VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Alexhousek

    Alexhousek Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    662
    Location:
    USA--Oregon
    Thanks a ton wolfrun! That was quite the informative article! In fact, it answered many of the questions that I had/have about VS. And, it did so in language that even this old guy could understand. Thanks again for the link.
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,093
    Location:
    UK
    Just to add that I use VS, Emsisoft and Sandboxie together on my machines and have no problems.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Wolfrun
    Do you remember this video from a while ago? https://www.youtube.com/watch?v=qaarN03QECs

    In the video, the gentleman was testing TH's WSA / VS combo with a lot of different malware... and yeah, if it is a known / obvious piece of malware, WSA and Emsisoft will block the file before VS does, which is a great thing. I am just saying that after it is blocked by VS, scanned by VS, and allowed by the user, WSA or Emsisoft (I am assuming), is still monitoring the behavior. Sorry, I thought this was assumed, so technically, the first layer is WSA or Emsisoft doing its initial voodoo ;). And really VS's mode should not matter either way, it should act the same.

    As far as blocking speed goes compared to other security products, VS blocks somewhere in the middle, which was not necessarily by design, but it worked out pretty well. We could try to make VS block quicker or slower, but it is probably about right the way it is.

    Maybe it is not as much of a question of one is a companion of another... maybe it is more of a question of 2 security products, each offering different layers of protection, working well together?

    Yeah, VS works great with both products... I would love to see something bypass either combo ;).
     
Nearly the same as @Peter2150 (he is testing VS, but still using NVT ERP); by the way, you are an early mod shift from the UK.
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,093
    Location:
    UK
    I've used Emsisoft and Sandboxie for quite a few years together and added VS over 18 months ago.
     
Should be a more than sufficient setup IMO. Which mode do you run VS in?
     
  7. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,093
    Location:
    UK
    Smart mode.
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
I am not sure if you guys have seen this yet or not, but I thought you might find it interesting; I certainly did.

    This is just a random sample so you can see what all info it shows... it is pretty cool!

    http://whitelist.kaspersky.com/advisor#search/8f83fb40d57a720d5367cfc82f652233

    Here is a recent cerber sample I copied and pasted from Cuckoo... it is currently not listed in the Kaspersky database, although Kaspersky has now identified the file as cerber. Earlier, when the Cuckoo analysis was performed, the VT ratio was 14/56, and it is currently 33/56.

    http://voodooshield.asuscomm.com:8080/analysis/1126/

    http://whitelist.kaspersky.com/advisor#search/4804b61a76671980885c644d211ca971

    Anyway... let's look at this file a week or two from now, it should be interesting. The really messed up part is that a certain amount of computers will probably become infected, and there is nothing we can do to stop this from happening... crazy, huh?

    Edit: Actually, I just noticed that the file is in Kaspersky's database, but it blocked me for 24 hours because I looked up more than 10 samples ;). Anyway, we will see how the stats change over the next couple of weeks.
     
  9. guest

    guest Guest

I am not comparing it with Sandboxie or its features, just asking for an on-demand sandbox. In the same way it is able to sandbox something suspicious via pop-up, I should be able to sandbox any exe via right click, on demand. Maybe it will have some limitations in terms of compatibility, but I guess it should be easy to add the feature.

@VoodooShield
     
  10. Dan.

    Great find :thumb: and fun to monitor the detection rates at VT.

It is now 31/54; strangely, AVG detects it while its sibling Avast thinks it is safe :confused:

This is not just a random sample; it is a sample from the few malware files which are signed with a valid certificate (of course the issuer is Comodo, who else). The irony is that Comodo marks it as malware (so they know), but does not inform other AVs about their own fraudulent certificate :eek:


CLAIM:
Replacing VoodooShield's current built-in 'allow by already installed parent program' whitelist with an 'allow by already installed program signature' whitelist reduces both False Positives and False Negatives.

PROOF:
Ironically, this sample proves that building a PC-specific whitelist of already installed programs also blocks fraudulent signatures. VS would not have allowed this signed program, since this is a new signed program (not detected by the snapshot scan in UAC-protected folders), so the Dan vs Kees discussion on replacing the snapshot (parent) whitelist = 0 : 1
     
    Last edited by a moderator: Jan 10, 2017
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
What functionality are you expecting? The problem would be the work to implement it. If you've watched the development and the problems Invincea has had, this is very much a non-trivial change.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Does the free license Dan kindly offers to Wilders members apply to one machine only?
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Yes it does just for one, afaik.

    Edit: Dan's reply a bit later:
     
    Last edited: Jan 10, 2017
  14. guest

    guest Guest

Again, I am not talking about Sandboxie or its technology...

VS already has a local sandbox (good or bad) for detections, accessible via pop-up, so what is the problem with making it available on demand via right click?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Have you used it? I've tried playing with it and its usefulness is quite limited compared to Cuckoo. Just curious what you want it for.

I am not asking to harass you; I am curious, as I have had similar ideas, and they just haven't proved useful.
     
  16. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
Better still, perhaps Sandboxie should implement some kind of AV component within its structure :)
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Gosh, I hope not. They have enough battles to contend with. Besides, that might well bring them too close to the other Invincea products, and I'd be surprised if they would go there.
     
  18. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I know, it was just another ridiculous notion for a cureitall!
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I think that would be a cool feature to add, thank you, I put it on the to do list! We are going to wait at least a month or so before adding new features... I want to make sure that we work out every last bug in VS before adding new features. We really need to finish up the web console and a few things with VoodooAi during that time anyway.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Okay, I will wait to test.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Yeah, exactly... that is what the whole VoodooAi Cloud thing is all about, except I never thought about replacing the 'already installed parent program' whitelist... which we might be able to do (or at least scan all of the files, which is what the real-time scanner is all about). It will probably take 4-6 months for the VoodooAi Cloud database to automatically build itself anyway, so maybe we can do something like this after the database is built out well enough? Something like that?

    BTW, that first sample is different from the cerber sample below it. The first sample is an example of a file that has been around for awhile, whereas the 2 links below are for the new cerber variant. BTW... I was thinking about this last night while getting ready for bed... since Kaspersky already knows about the new variant, I wonder how the stats are going to turn out, and actually, where the stats come from. I mean, obviously they probably come from machines with Kaspersky installed, but either way, it should be interesting.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    ALL Wilder's user licenses are good for up to 10 devices ;).
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Thanks Dan, you're so generous. :)
     
  24. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    I'll second that! :thumb:
     
Yes, we are nearly there. I was thinking about the corporate market and preventing spikes on your cloud infrastructure. Bear with me.

Having a local whitelist is probably needed for the corporate market, because corporations might not want a big cloud-based whitelist (but rather a more granular, centrally managed whitelist)*. Most corporate endpoint PCs have the OS replaced by a standardized image with all software. Having a local whitelist also protects those endpoints when they are not connected to the internet, so you can guarantee central policy enforcement in all situations. The point I want to bring across: the corporate market requires a local whitelist anyway.

Extending the local hash-based installed-programs whitelist with an installed-signatures whitelist before the cloud AI whitelist is up and running has the advantage that you offer better FP and FN control sooner, and you can implement some sort of trickle feed from the local database to the cloud, to prevent overload and spikes.

Regards Kees

* PS. In business development I learned that when you can't offer the same as the competition from the start (like KapLab's whitelist of over a billion samples), make your weakness your strength and offer something different (every disadvantage has an advantage). In terms of Jung's preferences, most system admins and IT managers are BLUE, so they value control. The tighter the better, as long as it is hassle-free.

So don't tell them it takes time to build a central cloud whitelist (and prevent discussions like "my cloud is bigger than your cloud"), but tell them that they will get a tailor-made whitelist, automatically matching their standardized image policy, with the ease of central management control and adjustments ;)
     
    Last edited by a moderator: Jan 10, 2017
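The "snapshot whitelist plus installed-signatures whitelist" idea from the CLAIM/PROOF post above and from Kees's corporate-market post can be tried out offline. The following is an added example written for this thread, not VoodooShield's own code or logic: it builds a hash snapshot of a constructed install root, derives a signer whitelist from the executables that were already signed at snapshot time, and then evaluates new files under a hash-only policy and a hash+signer policy. Authenticode verification is Windows-specific (WinVerifyTrust / Get-AuthenticodeSignature), so the signer of each file is supplied by a `signer_of` callback that stands in for that check; every file, publisher name and "sample" here is constructed for the demo.

```python
"""
Added example (not VoodooShield code): snapshot whitelist of installed
programs, extended with a signer whitelist derived from that snapshot.

signer_of(path) stands in for platform signature verification and returns
the subject of a *valid* signature or None. All paths/publishers are made up.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Optional, Set

EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}


@dataclass
class Sample:
    path: str
    data: bytes
    signer: Optional[str] = None  # subject of a valid signature, else None


@dataclass
class LocalWhitelist:
    hashes: Set[str] = field(default_factory=set)   # SHA-256 of snapshot files
    signers: Set[str] = field(default_factory=set)  # publishers seen in snapshot


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_snapshot(root: str, signer_of: Callable[[str], Optional[str]]) -> LocalWhitelist:
    """Walk an install root (think Program Files) and record every executable's
    hash, plus the signer of each executable that carries a valid signature."""
    wl = LocalWhitelist()
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                wl.hashes.add(sha256(f.read()))
            signer = signer_of(path)
            if signer:
                wl.signers.add(signer)
    return wl


def decide(sample: Sample, wl: LocalWhitelist, mode: str = "hash+signer"):
    """Return (verdict, reason). 'hash-only' is the pure snapshot policy;
    'hash+signer' also allows files signed by an already-installed publisher.
    A valid signature from a publisher NOT in the snapshot is blocked in both
    modes: the CA that issued the certificate never enters the local list."""
    if sha256(sample.data) in wl.hashes:
        return "allow", "hash in snapshot"
    if mode == "hash+signer" and sample.signer and sample.signer in wl.signers:
        return "allow", f"signed by already-installed publisher {sample.signer}"
    if sample.signer:
        return "block", f"valid signature from unknown publisher {sample.signer}"
    return "block", "unsigned and not in snapshot"


def demo():
    """Constructed scenario: snapshot a fake install root, then judge three
    files that arrive afterwards under both policies."""
    installed = {  # relative path -> (file bytes, signer or None); all made up
        "Editor/editor.exe": (b"MZ editor v1", "Example Editor Ltd"),
        "Tools/tool.dll": (b"MZ tool v1", "Example Tools Inc"),
        "Old/legacy.exe": (b"MZ legacy", None),
    }
    with tempfile.TemporaryDirectory() as root:
        signers = {}
        for rel, (data, signer) in installed.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            signers[path] = signer
        wl = build_snapshot(root, signers.get)

    cases = {
        # updated build of an installed, signed program (hash changed)
        "editor_update": Sample("editor.exe", b"MZ editor v2", "Example Editor Ltd"),
        # validly signed, but by a publisher that was never installed here
        "signed_unknown": Sample("invoice.exe", b"MZ ransomware-like", "Fresh Shell Co"),
        # unsigned newcomer
        "unsigned_new": Sample("setup.exe", b"MZ dropper", None),
    }
    return {name: {mode: decide(s, wl, mode)[0] for mode in ("hash-only", "hash+signer")}
            for name, s in cases.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:15s} {verdicts}")
```

Two caveats a practitioner would attach to this. The signer whitelist must key on the signing certificate's identity (subject plus issuer, or the leaf thumbprint), never on the issuing CA; otherwise one Comodo-issued certificate on a legitimate program would whitelist every Comodo-issued certificate, including the one on the sample discussed above. And the hash+signer policy trades one failure mode for another: it lets an updated binary from a known publisher through without a prompt (fewer false positives), but it also lets through anything signed with a stolen or abused certificate belonging to a publisher already in the snapshot, which the hash-only policy would still block.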