but it is extremely annoying (although admittedly amusing) that people claim to bypass VS, then it turns out that they either did something wrong (like click Allow), did not demonstrate execution of the payload, or their bypass simply did not work.

    So from now on, if someone can demonstrate a legit VS bypass in a video, then cool.

    Just make sure:

    1. You do not click Allow to a VS block
    2. You can drop and execute a payload
    3. The payload process is fully executed... not suspended
     
    Last edited: Mar 5, 2016
  21. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,123
    So if the hash is not available in the 57-engine database, then what happens?
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Then VS will block the file, and if the user clicks on the balloon, it will display a red prompt, notifying the user that the file is unknown and that it is very suspicious (since most files should be known). Basically, no one should run a file that is unknown.
     
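    To make the verdict rules described in the two replies above concrete (an unknown hash is blocked as suspicious; 0 detections is safe; more than 5 is unsafe; 1-5 detections are weighed by the flagging engines' general false-positive rate), here is an added Python sketch. It is not VoodooShield's code: the engine names, their false-positive rates, the 0.20 "unusually high" cutoff, the SHA-256 choice and the "all flagging engines must be high-FP for the file to be called safe" rule are constructed assumptions, since the thread does not disclose how VS actually weights engines.

```python
"""Toy hash-lookup verdict logic modelled on the forum replies.

Added illustration, NOT VoodooShield's implementation. Only the hash is
looked up (the file is never uploaded); the rules are:
  unknown hash        -> "unknown" (block, red prompt)
  0 engines flagged   -> "safe"
  more than 5 flagged -> "unsafe"
  1-5 flagged         -> depends on the flagging engines' FP history
"""
import hashlib

# Constructed sample: each engine's historical false-positive rate, i.e. the
# fraction of clean files it has wrongly flagged. Assumed values, not real data.
ENGINE_FP_RATE = {
    "EngineA": 0.01,
    "EngineB": 0.02,
    "EngineC": 0.30,   # assumed "unusually high" FP rate
    "EngineD": 0.25,
    "EngineE": 0.35,
}

HIGH_FP_CUTOFF = 0.20   # assumed: above this an engine counts as "noisy"
UNSAFE_THRESHOLD = 5    # more than this many hits -> unsafe, no weighing


def sha256_hex(data: bytes) -> str:
    """Hash the file contents; the lookup key sent to the cloud (assumed SHA-256)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample database: hash -> set of engines that flagged that file.
# Built from inline byte strings so the example runs offline.
SAMPLE_DB = {
    sha256_hex(b"clean-installer"): set(),
    sha256_hex(b"known-malware"): {"EngineA", "EngineB", "EngineC",
                                   "EngineD", "EngineE", "EngineX"},
    sha256_hex(b"noisy-engines-only"): {"EngineC", "EngineD", "EngineE"},
    sha256_hex(b"reliable-hits"): {"EngineA", "EngineB"},
}


def likely_false_positive(engines, fp_rates=ENGINE_FP_RATE, cutoff=HIGH_FP_CUTOFF):
    """True only when every flagging engine has an unusually high FP rate.

    Assumption: a mix of noisy and reliable engines is treated as a real hit.
    Engines with no recorded history default to a 0.0 rate (i.e. trusted).
    """
    return all(fp_rates.get(e, 0.0) > cutoff for e in engines)


def verdict(file_bytes: bytes, db=SAMPLE_DB) -> str:
    """Return "unknown", "safe" or "unsafe" for the given file contents."""
    h = sha256_hex(file_bytes)
    if h not in db:
        return "unknown"          # never seen: block and warn the user
    hits = db[h]
    if len(hits) == 0:
        return "safe"
    if len(hits) > UNSAFE_THRESHOLD:
        return "unsafe"
    # 1-5 hits: the decision depends on which engines flagged the file
    return "safe" if likely_false_positive(hits) else "unsafe"


if __name__ == "__main__":
    for sample in (b"clean-installer", b"known-malware",
                   b"noisy-engines-only", b"reliable-hits", b"never-seen"):
        print(sample.decode(), "->", verdict(sample))
```

The point worth noticing for a defender is that the 1-5 band is where the policy lives: with only the hit count, a file flagged by three chronically noisy engines and one flagged by two reliable engines look identical, so any deployment of this idea needs per-engine history and a deliberate decision about mixed cases.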
  23. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,123
    Ok, got it.
     
  24. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,123
    Is it required to keep "sync & backup snapshot in cloud" enabled, or can it be disabled without affecting protection & performance?

    Is the latest stable version 2 fully supported/compatible with Win 10 64?
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    No, you can disable the sync if you want... that is mainly for business / enterprise. 2.0 should work fine on 10, but I would go with 3.0.
     