VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    But Pete, I thought you agreed with me that once malware is allowed to execute, all bets are off, right?
     
  2. mWave

    mWave Guest

    It's a self-protection bypass. Not a process monitoring or VoodooAi bypass. omg :D

    This is not rocket science.

    Dude, I'm laughing too much :thumb::argh::argh::argh:
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In real life, totally. But for testing, that's another matter. In some of the tests I let the malware run all the way so I could watch what it was doing. You have to differentiate the two scenarios.
     
  4. guest

    guest Guest

    Oh ok, I'm way too far to visit you.
    BTW, I think you quoted the wrong person :D

    Yes, but a novice won't know. What we're trying to make you understand is that we talk about a single mechanism (the self-protection), and we assume that the blocking was bypassed, because that is how you do tests; you assume various scenarios, and bypasses are one of them.
     
  5. mWave

    mWave Guest

    Yes! FINALLY.

    So let's say that someone does use the same method from within a macro, then it would not be blocked initially... Or let's say someone does allow it to run regardless of what VoodooAi thinks, that doesn't mean that it doesn't abuse a weakness in the self-protection just because the user "allowed it".

    What @VoodooShield is saying to me is like a vendor saying to someone: "Thanks for bypassing our sandbox analysis, but it isn't valid because you downloaded and ran it first", or "Thanks for bypassing our self-protection, but it isn't valid because you allowed it when it wasn't a whitelisted object", or "Thanks for bypassing our behavior blocker, but it doesn't count because it has to be running"

    I do not think I can re-explain myself any more times. If the developer really cannot understand me after re-explaining 10000000x times, then it just goes to show how ignorant he really is :D

    I think I can see what is going on here... he doesn't want to admit it's valid because he is embarrassed that his self protection is flawed. LOL. So he tries to excuse himself by saying "Oh but it has to be allowed first".. Well urm duh? It's an anti-executable!

    :argh::argh::argh::argh::argh::argh::argh::argh:
     
  6. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Just curious, besides Dan are there any software developers in this thread that can supply a link to their software(s)?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The forum is full of them. What are you wanting?
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    I didn't ask about the forum, I asked if there were any in this thread, I stated clearly I was curious.
     
  9. plat1098

    plat1098 Guest

    Ouch, where we come from, this is called a "tautology." But isn't this the bottom-line inherency in an anti-exe, regardless of test or real-world scenarios? It is what it is, anything further and it would be a departure from strict anti-exe, no?
     
  10. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,438
    Dan,

    I think it's like EfficacyTest.exe, i.e. to test malware against VS with ET.exe, you have to allow ET.exe so that ET.exe can run all the malware & test VS.
    If you block ET.exe itself, ET.exe cannot run malware to test VS.

    Similarly, to test Self-Protection, you have to allow the "SelfProtectionTest.exe" so that SPT.exe can run & test Self-Protection.
    If you block SPT.exe itself, SPT.exe cannot run to test Self-Protection.
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Reason I wondered is they really shouldn't be in this thread.
     
  12. guest

    guest Guest

    Exactly, this is what we call "testing": unless you test the prevention only, you have to "allow" to test other features, and self-protection is about the system being compromised, because if the system isn't compromised, the self-protection will never kick in.
     
  13. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,568
    Ok, guys, I recommend everyone to relax. Step away from your computer/laptop/electronic device, go outside and take a breath of fresh air.

    I feel like a huge amount of misunderstandings are going on in this thread. Feedback is important, be it positive or negative, because it helps the software and developer grow. However, it's also important to do so in a way that's respectful between tester and developer. Basically, try to understand and read carefully what's being posted before replying.

    Now then. @VoodooShield
    If you are going to implement this lock-down/self-protection mechanism, will there be a way to disable it?
    If you do make a setting for it, I think opt-in would be my preferred option.
     
  14. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK


    I agree, but it does happen...Let me suggest a scenario from my perspective...I recommend someone I know who wishes to develop their knowledge of computer security to Wilders, and they happen on this thread and ask me about various members in this "discussion"....I would tell them that Dan is a software engineer who has developed a somewhat unique security product and the others are simply users who have questionable opinions on it...I would advise them to try for themselves and pretty much ignore the regular "I have something to say each day" types; I strongly believe it's simply venting, a "look at me and my (questionable) knowledge" opportunity...Having said that, there are a few balanced regulars who openly display that along with what they know they also realise that they too are learning every day; Kees springs instantly to mind.
     
  15. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    This!
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    That's fine.
     
  17. guest

    guest Guest

    @clubhouse1 you also have to mention that some are testers, others work in the field. And IMO, you learn more by reading an argument rather than a discussion where everybody agrees. In my case, Dan and I have had a long tumultuous history, so we know each other quite well; it is why we talk to each other the way we do. Maybe for the newcomer it seems aggressive or heated, but Dan and I are used to it.
    And you know the expression: "we argue about what we like, and ignore what we don't".
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, it will be optional... but once it is fully implemented and all of the bugs are worked out, I doubt anyone will want to disable it.
     
  19. guest

    guest Guest

    Hope you can make it fast and efficient :D
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The user can just manually click on each malware file to test. Similarly, mWave can create a bypass that does not require him to click allow.
     
  21. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK


    Absolutely, there is always a use for adult and progressive discussion...However, there is nothing productive in disrespectful asides and juvenile usage of smileys by, I assume, adults...As I said and will continue to say, put over-inflated egos aside and put forward rational insights and opinions.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I will say this for the last time. When you click Allow to an uninstaller for any given AV product, it will completely remove the driver and all of the software.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    If you really wanted to prove your point, all you have to do is create a bypass that does not require you to click Allow. There is no reason to discuss hypotheticals. Just do it.
     
  24. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @VoodooShield

    Hi Dan

    I'm all for implementation of a 'tamper mode' feature that locks the system down when VS is targeted, but I do believe it should be optional - opt in or out, I don't mind.

    All the software I've used with self-protection built in has had the ability to turn the feature on or off. I think VS should follow suit, to appease those that want it and those that don't.

    Personally if I'm using VS as my primary or only security protection then if it's not running as a result of malicious action I would want the computer locked down. No question!

    However, if I have other layers of protection on my system, say an AM or AE, I may be prepared to accept the risk of losing VS, because my other defenses can step in. In this scenario I wouldn't necessarily want a lock down to occur if VS is tampered with, but if I'm not given the choice then I would have no option but to remove VS.

    Mark
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    OR you could run an actual valid test like I did, and test the self-protection with the macro, like I did, and find out that it works perfectly and also kills the payload.
     
    Last edited: Mar 23, 2017